
Make a folder read-write for all users without using ACLs System
People often want to share a folder on their startup drive (or another drive with ownership enabled) between several local users. It's easy to change permissions on the whole folder, but any newly created files inside that folder will only be writable by the user that created them.

A standard way of dealing with this issue is to use inherited ACLs, as described in this hint. However, that method has a few drawbacks. Some applications, like Open Office, don't understand ACLs. Other applications save through temporary files, which can wash out the ACLs depending on the particular setup; Photoshop, for example, strips off ACLs on re-saves. Lastly, inherited ACLs are only applied to newly created files and to files copied to the shared folder, not to files moved there. The proposed method of sharing a folder has no such deficiencies. It works in 10.5 and 10.6.

The trick is to mount a local folder on the same computer via NFS.

Here's how:
  1. Make a folder somewhere that you want to share between several users. It should be somewhere out of the way, because it will not be accessed directly but rather through the mount point.
  2. Make another folder which will be the mount point for the NFS share. Let's say the original shared folder is tucked away in /var/root/share1 and the mount point is /users/shared/mnt.
  3. Using your favorite command line editor, create a file named exports in /etc (you need to do it as root, so use sudo) with the following content:
    /var/root/share1 -mapall=501 localhost
    -mapall=501 means that all users accessing this share via NFS will be mapped to user ID 501 -- that's what will allow all of them to read and write everything in that folder. The UID in the command should be the same as the owner of the folder /var/root/share1. To make sure this is true, run this command in Terminal: sudo chown 501 /var/root/share1.
  4. Open the file /etc/auto_master (again using sudo) and add the following line to it:
    /-        shared_folder
  5. Create a file named shared_folder in /etc (sudo again), with the following content:
    /users/shared/mnt  localhost:/private/var/root/share1
  6. Restart your Mac.
After the restart, you're done. Go to /users/shared, and you'll see a mounted volume there at mnt. All users will be able to write to everything inside this folder.
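
A check for the result of steps 1 to 5, added here as an example and not part of the original hint: it reads an exports file and reports any -mapall entry whose host list is not exactly localhost or whose mapped UID differs from the owner of the exported folder. The function names and the throwaway demo paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the hint): audit -mapall entries in an exports file.

# Numeric owner of a path; works with both BSD and GNU ls.
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# check_exports FILE: prints one line per problem, returns the problem count.
check_exports() {
    findings=0
    while read -r dir rest; do
        case "$dir" in ''|'#'*) continue ;; esac   # skip blanks and comments
        uid='' hosts=''
        for word in $rest; do
            case "$word" in
                -mapall=*) uid=${word#-mapall=}; uid=${uid%%:*} ;;  # drop :group
                -*) ;;                                             # other options
                *) hosts="$hosts$word " ;;
            esac
        done
        [ -n "$uid" ] || continue                  # only -mapall entries matter here
        case "$uid" in                             # a user name is allowed too
            *[!0-9]*) uid=$(id -u "$uid" 2>/dev/null) || uid='?' ;;
        esac
        if [ "$hosts" != "localhost " ]; then
            echo "$dir: host list is '${hosts% }', expected only localhost"
            findings=$((findings + 1))
        fi
        if [ ! -d "$dir" ]; then
            echo "$dir: exported folder does not exist"
            findings=$((findings + 1))
        elif [ "$(owner_uid "$dir")" != "$uid" ]; then
            echo "$dir: owner is UID $(owner_uid "$dir"), clients map to UID $uid"
            findings=$((findings + 1))
        fi
    done < "$1"
    return "$findings"
}

# Constructed demo: a throwaway folder and exports file, not real system paths.
demo=$(mktemp -d "${TMPDIR:-/tmp}/exports-demo.XXXXXX")
mkdir "$demo/share1"
printf '%s -mapall=%s localhost\n' "$demo/share1" "$(id -u)" > "$demo/exports"
check_exports "$demo/exports" && echo "demo exports file: no findings"
rm -rf "$demo"
```

On a Mac set up as in the hint, the same function can be pointed at /etc/exports.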

If you want to restrict access to only some users, change the location of the mount point and put it in some folder that only particular users have access to. If you are running 10.5, you can skip steps four and five, and after you restart the computer, you can use Directory Utility to create an auto-mounted NFS share instead of using autofs.

That shortcut doesn't seem to work in 10.6: NFS automounting has been moved to Disk Utility there. Trying to use it to create an NFS auto-mount of a folder on localhost results in the mount point becoming a regular alias pointing to the original shared folder, so the special UID mapping is lost.

Lastly, note that since the mounted NFS share will be treated as a separate drive, the usual Finder rules will apply to it: dragging files to it from the main drive will copy those files; Command-drag something if you want to move it instead of copying it.

[robg adds: I haven't tested this one, but it sounds like an interesting alternative to ACLs.]

iPhoto? iTunes?
Authored by: jspivack on Feb 05, '10 12:40:48PM

so...could you use this to share iPhoto, or iTunes, among different users on the same machine? There are lots of different hints for this, but I don't recall having come across a perfect foolproof one...



[ Reply to This | # ]
iPhoto? iTunes?
Authored by: V.K. on Feb 05, '10 01:32:22PM

yes, you can share itunes and iphoto this way if you want to. but there is no need for this hint with iphoto 09 sharing. it can take care of different ownership issues itself. just put the iphoto library in a folder accessible by several users like /users/shared and point their iphoto libraries to that location. to do that start iphoto while holding option. it will then let you choose a library. just keep in mind that if you do it this way two users should not be accessing iphoto at the same time. one user at a time only. as for itunes, yes, you can use this hint but you can also use the ACL method mentioned in the hint. that's easier to implement and will work just as well for itunes. this hint is really just for situations where ACLs are not suitable for some reason, like sharing photoshop projects. incredibly, even the latest version of photoshop doesn't deal with ACLs correctly and strips off ACLs when you save a file. so the ACL method won't work there but this one will.



[ Reply to This | # ]
iPhoto? iTunes?
Authored by: bhagemann on Feb 05, '10 06:23:19PM

That's how I thought (in theory) iPhoto9 resolved this long standing issue. Here's the dilemma I still had... with my iPhoto Library in /users/shared/ and then selecting it with iPhoto in BOTH accounts as the default library, it SEEMS to be fine. But I cannot edit a photo that was imported by the other account in a given account. User1 can import photos, edit, do whatever. User2 can then SEE those photos and use them.. but NOT crop or otherwise modify them. The thumbnail that was created on import is unmodifiable because of ownership issues apparently. Same the other way around with photos that User2 imports -- User1 can see but not edit. So to edit a file you need to be in the account which imported it from the camera.

To me the point of the /users/shared folder is a mystery given that it doesn't really enable sharing of files outside of 'read only'. Seems practically impossible for a multi-user mac to share photos or tunes, which I would THINK would be a very common need. My only solution so far is to host the iPhoto (and iTunes --same issue with modifying mp3 tags) libraries on an EXTERNAL drive set to ignore permissions. Which defeated my purpose of buying a new iMac with a 2TB internal drive. All these hacks using ACL lists and odd permissions to me miss the point. The shared folder SHOULD WORK and I'm unwilling to use a convoluted workaround to accomplish it. I know I spent a good part of a week trying to get it to work a few months ago. Oh well... I guess until Apple solves this for us, my internal drive will have lots and lots of free space! ;-)



[ Reply to This | # ]
iPhoto? iTunes?
Authored by: ret on Feb 06, '10 06:14:53PM

Another approach (there's an apple technical note to this effect, btw) is to create a sparse disk image without permissions, and add it to each user's startup items. Move the iPhoto library to this virtual disk, and you've got effectively the same result, but with your internal drive being used.

This seems to work quite well for me.

---
perl -e 'require Signature.pm; srand; printf STDOUT "%s\n", $Signature[rand @Signature];'



[ Reply to This | # ]
iPhoto? iTunes?
Authored by: lsequeir on Feb 09, '10 02:42:15AM
"To me the point of the /users/shared folder is a mystery given that it doesn't really enable sharing of files outside of 'read only'. Seems practically impossible for a multi-user mac to share photos or tunes, which I would THINK would be a very common need. My only solution so far is to host the iPhoto (and iTunes --same issue with modifying mp3 tags) libraries on an EXTERNAL drive set to ignore permissions. Which defeated my purpose of buying a new iMac with a 2TB internal drive."

That is one good reason to partition the drive. All my macs have at least one other partition besides the system partition in the internal drive. You could easily partition the 2TB drive in such a way as to have, say, a MEDIA partition, ignoring permissions, where the iTunes and iPhoto (and, say, EyeTV...) libraries could reside and be shared. The usual restriction of having one user at a time running one of these applications still applies, but this is by far the easiest way to do it.
---
Luís


[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: Sesquipedalian on Feb 05, '10 12:52:57PM
This method is interesting, but it is complicated and it definitely has some drawbacks (as the original hint describes). Instead, if inherited ACLs are not doing the job for you, I suggest using a Launch Agent to update permissions in the shared folder automatically.

First, create a new plain text file named info.stovell.MakeSharedReallyShared.plist on your desktop with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>info.stovell.MakeSharedReallyShared</string>
	<key>ProgramArguments</key>
	<array>
		<string>find</string>
		<string>/Users/Shared</string>
		<string>!</string>
		<string>-perm</string>
		<string>777</string>
		<string>-exec</string>
		<string>chmod</string>
		<string>777</string>
		<string>{}</string>
		<string>;</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>3600</integer>
	<key>WatchPaths</key>
	<array>
		<string>/Users/Shared</string>
	</array>
</dict>
</plist>

Then move the file to /Library/LaunchAgents. You will need to enter your administrator password to complete the move.

Finally, either log out and log back in, or just enter the following command into Terminal:

launchctl load /Library/LaunchAgents/info.stovell.MakeSharedReallyShared.plist

A bit of explanation:

Whenever the contents of /Users/Shared are modified, and once every hour (3600 seconds), this launch agent will run a command that finds all files or folders in /Users/Shared that do not have full permissions for everyone, and sets the permissions on those files so that everyone does have full permissions.

Note that the launch agent is triggered any time something changes within /Users/Shared itself, but not if something changes in a file within a subfolder of /Users/Shared. That is why the launch agent also runs once every hour, so that it can catch any files that may have recently been added in a subfolder somewhere. If you want to change the frequency at which the command runs, just change the 3600 to another number (e.g. 900 for every 15 mins, 86400 for every 24 hrs).

[ Reply to This | # ]

Make a folder read-write for all users without using ACLs
Authored by: DrivingHome on Feb 11, '10 04:14:00AM
I went one step further, since I was having problems with ownership that was preventing this from working properly. I'd tried the chmod -R and chown -R in crontab, but found that my time machine backups were massive every night. Because this is only touching the files that have the wrong permission/ownership, it's much better.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.Pictures.fixsharedownership</string>
	<key>UserName</key>
	<string>root</string>
	<key>ProgramArguments</key>
	<array>
		<string>find</string>
		<string>/Users/Shared/Pictures</string>
		<string>(</string>
		<string>!</string>
		<string>-user</string>
		<string>myusername</string>
		<string>-or</string>
		<string>!</string>
		<string>-group</string>
		<string>mygroupname</string>
		<string>)</string>
		<string>-exec</string>
		<string>chown</string>
		<string>myusername:mygroupname</string>
		<string>{}</string>
		<string>;</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>3631</integer>
	<key>WatchPaths</key>
	<array>
		<string>/Users/Shared/Pictures</string>
	</array>
</dict>
</plist>
Note the brackets that set the precedence of the or operator; otherwise it doesn't work. This together with a similar plist file to the one above for permissions goes in the LaunchDaemons directory as we need it to be always run by root. I decided to use consecutive prime numbers for the interval to ensure they're not always running at the same time. In actual fact, I have 6 of these launch daemons running, 2 for shared Music, 2 for shared Pictures and 2 for shared Documents.

[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: michaelw on Jul 15, '10 08:29:42AM

Still would like more detail about how the Launch Agent solution works, and the improvements of the second solution.

Also, is there a simple way in the command syntax of these scripts to exclude a specific folder?



[ Reply to This | # ]
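
An added example, not posted by any commenter above: the permission sweep from the two launchd jobs with one subfolder excluded through -prune, and with the tests grouped in brackets as the second comment describes. It differs from the posted commands in two ways that are choices of this example: only regular files and folders are handed to chmod, so a symlink inside the shared folder never causes a change to the file it points at, and it uses -perm -777 with chmod a+rwx so that an existing sticky bit on a folder is kept. All paths are constructed demo paths.

```shell
#!/bin/sh
# Added example (not from the comments): permission sweep with an excluded
# subfolder, grouped tests, and symlinks left alone.

# open_up ROOT [EXCLUDE]
#   -path EXCLUDE -prune      do not descend into the excluded folder
#   \( -type f -o -type d \)  brackets group the two type tests so the tests
#                             after them apply to both; symlinks match neither
#   ! -perm -777              only entries still missing one of the rwx bits
#   chmod a+rwx               adds the bits; unlike chmod 777 it does not
#                             clear a sticky bit that is already set
open_up() {
    find "$1" \
        -path "${2:-}" -prune -o \
        \( -type f -o -type d \) ! -perm -777 \
        -exec chmod a+rwx {} +
}

# Symbolic mode string of a path, e.g. -rw-r--r--
mode_of() { ls -ldn "$1" | cut -c1-10; }

# Constructed demo tree (throwaway paths, not real shared folders).
demo=$(mktemp -d "${TMPDIR:-/tmp}/shared-demo.XXXXXX")
mkdir -p "$demo/Shared/Pictures" "$demo/Shared/Private"
touch "$demo/Shared/Pictures/a.jpg" "$demo/Shared/Private/notes.txt"
chmod 644 "$demo/Shared/Pictures/a.jpg" "$demo/Shared/Private/notes.txt"
open_up "$demo/Shared" "$demo/Shared/Private"
echo "Pictures/a.jpg:    $(mode_of "$demo/Shared/Pictures/a.jpg")"
echo "Private/notes.txt: $(mode_of "$demo/Shared/Private/notes.txt")"
rm -rf "$demo"
```

In a launchd plist each word of the find command becomes its own string element, and the brackets are written without the backslashes because no shell is involved.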
Make a folder read-write for all users without using ACLs
Authored by: snowdog on Feb 05, '10 12:53:46PM

Couldn't get this to work under 10.6.2. Finder asks me to authenticate when I try to copy a file to "/users/shared/mnt". A get info on mnt shows that "everyone" has read access only.
I put the original directory into "/var" instead of "/var/root", could that have made the difference?



[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: V.K. on Feb 05, '10 01:38:38PM

sorry, can't explain that. I tested this repeatedly and it works for me.
putting the folder in /var is ok. you can put it anywhere. just make sure you specify full path in the /etc/shared_folder file. you can't use symbolic links there so the path should be /private/var/mnt not /var/mnt.



[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: snowdog on Feb 05, '10 02:56:24PM

Ok, got it working. Just changed protection on the "mnt" directory to rwx for everyone.



[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: KenS on Feb 10, '10 07:29:14AM

It makes me sad to think that the collaborative work environment once promoted by Apple with Macintosh has been deprecated in favor of the abyss of ACLs, ACEs, POSIX inherit permissions, etc.



[ Reply to This | # ]
How does one mount an NFS volume on a local network?
Authored by: apta on Feb 14, '10 02:15:13AM

I followed the instructions and got the NFS volume to show up as described. I would now like to share it on a LAN so that an OS 10.4 Mac can access it.

Can someone point me on how to do this, preferably so that the NFS volume mounts automatically on the 10.4 Mac?

Thanks!



[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: humpalumpa on Feb 14, '10 02:35:56AM

I just don't understand all of your hassles and tweaks.
It's so simple to do:
DO NOT use a shared folder.
Use a shared DISK IMAGE instead.
Disable ownership on this volume and things are fine.
No problems, no restrictions, no complicated setups.



[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: apta on Feb 14, '10 10:12:31PM

The sparse disk image idea is great but not really practical if the folder to be shared already contains 50GB of data.



[ Reply to This | # ]
Make a folder read-write for all users without using ACLs
Authored by: michaelw on Jul 14, '10 02:43:51PM

DrivingHome: could you please supply a bit more detail on your method? Are you changing ownership to the user that is logged in? Does the username field have to be replaced with an actual name, or are the scripts good as is? Why two scripts for those folders: are you making this work for two users and putting the script in their individual Library folders?



[ Reply to This | # ]