[HOWTO] Make the Shared directory behave as a truly shared directory.

[coolgrafix]

Many users wish to be able to collaborate with their fellow users by sharing files hosted on a central workstation or server. With Mac OS X this isn't as easy as it may sound due to multi-user permission safeguards. This HOW-TO shows how to set up a Mac OS X 10.2.3 workstation to have it's Shared folder available to any user in the "staff" group, whether they log into the machine remotely for file sharing or if they log into the machine directly. This HOW-TO assumes that the machine is a new installation and that the Shared folder is empty.[list=1][*]All users who expect to have access to /Users/Shared/ must be in the "staff" group. They will be members of this group by default if added as OS X users through the GUI.
[*]/Users/Shared/ must be owned by the group "staff". To make this change, execute the following command from the Terminal:

sudo chgrp staff /Users/Shared
[*]/Users/Shared/ must have Read and Write access for its group "staff". By default it has "Read only" access for its group. This change must be made from the Terminal. To make this change, execute the following command from the Terminal:

sudo chmod g+w /Users/Shared
[*]/Users/Shared/ must have the "sticky bit" turned off. To make this change, execute the following command from the Terminal:

sudo chmod u-t /Users/Shared
[*]Each file by default needs to have group write permissions. This is not the way Mac OS X 10.2.3 ships. To change this default behavior, do the following:

a) You'll need to edit the /etc/rc file by executing the following command from the Terminal:

sudo pico /etc/rc

b) This will bring up the PICO text editor in your Terminal. You may need to provide an administrator password if prompted for one.

c) Next, scroll to the bottom of the file using PICO's built-in shortcut, Control-V. The end of the document will look something like this:

Code:

      # Set language from CDIS.custom - assumes this is parse-able by sh
      . /var/log/CDIS.custom
      export LANGUAGE

      SystemStarter -g ${VerboseFlag} ${SafeBoot}

      exit 0

d) You need to add the following command after the line with "export LANGUAGE". Use the arrow keys to move as needed and hit return to insert some lines:

umask 002

The resulting file will have an ending similar to this:

Code:

      # Set language from CDIS.custom - assumes this is parse-able by sh
      . /var/log/CDIS.custom
      export LANGUAGE

      umask 002

      SystemStarter -g ${VerboseFlag} ${SafeBoot}

      exit 0

It's important to have the "umask" line directly before the "SystemStarter" line.

e) Now you need to save the file. Hit Control-O to save the file. You'll have to confirm the name by hitting return.

f) Next, hit Control-X to leave the program.
[*]If you wish to share /Users/Shared with Windows users via SMB/CIFS (Windows file sharing) you'll need to set up /Users/Shared for SMB sharing and also enable group access for that share. To make this change, do the following:

a) You'll need to edit /etc/smb.conf by executing the following command from the Terminal:

sudo pico /etc/smb.conf

b) This will bring up the PICO text editor in your Terminal. You may need to provide an administrator password if prompted for one.

c) Next, scroll to the part of this file that begins with "[global]". It will look something like this:

Code:

    [global]
      client code page = 437
      coding system = utf8
      guest account = unknown
      encrypt passwords = yes

d) You need to add the following command after the line with "encrypt passwords = yes". Use the arrow keys to move as needed and hit return to insert some lines:

create mask = 0774

The resulting change will look similar to this:

Code:

    [global]
      client code page = 437
      coding system = utf8
      guest account = unknown
      encrypt passwords = yes
      create mask = 0774

e) Next, you need to set up the shared folder itself. Add the following code after the "create mask" line:

[Shared]
writeable = Yes
path = /Users/Shared
guest ok = Yes

The resulting change will look similar to this:

Code:

    [global]
      client code page = 437
      coding system = utf8
      guest account = unknown
      encrypt passwords = yes
      create mask = 0774
      
    [Shared]
      writeable = Yes
      path = /Users/Shared
      guest ok = Yes

Note: The name of the Windows share will be "Shared" in this case because that's how we declared it with "[Shared]".

e) Optionally, you could apply a variety of settings at this point to your smb.conf file's [global] section. Here are a few to consider:

Code:

      veto files = Temporary Items/Desktop */TheFindByContentFolder/\
      TheVolumeSettingsFolder/Network */
      hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/Icon*/
      hide dot files = yes
      workgroup = WORKGROUP
      netbios name = NETBIOSNAME
      server string = MyServer

Substitute your own values for WORKGROUP, NETBIOSNAME, and MyServer. Note that the \ character acts as a line continuation. See http://us1.samba.org/samba/docs/man/smb.conf.5.html for complete documentation of these directives.

f) Now you need to save the file. Hit Control-O to save the file. You'll have to confirm the name by hitting return.

g) Next, hit Control-X to leave the program.

h) Enable Windows file sharing (if not already on) in the Sharing preference panel of System Preferences.
[*]You may wish at this point to set certain users' home directories to be /Users/Shared/ itself, thus preventing confusion when logging in through file sharing.* This can be done from the GUI with the NetInfo Manager utility, found in /Applications/Utilities/. This is not advised, as problems can arise if one of the users logged in at the workstation itself; the users would all be sharing the same home directory, preferences, etc. However, if interested, follow the following steps from NetInfo Manager:

a) If the lock icon is closed, click it and provide an administrator password.

b) You will be presented with a four-paned window: three panes across the top, and across the bottom. In the upper left-most pane, click the slash symbol ("/") if it is not already selected.

c) A list will appear in the upper middle pane. Click the "users" item from this list.

d) A list of users will appear in the upper right-most pane. Select a user to modify by clicking the user's name.

e) A list of properties and values will appear in the bottom pane. Scroll down the list until you see the "home" property. Double-click on home's value, which should be in the form "/Users/username".

f) Change this value to "/Users/Shared", omitting the quotes.

g) Save these changes by hitting Command-S, or choosing Save Changes under the Domain menu at the top of the screen.

h) You will be asked to confirm the modification. Click "Update this copy" to continue.

i) Repeat steps d - h for each user you wish to modify.

j) Click the lock to insure no further changes are made.

* NOTE: A preferred method would be to install a second hard drive, or repartition an existing one, and set up the new drive in a similar manner as /Users/Shared/. In this case, each user would keep their separate home directories. The new volume would appear in their file sharing volume selection screen.
[*]Restart the machine.[/list=1]
To read up on all this yourself, check out the following links, provided by gatorparrots:

http://forums.osxfaq.com/viewtopic.php?t=3313
http://forums.osxfaq.com/viewtopic.php?t=3338
http://forums.osxfaq.com/viewtopic.php?t=1909

Comments, corrections, and improvements welcomed.

[gatorparrots]

Rather than use /Users/Shared as a basis for your shared directory, I suggest leaving it be with Apple's defaults and creating another directory (such as /public).

It is very possible that a future installer or system update or even the Repair Permissions function of Disk Utility will reverse any changes you make to the /Users/Shared directory. Using a different directory altogether (and even one outside of the usual /Users path) safely guards you from that possibility.

Also, some uncouth installers, such as the Wacom Tablet software, actually install items into /Users/Shared (instead of /Library or ~/Library)!!! At best this can be perceived as a cosmetic blemish; at worst, it opens you up to host of security problems or the possibility of another *unknowing* user accidentally deleting such software/preferences out of the shared directory.

[coolgrafix]

Excellent points.

In my particular situation, a small ad agency with Mac/Windows clients, I abandoned the notion of sharing the Shared folder entirely in favor of simply sharing a folder on the machine's second hard drive in a similar manner. The HOWTO doesn't cover this process, but the issues are largely the same.

[WeeZer51402]

why does the file creation mode need to be changed from 22 to 002 when the directory allready grants rwx access to the group?

[coolgrafix]

Weezer, it's been a long time since I researched/wrote this article, but if memory serves, just because the Shared folder has the desired permissions doesn't mean that new files created in it will inherit those permissions. Such was the behavior in 10.2.3, and I havne't researched this in any newer versions. The issues that Point 5 discusses can be researched independently by following the links at the end of the HOWTO. =)

Brad

[neo36]

i've got a question on this one:

having set up the Shared directory as the home directory for different users i discovered the following problem: when you delete users, os x moves everything the user own into the folder "Deleted Users". if the users home directory is "Shared", it get's moved, too. is there a way to avoid this?

[MacMuppet]

Great! Thanks, I've been pondering this recently as I share my machine with my girlfriend and we want to share things like documents, and especially iTunes and iPhoto libraries.
The original solution I came up with was to create a folder, change the permissions to 'unknown' (I didnt really understand the user groups at this time), and make sure 'others' had read and write access, and then dragging it to the top level of my Macintosh HD, leaving an alias to 'mutual folder' on the desktop, and then logging on as her, and getting an alias onto the desktop. Essentially I was trying to get a 'Drop Box' that wasnt 'write only' but could be used to easily transfer files from one to the other.
I think you'll agree this was rather a clunky and inelligant solution, and indeed I wasn't keen to have my iPhoto and iTunes anywahere that my girlfriend could write to (she's the opposite of technically minded).

I think I'll be having a bash at this when I get home....

[cyguy]

coolgraphix,
How much of solution applies to Panther?
What are your thoughts on adding the following to /Library/Preferences/.GlobalPreferences.plist

<key>NSUmask</key>
<integer>002</integer> or <integer>0</integer>

Thanx