12.10. Permissions

A factory-fresh installation of Mac OS X offers one way for you to submit files to somebody else (that person's Public folder), one way to accept files from other people (your Drop Box folder), and one community folder that's available to all account holders on a single Mac (the Shared folder). These limits are the most visible aspect of Mac OS X's access privileges system, a fairly rigid scheme of permissions that lets you control how much freedom your fellow account holders (and network visitors) have to view and edit the files on your Mac.

Most people are perfectly content with Apple's proposed permissions setup: Account holders have access only to their own stuff, with the exception of the Shared, Public, and Drop Box folders. If you're in that category, skip ahead a few pages and rejoice; the business of changing the permissions for certain folders can be complex and brain-bending.

But there are benefits to learning about permissions. Maybe you'd like to create some other folders in your Home folder that other account holders are allowed to open.

Permissions also protect your folders from across the network. For example, you could seal off your Public folder so that people can't see what's inside. Or, for added convenience, maybe you'd like to set up some additional drop box folders, or other "public" folders, for your co-workers' use from across the network.

Here's a quick summary of some typical setups. In each case, you can't make changes unless either (a) you have an Administrator account or (b) it's a folder that you own (it's in your Home folder, or you created it).

12.10.1. Three Common Scenarios

To adjust a file or folder's permission settings, begin by highlighting the icon in question and choosing File → Get Info.


Tip: You can also change the permissions for many folders at once. Just highlight all of them, and then, while pressing the Option key, choose File → Show Inspector.

Expand the Ownership & Permissions section, and then the Details section. Click the tiny padlock icon. When you actually make a change, you'll be asked to prove your worthiness as an administrator by typing your password.


Tip: At this point, an administrator can change the ownership of the folder just by choosing another name from the Owner pop-up menu. In other words, any administrator can seize full access to every folder in every account, blasting right past those red "Do not go here" symbols. Better be good, you Standard account-holding boys and girls!

Now you can use the Access pop-up menus as follows:

  • Full access by everybody. If you want to turn one of your folders into one that resembles the Shared folder (full free access by anyone with an account), set up its Get Info window like the one shown at left in Figure 12-14.

  • Give, but don't take. To make another folder work like your Drop Box folder (people can put things in, but can't actually open the folder), set things up as shown at middle in Figure 12-14.


    Tip: Remember that people can't put anything into a new Drop Box-type folder if they can't get to it. Make sure you've turned on "Read" access for whatever folder it's in. (Making a Drop Box folder in your Documents folder, for example, won't work, because nobody else is allowed to open your Documents folder to begin with.)
  • Look, but don't touch. You can also turn any of your folders into another Public-type, "bulletin board" folder. People can open or copy files from inside, but they can't put anything in or save any changes they make.

You'll realize the importance of mastering these various access permissions when you get a load of this startling fact: Unless you intervene, everybody else who uses this Mac can peek into everything in every new folder you create (unless it's inside a folder that is, itself, off-limits). Technically speaking, every new folder springs into existence with read-only permissions for everyone. They're allowed to open or copy anything inside.

Figure 12-14. Set the three pop-up menus as shown for three typical configurations for folders you create: a Shared-type folder (left), a drop-box folder, and the "bulletin board" folder. Click "Apply to enclosed items," if you like. Finally, close the Get Info window.


The bottom line: As you type the title of a new folder that you'd prefer to keep private (Salaries 2007 or My Spicy Dreams Journal, let's say), remember to use the File → Get Info routine to change the new folder's Group setting to Nobody, and its Others setting to No Access.

(Even so, remember that anyone with an Administrator account can blow your intentions to smithereens. Such people can, at any time, override your ownership and permission settings, even making your folders off-limits to you, if they so desire. That's what you get for using a Mac that you've allowed somebody else to set up for you.)

12.10.2. Advanced Permissions Settings

The three common scenarios described above will get most people where they need to go, but there's a lot more power lurking within each file or folder's Get Info (or Show Inspector) dialog box. They're hiding within those pop-up menus labeled Owner, Group, and Others.

More on these designations in a moment. For now, note that these three pop-up menus contain identical commands. They let you specify what you, the other people who've been put into your work group, and the entire network community can do with this document or folder:

POWER USERS CLINIC
Creating Groups

As noted in this chapter, changing permissions settings on a networked Mac, or one with a lot of account holders, is a lot easier if you sweep all your minions into subsets called groups. They might be called Marketing, Finance, and Creative, for example, or Adults, Children, and Animals.

This process requires a program called NetInfo Manager, which is in your Applications → Utilities folder. NetInfo Manager is an extremely technical program designed for network administrators with years of training and a vested pension plan. Veering off the instructional path detailed in this box could, in theory, get your Mac in trouble.

All right then: Open NetInfo Manager. Click the tiny padlock in the lower-left corner. When prompted, type in your administrator's name and password, and then click OK. The Mac is just making sure that somebody with a clue is at the helm.

NetInfo presents a staggering array of network-related variables. In the second column, click the one called groups.

The next column to the right lists all the canned groups that come with Mac OS X: admin, bin, daemon, kmem, and so on. These terms aren't closely related to English, but Unix names were designed primarily for efficiency in typing.

The easiest way to create a new group is to duplicate one of the existing groups. Click "admin" in the list of groups, and then click the Duplicate button at the top of the window. Now click Duplicate in the confirmation message.

The copy, called "admin copy," is highlighted, and a few bits of information about it appear at the bottom of the window. One of them, in the Property column, says name.

Double-click "admin copy" at the bottom of the window, in the Value(s) column. Type the new name for your group and then press Enter.

You've just created and named a new group. But to help Mac OS X keep this one separate from the others, you also need to give it a new group ID number, abbreviated gid in Unix-ese.

If the gid value (at the bottom of the window) isn't already highlighted, double-click it. Then type 200 and press Enter. (The actual number doesn't matter, except that it can't be the same as any of the other groups' IDs. The pre-existing ones are all under 100, so you should be in good shape.)

Now you need to make sure that the right people belong to this group. In the middle of the window, click the users row without expanding it. Choose Directory → Insert Value (or press Option-⌘-I).

The users row now expands, revealing individual rows for each account holder who already belongs to this group. A new_value box waits for you to type in the name of somebody you've created an account for. (Sorry, efficiency fans, there's no simple pop-up list of the accounts on your Mac; NetInfo Manager assumes that you can remember the precise name and capitalization of every account.)

Type the short account name (Section 12.2) of the person you want to add to this group, and then press Enter. Repeat the Directory → Insert Value step for each additional account holder you want to add. (You can also delete someone from this group by highlighting the appropriate row and then choosing Directory → Delete Value.)

When you're finished adding people, save your changes (Domain → Save Changes), and click "Update this copy" in the confirmation dialog box. Quit NetInfo Manager.

At the moment, you've got yourself a properly defined group, but this information is just kicking around in Mac OS X's head without any practical value. The next step is to tell Mac OS X which files and folders are the private stomping grounds of this group, as described on the next page.

Incidentally, if you're going to be spending a lot of time creating and managing groups, check out a program called SharePoints (available from this book's "Missing CD" page at www.missingmanuals.com). It's a big timesaver.


  • If you choose No Access, then you're a network tease: your co-workers may be able to see the folder, but its name and icon are dimmed and unavailable.

  • The Read only option lets other people open the folder, open the files inside, or copy the files inside; however, they can't put anything new into the folder, nor save changes to files they find there. Set up a folder like this as a distribution point for newsletters, standard logos, or other company information. Or turn this on for a document that you want people to be able to read but not edit.

  • The Write only (Drop Box) option is available only for folders. Turn it on if you want your co-workers to be able to see the folder, but not open it. All they can do is copy files into it. (Your own Drop Box, which Mac OS X creates automatically in your Home → Public folder, works this way, too.)

    This option is useful for setting up a place where people can put documents that are intended for your eyes only. Think students turning in homework, underlings turning in quarterly reports, and so on.

  • Finally, choose Read & Write if you'd like your colleagues to have full access to the folder. They can do anything with the files inside, including trashing them.


Note: Whenever you adjust the permissions for a folder like this, remember to take into account the permissions of the folder it's in (that is, its parent folder). No matter how exquisitely you set up a drop box folder, for example, nobody will even know it's there unless it's inside a folder for which you've turned on at least "Read only" access.
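The three folder setups from "Three Common Scenarios" and the four Access levels above are, underneath the Finder, ordinary Unix permission bits. The following shell script is an added example (not from the book) that applies each Get Info choice as the bits the Finder sets (Read & Write = rwx, Read only = r-x, Write only (Drop Box) = -wx, No Access = ---) and then checks the point made in the Note: whether every enclosing folder lets "Others" see and enter it. The function names and the folder layout are the example's own.

```shell
#!/bin/sh
# Added example: Finder Get Info access levels as Unix permission bits.

# Map one Access pop-up menu choice to the octal digit the Finder would set.
access_digit() {
  case "$1" in
    "Read & Write")          echo 7 ;;   # rwx
    "Read only")             echo 5 ;;   # r-x: list, open, copy
    "Write only (Drop Box)") echo 3 ;;   # -wx: enter and add, but not list
    "No Access")             echo 0 ;;   # ---
    *) printf 'unknown access level: %s\n' "$1" >&2; return 1 ;;
  esac
}

# make_folder DIR OWNER_ACCESS GROUP_ACCESS OTHERS_ACCESS
# Creates DIR (if needed) and applies the three pop-up menu choices at once.
make_folder() {
  u=$(access_digit "$2") && g=$(access_digit "$3") && o=$(access_digit "$4") || return 1
  mkdir -p "$1" && chmod "$u$g$o" "$1"
}

# folder_mode DIR: the nine rwx characters, taken from ls so it works on
# both macOS and Linux (stat's flags differ between the two).
folder_mode() {
  ls -ld "$1" | cut -c2-10
}

# parents_visible ROOT DIR: succeeds only if every folder strictly between
# ROOT and DIR gives "Others" both r (see DIR's name) and x (pass through).
# This is the Note's rule: a drop box nobody can reach is useless.
parents_visible() {
  root=$1
  dir=$(dirname "$2")
  while [ "$dir" != "$root" ] && [ "$dir" != / ]; do
    case "$(folder_mode "$dir")" in
      *r?x) ;;          # last triplet (Others) has r and x
      *) return 1 ;;
    esac
    dir=$(dirname "$dir")
  done
  [ "$dir" = "$root" ]
}
```

Run the functions against a scratch folder standing in for your Home folder; a drop box inside a folder set to No Access fails the `parents_visible` check, while one inside a Read only folder passes.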

12.10.3. Owners and Groups

But wait. Just when you thought this permissions business might be easy enough for you to grasp without that long-postponed Ph.D. in astrophysics, it gets more complicated.

It turns out that you can assign these different levels of freedom to different subsets of people on your network or among the account holders. That's why there are three different pop-up menus:

  • Owner. That's you.

    Of course, ordinarily, you have full access (Read & Write) to all of your folders. You can put anything into them, take anything out of them, and do whatever you like with them. But if you feel the need to protect yourself from your own destructive instincts, you can actually limit your own access to certain folders. For example, you can turn one into a drop box using this pop-up menu.

    If you're an administrator, in fact, you can do more than specify how much access you have. You can actually change the owner, so that somebody else has control over this icon.

    To make this change, click the padlock icon, and then choose a new owner from the Owner pop-up menu.

    This is an unbelievably sweeping power. It means that you can tread roughshod over everyone else's stuff, blowing away all of the usual Mac OS X account-security mechanisms. If you feel like trashing all the files of everyone else who uses this Mac, you can do it. You, after all, are Administrator, God of the Mac. (This, by the way, is a good argument for limiting the number of people who have Administrator accounts. Remember, they can do the same thing to you.)

    In any case, as soon as you choose a new owner from the pop-up menu, you're asked for your account password. Type it, and then click OK.

    Now you can not only change who the owner is, but you can also use the Owner Access pop-up menu to specify how much access that person has to the selected file or folder.

  • Group. As your accounts and networking setups become more complex, being able to work with subsets of the people on your network, groups, can be a great timesaver. For example, you might create groups called Marketing, Temps, and Executives. Later, you can permit an entire group of these people access to a particular file, folder, or disk in one fell swoop. (Groups are also the key to letting Standard account holders on your network see and access secondary drives on your Mac OS X computer.)

    Mac OS X offers no easy mechanism for setting up such groups. (There is a complicated way, however, which is described in the box on Section 12.10.2.)

    Mac OS X, however, comes with a whole bunch of canned, prefab groups. If you're an administrator, for example, you belong to the admin group, among others. (If you're a mere peon, a Standard account holder, you probably belong to only one group, which is named after you and created automatically along with your account.) The other group names here, such as dialer, guest, and mail, exist for the benefit of network administrators and for Mac OS X itself.

    If you have a Standard account, you can't change the Group pop-up menu. Using the Group Access pop-up menu, however, you can change how much access everyone in your group has to the file or folder. (Again, though, nobody else is in your group unless some network Einstein has done some tinkering under the hood.)

    If you're an administrator, you can make a selected file or folder available to any other group (and then, by using the Access pop-up menu beneath it, specify that group's degree of access). Once again, you're asked to prove your worthiness by entering your administrator password.

  • Others. So far, you've specified how much access the owner of this icon has, and how much access one favored group gets to it. But what about everyone else?

    They are the Others, of course. This pop-up menu specifies how much freedom everybody else, including guests, has to the selected file or folder. Needless to say, if security is an issue where you work, you may not want to set the Others pop-up menu to permit full access.


Note: You can't give "Others" more access to the folder than you gave the Group people, only the same degree of freedom, or less. For example, you can't give Read & Write access to a folder to Others, but give your own administrator group only Drop Box access.

If you want the change to affect all the folders inside the selected disk or folder in the same way, click "Apply to enclosed items." In the confirmation box, click OK.

In any case, close the Info window when you're finished. You've just fooled around with some high-powered Unix mojo, without even knowing it.

Mac OS X. The Missing Manual
Mac OS X Snow Leopard: The Missing Manual (Missing Manuals)
ISBN: 0596153287
Year: 2005
Pages: 506
Authors: David Pogue
