Mastering Permissions and Accounts

Creating User Accounts

In order to create a new user account in Mac OS X, your own account must have admin access. You create new user accounts using Accounts panel of System Preferences; in the Accounts panel, you select the Users tab. (In versions of OS X prior to 10.2, Users was a separate preference panel.) To add a user, simply click the New User… button (you may be asked to authenticate before you can make any changes; if so, enter your username and password). A new user account info window will drop down (Figure 1.5) and you will be asked to complete the fields presented:

• Name The user's full name.

• Short Name A short version of the user's name; this will also be the name of their user folder in /Users.

• New Password The password you give the new account. If the account is for another person, they will be able to change it.

• Verify Enter the password a second time to verify it; if this field and the Password field do not match, you will be asked to type both over again until they match.

• Password Hint (optional) You can supply a hint for the given password in case the user forgets it. This hint will be shown only if you've selected the Show password hint… option in the Login Options tab.

• Picture You can choose a login picture for the account. If you have selected to display the Login window as a list of users (via the Login Options tab), each user's account will be represented by their full name and the picture selected here. You can choose a picture from the list, or you can choose your own custom picture by browsing your hard drive or dragging the picture to the window.

• Allow user to administer this computer If checked, the new user will have full admin access. Use this option sparingly and only with people you trust to do the right thing (and not to do the wrong things) with such access.

• Allow user to log in from Windows If you have Windows Sharing set up (for more details see Chapter 10), checking this box will allow the new user to connect to your computer from a Windows computer.

Figure 1.5: Creating a new user account

When you've finished, click the Save button to create the new user account. You'll notice that a new user account is visible in the Accounts window, and, if you check, you'll find that a new folder has been created in /Users, with the new user's short username as its title . If you log out, the new user (or you) can then log in under the new account.

There is one other thing left to do before the new account setup is complete. If the new user is not an admin user, you can also choose to restrict the user's abilities. To do so, click on the Capabilities… button. A new window is presented with a number of options (Figure 1.6). While most are self-explanatory, a few deserve a bit more attention.

Figure 1.6: Limiting the capabilities of a new user

• Use only these applications If this option is selected, you can control which applications in /Applications the user can access; which utilities in /Applications/Utilities the user can access; which OS 9 applications in /Applications (OS 9) the user can launch (if that folder is present on your Mac); and any other applications located elsewhere (Others). You can choose to allow or disallow each category, or you can click the disclosure triangle next to a category to select particular applications. In addition, you may find that some applications aren't listed; to add them to the list, click the Locate… button at the bottom of the window and browse your hard drive to find them. (This is also a good way to add applications stored on other partitions or volumes.)

• Simple Finder This option lets you provide extremely limited access along with a very simple interface (for children or users who are not very comfortable with computers). The Desktop will be completely empty (it will not even show the hard drive). The Apple menu will be limited to just two commands: Sleep and Log Out… The Dock will include only the Trash, the Finder, and three folders: My Applications, Documents (for saving documents), and Shared (the Shared user folder, for saving or opening shared documents). Clicking one of these folders in the Dock brings up a window in "button" mode—documents and applications are represented by large icons, and a single click opens or launches them. The contents of My Applications is defined by you, the administrator; when you select the Simple Finder option, the Use only these applications option in the Capabilities window changes to Show these applications in My Applications folder. Just as you could limit the applications available to a user in standard Finder mode, selecting applications here lets you choose whether or not the user even sees them. Finally, if you've allowed the user to open System Preferences, only a few of the panels will actually be accessible: the Personal panels, as well as Sound and Universal Access.

Editing User Accounts

Editing user accounts is also done using the Accounts panel of System Preferences. You simply select a user account, and then click either the Edit User... button or the Capabilities... button, depending on whether you want to edit the account itself or the user capabilities for that account. However, while this System Preferences panel is available to all users, how much of an account's settings can be modified depends on user level:

• Normal users Assuming an administrator has not limited their capabilities (as previously described), normal users can edit their password, their password hint, and their login picture. They cannot change their own capabilities, nor can they change their Name or Short Name.

• Admin users Users with admin status can edit all capabilities of other users, as well as every field in the Edit User… window except for Short Name.

Deleting User Accounts

At some point you may want to delete a user account. Perhaps the user is no longer employed at your company, maybe your friend or relative doesn't use your computer anymore, or maybe you've just been creating new accounts as an exercise as you've been reading this chapter. For whatever the reason, the need sometimes arises to wipe an account off of your computer.

Like creating and editing user accounts, deleting a user account starts in the Accounts pane of System Preferences. However, it doesn't end there. Since each account has its own home folder replete with settings, documents, and any other files or applications the user placed or saved there, deleting a user account runs the risk of losing anything inside that user's home folder. Luckily, as you'll see in a moment, OS X has a mechanism for avoiding this potentially problematic situation.

To delete a user account, first select the user you wish to delete and click the Delete User… button. As soon as you do so, a window will pop up asking if you're sure this is what you want to do. It also tells you that if you do delete the account, the contents of that user's home folder will "be put in a file in the Deleted Users folder" (Figure 1.7).

Figure 1.7: Deleting a user account

When you click OK, the account will be removed from the list of accounts. But what about that new file the warning box told you about? In the Finder, navigate to the /Users directory; in addition to the home folders of the user accounts that still exist on your computer, there is now a new folder, Deleted Users. Inside, you'll find a disk image called deletedusername.dmg (it's not actually called that, of course; deletedusername is the name of the user you just deleted). If you double click the file, Disk Copy will launch and mount the image in the Finder. The mounted disk contains the contents of the deleted user's home folder, so you, as the administrator, can copy any documents or files you or the previous user wish to preserve, burn to CD, or drop in another user's Public folder. Once you've done this, you can unmount the image, then trash the image file itself. At that point, the entire user account is gone forever.

Unfortunately, even though you can delete the image file, you can't delete the Deleted Users folder from the Finder, as it is technically owned by the root account. If you're a neat freak like me, and you really want to get rid of that folder, launch Terminal and type the following command (make sure you've checked the folder and you don't want anything inside, as this command will permanently delete it and any contents): sudo rm -rf '/Users/Deleted Users' <RETURN>. You'll be asked for your password; enter it and hit return. The folder is gone for good!

Temporary Root Access in Terminal: sudo

If you need to do something in Terminal that requires root access, there is a command called sudo (short for switch user and do or superuser do), only available to admin-level users, that provides temporary root access in the Terminal. Any commands you issue via the sudo command will be free of the restrictions that your user account usually has. There are actually a couple of ways to use the sudo command.

Run a Single Command Using sudo

By preceding a Terminal command with sudo, you actually run that command with root access. Before the command executes, you will be asked for your password (enter your personal account password) to authenticate. This is a useful procedure for moving or deleting a file that is owned by root. If this sounds familiar, it should—we used it earlier when we deleted the Deleted Users folder (Figure 1.8). The sudo command actually has a built-in "authentication timer"; once you've entered your password to authenticate the sudo command, you can continue to issue commands using sudo without being required to provide your password. However, once you've stopped using the sudo command for about five minutes, your authentication period expires, at which point you'll be back to your old, boring self.

Figure 1.8: Using sudo to execute the rm (remove) command on a protected file

Run an Entire Terminal Session as sudo

If you know you're going to be using a lot of commands that might need root access, you can tell Terminal to maintain your temporary root access until you exit the session. To do this, type: sudo -s <RETURN>. You will be asked for your password (enter your personal account password). Once you have authenticated your account, you will have root access until you end your session (by typing exit <RETURN>). What you will notice is that after issuing the sudo s command, instead of your Terminal prompt using your username, it will now say root# (Figure 1.9).

Figure 1.9: Running a Terminal session as root using sudo -s

Sudo Caution (not Pseudo Caution)

Because you have so much power when using sudo, make sure you type what you mean to type. Word processors can correct typos; Terminal can't. Terminal interprets commands literally; if you accidentally mistype something, and the mistyped command still works, it will be executed. Take, for example, the Terminal command we used earlier:

     sudo rm -rf '/Users/Deleted Users' <RETURN>

This command can also be written as:

     sudo rm -rf /Users/Deleted\ Users <RETURN>

I'll talk more about this in Chapter 15, "Utilizing UNIX", but for now, you'll have to trust me that the two are the same. Now, suppose that you accidentally type:

     sudo rm -rf / Users/Deleted\ Users <RETURN>

Notice the space between / and Users? Terminal notices, and the resulting command will erase your hard drive. I'm not kidding.

The moral of the story is: when using root access in Terminal, don't mistype. Or use rm -ri instead of rm -rf; the former will ask you to confirm each file it attempts to delete.

Temporarily Running Applications as Root

There are times when you'll want to do something using an application—edit a configuration file in a text editor, move a file or folder using a file utility—that you don't have the privileges to do from your own account. Because the only way, or the easiest way, to do these tasks is from within an application, you can't (or don't want to) use Terminal. You might think that the only way to do this is to enable the root account and then log in as root. But fortunately, OS X provides a way to temporarily run individual applications as root. You will still be logged in under your personal account, but the application itself will behave as if it is being run by the root account.

While it's possible to do this from Terminal, I much prefer using two of my "essential" OS X utilities: Snard (shareware, http://www.gideonsoftworks.com/) or Pseudo (shareware, http://personalpages.tds.net/~brian_hill/). Snard provides a menu (either in the menu bar or in the Dock) that does a number of useful things, one of which is opening an application as root (Figure 1.10). You choose Open App As Root… from the menu, navigate to the application you want to use, and then provide your username and password to authenticate as root.

Figure 1.10: Using Snard to launch (left) and authenticate (right) an application as root

Pseudo is a one-trick pony, but it does that trick very well. You can drag an application onto the Pseudo icon in the Finder or the Dock. You can also launch Pseudo, which provides you with a convenient launch window (Figure 1.11), or you can choose File ➣ Launch… from within Pseudo. Finally Pseudo lets you create Launch Documents that open a particular application as root when double-clicked. I have several of these documents for various applications I use frequently as root.

Figure 1.11: Using Pseudo to launch (left) and authenticate (right) an application as root

As an example of when this type of functionality might be useful, some advanced users customize the configuration of the built-in Apache web server in Mac OS X. One of the files used to do this is /private/etc/httpd/httpd.conf. This text file is owned by root, so even an admin user cannot edit it. Yet by launching a text editor, such as OS X's TechEdit or the commercial BBEdit Lite (http://www.barebones.com/products/bbedit_lite.html), as root, the file can be edited and saved.

As another example, many software installers ask for your admin-level username and password when you launch them. What is happening is that you are actually authenticating the installer to allow it to run as root so that it can install files where it needs to.

Enabling/Using the Root Account

If you can't do the things you need to do using the methods I've already covered, and you've read all my dire warnings, and you still want to enable the root account, here's how. (To be fair, there are a few tips in the book where it's either necessary or just easier to use the root account. I just want the seriousness of doing so to sink in.) Like many things in OS X, there are several ways to do it.

Logging In as Root

After you've enabled the root account, you'll probably want to do something really silly like… oh, logging in as root (just kidding about the "silly" part). To log in as root, first log out of your current account (or start up the machine if it's not already booted). At the login screen, depending on your settings in the Login Options tab of Accounts preferences, you'll see either a list of users, or a name and password field. If you see the name and password field, type in root as the username and the new root password you just created in the password field. If your computer is set up to show a list of users, the last user should now say Others… Clicking that button will give you a name/password window that you can use to log in.

Switching to Root for an Entire Terminal Session

If you've enabled the root account, you can actually log into a Terminal session as the root user. To do so, type: su <RETURN>. You will be asked for a password; instead of your adminlevel account password, this is the root account's password. Once you've provided it, you will be logged into Terminal as the root user until you end that session (type exit to return to your normal account in Terminal). For most users this method is identical to using sudo -s as described earlier except that the root user account itself must be enabled to use su. The main difference between in terms of what you can do is a small subset of advanced Terminal commands that can only be executed from the root account. If you have enabled the root account, logging into Terminal as the root user makes these commands available to you.

It is important to point out that when you use this method, although your home folder in the Finder is still /Users/yourusername, your home folder in the current Terminal session is instead the root account's home folder, located at /private/var/root.

I Forgot My Root Password!

So you've enabled the root account, but you seem to have forgotten the password. Fortunately (or unfortunately, if you're security-conscious), Apple has made it relatively easy for an admin-level user to reset the root account's password. Here are the two easiest ways to do so:

1. In Terminal, type sudo passwd root <RETURN>. If you haven't used sudo in the last few minutes, you'll be asked for your password to authenticate. Once the command runs, you'll see the following text:

        Changing password for root.
        New password:
        Retype new password:
   

   Type your new root password, then retype it to verify (if you don't type exactly the same thing, you'll have to do it over).

2. Boot from the Mac OS X Install CD. Once the OS X Installer appears, select Installer ➣ Reset Password.

Default Permissions

At this point you know what permissions are, but you may be wondering how a file or folder gets its privileges in the first place. Files and folders created by the OS are given various permissions based on where they are installed and the purpose of the enclosing folder (see "Why Are There So Many Copies of So Many Folders?" earlier in this chapter). However, for files created by users, the answer is much simpler. Files are owned by the user who created them (with Read & Write access), inherit the group of the enclosing folder, and provide Read-only access to other users.

Creating a file means saving it to disk, whether that's by saving a new document from within an application or by downloading a file from the Web. This act of creating is the key—moving a file from one folder to another retains its original permissions, but copying the same file changes its permissions, as illustrated by Figure 1.12.

Figure 1.12: A file's permissions change when it is copied

The original file was created by jennifer in /Users/jennifer/Documents, then moved by jennifer to /Users/jennifer/Public. Since I (as an "Other") had access to read the file, I copied it from jennifer's Public folder to my own Desktop. As you can see, the file's owner changed when I copied it. This change is important because it illustrates that if you don't want other users to be able to access your files, you need to put those files in a folder others cannot view (Read), or you need to change permissions to give other users No Access.

Changing Permissions

There are a number of reasons why you might want to change the permissions on a file, a folder, or even on a volume. Most users will at some point want to open up access to a file or folder so that others can use it, or restrict access to it so that no one else can view or open it. In addition, if you're an admin user, you'll inevitably be faced with a situation where you need to open, edit, move, copy, or delete a file or folder, but you can't because you "don't have permission." Admin users often find themselves in this position when they want to delete a file or folder, or when trying to work with files or folders in a location where they are generally not allowed (in the /System/Library folder, for example).

Thanks to improvements in the Finder under OS X 10.2 and later, there's no longer a need to use Terminal or third-party utilities to change permissions—you can do it all right from the Finder. Simply click the file or folder and then choose File ➣ Get Info (or press command+I). In the resulting Info window, click the disclosure triangle next to Ownership & Permissions to expose the permissions pane. You'll see the privilege information we talked about earlier in the chapter. What you can do here depends on your user level.

• Normal users Normal users can change the access level of all three privilege categories (Owner, Group, Others). However, they cannot change the owner or group a file belongs to. To change an access level, simply click the Access pop-up menu and choose the desired level of access (Figure 1.13). The new permissions apply immediately.

  
  Figure 1.13: Changing the level of access Others have for a file

• Admin users Admin users can change everything a normal user can change; in addition, they can change the owner and group to which a file, folder, or volume belongs. In order to modify these additional fields, you first need to click the closed padlock icon; the first time you do this you'll be asked to enter your username and password in order to authenticate your account. Then simply click the Owner or Group field and choose the desired owner or group from the pop-up menu. As a security precaution, if too much time has passed since the last time you authenticated, after making the change you'll be asked for your name and password again. (This extra security exists to prevent an ill-intentioned passerby from giving themselves access to your entire system if you step away from your computer.)

If you select a folder in the Finder and use the Get Info command, you'll see one additional option in the Owners & Permissions pane: a button that says "Apply to enclosed items…" Clicking this button will apply the permissions you've set for the folder to all items within that folder. I emphasized the word permissions because it does not propagate any changes you made to the owner or group settings. If you'd like to make such changes to the entire contents of a folder, you'll need to use Terminal.

Throughout the book, you'll find lots of places where I mention changing permissions. For example, file sharing, remote access, system security, and Finder troubleshooting are all topics that are privilege-related, and all may require you to use the Get Info window to change permissions. In fact, in just a few pages I'll be talking about groups and group permissions. Suffice it to say that being familiar with permissions and how to change them will serve you well, not just for the rest of this book, but in everyday use.

When Privileges Go Bad: Permissions Problems

There are a number of situations where you'll find that a file, a folder, or multiple files or folders have obtained incorrect permissions. Symptoms of such faulty privileges can include printing problems; problems launching applications (even if they've been installed in /Applications); problems connecting to the Internet; an inability to work with a file that you should be able to access; or slow system performance. A couple of specific examples are "type -192" errors when using Disk copy, and "type -108" errors when printing. Some of the causes for these types of problems are software installers that incorrectly change permissions; files' being moved, created, or installed while booted into Mac OS 9; disk problems or file corruption; or something as simple as user error (i.e., "oops, I didn't mean to change that"). Regardless of the cause, you'll want to change the permissions to the correct ones in order to set things right.

For individual files for which you know the correct privileges, the solution is as simple as opening a Get Info window and choosing the correct values (as described in "Changing Permissions" section). However, at times you'll find more serious permissions problems: multiple files with incorrect permissions, or system-level files for which you have no idea what the "correct" permissions should be. In these situations, more drastic action is needed. Luckily, Apple has provided the solution for these problems and, unlike in of OS X 10.2 and later, has included the tools both on your Mac OS X Install CD and right on your computer in the form of a new and improved Disk Utility application.

To repair permissions while booted into OS X, launch Disk Utility from the Finder (/Applications/Utilities/Disk Utility) and click on the First Aid tab in the main Disk Utility window (Figure 1.14). Select your Mac OS X volume in the disk/volume panel on the left, and then click the Repair Disk Permissions button in the First Aid panel on the right. You may be asked for your admin username and password for the process to proceed. This process will reset all system files and Apple-installed software to their original and correct permissions (which will probably take a while, especially on large volumes with lots of files). The only caveat to such a repair is that some third-party software installers purposely modify the file privileges of system-level files. If these altered permissions are necessary for the third-party software to work, you may experience problems with that particular third-party software.

Figure 1.14: Using Disk Utility to repair permissions

Although Apple recommends repairing permissions when booted into OS X, if a permissions problem is preventing your Mac from booting at all, you can also repair permissions from the OS X Install CD. To do so, reboot your computer from the CD (hold down the C key during startup). When the Installer screen appears, choose Installer ➣ Disk Utility. Run Repair Disk Permissions normally, and when it is finished, quit Disk Utility and then quit the Installer; this will restart your Mac.

Creating a Group

Apple's solution for creating and editing groups in OS X is NetInfo Manager. While this method isn't the most intuitive process, it works. You can also create and edit groups using the excellent donationware, SharePoints. I'll explain both methods here.