
Thread: File Sharing

  1. #1
    Join Date
    Jan 2001
    Location
    Austin, TX, Los Estados Unidos de Mac
    Posts
    672

    File Sharing

    I'm just now learning all the vagaries of File Sharing in OSX. We have five Macs here that used to all run OS 7, 8 or 9. Now we have one iMac that runs OSX. When I installed the software, I tried to set-up users in the control panel the way I had before, so that everyone else on the network could connect to the iMac and get to the graphic files I create there.

    I found instead that when someone connects to the iMac from another machine, they get put into that user's own folder and the only stuff they can see is what's in their folder. You can't use aliases to give them access to other folders, or even an external hard drive that I used to share with no problems.

    It's going to be a real pain in the ass if the only solution is for me to place a copy of whatever graphics I create for a particular person in their user folder. I try to maintain a hierarchy of folders that keep graphics with their particular projects, so anyone who needs to access a project folder can just go to the Projects folder and look through what they need. Am I no longer going to be able to do this with OSX?

  2. #2
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    9,122


    We'll make Jazzbo answer this one the easy way. But I believe that if you store those files in anyone's Public Folder they are available to everyone.

    Rick



    [This message has been edited by ricks (edited 07 February 2003).]

  3. #3
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    In the Sharing Preferences panel, if you switch on "Personal File Sharing", anyone who authenticates with the Mac OS X machine will be offered all users' Public folders for mount, as well as their own home directory.

    If you store everything you want to share in your Public folder, all they have to do is to select your account and, voila, they've got read-only access to everything, except for your globally-writeable Drop-Box folder inside Public (which they can write to but not read from).

    There are ways to set links in your other folders such that the real folder is under Public for general access but you can conveniently navigate via your Pictures, Documents, or whatever structures.

    You can also set up a generic, "service" account whose Public folder is dedicated to the sharing of team-used documents. (There are interesting security and concurrent-write issues to globally shared read/write-access. We can delve into that if you need it.) This is also an extremely useful way to have a Public folder available on a partition other than where you have your users' home directories, and so dedicate a volume to nearly nothing except sharing docs.

    In brief, define a new account in Accounts with a useful account name ('graphix') and descriptive long name ("Graphics Project"). Don't give it Admin privs and do give it a decently obscure password. Then, in NetInfo, switch its home directory to /Volumes/BigStore. Make a Public folder on BigStore and double check that it's writeable only by you (the owner). I can offer more coaching if you want to follow this path.

    Jazzbo


    [This message has been edited by Jazzbo (edited 07 February 2003).]

  4. #4
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    (After five or six false starts, I think I've finally got that last posting reading right. Sheesh!)

  5. #5
    Join Date
    Jan 2001
    Location
    Austin, TX, Los Estados Unidos de Mac
    Posts
    672


    Thank you very much Jazzbo. I do believe I'll need a small amount of coaching here, but since it's Saturday I'm gonna have to wait until Monday to try any of this. I was hoping someone would say "Oh, yeah, that's something lots of people get hung up on, here's the easy work-around to make everything just like it was before." Guess nothing can be "just like it was before" where OSX is concerned.

    In the meantime, here's the aspect I'd like to address first, whether or not it's do-able: The internal hard drive on the iMac is only 6GB, and it's divided in two by the OSX and OS9 volumes. Considering how much is taken up by both the OSX and OS9 systems, I don't have a whole lot of room to store the graphics we created in the recent past. Obviously some projects get backed-up and removed when they get old, but we still have a lot that needs to stay current, and they're stored on an external USB hard drive formatted in OS9. Can I set up a generic "service" account's Public folder on that drive?

  6. #6
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    Okay, I finally figured it all out. The drill's but slightly different than I'd thought, but basically lines up closely enough.

    1. In the Accounts preference panel, define the new service account. All I'm loading in here are samples I toyed with

    Short: graphix
    Long: Graphics Project
    Password: a strong pw unless we're going to disable it in NetInfo (see below)
    Not selected for Winders login nor for Admin access

    2. In NetInfo Manager (Apps->Utils->NetInfo Manager):

    a. Unlock using the icon in the bottom left corner.

    b. Open the "users" table, then the entry for your service account (graphix in my example).

    c. Change home directory to /Volumes/volname of the external drive

    Note: spaces are spaces, don't escape them with \ as you would in Terminal

    d. Change the password field to NP if you don't want it ever to be authenticated

    This is a cool trick. The string stored in NetInfo's password field is the result of encrypting the password against itself (eg. the password string is both encryption key and value) and attaching the "seed" number used in the encryption algorithm when storing the result in the passwd file. So if you store a string in there that cannot be generated by encryption, you have an account with no usable passwd. Any two-chars like 'NP' fall outside the algorithm, disabling authentication for this account while still retaining automatic system services based on it.

    e. Save and exit from NetInfo Manager

    3. As yourself (it's your computer, after all!), create a Public directory (folder) at the top of the other volume and drop a couple of files in there for testing purposes.

    4. Make sure Personal File Sharing is enabled in the Sharing prefs panel.

    Restart the computer to clear NetInfo and File Sharing tables. You might as well wait for the restart to finish and then login.

    The new graphix share will be presented on AFP connections (including Chooser based or afp: urls from other OS X hosts) by non-Admin accounts per your NetInfo database.

    NOTE: If you authenticate over AFP as an Admin user, you're presented with all Volumes and your home as available mounts. Since the graphix Public mount is inside one of those, the server won't list it independently of its parent volume which you, as an Admin user, own.

    Test: In Chooser on an OS9, select your machine and hit the radio button for "Guest" access when the authentication window comes up. You should see your new graphix account in the list. Select and mount it. Open up the newly-mounted graphix AFP disk and you should see the files we dropped in there for testing purposes. Drop your mount and go have a coffee break: all's complete.

    Loading: Henceforth, whatever you arrange in the external volume's Public directory is shared out on Guest and non-Admin authenticated AFP connections to your machine.

    Warning!! To get rid of a 'graphix' service account like the above, you want to change its home directory in NetInfo back to something innocuous first. What I do is to change it back to /Users/graphix, as it was when I used Accounts to create it. Then, exit NetInfo, for complete safety reboot the system, and then Delete the obsolete graphix account in the Accounts pref panel. Going through this longish drill makes sure that the external volume you were serving via this account's home directory setting isn't associated with the account when you delete it.

    Jazzbo


    [This message has been edited by Jazzbo (edited 08 February 2003).]

  7. #7
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    Bump. (That took substantive enough editing after the initial posting that I'm using this bump posting to warn anyone who read an earlier version to re-read it.)

  8. #8
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787


    Just wondering...

    Why not just install a new 7200 HD and forget the USB? If it is a 6G drive, that means it is at least 3 years old...as this sounds to be important production work, I would spend the 100 bucks for the speed and size increase.

    IMO, you will notice a difference in performance over the old OEM. Just "rebuilt" a bondi imac - new 40 gig 7200 HD, added RAM, new battery - and the user claims it is faster... USB is max 11M per second (probably more like 7-9), but you should get 20-30M per second on a new drive.

    Besides room for your work, OS X can use lots of room to stretch its legs, right J? If you partition, you can use something like CarbonCopyCloner to backup the important stuff automatically.

    Just a thought.

  9. #9
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    Yep, it's true that OS X likes a lot of disk space around. Especially when you run PShop or other intensive graphics programs. Disk space is gobbled up for virtual memory, not to mention PShop's management of workspace files.

    Jazzbo

  10. #10
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    9,122


    anarch,

    You partitioned a 6 gig and installed OSX? I don't know how you did that without making the OS9 partition tiny. My plain jane Jaguar installation occupies more than 4 gig of disk space with the installers apps and no users files at all. That doesn't leave much room on a non partitioned 6 gig drive.

    My very first thought is that you need a 20 or 40 gig internal drive for any growth potential at all. That size drive costs 50 or 60 bucks and would resolve the headroom issues. USB should have never been invented as far as hard drive connectability is concerned. 1.2 MB/sec max. Too slow for a CD burner let alone useful throughput for a hard drive. Having never hooked up a USB drive I have no idea the system limits of the bus but I would stand behind my original advice that an internal drive upgrade makes it moot.

    Best of luck on your project, glad Jazzbo is in the house to give real help.

    Rick

  11. #11
    Join Date
    Jan 2001
    Location
    Austin, TX, Los Estados Unidos de Mac
    Posts
    672


    Guys, would you all do me a big favor and kindly SHUT UP about how I'm not supposed to be able to run OSX with so little RAM and hard drive space?

    Seriously, I'm getting that feeling like I'm Bugs Bunny in a Looney Toon, and he walks off a cliff but doesn't fall, and someone says to him "You're defying the law of gravity!" and Bugs says, "Nyeah, I never studied law, doc!" As in- I'm able to do this because I didn't know I wasn't supposed to be able to do this. But I do appreciate everyone's suggestions to make this machine work better. I'll get to my reasons "why-not" in a minute...

    I divided the 6GB into even 3GB partitions. I can't remember how much room there is left on the OSX partition but it's enough for me to run Photoshop. I haven't tried the iApps yet, they might fail, but they aren't important to the job obviously. And I've already set up a half-dozen accounts and downloaded Safari, Chimera, Transmit and the Wacom tablet driver. Plus saved a small amount of work that I did in the past two weeks. I'll have to check my remaining hard drive space and get back to ya.

    As for why I don't upgrade the hard drive inside the iMac, there are a few reasons, none of them good enough on their own, but taken together they've set my mind against the idea, at least for the near future.

    1- I've taken apart a lot of Macs, but the iMac isn't one of them. Ordinarily I would relish the challenge of upgrading a machine I hadn't tried, but since this is a company machine... I was nervous enough upgrading the RAM in our Avid Media Composer's beige G3 last month.

    2- Buying a new hard drive is incredibly difficult with our company's new online PO procurement system. I was humongously stunned when I managed to convince them to open a MacWarehouse account last fall for the purpose of buying a new hard drive for my other graphics computer (which only had a 4GB). This soon after having bought one, they'd deny a request for another with extreme prejudice. Now, I could remove the one from the USB external case and reformat it to be the internal one. Not a bad idea, except for #1 above and #3 below...

    3- I got enough Mac upgrade projects going on right now as it is! This OSX installation, my first, was the final step in a lengthy process of backing up two entire Macs full of data at the office (the moderators have been reading those travails in the TechnoTribe forum). I'm finally able to turn my attention back to my personal projects- finishing a Mac I'm building for a friend, finishing another I'm building for my entertainment center (a multimedia station interfacing through my TV), and even trying to fix a floppy drive in an old Mac SE! As long as I don't have to, I want to spend as little time as possible getting this machine back to "the way it used to be", or at least as close as possible. I wanted OSX on it so I could finally get my feet wet with it, and use Photoshop 7, but I'm not in the mode yet where I feel the need to crank up this iMac to its max capability.

    And on top of all that- I want to try to spend more time here on these forums answering people's questions and less time asking my own!

    Which reminds me- I gotta tell you guys about my experience at the Apple Store Genius Bar today. Right after I read all the steps of Jazzbo's latest post...

  12. #12
    Join Date
    Jan 2001
    Location
    Austin, TX, Los Estados Unidos de Mac
    Posts
    672


    OK, after having studied that document for awhile- I think I understand enough of it to give this topic a rest for the rest of this weekend, and just wait until Monday when I go back to try all of this. Sounds like a very workable solution, thank you very much Jazzbo.

    I was at the Apple Store in Durham, NC today, because my lovely wife (whom I've always referred to on these boards as PeeCee Girl, for a self-explanatory reason) is actually considering buying an Apple product- albeit an iPod, for her first MP3 player. I'm trying to convince her to go with the regular version to connect to the multimedia station I'm building, instead of a Windows version for her computer, and at the moment I'm winning that argument (mostly because she doesn't want to spend $50 on a FireWire card).

    Anyhow, while she was browsing I went back to the Genius Bar to ask a guy about this very question we've been discussing. Partly to test him, partly to see if they said anything I hadn't heard yet. But his answer truly jarred me- he told me this was "definitely a billable service question"!

    Before I went into the store I'd considered asking them how they got to be "Apple Geniuses", for lack of a better title- do they take some kind of test? Can I give it a shot? You know, just to see where I stand. After his response I realized I had no interest in seeing if I could handle being an Apple Genius- I wouldn't! It would be impossible for me to do anything but answer any person's question to the best of my knowledge, or at least try to find out. Charge $75 to someone for asking a question as simple as mine? I thought these guys were there to help anybody and everybody who needed it regarding Apple machines. A little to his credit, he did suggest that I try the forums at Apple Support first, before I called Applecare. Still, it makes me wonder what kind of questions an Apple Genius is allowed to answer for free... "Um, where's the eject button for the DVD drive?"

    He also said that, off the top of his head, he didn't know how to do it.

  13. #13
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    It's such a shame you ain't got no Mac projects to keep ya busy! (R, r, r)

    In all fairness to an "Apple Genius", whatever that might mean, your question really is more of a pro- OS X Server deployment thing than a standard desktop-user thing, which is really the focus of the in-store techies.

    It took me over an hour to develop my strategy, do a preliminary write-up, decide I needed to test it, carry out six or seven cycles of config, test, fail, reconfig, test, fail, ..., test, succeed until I was certain that what I had was right, and then finally get the article rewritten to explain it (best as I can tell) clearly. And I don't consider myself a slouch at this stuff. (Humble, no? ) There's a lot more arcana behind it than I would expect from floor experts.

    Jazzbo

    [This message has been edited by Jazzbo (edited 08 February 2003).]

  14. #14
    Join Date
    Jan 2001
    Location
    Austin, TX, Los Estados Unidos de Mac
    Posts
    672


    Well then, I suppose I should apologize in absentia to the Apple Genius, and also thank you more profusely for all the work you've put into this Jazzbo.

    I guess I will have to plead "lack of understanding" on my part as to how difficult this would be to accomplish. The reason I had no idea how hard it would be is because, honestly, it was so MUCH easier to make this work in OS9. Go into Users&Groups, set up the users accounts, set the File Sharing permissions on the appropriate volume accordingly, I'm done.

    I understand Apple is much more concerned about security now, and that's the reason for the more involved process you had to come up with (again, mucho mondo thanks Jazzbo). It just seems to go against Apple's paradigm of simplicity in the Mac universe.

  15. #15
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    You hit the nail on the head spotting the "security" side of it.

    The Users&Groups implementation in OS9 was merely a convention overlaid onto a single-user OS, and offers no true user- and group-affiliation security. The Unix side of the move to OSX meant that this change in the paradigm gives us a true multi-user, multi-group file control mechanism.

    As simple as one wants to make it, at the fundamental file-access level, the Unix defenses remain intact, and that's why it's a lot more complex to design what, on the surface, sounds like a simple porting-forward of "simple" file-sharing in OS9. I think that most Mac users were surprised under OSX to have a password required when installing software on "their" Macs, but that's fundamental to Unix: there are assets only the "root" user can change, and it's requisite for authentication to be carried out.

    I certainly wasn't fishing for effusive thanks when I laid out what it took for me to come up with my suggestions (though I appreciate it and you're most welcome!). I wrote the process up mainly to expose its complexity in OSX's multi-user security environment.

    Besides the raw enjoyment I get from coming up with a candidate solution for you, it's something I've wanted to scope out for a few months now. Friend at work trying to do these things; eFriend trying 'em; deployment on my own home net; et cetera u.s.w. Besides the fact that you had a real, immediate need for a usable approach, the way you posed the question triggered the possible solution in my thinking. So instead of strapping on the Solo and spraying more weeds, I got to play with working it out!

    Anyhow, as regards in-store Genii, this particular task was deceptively complex. It "smells" easy, but it's not. It was as quick for me as it was partly because I've been on Unix almost as long as I've been on Macs. OSX married my two favorite OSes! It was not the first time I considered this one, but it was the first time I came up with a possible solution.

    Cheers!
    Jazzbo

    [This message has been edited by Jazzbo (edited 09 February 2003).]

  16. #16
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    9,122


    "It just seems to go against Apple's paradigm of simplicity in the Mac universe."

    Bill Gates copied that Universe and sold it to Ted Turner who donated it to the United Nations who used it as a test case to prove that war is obsolete. Apple had to start over.

    Rick

  17. #17
    Join Date
    Jan 2001
    Location
    Austin, TX, Los Estados Unidos de Mac
    Posts
    672


    quote:

    Bill Gates copied that Universe and sold it to Ted Turner who donated it to the United Nations who used it as a test case to prove that war is obsolete. Apple had to start over.



    You forgot Michael Jackson was involved in there somewhere. And what about the Illuminati?

    Jazzbo, your explanation of how the Unix chassis on which Mac OSX was built was a great reminder of how different everything is now, despite how similar it seems. I do have some moderate experience as a Unix administrator- actually IRIX, the OS for SGI machines- as we have an Indy that I use for animation. But it's a similar situation to the iMac- I'm the only true user, but others have to be able to access it over a network to retrieve files.

    In the SGI's case, I did something very similar to what you laid out for me- created one single "GrafxServer" account and let everyone FTP into that to get what they needed. However, I did not have to put everything I made for them in that account's directory (usr/people/GrafxServer)- once they logged in over FTP, they could access any directory I gave them permission to, including on an external hard drive.

    Eventually, however, I found a problem that really got in the way- if someone put a file in the graphics directory that I later wanted to delete, I didn't have permissions to do it- my user hadn't created the file, the GrafxServer user had. And if they uploaded a whole directory, I couldn't even write into that directory with my user. I always had to re-login as root. (I can't log in as root to use the animation software, I have to login as the user the software is permissioned to. It's really bizarre how the company (Chyron) created the license for this software).

    So eventually I just allowed everyone to login through FTP on the same account that I use for the animation software. That way, everything we create is under the same user, and I can do what I need to administrate what they create without logging out and logging back in.

    Of course, I recognize that this is the kludge that kludges kludge, and is extremely insecure. If I had any thoughts that one of the people who uses my graphics in our office might go in and muck around with stuff on the SGI, I'd make everyone log in under different passwords and restrict their access. Likewise for the iMac. In fact, before I installed OSX, I didn't make anyone use a password to access the iMac via File Sharing.

    The good thing is that everyone else in the office (who don't use my graphics) are all on Windows machines, most of them still running 95 (!), and usually have a hard time figuring out how to print stuff or save an attachment from email, so I have no fears that any of them would try and get into one of my machines. Sometimes I wonder about our corporate office in Baltimore, they've got a lot of IT people up there running the network for our offices, but I don't think even they have any real idea how to gain access to the Macs. It seems to me they've got their hands too full just keeping Novell running.

    You know, that's actually a good question- now that one Mac is running OSX, if someone out on the network really wanted to gain access to it, what could they do? I've only enabled Personal File Sharing.

    [This message has been edited by the_anarch (edited 09 February 2003).]

  18. #18
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    If FTP is still a good approach for your users, you can also enable that on OSX, by the way (cf. Sharing prefs). It wouldn't surprise me to find that if the client is Fetch on an OS9, it'll recognize the Mac nature of the filesystem on the OSX ftp server and transfer Mac files complete with resource forks. Or, it might spot the Unix nature of OSX instead and not work that way. Worth a quick testing run.

    --

    Did you ever play with setuid or setgid attributes in Unix? A neat trick in a shared Unix directory structure runs like:

    1. Make sure all valid users are affiliated with a specific group you define for file management in the shared area. Let's make one up and call it 'graphgrp'.

    In NetInfo, edit the groups table, define the group with a number not used elsewhere in the table, and add all the users into it.

    The easiest way to find out all the groups you have (on a standalone OSX) is nidump group . and just scan the report.

    The easiest way to set up a new group is to duplicate and modify an existing one. Use the 'guest', 'staff', or 'admin' group as your source, since they already have users defined in them, and the list of users is what you need to change and expand after renaming it 'graphgrp' and setting its numeric gid. Don't forget to include your own account in the new group!

    2. Set up the file ownership of the common work area to match that group. I'm going to assume that you have a disk volume named 'Graphics' that you want to share: chgrp -R graphgrp /Volumes/Graphics

    3. Make all files on the volume group-writeable: chmod -R g+w,o-w /Volumes/Graphics

    Note: this also makes all files unwriteable by users other than the owner and those in the group (the o-w part).

    4. Set the 'setgid' filemode bit for the volume: chmod g+s /Volumes/Graphics

    You either need to do all the above while logged into the desktop as root or you need to logout and back in after the NetInfo step of creating the new group and putting yourself in it.

    Time to test! Log in as yourself, copy a file into the volume, then check its permissions (Cmd-I in Finder will report it). It should be group-writeable and affiliated with the new group.

    ---

    All the above can be done to any directory, whether it's the top of a volume or not. Just replace "/Volumes/Graphics" in my sample commands above with the directory (folder) in question. Also, since it's down at the Unix file-access management level, it doesn't matter whether your users come in via ftp, scp, telnet, NFS, or any other method. I believe it'll provide the same group-write access via AFP, as well, but you'll have to apply it to the Public folder for it to do its thang.

    Final tweak: if you include the 'guest' user in the new group, I believe that Guest AFP access will *also* allow for writing files within the scheme.

    At this point, since you yourself are in the group, you can add/delete/modify files originally installed by any other user in the group: all files and directories will be writeable by anyone in the group. If you have resource areas where users should NOT be able to write, alongside group-writeable assets, we can lay that out, too.

    Jazzbo

    quote:
    Michael Jackson defenestrated the Sacred Chao.

    All Hail, Eris!

    The Mgt.



    [This message has been edited by Jazzbo (edited 09 February 2003).]
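
Added example (not part of the original thread or of Jazzbo's post): a shell audit for the shared-area scheme in post #18, checking that every entry carries the shared group, nothing is world-writable, everything is group-writable, and each directory has the setgid bit. The function names and the temporary stand-in for /Volumes/Graphics are assumptions; files created later under a umask such as 022 are reported as NOT-GROUP-WRITABLE, because the one-time chmod -R only touches what exists when it runs.

```shell
#!/bin/sh
# Added example; function names and the demo tree are hypothetical.

# audit_shared_tree DIR GROUP
# Prints one finding per line; returns 0 when the tree is clean, 1 otherwise.
# Symbolic links are skipped in the mode checks: their own mode bits do not
# control access to the file they point at.
audit_shared_tree() {
    a_dir=$1
    a_grp=$2
    a_report=$(
        # Step 2 (chgrp -R): every entry should belong to the shared group.
        find "$a_dir" ! -group "$a_grp" -print | sed 's/^/WRONG-GROUP /'
        # Step 3 (o-w): nothing may be writable by users outside owner and group.
        find "$a_dir" ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
        # Step 3 (g+w): group members must be able to modify every entry.
        find "$a_dir" ! -type l ! -perm -020 -print | sed 's/^/NOT-GROUP-WRITABLE /'
        # Step 4 (g+s): where group inheritance depends on the setgid bit
        # (Linux, for example), each directory needs it, not only the top one.
        find "$a_dir" -type d ! -perm -2000 -print | sed 's/^/DIR-NO-SETGID /'
    )
    if [ -n "$a_report" ]; then
        printf '%s\n' "$a_report"
        return 1
    fi
    return 0
}

# make_demo_tree
# Builds a constructed stand-in for /Volumes/Graphics under a temp directory,
# applies steps 2-4 with the caller's own primary group, and prints its path.
make_demo_tree() {
    m_root=$(mktemp -d) || return 1
    m_share="$m_root/Graphics"
    mkdir -p "$m_share/ProjectA" || return 1
    echo "constructed sample" > "$m_share/ProjectA/logo.txt"
    chgrp -R "$(id -g)" "$m_share"                 # step 2
    chmod -R g+w,o-w "$m_share"                    # step 3
    find "$m_share" -type d -exec chmod g+s {} +   # step 4, every directory
    printf '%s\n' "$m_share"
}

# Demo: a file added after setup under umask 022 inherits the group from the
# setgid directory but is not group-writable, so the audit reports it.
demo_share=$(make_demo_tree)
if [ -n "$demo_share" ]; then
    ( umask 022; echo "late addition" > "$demo_share/ProjectA/late.txt" )
    audit_shared_tree "$demo_share" "$(id -g)" || echo "drift found"
    rm -rf "${demo_share%/Graphics}"
fi
```
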

  19. #19
    Join Date
    Jun 2002
    Location
    Campbell, CA, USA
    Posts
    732


    "You know, that's actually a good question- now that one Mac is running OSX, if someone out on the network really wanted to gain access to it, what could they do? I've only enabled Personal File Sharing."

    Since OSX defaults with nearly every sort of inbound network access disabled, AFP is about the only intrusion point for those who can't get at the desktop. I assume you're running with a password-required screen saver setting.

    Enable ftp and password-cracking will also provide a path in. OSX helps in that all your standard subdirectories (Docs, Pix, Movies, ...) other than Public are set to disallow other users to navigate, so whatever you store there is only accessible to you or root, even on a desktop login or ftp session.

    Actually, I just thought of one other physical security aspect. Without a case lock and a hardware password, the machine can always be booted from a CD-ROM which provides automatic root access, and disks can be stolen.

    Jazzbo

    [This message has been edited by Jazzbo (edited 09 February 2003).]

  20. #20
    Join Date
    Jan 2001
    Location
    Austin, TX, Los Estados Unidos de Mac
    Posts
    672


    OK, I just turned on FTP access and tried logging on for the first time. I was able to use the computer's network address, even though it's served by DHCP.

    Now, I'm wondering, if the address changes under DHCP (which I thought it would, but I haven't been checking), then would that mean anyone else who wants to access this machine via FTP would have to call me to find out what today's address is?

    Also, I checked my free space on the OSX volume- 1.04GB free out of 3.18GB total. Not much at all, but there's still 2.5GB left on the internal OS9 volume that I can use for Photoshop scratch. As far as I can remember I did a normal OSX install. I wonder why such a big difference between Rick's machine and mine.

    I'm gonna go work on setting up those accounts to access the external disk now.
