User profile for user: MrLinguaFranca
MrLinguaFranca Author
User level: Level 1
0 points

Why is Admin Approval Needed to Share Folders Between 2 Standard Accounts?

Dear OS X users,

Please give this question due consideration because it's a fundamental question about the underpinnings of OS X which I've asked many people but no one seems to have a good answer. I have 3 accounts on my Mac. They are as follows:
- pete (standard account)
- wanda (standard account)
- mac admin (admin account)

It's logical that if Mac Admin creates a file/folder, he needs to set the permissions for it so that others can read/write to it. But imagine Pete and Wanda collaborate together on a project. Imagine Mac Admin creates a folder called /Swap with read-write permissions for all. Pete then creates a sub-folder without setting any particular permissions and then logs out. Then imagine Wanda logs in and wants to access the Pete's newly created folder. When doing so, an authentication prompt appears asking Wanda to enter an administrator's login details.

*Why doesn't it ask for Pete's authentication details? Why does it need an administrator's login details? Mac Admin has nothing to do with it.*

Now if you extrapolate this scenario to include a business enterprise where you may have lots of groups/teams with members all collaborating. It's ridiculous to involve an administrator for every trivial request of this kind e.g. a file permission change.

Please don't simply recommend sharing via USB or upgrading to Leopard. (I hated Leopard and 'upgraded' back to Tiger). I'm looking more for explanations than workarounds.

Thank you in advance.

MrLinguaFranca.

Macbook 13" 2.16Ghz 2Gb RAM, Mac OS X (10.4.11)

Posted on May 15, 2008 5:04 AM

Reply
3 replies
User profile for user: J D McIninch
J D McIninch
User level: Level 5
4,091 points

May 15, 2008 6:18 AM in response to MrLinguaFranca

The short answer, of course, is that admin privileges are not needed (so long as you are the owner).

The long answer is that administrator privileges are required to change the owner of a file or folder, or to change the group of a file or folder (if you are not the owner or aren't a member of that group). To change the permissions on a file, one must be an administrator or the owner of the file.

In your scenario, Pete creates a folder, but forgets to make the folder read-write for others. Wanda is prompted for the administrator password because she doesn't have permission to access the folder until Pete says so. The default behavior on the Mac is to secure the folder.

The reason it doesn't ask for Pete's authentication details is the same as if it were Windows, Linux, Solaris, etc. Wanda is asking permission to override Pete's settings. If Pete wanted Wanda to access the file, he would have done so. So, logically, Wanda requires administrative privilege to supersede Pete's wishes. Wanda should NEVER have to be party to Pete's credentials because doing so compromises Pete's account entirely (nor the administrator's credentials -- if the folder has permissions that deny her access, she needs someone to grant the access, not someone else's credentials so that she can grant access to herself by assuming the role of the other party).

This is different from the case when you are accessing a network share. In that scenario, the connection to the remote machine does not know who's accessing the share and must require authentication to determine who it is dealing with. The correct way to implement network shares would be to have Wanda always authenticate as her self and never use the credentials of another. Once she's logged in as herself, the remote server can determine what she's permitted to access on the basis of her identity and the permissions on the files.

This is how file security works (not just OS X).
Reply
User profile for user: Clea Rees
Clea Rees
User level: Level 4
1,245 points

May 15, 2008 8:31 AM in response to MrLinguaFranca

The previous comments are good ones. I take it, though, that what you want is that any folder or file created in the swap directory be automatically readable and writeable by everybody. Is that correct?

It is true that you could do this (I think) on Leopard because Leopard has ACL support enabled (Access Control Lists). You do not have to upgrade to Leopard to enable this support, however. Tiger can support ACLs - it is just that the file system has this support disabled by default and you have to turn it on in order to use it. Unlike Leopard, Tiger does not offer a GUI interface to manipulate ACLs, so you have to set it up at the command line. It is perfectly doable if you want to do it, though.

Otherwise, Pete (as the owner of the file) just has to remember to make the files and folders he creates writeable by Wanda. He can do this by making them writeable by everybody. Alternatively, mac admin could create a group with Pete and Wanda as members. Then Pete could make his creations writeable and readable by that group rather than by everybody. (If there are only the three users, this isn't an issue, of course.)

- cfr
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Why is Admin Approval Needed to Share Folders Between 2 Standard Accounts?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up