How to set permissions like "For all users" with Sandbox

Perhaps you can explain what the "For all users" folder is? Is this a default Sandbox creation? Likely you just need to set the appropriate permissions and/or ACLs on your folder...

Hi.

What goal are you trying to accomplish? Are you trying to create a folder that has open permissions and can be accessed by other users?

My goal is to create a folder in the root directory which has the same permissions like the Shared folder in the Users folder.

Oh, I see. That folder is not using ACLs, so Sandbox isn't going to help you there. That directory has the posix sticky bit set on it, which is what prevents users from deleting things they don't own.

So to create a similar folder in your root directory, you can do this:

sudo mkdir /test_folder

sudo chmod 777 /test_folder

sudo chmod +t /test_folder

sudo chgrp wheel /test_folder

(note, the last step sets the group owner to wheel to match what is set on my /Users/Shared folder. Check to see what yours is and use that).

Using "chgrp", you can change the group to whatever you want. Note that if you want to restrict that directory to a group, you'll need to modify the "chmod 777" in my above steps to not give permissions to "other" (i.e. instead of chmod 777 it would be chmod 770).

You might want to review the man page for chmod and/or chgrp for a refresher on setting and using posix permissions...

I don't mean to disagree with the "crowd". but Sandbox is a beautiful method of controlling access to your folders.

For a simple demo, find and select any folder you do not have access to normally. Open Sandbox, navigate to that folder (inspect folder) and select it. Press the " + " sign on the lower right hand corner, the add new access control entry box opens, select "allow permissions", for user ID select your user ID, select all read permission, select save. You should see your new list of permission listed.

Open finder to the folder you just set the acl's on, you will see that you can access it now.

Sandox allows you to make multiple custom entries for each user, or you can blanket every user by assigning acl's to the "everyone" user.

Experiment, feel free to play, as long as you are not playing on system folders and use common sense you shouldn't be able to do any real harm, and the best part is, to undo permissions, simply remove the acl's, it is not neccessary to jack with posix permissions as acl permissions take precedence over posix permissions.

Kj

To do what this OP wanted, I couldn't figure out how to get Sandbox to do it.

In the OP case, all he needed/wanted was the sticky bit set, which is exactly the same configuration as the Shared folder in /Users. If you get an ACL configuration that does what the sticky bit allows, then by all means post the steps here.

entry - allow permissions
user - <user name>

read settings: list folder contents, traverse file.

write folders: create files, create folder.

inheritence: apply to all

You should be able to delete any files or folders you create, because they will belong to you.

you can create a acl entry like this for each user.

Kj

Thanks KJK555. But the user needs to be known a prior though, right? That is, the folder isn't really open for all, just the users that are setup prior to them creating content. That's the one (only?) "benefit" of the use of the sticky bit, and I presume the reason /Users/Shared is pre-configured that way.

Message was edited by: glsmith

Well, sandbox sets ACL's not posix permissions. The sticky bit is a posix permission. Sand box will allow you to do something similar to the sticky bit using ACL's, but the exact duplication of the sticky bit is not possible, but something just as useful or more useful can be easily implemented.

To set the sticky bit you will need an app called FileXaminer or the Terminal.app command line.
to set the sticky bit simply put "1" in front of the the permissions number when you run chmod on the command line, here is an example:
chmod 1775 /users/data/shared #assigns permissions 775 and the sticky bit#
chmod 775 /users/data/shared #assigns permissions 775 without the sticky bit#
note: note actual use of the chmod and chown commands will, in most cases require the sudo (super user do) command to be used with them. example:
sudo chmod 1775 /users/data/shared #assigns temporary super user priviledge#

The way I set my shared user's directories with ACL's is this:
first I created folder /users/data -permissions=777 (everyone).
I had three users so I created folders for each in /users/data:
/users/data/user1 #this is just example-substitute real user name#
/users/data/user2
/users/data/user3 #etc,etc,#
set the posix permission on each user folder 700 (owner:read,write,execute)
set the owner and group on each one accordingly:
chown user1:staff /users/data/user1 #substitute real user name#
chown user2:staff /users/data/user2
chown user3:staff /users/data/user3 #(etc,etc)#

Now each user has their own data folder they can read and write to at will (when they are logged in to their user account).
They can safely create and maintain their data and no one can delete it.
Since these are shared data accounts. other users will need to read the data, this is where the ACL's come in.
You will need to use Sandbox to place ACL's for each allowed user, on each of the user directories:

0: user:joe inherited allow list,add file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsec urity,file_inherit,directoryinherit
1: user:mary inherited allow list,add file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsec urity,file_inherit,directoryinherit
2: user:sue inherited allow list,add file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsec urity,file_inherit,directoryinherit

Basically with the above ACL's the only thing the allowed user can't do is delete files. They can copy files, they can add files, etc. This behavior is somewhat similar to what can be accomplished with the sticky bit, but much more controlled and structured. That is the beauty of using ACL's.

Using SandBox you can taylor the permissions as you see fit for each every user. You can set permissions for an administrator to delete files as well. You can take away or add permissions for each user as you see fit. let your imagination be your guide.

ACL's weren't meant to replace posix permissions, but rather to allow administrators to fine tune user permissions.

Kj

Do you know how to set this sticky bit in Sandbox? I didnd't found a way to do that.

It's not possible in that app.

Ehm - by the way, how can I add a specific user / group via Terminal?

See my post above. Use the "chgrp" command.

Is it true that after changing the permissions via Finder and/or Terminal one has to set the sticky bit again?

Yes, this might be true if the sticky bit is removed and not re-added when the new permission mask is applied.

By the way, in comparison with the operating system Windows XP from Microsoft, it is a system default that users cannot delete these files and folders who are created by another user

The same is true on the Mac, and by using ACLs, file flags and sometimes POSIX mode bits you can do very powerful things with access controls in OS X. Don't compare the Mac's permissions functionality to what you've seen in this thread. You asked about a very specific permissions setting (that of the /Users/Shared/ folder), which has a very specific use.

For generalized access controls, POSIX permissions are usually sufficient. When you need greater flexibility, OS X ACLs are there for you...