Fast User Switching Rocks
I turned on fast user switching today to try out some new software I didn’t trust with my normal administrator account. This proved surprisingly useful. I love being able to switch to a clean account while keeping other tasks running in the background. It’s also useful for problems like checking out a site with various different configurations of browsers. As a book author, it helps me set up a really clean default environment to take screen shots in. As a developer it enables me to test my software with various preferences and configurations. As a speaker, it will let me set up custom demo environments, and present to audiences without showing my embarrassingly messy desktop to the world. I haven’t tried this yet, but it might let me do some simple load testing by hitting a server from multiple accounts at once.
Why didn’t I figure this out sooner? Perhaps because Apple marketed it as helping families with multiple people per computer instead of its use for a techie with multiple computers per person.
Fast user switching is not perfect. I would change a couple of things if I could. First I’d rather not have to type my password every time I switch users. Secondly I wish there were a simpler way to allow account A to access all the files of account B. If there is, I haven’t figured it out yet. I sometimes have to manually move files into the Shared or Public folders to allow different accounts to see them. I’d rather be able to say “Give me access to home directory B” from account A, type in B’s user name and password, and then not be bothered about permissions again. But overall fast user switching is still a huge improvement over constantly logging in and out, in the process shutting down, saving, and relaunching all the various applications.
February 7th, 2006 at 11:07 PM
Umm, this is Unix. If you want access to other people’s home directories, use the chmod(1) command, then ln -s to create a symlink from A’s directory to B’s for convenience.
February 8th, 2006 at 3:00 AM
Hi,
>First I’d rather not have to type my password every time I switch users.
Just make your demo user not have a password, it won’t ask you for the password.
>I wish there were a simpler way to allow account A to access all the files of account B.
Use AFP to mount the other drive or use FTP.
February 8th, 2006 at 6:11 AM
Having a passwordless user on a network connected machine is a little too dangerous for my tastes. What I want is a way to only enter the password once, rather than every time I switch to that user.
February 8th, 2006 at 6:13 AM
Fast user switching doesn’t work over network home directories, so using AFP or FTP may not solve the problem. In any case, the AFP and FTP routes may be slower, and involve more work to set up.
I personally have a /Groups/Family folder, along with a unix group family:family, of which we’re all members. The permissions on /Groups/Family are og+rwxS which means that files put in there automatically pick up the group membership of :family, such that others can read/write them as well. That’s the whole point of the /Groups structure; to be able to have files that can be shared between different groups of users (they don’t necessarily have to correspond to unix groups; and for that matter, they don’t really need to be in the /Groups location either, but it’s kinda customary).
Failing that, you don’t even need to put them outside of your area; just make sure that they’re appropriately readable/writable. I suspect that there’s an ‘addgroup’ or ‘groupadd’ command in the Terminal, but NetInfo Manager.app is the way to change groups for a non-directory enabled Mac. You can see all the groups in there, and their memberships, and it’s fairly easy to change (once you get used to the UI, which is a little dated and clunky).
Lastly, if you’re going down the AFP route (which might not be a bad idea to share your /Group/Family by AFP, as I do) then I can’t recommend Share Points Mounter enough. It’s a lot easier than making the entries in the NetInfo directory yourself, and then you can access those shared files from across the network too.
Alex.
February 8th, 2006 at 2:16 AM
It’s a little more complicated than that. First of all I don’t necessarily want to make everything world readable and writable, or make the changes on a permanent basis. Nor do I want to have to do this for each and every file and directory. I just want to be able to grant access to one account’s privileges for one session, and without changing my UID.
Secondly, it’s Unix but it’s also Mac OS X, and that’s a little different. For example, one thing I can do is move the directory I want to work on from several accounts into ~/Public. Suddenly, magically, that directory and all its contents is now accessible from all accounts. I move that directory out of the Public folder and it stops being accessible. As near as I can tell at no point are the permissions of the items in the folder changed. I’m not sure how this magic happens, Access Control Lists perhaps? But I want something like that that doesn’t require me to move things into and out of the Public folder.
February 8th, 2006 at 6:34 AM
OK. Maybe this is how Public works. Let’s see if I can decode that string og+rwxS.
o = other (i.e. all users)
g = group
+ = add the following permissions:
r = read
w = write
x = execute
permissions to the file. Furthermore the
S = sticky
bit is set. Therefore, users will not be allowed to delete the files that don’t belong to them regardless of the other permissions.
I can see the usefulness of that, but it doesn’t really give me what I’m looking for.
February 8th, 2006 at 1:21 PM
To get exactly what you originally described, you’d need to use groups. I don’t think there are any other options, because Unix permissions are only for owner (which you aren’t), group (which you could be), and other (everyone else). Since the original requirement is to NOT allow full public access, that leaves groups.
A strategy that might work is:
1) create a nonce group.
2) you join the group.
3) you add B to the group.
4) you change B’s home dir permissions bits to:
rwxrwx---
5) you change the group of B’s home dir to ‘nonce’ group.
Step 4 might also involve applying rwx to several sub-dirs in home that typically have owner-only access. And you’d have to perform step 5 on those same dirs, so both you and B (members of the ‘nonce’ group) can gain access under the group permissions.
All these steps require super-user privileges, so you’d have to gain that before any of the above was done.
When you’re done accessing B’s files like this, you should change the groups and permissions back, and then remove the group.
The only other approaches I can think of involve a setuid-B proxy process, which would then act on your behalf, while appearing to the Unix permissions system as B. Main problem with that is convincing the Finder to use the proxy process.
In Terminal, the ‘su username’ command is exactly this kind of user-proxy process.
By the way, I think ~/Public works the way it does simply because it has public permissions granted. That, coupled with the fact that it’s usually only an account’s home-level dirs that deny public access, so when you create a new folder, it usually has rwxr-xr-x, so moving it into ~/Public ensures the root sub-tree is public-access, and moving it into, say, ~/Documents blocks public-access because the sub-tree root ~/Documents has rwx------.
Do a little exploring with ls -l.
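The two mechanisms described in this comment, the ancestor-directory rule that makes ~/Public work and the nonce-group plan in steps 4 and 5, modelled in a small simulator. This is an added example, not code from the post or any commenter; the uids, gids and directory tree are constructed, and the model covers only the traditional owner/group/other bits (no root override, no ACLs).

```python
import copy
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits, as in chmod's numeric mode

@dataclass
class Node:
    uid: int   # owner
    gid: int   # group
    mode: int  # owner/group/other rwx triplets, e.g. 0o755

def class_bits(node, uid, gids):
    """Pick the owner, group or other triplet the way the kernel does."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_access(tree, path, uid, gids, want):
    """Grant `want` only if every ancestor directory is searchable (x)
    for this user and the target itself carries all the wanted bits."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        if not (class_bits(tree["/" + "/".join(parts[:i])], uid, gids) & X):
            return False
    return (class_bits(tree[path], uid, gids) & want) == want

def grant_via_group(tree, home, nonce_gid):
    """Steps 4 and 5 of the plan: chgrp B's home and its owner-only
    subdirectories to the nonce group and set them to rwxrwx---."""
    new = copy.deepcopy(tree)
    for path, node in new.items():
        owner_only = (node.mode & 0o077) == 0
        if path == home or (path.startswith(home + "/") and owner_only):
            node.gid = nonce_gid
            node.mode = (node.mode & 0o700) | 0o070
    return new

# Constructed ids: A is the user wanting in, B owns the home, C is anyone else.
UID_A, UID_B, UID_C, GID_STAFF, GID_NONCE = 501, 502, 503, 20, 600
# Constructed tree: B's home, an owner-only ~/Documents and a 755 ~/Public.
TREE = {
    "/Users": Node(0, 0, 0o755),
    "/Users/b": Node(UID_B, GID_STAFF, 0o755),
    "/Users/b/Documents": Node(UID_B, GID_STAFF, 0o700),
    "/Users/b/Documents/project": Node(UID_B, GID_STAFF, 0o755),
    "/Users/b/Public": Node(UID_B, GID_STAFF, 0o755),
    "/Users/b/Public/project": Node(UID_B, GID_STAFF, 0o755),
}
SHARED = grant_via_group(TREE, "/Users/b", GID_NONCE)
```

In TREE, A can read the project folder under ~/Public but not the identical one under ~/Documents, because ~/Documents has no x bit for A; in SHARED, A (now a member of GID_NONCE) can read it while C still cannot.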
February 8th, 2006 at 8:53 PM
HFS+ on Tiger definitely supports ACLs.
There’s an article on them here:
http://www.afp548.com/article.php?story=20050506085817850
I think to get what you want you probably need to invest the time to understand them, because the traditional Unix User+group+other model isn’t going to be flexible enough for you.
Read the comments though… sounds a little buggy!
February 12th, 2006 at 7:14 PM
One idea that didn’t work was sharing the directory. Seems I can connect to another host and get complete access to those files, or I can connect to this computer from another host and get complete access to this account’s files. However, on the same computer I can’t connect to another user’s network shared directory.
February 14th, 2006 at 4:33 AM
Concerning the sharing (AFP) option, the Finder doesn’t allow you to connect to “yourself”. You could use other sharing techniques but, as Alex Bewitt said, it’s not a good path.
The Unix way is not a “one click” path but if you can use the Terminal and/or NetInfo Manager, it’s really the easiest and most secure way (you chmod g+rx or rwx only the places you want to). If you plan on “sharing” (I mean reading and writing) some directories, don’t forget to set the umask and NSUmask, especially for the “testing” user.
For more info. see http://www.macosxhints.com/article.php?story=20031211073631814
By the way, from a security point of view, you can use a non-admin user as your “main” account. Mac OS X lets you work fine, and if you need to change something in /Application you can always confirm the login/password and “su” for this operation. It’s a good way to know that some action is messing outside of your account space. If you work a lot with the Terminal, you can add this non-admin user to the sudoers (with visudo). And of course, you can now fast-switch to this admin account for long admin tasks.
Thx a lot for your articles.