How to manage users' access to shared folders from the command line

Tags: afp, command-line, file-sharing

Using the sharing or dscl commands I cannot figure out how to add users associated to shares. The current local-admin account has access to all shares, but I'd like to give a different user account the ability to access some of the AFP shares.

Strangely, I can't even figure out how to list who currently has access to each of the AFP SharePoints.

So, I'm looking for a command-line solution to the following two questions:

1) how to list current users associated to a particular sharepoint?
2) how to add a user to a sharepoint?

Best Answer

User access to sharepoints will depend on permissions that are set on that sharepoint. You can use the 'ls' command to get that information using Terminal. Newer Mac products (10.4+) will use ACLs to control access to those folders. You can obtain information on both the POSIX permissions as well as the ACLs applied to folders by using this command:

ls -ale /Path/To/Folder

That command will list the directory contents in list view. Note that you will see the POSIX (legacy UNIX) permissions on the left hand side of each row. The permissions can be deciphered by examining the "Permissions Defined" section of this page. You will likely see output similar to the following:

allyourbasearebelongtous:folder eddie$ ls -ale
total 0
drwxrwxrwx    4 eddie  staff   136 Oct 10 12:17 .
drwxr-xr-x@ 101 eddie  staff  3434 Oct 10 12:16 ..
-rw-rw-rw-    1 eddie  staff     0 Oct 10 12:16 testfile
-rw-rw-rw-+   1 eddie  staff     0 Oct 10 12:17 testfile_acl
 0: group:staff inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: group:everyone inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity

You can see that the ACLs are listed out with their indexes (order of evaluation 0-n) on directories/files that have ACLs applied. You may also see that some files do not show ACLs associated with them (files that have ACLs applied show a "+" next to the file name when listed in Terminal). Both ACLs and POSIX permissions are evaluated when users attempt to connect to a sharepoint on the server. If the POSIX or ACLs conflict, you may see somewhat odd/undefined behavior.

For the most part, controlling access to sharepoints should be done by "group". I recommend setting up a group on the machine, adding users that should have access to that sharepoint to that group, and applying an ACL (that will inherit) to that sharepoint so that future files/folders created in that share have the same permissions set. An example of setting that inheritance for a group called "Accounting" on a single folder named "Data" is shown below:

chmod -R +ai "Accounting allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,directory_inherit,file_inherit" Data

Note that it may also be wise to coordinate the POSIX group permissions with the ACLs that are set to ensure secured access to those folders:

chown -R admin:accounting Data

It may be a good idea to disallow other users into this share (for more strict security) using POSIX permissions. The "0" in this octal permissions mode specifies no read/write/execute permissions for other users (i.e., not admin user or accounting group):

chmod -R 770 Data

After you've set up that ACL on the folder, you can simply add future users to the "Accounting" group, which should then allow them access to the share. To add a user to a group from the command line, you can use dseditgroup. Here's an example of confirming whether or not the user is a member of the group:

dseditgroup -o checkmember -m newuser accounting

If the user is not part of the group, you can add them into it:

sudo dseditgroup -o edit -a newuser -t user accounting
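The answer above lists access by reading `ls -ale` output by eye. As an added example (not part of the original question or answer), the script below turns that listing into one line per principal so the first question, "who is currently associated with this sharepoint?", can be answered from a script or audited across many shares. It assumes the `ls -ale` layout shown in the answer (a mode line ending in `+` followed by indented `N: principal [inherited] allow|deny perms` lines); the listing it parses is a constructed sample, with made-up principal names, so it runs without a Mac. On a real machine you would pipe `ls -ale /Path/To/Share` into `summarize_access` instead.

```shell
#!/bin/bash
# Added example: summarise who can reach a share point from `ls -ale` output.
# Not code from the original answer; the sample listing below is constructed.

# Constructed sample, shaped like the output shown in the answer above.
# Principals (accounting, contractor, intern) are invented for the example.
SAMPLE_LISTING='total 0
drwxrwx---+   4 admin  accounting   136 Oct 10 12:17 .
 0: group:accounting inherited allow list,add_file,search,delete,directory_inherit,file_inherit
 1: user:contractor allow list,search
 2: user:intern deny delete
drwxr-xr-x@ 101 admin  staff  3434 Oct 10 12:16 ..
-rw-rw----    1 admin  accounting     0 Oct 10 12:16 testfile
-rw-rw----+   1 admin  accounting     0 Oct 10 12:17 testfile_acl
 0: group:everyone inherited allow read,readattr
'

# summarize_access: read an `ls -ale` listing on stdin and print, per entry,
#   <name> posix-owner <user>
#   <name> posix-group <group>
#   <name> acl <principal> <allow|deny> <perms>
# ACE lines belong to the most recent file/directory line above them.
summarize_access() {
  awk '
    /^total / { next }
    /^[-dl][rwxstT-]/ {
      name = $NF          # last field is the file name (no spaces assumed)
      print name " posix-owner " $3
      print name " posix-group " $4
      next
    }
    /^ *[0-9]+: / {
      # fields: index principal [inherited] allow|deny perms
      principal = $2
      if ($3 == "inherited") { action = $4; perms = $5 }
      else                   { action = $3; perms = $4 }
      print name " acl " principal " " action " " perms
    }
  '
}

# allowed_principals: distinct principals holding at least one "allow" ACE.
# Deny entries are excluded, so an explicitly denied user is not reported as allowed.
allowed_principals() {
  summarize_access | awk '$2 == "acl" && $4 == "allow" { print $3 }' | sort -u
}

# Stand-alone demonstration on the constructed listing.
printf '%s' "$SAMPLE_LISTING" | summarize_access
echo "--- principals with an allow entry ---"
printf '%s' "$SAMPLE_LISTING" | allowed_principals
```

Because POSIX owner/group and ACL entries are printed side by side, a mismatch such as the answer warns about (for example a POSIX group that differs from the group named in the inherited ACE) stands out in the output and can be checked with a single `grep`.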