disabling home folder, sharing a different one
Mac Enthusiast
Join Date: Oct 1999
Location: Boulder, CO
Okay, so at work we can't afford to pony up for X Server. However, we do have X client. What I want to be able to do is set up about five or six specific user accounts, one general use account for the staff that aren't full time, and have them all have access to only one folder on the server, which won't be their home folder. I know I should use SharePoints, but I'm not sure of everything I should do. For instance, I easily figured out how to turn off public shares. But how do I turn off the home folder for AppleShare users? These users will never be logging in to the server directly, so they don't really need a home folder -- just access to this single shared folder that everyone needs to be able to use.
A little background: we used to be a 9-only shop, but recently bought some new iMacs which can of course only boot into X. I'm trying to convince everyone to move to X, and I think I've about got the sys admin convinced on the server at least. A few of the full-time staff will be hesitant to switch, so I want them to be able to use 9 still. And more importantly, the system should overall function similarly to the way it does now (using OS 9 file sharing and no home folders to be found). We have one server volume we use to share all files in the office, and a dedicated G4 that does the file sharing. I don't want people to have to see home folders, or if they have to see them in the Chooser/Connect To Server, then they shouldn't be able to mount them. Keychain and aliases may help here, but I want the transition to be as seamless as possible. Additionally, I seem to remember an issue with X limiting you to 10 concurrent users (unless you buy the unlimited seat version of Server), but I thought this could be gotten around using admin accounts. I feel comfortable giving some or all of the permanent staff admin accounts (5 computers), and then the remainder of the computers (7) can use the general-use login.
So, will this all work? And what is the best way to do it?
Mac Enthusiast
Join Date: Oct 1999
Location: Boulder, CO
Okay, I tried some things out and need to refine my question now. I discovered that if I change permissions on the home directory, I can keep the general use user from even seeing its home folder in the Chooser/Connect To Server windows. Perfect. Anyone see any big negatives to this config?
Now, I can't really check the user limit problem right now, but tonight after everyone goes home or tomorrow morning before they come in I will. If I do have to use some admin accounts to get around the 10-user limit, is there a way to keep them from seeing, or at least mounting, the various local drives connected to the server (only the boot drive right now I think)? This server volume will of course only be a shared folder on a local drive of the server. I haven't wanted to mess with permissions on the boot volume outside of user folders other than mine, as I'm afraid I myself won't be able to access it since I'm also obviously in the admin group. Maybe logging in as root to the server and doing it all that way? Could be dangerous though.
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
I don't want people to have to see home folders, or if they have to see them in the Chooser/Connect To Server, then they shouldn't be able to mount them.
It seems to me that a simpler thing to do would be to delete the home directory and replace it with a symbolic link to the shared folder (do a man ln in the Terminal). This should work for you since these users will never log in. (A symbolic link is similar to a MacOS alias.) But I haven't tested this idea, so YMMV.
You want to be careful about who you give an Admin account to. I'm not sure the Admin accounts are going to do what you want, but if you must hand them out, you can remove users from the sudoers file, thus limiting their ability to administer the computer (see man sudoers for more info on this).
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Can you try just changing their home folder to the desired one in NetInfo Mgr?
I did this for my FTP user, and it works great. When people login as FTP, they go directly to my drop box.
Not sure about locking them out of access to volumes, but maybe try changing permissions on the volumes folder to others: none.
CV
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
Mac Enthusiast
Join Date: Oct 1999
Location: Boulder, CO
Originally posted by chris v:
Can you try just changing their home folder to the desired one in NetInfo Mgr?
I did this for my FTP user, and it works great. When people login as FTP, they go directly to my drop box.
Not sure about locking them out of access to volumes, but maybe try changing permissions on the volumes folder to others: none.
CV
Hey, good suggestion. I changed the home folder of the new admin account in NetInfo, and now they too can get to the main shared folder.
The only problem is they can also see the boot volume and any other volume mounted on the server. I'm not sure I could safely change the /Volumes dir any more than I could / for the same reasons -- this account is an admin account so I can get around the 10-user limit. Of course the system has to own the boot volume, and if I change the group access from admin on that volume, then I'm pretty much screwed in logging into Aqua from any account other than root.
What if I created a new group, in essence a new admin group, containing only myself and root, and using that group to change permissions on the boot volume and volumes dir? Does this present any problems I'm not anticipating?
Mac Enthusiast
Join Date: Oct 1999
Location: Boulder, CO
Hmm -- well I fiddled some more tonight, and found that OS X doesn't really like it when you mess with the permissions of /. Luckily, I was smart enough to mess around on a FireWire drive which is basically just a rescue disk. I was able to temporarily keep admin users from seeing files on / remotely (they could still mount it, but it showed up as a folder with the "do not enter" sign on it, and was totally inaccessible). This did not keep the user from accessing the shared mountpoint I wanted them to access (good), but also didn't keep them from accessing any mounted volumes other than / (bad). Two separate times, I was eventually unable to log into Aqua as anyone, even root, because the login window wouldn't run (I'm assuming because it had lost permission for something it needed, or the process couldn't be run at all, again because of permissions). So, this is clearly not the best solution.
I'm sort of resigned to leaving things as-is then, and giving the admin accounts to only the most trusted staff (also disabling that account in sudoers, though none of these people even know the first thing about UNIX, but of course better safe than sorry). However, I'm still looking for suggestions if anyone knows how to beat this system.
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
I don't think you can do what you want with an admin account. Otherwise, you won't be able to admin the machine except with root.
In order to lock out my FTP user, I didn't change the permissions of /, but I changed all the sub directories (Applications, and all the data folders on my data partition) to group: admin: read/write and others: no access. But then, I'm the only user on this machine.
You might be able to modify access for whole groups in NetInfo, but I just don't know.
I just don't think you're going to be able to lock out an admin user and be able to admin your machine. I have been wrong before, though.
CV
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
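A shell sketch of the safe version of what the thread converges on, added here as an example and not taken from any of the posts: a shared folder locked to its group (others: none, as chris v describes), a sharing-only account whose home is a symbolic link to that folder (the ln idea above), and a guard that refuses to change permissions on / or /Volumes, which is what broke the login window. The protected-path list, group argument and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Group-only shared folder, symlinked
# home for a sharing-only account, and a refusal to touch system paths.
# All paths and the optional group name are placeholders for the example.

# System paths whose permissions must be left alone: Aqua's login window
# and the rest of the OS depend on them (the thread's failure mode).
PROTECTED_PATHS="/ /Volumes /System /Library /Applications /Users /private /etc /var /bin /sbin /usr"

# is_protected PATH -> succeeds (0) when PATH is one of the protected paths
is_protected() {
    p=${1%/}; [ -n "$p" ] || p=/      # drop a trailing slash; "/" stays "/"
    for q in $PROTECTED_PATHS; do
        [ "$p" = "$q" ] && return 0
    done
    return 1
}

# lock_shared_folder DIR [GROUP] -> DIR becomes drwxrwx--- (others: none).
# GROUP is applied only when given, so the function also runs unprivileged.
lock_shared_folder() {
    if is_protected "$1"; then
        echo "refusing to change permissions on system path $1" >&2
        return 1
    fi
    mkdir -p "$1"
    if [ -n "$2" ]; then chgrp "$2" "$1"; fi
    chmod 0770 "$1"
}

# link_home HOMEDIR SHARED -> replaces an empty HOMEDIR with a symlink to SHARED
link_home() {
    if is_protected "$1"; then
        echo "refusing to replace system path $1" >&2
        return 1
    fi
    # rmdir only removes an empty directory, so a populated home is never lost
    if [ -d "$1" ] && [ ! -L "$1" ]; then rmdir "$1" || return 1; fi
    ln -sfn "$2" "$1"
}

# mode_of PATH -> permission string such as rwxrwx--- (portable ls, no stat flags)
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Usage (as root, names are placeholders):
#   lock_shared_folder /Volumes/Data/Shared staff; link_home /Users/general /Volumes/Data/Shared
```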