I have two user accounts set up on my Mac. I use the drew user for most things, but if I'm making a screencast I'll switch to the demo user. The demo user has a clean desktop, and the font size is larger than usual in my terminal and text editors, making everything a bit more legible when capturing the screen. When I record a screencast as the demo user, I save the file to /Users/Shared/screencasts. As I understand it, the /Users/Shared directory is supposed to be accessible to all user accounts on the Mac. If I created and saved a ScreenFlow document as the demo user, I should be able to read and write that file when logged in as user drew.
That was the theory, but it didn't always work out that well in practice. I would occasionally find that a directory was only writable by one user or the other. Perhaps I'd open a ScreenFlow document as user drew and attempt to export the video to the same directory, only to find that the directory was owned by demo, meaning that I couldn't create new files in that directory when logged in as user drew.
Ideally, I'd like to be able to set the permissions on the /Users/Shared/screencasts directory, and have all files and directories created beneath it inherit those permissions. This seems to have done the trick:
$ chown -R demo:staff /Users/Shared/screencasts
$ chmod -R +a "group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Users/Shared/screencasts
In the first command, the owner is set to demo and the group is set to staff for the screencasts directory, as well as all files and subdirectories contained below it. Both the demo and drew users are already in the staff group. If I can make it so that the staff group has read, write, and execute (where appropriate) rights for all files and directories, then I'll have what I need.
The second command assigns an access control list (ACL) entry for the staff group on the screencasts directory (and all of its children). I've included a lot of flags, but the ones to note are file_inherit and directory_inherit. If I create a file or directory inside of the screencasts directory, then it will inherit the same ACL entry.
To inspect the ACL, you can run the ls command with the -e flag. For example:
$ ls -ale /Users/Shared/screencasts/
total 0
drwxr-xr-x+ 2 demo staff 68 19 Feb 18:56 .
0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xrwx 11 root wheel 374 19 Feb 18:56 ..
As well as the usual line of info about each listing, there's an extra row giving details about the ACL (the + at the end of the mode bits marks entries that carry one). The screencasts directory has r-x mode set for the group, so you might think that users in the staff group would be unable to add files and directories to the screencasts directory. But the ACL includes the flags add_file and add_subdirectory, which means that users in the staff group can do those things.
I can demonstrate this as user drew:
$ whoami
drew
$ cd /Users/Shared/screencasts/
$ mkdir -p foo
$ touch foo/bar
$ ls -ale foo
total 0
drwxr-xr-x+ 4 drew staff 136 19 Feb 23:10 .
0: group:staff inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+ 4 demo staff 136 19 Feb 19:38 ..
0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
-rw-r--r--+ 1 drew staff 0 19 Feb 23:10 bar
0: group:staff inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity
The directory foo and the file bar are both owned by user drew, but they're assigned to the group staff. And since the demo user is in the group staff, it gets all of the privileges listed in the ACL. Note that the entries on foo and bar are marked inherited: they came from the ACE on screencasts, not from anything I set by hand.
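As an added example (not part of the original post), here is a small Python checker that parses ls -le output like the listings above and reports any entry whose staff ACE lacks the add/inherit rights this setup relies on. The sample listing is the ls -ale foo output from above plus a constructed exports directory with no ACL, standing in for the pre-fix case.

```python
import re

# Constructed sample: the `ls -ale foo` listing from the post plus one extra
# directory, "exports", with no ACL (the pre-fix "owned by the other user" case).
SAMPLE_LISTING = """\
total 0
drwxr-xr-x+ 4 drew staff 136 19 Feb 23:10 .
 0: group:staff inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+ 4 demo staff 136 19 Feb 19:38 ..
 0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
-rw-r--r--+ 1 drew staff 0 19 Feb 23:10 bar
 0: group:staff inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxr-xr-x 2 demo staff 68 19 Feb 18:56 exports
"""
# Rights the group's allow ACE must carry so members can add/remove entries and
# new children inherit the ACE (directories), or edit the content (files).
DIR_REQUIRED = {"list", "search", "add_file", "add_subdirectory", "delete_child",
                "file_inherit", "directory_inherit"}
FILE_REQUIRED = {"read", "write"}
# ACE row: "<n>: <principal> [inherited] allow|deny <comma-separated rights>"
ACE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)$")

def parse_ls_le(text):
    """Parse `ls -le` output into {name: {"mode", "owner", "group", "aces"}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and current is not None:   # ACE rows follow the entry they belong to
            entries[current]["aces"].append({"principal": m.group(2), "kind": m.group(4),
                "inherited": m.group(3) is not None, "perms": set(m.group(5).split(","))})
            continue
        parts = line.split(None, 8)     # mode links owner group size day mon time name
        if len(parts) < 9:
            continue                    # skips "total 0" and blank lines
        current = parts[8]
        entries[current] = {"mode": parts[0], "owner": parts[2], "group": parts[3], "aces": []}
    return entries

def audit(entries, group="staff"):
    """Return {name: sorted missing rights}; entries that satisfy the rule are omitted."""
    problems = {}
    for name, e in entries.items():
        required = DIR_REQUIRED if e["mode"].startswith("d") else FILE_REQUIRED
        granted = set()
        for ace in e["aces"]:
            if ace["principal"] == f"group:{group}" and ace["kind"] == "allow":
                granted |= ace["perms"]
        if required - granted:
            problems[name] = sorted(required - granted)
    return problems
```

Feed it real ls -le output from the shared tree to spot directories that were created before the ACL was applied or otherwise ended up without the inherited entry.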
Further reading: