(Or: What the heck are user accounts and privileges, and how do I use them to my advantage?)
It may seem odd to start a book about becoming a power user of Mac OS X with such boring topics as user accounts, file/folder organization, and file permissions. After all, you're in this to learn cool tips and tricks, not to learn about the boring guts of the operating system, right? Yet when it comes down to it, if you don't understand these topics, you'll never become the master of your Mac. In addition, in my experience working with users of OS X (especially those users who have come to OS X from previous versions of the Mac OS), one of the most frustrating (and common) issues they have is dealing with permissions (such as error messages telling them they can't do what they want to do because they "don't have permission"). This means that some of the most useful tips and tricks relate to permissions and user accounts.
In addition to gaining a better understanding of these issues, in this chapter you'll learn how to create and customize user accounts and groups, how to work with permissions, and how to use NetInfo Manager. You'll also learn about root access and the root account.
The Basics: Permissions, Accounts, and File Organization
Because of its Unix heritage, Mac OS X is a true multi-user operating system from the ground up. Yet some people have used Mac OS X for many months without fully realizing what this means: as the only user of their Mac, they press the power key, and it simply boots up and runs, much like a Mac running OS 8 or OS 9. To many other users, a multi-user OS just means that several people can use the Mac without sharing the same Documents folder and preference files.
The truth is that the multi-user architecture of Mac OS X offers so much more than separate Documents folders. It's a powerful system of files, folders, and volumes, with varying degrees of access to those items given to individual users. Everything from setting preferences to installing software, from opening files to emptying the trash is affected by this system; as a result, OS X provides levels of security and flexibility heretofore unseen on the Mac platform. Understanding the concepts of user accounts and permissions, and understanding the file structure of Mac OS X, are the first steps toward becoming a true Power User. In fact, understanding these topics is vital to mastering many of the topics discussed later in the book.
Because these issues are important, and because Mac OS X accommodates so many different levels of users, I'll start at a more basic level in this chapter than in subsequent chapters to ensure that I thoroughly explain these concepts. Consider this chapter the foundation on which you'll build your power user skills.
Permissions Explained
Users of Mac OS 9 and earlier may remember setting up File Sharing privileges: when File Sharing was enabled, each "shared" file had a set of privileges, set manually by the user sharing that file, that told the OS which remote users could access it. Because Mac OS X is based on Unix, it inherits the Unix system of file permissions (also called privileges). This system is similar to File Sharing privileges, except that in OS X every file and folder has a set of permissions (some set by users, but most set by the OS itself), and these permissions apply to everyone, whether they're connecting remotely or sitting in front of the host computer. To put it simply, OS X keeps track of which users can open each document, folder, or application and which users can edit each file. (In OS X, the terms you probably know as open and edit are technically called read and write, respectively.)
You can see an example of permissions by selecting a file in the Finder (a document in your Documents folder is a good one to choose) and then selecting File -> Get Info. In the resulting Info window, you'll see a section called Ownership & Permissions. Clicking the disclosure triangle will expand this section to show the permissions you have for this file; clicking the disclosure triangle next to Details will show the overall permissions given to the file. Figure 1.1 shows the Info window for a document from my Documents folder.
The owner of the file is me, frakes, and I have Read & Write access to the file. You also see two other sets of permissions: Group and Others. In addition to an owner (the user who controls access to the file, generally the person who created it), every file belongs to a group, which is simply a defined subset of all users who have their own access privileges to the file. The group is automatically set to the default group for the owner (in this case, frakes) and set to "Read only." These settings can actually be changed to provide certain other users with a particular level of access, without opening up such access to everyone. (I'll talk more about groups and group access, as well as why the owner and the group might be the same, later in this chapter, but for now just remember that they're there; they can be quite useful once you learn how to use them.) Finally, the Others permission setting is used to set privileges for users who are neither the owner of the file nor part of the group assigned to the file; think of this as "everyone else." The default setting for others is Read only. (See "What Permissions Really Mean" for more info on the various levels of access.)
Note: Mac OS X permissions are not enforced under Mac OS 9. If you reboot into OS 9, you're free to do anything you want to any file you want, and so is anyone else.
Understanding what permissions are isn't too difficult; comprehending how they work and why they work the way they do can be quite confusing. The first step toward that goal is understanding user accounts.
Understanding User Accounts
Mac OS 9 and earlier were essentially single-user operating systems. Sure, Mac OS 9 had the less-than-perfectly-implemented Multiple Users feature, but it was just that: less than perfect. Mac OS X is a true multi-user system, meaning that whether you realize it or not, you're no longer the only user of your machine. In the sections that follow, I'll explain what "multiple users" means in a practical way: how files and folders are organized, what users do and don't have access to, and more.
User Accounts and File/Folder Organization
At the topmost level of your Mac OS X hard drive (this is called the root level of the drive and designated in Unix terminology as /), you'll see a folder called Users. This folder contains all user-level files for all users of your computer. Within this folder, each user has their own individual folder, the name of which is their "short" username. (I'll talk more about short and long usernames in a bit.) This folder is called the user's home folder or directory (and is generally identified by the abbreviated pathname ~/). Thus, on my computer, my home directory is located at /Users/frakes. Within each home folder are several folders that were automatically created when the user account was created: Desktop, Documents, Library, Movies, Music, Pictures, Public, and Sites (Figure 1.2). In addition, a user's home folder can also contain any other files and/or folders that the user has placed there or that OS X has created there.
The important thing to note about home directories under OS X is that with the exception of the Public and Sites folders (which are accessible by other users), files, folders, or applications stored inside your home folder are for your eyes only, and unless you explicitly change their permissions, no one but you will be able to edit them, or even view them. Your user folder is yours and yours alone. In fact, the Desktop that you see is actually a folder called Desktop within your user folder. This means that, unlike OS 9, each user has their own Desktop. In fact, anything you save or copy to the Desktop will actually reside in the Desktop folder inside your home directory and, thus, will be visible and accessible only to you.
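The owner, group, and others settings shown in the Info window, and the privacy of a home folder described above, can be checked from Terminal. The following shell script is an added example, not code from the book; the function names and the sample folder it builds are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the book): audit a home folder for items that
# users other than the owner can reach, reading the mode string printed
# by `ls -ld` (for example "drwxr-xr-x").

# Map one rwx triad to an access level as the Finder's Info window names it.
# The execute bit is ignored here because Get Info does not display it.
access_label() {
    case "$1" in
        rw?) echo "Read & Write" ;;
        r-?) echo "Read only" ;;
        -w?) echo "Write only (Drop Box)" ;;
        *)   echo "No Access" ;;
    esac
}

# Print "owner / group / others" access levels for one path.
describe() {
    m=$(ls -ld -- "$1" | cut -c2-10)
    printf '%s / %s / %s\n' \
        "$(access_label "$(printf %s "$m" | cut -c1-3)")" \
        "$(access_label "$(printf %s "$m" | cut -c4-6)")" \
        "$(access_label "$(printf %s "$m" | cut -c7-9)")"
}

# List top-level items of a home folder that group or others can access,
# skipping Public and Sites, which exist to be shared.
audit_home() {
    for item in "$1"/* "$1"/.[!.]*; do
        [ -e "$item" ] || continue
        case "${item##*/}" in Public|Sites) continue ;; esac
        shared=$(ls -ld -- "$item" | cut -c5-10)
        [ "$shared" = "------" ] || printf '%s: %s\n' "${item##*/}" "$(describe "$item")"
    done
    return 0
}

# Constructed sample home folder so the script runs on any machine.
demo=$(mktemp -d "${TMPDIR:-/tmp}/home.XXXXXX")
mkdir "$demo/Documents" "$demo/Public"
: > "$demo/notes.txt"
chmod 700 "$demo/Documents"; chmod 755 "$demo/Public"; chmod 644 "$demo/notes.txt"
audit_home "$demo"   # prints: notes.txt: Read & Write / Read only / Read only
rm -rf "$demo"
```

To audit a real account, call audit_home with the path of the home folder, such as /Users/frakes; anything it lists is reachable by someone other than the owner.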
However, user folders aren't just for security. They also provide an enormous amount of flexibility between users. In addition to documents, folders, and applications, user folders also store each user's preferences (in ~/Library/Preferences). This means that any settings or changes you make to your Mac (your desktop picture, your email account information, your web browser bookmarks) will apply only to you, allowing each user to customize OS X to best serve their own needs. When you log in, the OS uses your preferences and restores the environment to exactly the state it was in when you last logged out. This is important to note because it means that as you go through this book, many of the neat tricks and customizations you find will only apply to your personal account, thus preventing you from annoying or disrupting other users.
Note: When I said that all preferences apply only to the user who set them, that wasn't entirely true. There are a few exceptions to this rule; for example, network settings apply to all users and therefore can only be changed by an administrator.
User Levels
As I previously mentioned, every user of Mac OS X has their own account. Each of those accounts has one of two levels of access: normal and administrative.
Normal users: Normal users (called Standard users in some places in OS X 10.3 and later) have full access to their own user folder and to other users' Public folders. They can also launch applications located in the /Applications directory and can change user-specific System Preferences (desktop picture, views, Dock settings, as well as their own account password). However, that's basically the extent of their access. Outside of their own user folder, they have only Read access (except for other user folders, for which they have no access at all). In fact, a normal user can't even create a folder or save a document outside of their own home folder. (And an administrative user can actually restrict the account of a normal user to have even less access; OS X 10.3 calls these users Managed or Simplified users. I'll talk about this functionality later in this chapter in "Creating, Editing, and Deleting User Accounts.")
Admin users: Administrative users don't have complete run of the house, but they're much less limited than normal users. Admin users can install new applications in the /Applications directory, can change system-level System Preferences (Network, Accounts, Sharing, Software Update, etc.), can install system-wide add-ons, can create folders and save documents almost anywhere on the drive, and can use system-level utilities such as Disk Utility and NetInfo Manager. The first account created under Mac OS X (the one you created when you first installed OS X) is an admin-level account by default, since every Mac OS X computer must have at least one administrator.
You can view user levels in the Accounts pane of the System Preferences application (Figure 1.3). I'll talk more about using the Accounts pane when I talk about creating and editing user accounts, later in this chapter.
Despite having a higher level of access, not even admin users can access other users' private folders, nor can they make changes to certain system-level folders (such as much of the System folder at the root level of the hard drive), at least not without help. Although I said there are only two levels of accounts in Mac OS X, this is technically not true. There's a third level of access in OS X called root access that has complete control over everything, regardless of permission or location. However, you can't simply assign root privileges to particular accounts; Mac OS X actually has a separate root account (which always exists but is disabled by default for obvious security reasons). To gain root access, you must actually log in as the root user or use one of several techniques for temporarily gaining root access from an administrator account; I discuss all of these procedures later in this chapter in "Getting to the Root of It."
Note: Users can also authenticate, as described later in this chapter, in order to perform certain actions that they wouldn't otherwise be able to do.
It's important to understand the differences between these levels of access, as many of the tips discussed in this book require admin access, and some require at least temporary root access. As I mentioned in the Introduction, I've noted the level of access required for each procedure described in the book.
Other Uses for User Accounts (besides Other Users, That Is)
At this point you may be saying to yourself, "OK, I'm the only user of my computer, and I have admin access by default, so why do I need to know about user accounts?" That's a good question. In addition to the importance understanding user accounts and permissions has for fully understanding OS X as a whole, there are several reasons I recommend creating other user accounts that have little or nothing to do with multiple human users:
Troubleshooting: Although Mac OS X is incredibly stable, the truth is sometimes things go wrong. When you experience a computer problem, the first step you should take toward finding a solution is to narrow down the possible causes. In Mac OS 9, you held the Shift key down to start up without extensions; if your Mac then worked fine, you had isolated the problem to a startup file conflict. In Mac OS X, because each user account has a different set of preferences, support files, and startup/login files, the first thing you want to do is to find out if your problems are caused by your account or by a larger system issue. A helpful way to do this is to create a new account (right now, before you have problems), name it something clever (I call mine Troubleshooting User, or trouble for short), and then never use it ... until you have a problem. If that happens, log out of your own account, log back in under your troubleshooting account, and see if the problems are gone. If they are, you've just isolated your problem to something in your own account (~/Library files, Login/Startup Items, etc.), and that's where you should start looking for the cause. If the problems still exist, then the cause is at the system level.
Tip: In Mac OS X 10.3 (Panther), you can take advantage of Fast User Switching (discussed later in this chapter) to use your troubleshooting account without even logging out of your own account.
I also recommend that you give your troubleshooting account admin access, as discussed later in this chapter when I discuss creating and editing accounts. If you ever find yourself in an emergency where you need admin access but you can't log into your normal admin-level account, having an extra admin account can be a lifesaver.
Testing software: If you're an aspiring power user, chances are that at some point you've downloaded "beta" software (or even, gasp, "alpha" software). In other words, you've tried out software that isn't quite ready for prime time. Although a lot of beta software is very stable, some isn't, and you may have experienced crashes or other problems. Even if you're not that brave, at some point you may have installed software just to check it out and later decided that you didn't really like it, but you couldn't figure out how to get rid of all the support files that the software installed. My approach to these situations is to create an extra user account just for testing software. You can run the alphas, betas, and "just curious" software from this account until you've either decided you want to use it in your main account or decided you want to get it off your Mac as soon as possible. Whatever you decide, your personal account (the important one you can't afford to screw up) should be unaffected. (One exception is if the software in question installs system-level files or otherwise affects the entire system. Even multiple users can't help you out in that case.)
Guests: We've all had a friend who needs to borrow our laptop to type up a report, or asks to use our computer to do their taxes, or is just hanging out and wants to surf the Web. We let them (because we're nice people, of course), but the next time we sit down at our computer we find that our Desktop is a mess, or our application preferences have been changed, or, worst case scenario, an important document was accidentally deleted! A great solution is to create an extra account, call it Guest (or something a bit more clever), and then set it up for just these situations. I've got my guest account configured with limited access (see "Creating User Accounts" later in the chapter) and with just the essentials in the Dock: Web browser, word processor, spreadsheet, etc. You can even set up the guest account without a password so that anyone visiting or borrowing your computer can simply click the Guest icon at login and be on their way.
Excerpted from Mac OS X Power Tools by Dan Frakes Excerpted by permission.