How to manage users access to shared folders from the command line?
Solution 1:
User access to sharepoints will depend on permissions that are set on that sharepoint. You can use the 'ls' command to get that information using Terminal. Newer Mac products (10.4+) will use ACLs to control access to those folders. You can obtain information on both the POSIX as well as ACLs applied to folders by using this command:
ls -ale /Path/To/Folder
That command will list the directory contents in list view. Note that you will see the POSIX (legacy UNIX) permissions on the left hand side of each row. The permissions can be deciphered by examining the "Permissions Defined" section of this page. You will likely see output similar to the following:
allyourbasearebelongtous:folder eddie$ ls -ale
total 0
drwxrwxrwx 4 eddie staff 136 Oct 10 12:17 .
drwxr-xr-x@ 101 eddie staff 3434 Oct 10 12:16 ..
-rw-rw-rw- 1 eddie staff 0 Oct 10 12:16 testfile
-rw-rw-rw-+ 1 eddie staff 0 Oct 10 12:17 testfile_acl
0: group:staff inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
1: group:everyone inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity
You can see that the ACLs are listed out with their indexes (order of evaluation 0-n) on directories/files that have ACLs applied. You may also see that some files do not show ACLs associated with them (files that have ACLs applied show a "+" next to the file name when listed in Terminal). Both ACLs and POSIX permissions are evaluated when users attempt to connect to a sharepoint on the server. If the POSIX or ACLs conflict, you may see somewhat odd/undefined behavior.
For the most part, controlling access to sharepoints should be done by "group". I recommend setting up a group on the machine, adding users that should have access to that sharepoint to that group, and applying an ACL (that will inherit) to that sharepoint so that future files/folders created in that share have the same permissions set. An example of setting that inheritance for a group called "Accounting" on a single folder named "Data" is shown below:
chmod -R +ai "Accounting allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,directory_inherit,file_inherit" Data
Note that it may also be wise to coordinate the POSIX group permissions with the ACLs that are set to ensure secured access to those folders:
chown -R admin:accounting Data
It may be a good idea to disallow other users into this share (for more strict security) using POSIX permissions. The "0" in this octal permissions mode specifies no read/write/execute permissions for other users (i.e., not admin user or accounting group):
chmod -R 770 Data
After you've set up that ACL on the folder, you can simply add future users to the "Accounting" group, which should then allow them access to the share. To add a user to a group from the command line, you can use dseditgroup. Here's an example of confirming whether or not the user is a member of the group:
dseditgroup -o checkmember -m newuser accounting
If the user is not part of the group, you can add them into it:
sudo dseditgroup -o edit -a newuser -t user accounting
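An added example, not part of the answer above: a small parser for the ls -ale listing format shown in that answer, followed by an audit that flags entries where "everyone" can write, whether through the POSIX "other" bits or through a group:everyone allow ACE. The sample listing is constructed, and the set of ACL rights treated as write-type rights is my own assumption.

```python
import re

# Constructed sample modelled on the listing in the answer above (not real output);
# ACE lines follow the entry they belong to, exactly as ls -ale prints them.
SAMPLE_LISTING = """\
total 0
drwxrwxrwx   4 eddie  staff   136 Oct 10 12:17 .
drwxr-xr-x@ 101 eddie  staff  3434 Oct 10 12:16 ..
-rw-rw-rw-   1 eddie  staff     0 Oct 10 12:16 testfile
-rw-rw-rw-+  1 eddie  staff     0 Oct 10 12:17 testfile_acl
 0: group:staff inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: group:everyone inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity
"""
# Entry line: mode plus optional @ (xattrs) or + (ACL) marker, links, owner, group, size, date, name.
ENTRY_RE = re.compile(r"^([-dlbcps][rwxsStT-]{9})([@+]?)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
                      r"\S+\s+\d+\s+\S+\s+(.+)$")
# ACE line as printed by ls -e: "index: identity [inherited] allow|deny perm,perm,..."
ACE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)$")
# ACL rights that let a principal change a file's content, metadata or ownership (assumed set).
WRITE_RIGHTS = {"write", "add_file", "add_subdirectory", "append", "delete", "delete_child",
                "writeattr", "writeextattr", "writesecurity", "chown"}


def parse_listing(text):
    """Turn ls -ale output into a list of entries, each carrying its own ACEs."""
    entries = []
    for line in text.splitlines():
        m, a = ENTRY_RE.match(line), ACE_RE.match(line)
        if m:
            mode, marker, owner, group, name = m.groups()
            entries.append({"name": name, "mode": mode, "owner": owner, "group": group,
                            "has_acl": marker == "+", "aces": []})
        elif a and entries:  # an ACE belongs to the entry printed just before it
            idx, who, inherited, kind, perms = a.groups()
            entries[-1]["aces"].append({"index": int(idx), "who": who, "kind": kind,
                                        "inherited": inherited is not None, "perms": set(perms.split(","))})
    return entries


def audit_other_write(entries):
    """Report entries where everyone can write, via POSIX 'other' bits or an allow ACE."""
    findings = {}
    for e in entries:
        reasons = []
        if "w" in e["mode"][7:10]:  # last triplet of the mode string is 'other'
            reasons.append("posix other has write")
        for ace in e["aces"]:
            if ace["kind"] == "allow" and ace["who"] == "group:everyone":
                if granted := sorted(ace["perms"] & WRITE_RIGHTS):
                    reasons.append("everyone ACE allows " + ",".join(granted))
        if reasons:
            findings[e["name"]] = reasons
    return findings
```

Run it against real output with parse_listing(subprocess.check_output(["ls", "-ale", path], text=True)); an entry that appears in the findings is one where the POSIX "0" for others recommended above, or a tighter everyone ACE, has not been applied.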