
Tutorial: File sharing in OS X

CNET staff

In the past "classic" Mac operating system, sharing files on a network meant accessing and setting up items in several locations. First, you needed to enable file sharing in one location, then add users in another location, and finally navigate to individual folders in the Finder to set up sharing for those locations. Because of the multiple steps for sharing items, people could lose track of the shared folders and of the permissions that each user had for a specific share point.

As with many aspects of the system, Apple has gone through extensive efforts to refine this process in OS X, and make file sharing straightforward and simple. They have done a fairly good job at it, both in the default setup for file sharing and in allowing you to customize the file-sharing setup on your computer, by making sharing both configurable through one interface and also intuitive.

File sharing in OS X is very similar to file access when you're sitting at the computer; in fact, the Unix structure of OS X makes access permissions to resources the same for both local and network environments, so items you have access to locally should be available to you when you are on the network, provided they're either set up as share points or within another share point. Conversely, items you are restricted from accessing locally will not be available to you via the network either.

By default, with file sharing enabled and upon successful network log-in, you should be able to access your home folder, any available "public" folders, and the root of the file system (Macintosh HD) if you are an administrator. For standard accounts you will only be able to see shared folders and your home folder. In addition, you will also see any customized mount points that your account has been given access to (i.e., external hard drives or secondary hard drives).

In this tutorial we will cover the default behaviors of the OS X file-sharing setup, as well as how to create and manage custom share points.


Connection options

There are three primary methods of file sharing built into OS X. The default is AFP (Apple Filing Protocol), which evolved from, and in some circles may still be referred to as, "AppleTalk." In addition to AFP, you can connect to Windows shares, and share to Windows computers, using the SMB (Server Message Block) protocol; the open-source SMB implementation that Apple uses is called "Samba." Beyond these, Apple also supports the legacy FTP (File Transfer Protocol) and NFS (Network File System) protocols. We will not cover FTP and NFS in this tutorial.

These protocols are accessible to and used on all IP-based networks, which include Airport, Ethernet, and FireWire (yes, it does more than just connect hard drives and camcorders). Therefore, if you have two computers connected via any one of these methods, and have them set up properly with an IP address, you should be able to share files between the computers. Most routers will automatically set up the network for you, but if you don't have a router, enabling the ports in the Network system preferences and connecting the cables should set up self-assigned IP addresses that will work.

LAN versus WAN

Of the connectivity options, some will allow you to share over the Internet, and others are restricted to local networks (direct computer-to-computer connections). All options will allow local-network connections, but only Airport and Ethernet will allow you to connect from the Internet, though this may require you to have routing properly set up or the use of a Dynamic DNS option such as Apple's Back to My Mac. While FireWire networking is fast, it is limited to local networks so you will only be able to use it if you connect two Macs.

In addition, if you use multiple connections keep in mind that OS X will prioritize them based on the service order in the Network system preferences. Therefore, if you have both Ethernet and FireWire connected and set up to use, and have Ethernet above FireWire in the Network system preferences, OS X will establish the connection using Ethernet and not FireWire when using automatic network detection. Therefore, setting service order in the Network system preferences may be needed if you've got more than one connection being used. This can be beneficial if, for example, you're attempting to connect directly using fast gigabit Ethernet instead of your default (and slower) Wi-Fi connection.


The setup

OS X comes set up to give local accounts complete access to the system via the network. Permissions and share points are automatically set so every user's home folder, their public folders, and the root of the drive are all shared. The system then restricts access to these shares based on account type. While there are ways to change this default behavior, we don't recommend doing so unless there are specific reasons.

So let's first enable file sharing.

All file sharing is set up and managed completely in the "Sharing" system preferences pane, which is a much simpler approach than the multiple locations that had to be accessed in the classic Mac OS. In this pane all you need to do is check the "File Sharing" option, and the default AFP-based file sharing will be enabled. For Windows sharing or FTP access, click the "Options" button and check the corresponding protocol you wish. If you enable the SMB protocol, you will need to specify which local accounts will have access to this system from Windows machines.

With the "File Sharing" option selected, you have two columns for setting up share points. These are the folder list for all the share points, and the corresponding user access settings for each share point. That's all you need to set up shared files and folders for yourself, other accounts on the system, guests, and other people you specify. By default you already have access to all the folders on your system if you're an administrator, but for ease of access you can select any folder to share directly.

Let's now set up a shared folder.

The first thing you'll need is the folder to share, so if you don't have one picked out, create one on your desktop (or any location of your choosing) called "Shared Stuff", then follow these steps:

  1. In the "File Sharing" system preferences, click the "+" button under the folder list.
  2. Navigate to the "Shared Stuff" folder, highlight it, and click "Select", which will add it to the "Shared Folders" list.
    NOTE: Optionally, you can just drag the "Shared Stuff" folder to the "Shared Folders" list.
  3. Highlighting the folder in the list will show the user access permissions for that folder, which you can change. Keep in mind that these access permissions are the same permissions as when you use the "Get info" window in the Finder since OS X uses the same permissions for both local and network access to resources. Therefore, if you change them in the Finder they should appear in the "Shared" settings, and vice versa. Use the drop-down menu for the four available options: Read, Write, Read and Write, and No Access.

A little about permissions

OS X is based around user accounts and permissions restrictions. That is how account functionality is defined, and how you prevent and grant access to network share points. It's all in the permissions, so let's take a look at them and what they mean.

In Unix-based systems, for every file or folder there are three primary attributes: Owner, Group, and Everyone (Everyone else). The owner is the account that created the item, the group is the group of accounts that are associated with the file, and the everyone category is all others. These attributes can be changed, and you can add more than one individual user or group to a file or folder; however, by default only the first three are defined.

By giving combinations of "Read" and "Write" permissions to users and groups, OS X can control access to a particular resource. As they are presented, the options given to OS X users are rather limited, and are based on older "POSIX" permissions. In reality, permissions can be much more complex, since OS X supports the modern Access Control List (ACL) method of permissions, which can grant or deny a variety of permutations of access settings such as folder creation, file creation, ownership, file deletion, and permissions inheritance. These attributes make ACLs much more complex than POSIX permissions, but by default OS X limits user access to the features that ACLs have to offer.

Who is "Everyone"?

As we mentioned above, the Everyone group is anybody who is not defined either by the owner or the group, or any other person in the permissions list (the list can be expanded). Technically, "Everyone" should be "Everyone Else" or "All Others", but for some reason Apple has kept "Everyone" as the notation for this group. This group is important for restricting access to people who do not have user accounts, and while it encompasses more than the guest users, it does include them and can be seen as the way to regulate guest access to a share point.

Now that you have the "Shared Stuff" folder shared, let's customize who has access to this folder. By default you should have at least your name and "Everyone" listed in the "Users" list, but you may also have a group or "Unknown User" listed as well. Unknown users are generally accounts that have been disabled or removed at some point, and these entries can be removed from shared resources without any problems (as long as your name is associated with the file and you have read and write access to it, you will be able to access it). You will not be able to remove your name (the owner) and "Everyone" from the share point.

For now, on the "Shared Stuff" folder let's simplify things by removing all users except for your name and "Everyone", and then give yourself "Read & Write" access and "No Access" for the "Everyone" group. With this setup only you will be able to access the shared folder, and all others will be denied access. This is a good starting point for all shared folders you set up, because it ensures that you specify exactly who has access to the folder, instead of having to worry about which accounts may be members of a specific group, and whether or not random people can write files to your drive (i.e., wondering who "Everyone" is). You've enabled access to this folder via the network, but you and only you have access to it.


Sharing with other people

Now let's look at the options for sharing the folder with other people. There are two categories of "other" people in OS X: The first is other locally defined non-guest accounts on the system, and the second is the guest account, which can be accessed without authentication.

Guest accounts are "Sharing only" accounts unless you specify otherwise, which means they cannot log into the system and manage files and folders. You can enable local log-in for guest accounts so they can create files (which will be deleted upon log out) and have a temporary working environment, but we will not be doing that here. Instead, for now the guest account is open to anyone who can see your computer, but is highly restricted.

Despite the limitations, guests can write to your system but only to the "Drop Box" folder in any active account's "Public" folder. This can be changed in the Sharing system preferences by removing your public folder from the sharing list, or optionally by changing the permissions on the "Drop Box" folder in the Finder (using the Everyone permissions options). If you do not want guests to be able to write files to your system (even in known locations), be sure to change this behavior for every local account on your system. Beyond this, however, by default guests cannot write to any part of your system.
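Because the "Everyone" setting on a share point and the guest-writable "Drop Box" are both ordinary POSIX mode bits, they can be audited from Terminal. The script below is an added example, not part of the original tutorial: the folder layout is constructed, the function names are hypothetical, and ACL entries are not evaluated.

```shell
#!/bin/sh
# Added example (not from the article): audit what "Everyone" can do on
# shared folders, using the POSIX mode bits the Sharing pane edits.
# ACL entries (shown by ls -le on OS X) are not evaluated here.

# Print the article's label for the "Everyone" (other) class on folder $1.
everyone_access() {
    # ls -ld prints e.g. "drwx-wx-wx"; characters 8-9 are other-read/write.
    bits=$(ls -ld "$1" | cut -c8-9)
    case "$bits" in
        rw) echo "Read and Write" ;;
        r-) echo "Read" ;;
        -w) echo "Write" ;;
        --) echo "No Access" ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# List every folder under $1 that Everyone (guests included) can write to.
everyone_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Build a constructed layout mirroring the article: a Public folder with a
# Drop Box, plus the locked-down "Shared Stuff" folder. Prints its root.
make_demo_tree() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/sharedemo.XXXXXX") || return 1
    mkdir -p "$root/Public/Drop Box" "$root/Shared Stuff"
    chmod 755 "$root" "$root/Public"      # Everyone: Read
    chmod 733 "$root/Public/Drop Box"     # Everyone: Write (drop-only)
    chmod 700 "$root/Shared Stuff"        # Everyone: No Access
    echo "$root"
}

demo=$(make_demo_tree)
for d in "$demo/Public" "$demo/Public/Drop Box" "$demo/Shared Stuff"; do
    printf '%-15s %s\n' "$(everyone_access "$d")" "${d#"$demo"/}"
done
echo "Writable by Everyone:"
everyone_writable_dirs "$demo"
rm -rf "$demo"
```

Pointing `everyone_writable_dirs` at a real home folder or share point lists every location where guests could drop files.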

In OS X, you have the option to create multiple "Sharing Only" accounts similar to the guest account, so you can specify different permissions for some people while still keeping the guest account restricted. This is convenient if you want one person you know to have access to a folder on your disk from their computer, but not allow that person to have a full local account on the system. It also allows you to give different people different passwords for network access instead of relying on the same guest account and having them all have access to the same folders. Here's where customization can be fun and convenient.

Let's now add a "Sharing only" account.

To add multiple users to a share point, click the "+" button below the "Users" list. This will present a list of available users from a variety of resources. If you are a member of an Open Directory Domain, you will see "Network Users/Groups" available in this list, and you will also see all the contacts from your address book and local users and groups available. These options are all user directory databases that hold information you can use to create "Sharing only" accounts for use with share points. If you have a contact available, you can select it and then click the "Select" button (or you can click "New Person"). Providing a password will then give that person a "Sharing only" account, which they can use to log into your computer from the network and access any shared folders you've specified for that account (in this case, the "Shared Stuff" folder).

Keep in mind that "Sharing only" accounts will only have access to the computer via AFP (only from another Mac); Windows sharing currently does not support log-ins from these accounts. Additionally, once you create a new sharing account, be it from an existing contact or by clicking the New Person button, you will add a new local account to your system that will show up in the "Accounts" system preferences as "Sharing only". Like any local account (Sharing only or otherwise), you will need to use the Accounts system preferences to remove it once it's been created.


Logging in

Now that you've got your shared folder set up, you can log into your system to access the folder from another computer on the network. On a Mac running Leopard, your system should appear in the Finder sidebar, or in the network browser by clicking the More button on the sidebar (if available). Select the computer, and by default the current system will try to log in using the current user account. If the credentials are correct, then it will work, but if not it will revert to the guest account. You can change credentials by clicking "Connect As" and providing new credentials in the log-in dialog box. This is how Sharing only users will log in to your system.

On OS X 10.4 "Tiger" systems, you will need to go to the Network browser at the root of your drive, and find your shared system. Then select it and click the Connect button to change credentials.

There may be times when the automatic discovery of computers on the network doesn't work properly, and you will need to specify an address. This is also true when a computer is not on your current network, and you need to connect by using the URL or IP address of the computer. In these cases, you will need to use the Finder's "Connect to Server..." option that's available in the "Go" menu. In the resulting window you can enter the full address of the computer you are trying to connect to, as follows:

For connecting to Macs:

afp://computer

For connecting to Windows:

smb://computer

The "Connect to Server" window is more versatile than it appears, and will allow you to specify a variety of protocols to connect with, including "VNC" (screen sharing) and "FTP" (for connecting to any FTP server), as well as those mentioned above. You can also choose to store favorite server addresses in the list, or easily access recently specified servers using the clock menu next to the address field.

For logging in to your Mac from Windows machines (remember, only local accounts can do this, and not Sharing only accounts), try to find your machine in the Windows network browser or optionally open a folder in Windows and in the address bar enter "\\computer".

In all of these addresses, "computer" is either the local computer name (found at the top of the "Sharing" system preferences), the complete fully qualified domain name URL for the server, or the computer's IP address (found in the "Network" system preferences). Pressing enter should prompt you for a log-in and password.
