Share an iPhoto Library in Tiger Using ACLs
ACLs (Access Control Lists) are a new form of permissions added to the Apple OS X Tiger operating system (10.4), providing more control over the various permissions affecting a file or directory. I first heard of this new feature in John Siracusa’s review of Tiger, which gives an excellent overview of the subject.
Seamless Sharing
ACLs solve the limitations inherent in the user/group/world view of Unix permissions. Individual users and groups can each be given their own permissions on a particular directory or file. Although this tool is primarily a feature for sysadmins, it is also useful for the layman. For instance, a user can seamlessly share an iPhoto library with other users, each now with unfettered access to photos and associated metadata.
The Traditional Solution
Sharing your iPhoto library previously involved the following:
1. Move the iPhoto library to a public area, like /Users/Shared.
2. Change the “default” location of the library, ~/Pictures/iPhoto Library, to an alias (a symbolic link) that “points” to /Users/Shared/Pictures/iPhoto Library.
3. Change the permissions of this new shared directory so that all can read and write to the directory and all files contained in it.
The Problem
There are problems with this approach. Changing file permissions so that everyone can “read” and “write” to this shared library only partially solves the problem, for any additional file or directory added by a particular user cannot be changed or modified by any other user. For example, were I to add a collection of photos, my wife might be able to “see” them, but she would not be able to manipulate them.
(Obviously in some/most situations, this is exactly the desired effect.) ;-)
The Solution With ACLs
Access Control Lists make this easy. Let us assume two users—a husband and wife—want to both share the same iPhoto library. Their usernames (the account “short name”) are trent and megan, respectively. Here’s how it is done.
1. Enable ACLs on your computer. Type the following command in a Terminal window:
       sudo /usr/sbin/fsaclctl -p / -e
   Verify that ACLs are now enabled by typing:
       sudo fsaclctl -p /
2. Move the iPhoto Library to /Users/Shared/Pictures.
3. Create a symbolic link (alias) from both user directories to the new shared directory. The symbolic link should be the default location of the iPhoto library (~/Pictures/iPhoto Library).
4. For each user (in our case, trent and megan), add the following Access Control Entry to /Users/Shared/Pictures by opening Terminal and typing the following command (copy and paste to a text editor to remove line wrap characters before pasting to Terminal):
       sudo chmod -R +a "megan allow read,write,append,delete,list,search,add_subdirectory,delete_child,file_inherit,directory_inherit" /Users/Shared/Pictures/iPhoto\ Library
And you’re done.
Additional Notes
Obviously step #4 is the crux. This command adds an Access Control Entry (ACE) to the ACL for each file and directory within our new iPhoto Library. The grammar for an ACE is simple: “entity allow/deny permission”. “megan allow read” grants megan permission to “read” the file/directory to which the ACE is applied. For more details, read Grokking Darwin ACLs. In our case, we are giving every possible permission to our respective users to share the iPhoto library.
A careful reader of the above article will notice that I apply the ACE recursively (chmod -R) to the entire file structure under the shared iPhoto library, both directories and files. Each entry in an ACL, however, includes permissions intended “only” for files, and some intended “only” for directories. For example, the “read” permission in an ACL is intended only for files, and “add_subdirectory” intended only for directories. The chmod command is smart, however, and “translates” (or ignores) the various permissions dependent on whether it is a file or directory.
Why Won’t It Work With iTunes?
I have tried the above technique on an iTunes library as well, but to no avail. Enabling and adding ACLs on an iTunes library does not have the intended effect. My guess is that, due to the pressure brought to bear on Apple by the music industry, Apple has wired iTunes to ignore ACLs, as I could envision their use to facilitate illegal music file sharing.

I’d be surprised if there was any special logic in place for iTunes. The first rule of debugging problems like this is to keep in mind that all things being equal, it’s more likely that the user made a mistake setting permissions.
Remember, the default unix permission bits for the “Music” directory are:
gyrfalcon:~$ ls -ld Music
drwx------ 6 peterb peterb 204 Jun 11 10:53 Music
Setting ACLs on a lower level directory won’t necessarily help if the user can’t walk the directory tree to get there.
I haven’t tried this myself, so I can’t be sure. But I’d still bet money on a simple permissions mistake.
Posted by: peterb at July 10, 2005 12:10 PM
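
The directory-walk problem raised in the comment above can be checked mechanically. The shell function below is an added example, not part of the original post or of the comment; first_blocked_dir and others_can_search are hypothetical names, and only the classic "other" search bit is inspected, so a parent opened through a group bit or an ACL entry is still reported.

```shell
#!/bin/sh
# Added example, not from the original post or comment.
# Assumption: only the classic "other" search (x) bit is inspected; a group
# bit or an ACL entry granting search on a parent is not taken into account.

# Succeeds if users outside the owner and group can traverse directory $1.
others_can_search() {
    # Character 10 of the ls mode string is the "other" execute/search bit:
    # "x" or "t" means set, "-" or "T" means clear.
    bit=$(ls -ld -- "$1" | cut -c10)
    [ "$bit" = "x" ] || [ "$bit" = "t" ]
}

# first_blocked_dir PATH [ROOT]
# Walks from PATH up to ROOT (default /) and prints the directory closest to
# ROOT that others cannot search. Prints nothing when the whole chain is open.
first_blocked_dir() {
    dir=$1
    root=${2:-/}
    blocked=
    # For a file, start at its containing directory.
    [ -d "$dir" ] || dir=$(dirname "$dir")
    while :; do
        # Keep overwriting, so the last hit is the one nearest ROOT.
        others_can_search "$dir" || blocked=$dir
        [ "$dir" = "$root" ] && break
        parent=$(dirname "$dir")
        # dirname stops changing at / (or at . for a relative path).
        [ "$parent" = "$dir" ] && break
        dir=$parent
    done
    [ -n "$blocked" ] && printf '%s\n' "$blocked"
    return 0
}

# Usage, for the ~/Music case from the comment (path is an assumption):
# first_blocked_dir "$HOME/Music/iTunes"
```

Run it as the account that owns the library; an empty result means every directory on the path is searchable by other users according to its mode bits.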