
Share an iPhoto Library in Tiger Using ACLs

ACLs (Access Control Lists) are a new form of permissions added to the Apple OSX Tiger operating system (10.4), providing more control over the various permissions affecting a file or directory. I first heard of this new feature in John Siracusa’s review of Tiger, which gives an excellent overview of the subject.

Seamless Sharing

ACLs solve the limitations inherent in the user/group model of Unix permissions: individual users and groups can each be given independent access to a particular directory or file. Although this is primarily a feature for sysadmins, it is also useful for the layman. For instance, a user can seamlessly share an iPhoto library with other users—each now with unfettered access to photos and associated metadata.

The Traditional Solution

Sharing your iPhoto library previously involved the following:

  1. Move the iPhoto library to a public area, like /Users/Shared

  2. Change the “default” location of the library, ~/Pictures/iPhoto Library, to an alias (a symbolic link) that “points” to /Users/Shared/Pictures/iPhoto Library.

  3. Change the permissions of this new shared directory so that all can read and write to the directory and all files contained in it.

The Problem

There are problems with this approach. Changing file permissions so that everyone can “read” and “write” to this shared library only partially solves the problem, because any file or directory one user adds later is created with that user’s ownership and default permissions, so the other users cannot change or modify it. For example, were I to add a collection of photos, my wife might be able to “see” them, but she would not be able to manipulate them.

(Obviously in some/most situations, this is exactly the desired effect.) ;-)

The Solution With ACLs

Access Control Lists make this easy. Let us assume two users—a husband and wife—want to both share the same iPhoto library. Their usernames (the account “short name”) are trent and megan, respectively. Here’s how it is done.

  1. Enable ACLs on your computer. In a Terminal window, type: sudo /usr/sbin/fsaclctl -p / -e. Verify that ACLs are now enabled by typing: sudo fsaclctl -p /

  2. Move the iPhoto Library to /Users/Shared/Pictures.

  3. Create a symbolic link (alias) from both user directories to the new shared directory. The symbolic link should be the default location of the iPhoto library (~/Pictures/iPhoto Library).

  4. For each user (in our case, trent and megan), add the following Access Control Entry to /Users/Shared/Pictures by opening Terminal and typing the following command, all on one line (if it wraps when you copy it, remove the line breaks before pasting into Terminal):

    sudo chmod -R +a "megan allow read,write,append,delete,list,search,add_subdirectory,delete_child,file_inherit,directory_inherit" /Users/Shared/Pictures/iPhoto\ Library

  Repeat the command with trent in place of megan.

And you’re done.

Additional Notes

Obviously step #4 is the crux. This command adds an Access Control Entry (ACE) to the ACL of each file and directory within our new iPhoto Library. The grammar for an ACE is simple: “entity allow/deny permission”. “megan allow read” grants megan permission to “read” the file/directory to which the ACE is applied. For further details, read Grokking Darwin ACLs. In our case, we are giving every possible permission to our respective users to share the iPhoto library.

A careful reader of the above article will notice that I apply the ACE recursively (chmod -R) to the entire file structure under the shared iPhoto library, both directories and files. Each entry in an ACL, however, includes permissions intended “only” for files, and some intended “only” for directories. For example, the “read” permission in an ACL is intended only for files, and “add_subdirectory” intended only for directories. The chmod command is smart, however, and “translates” (or ignores) the various permissions dependent on whether it is a file or directory.

Why Won’t It Work With iTunes?

I have tried this above technique on an iTunes library as well, but to no avail. Enabling and adding ACL’s on an iTunes library does not have the intended effect. My guess is that, due to the pressure brought to bear on Apple by the music industry, Apple has wired iTunes to ignore ACL’s, as I could envision their use to facilitate illegal music file sharing.

I’d be surprised if there was any special logic in place for iTunes. The first rule of debugging problems like this is to keep in mind that all things being equal, it’s more likely that the user made a mistake setting permissions.

Remember, the default unix permission bits for the “Music” directory are:

    gyrfalcon:~$ ls -ld Music
    drwx------  6 peterb peterb 204 Jun 11 10:53 Music

Setting ACLs on a lower level directory won’t necessarily help if the user can’t walk the directory tree to get there.

I haven’t tried this myself, so I can’t be sure. But I’d still bet money on a simple permissions mistake.

Posted by: peterb at July 10, 2005 12:10 PM
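As an added example (not code from the post or from any of the commenters), here is a small Python checker for two points raised above: the ACE grammar and the fact that chmod treats the file-form and directory-form permission names as the same bits, and peterb’s warning that an ACE on a lower directory is useless if the user cannot traverse the directories above it. It parses a listing in the `ls -le` format quoted later in the thread, then reports whether a user can reach and write a path under both the ACL and the POSIX mode bits. The listing, users, paths and dates are constructed for the example; the evaluation order (ACL first, mode bits only for bits the ACL does not mention) is a simplification of what Darwin does, and attribute/security bits are not modelled.

```python
import re

# `ls -le` prints directory-form permission names on directories and file-form
# names on files, but each pair is the same bit in the kernel, so everything is
# normalised to the file-form name (underscores dropped, since the Tiger listing
# quoted in the comments prints the names without them).
DIR_TO_FILE = {"list": "read", "addfile": "write",
               "addsubdirectory": "append", "search": "execute"}
INHERIT_FLAGS = {"fileinherit", "directoryinherit", "limitinherit", "onlyinherit", "inherited"}
MODE_BIT = {"read": "r", "write": "w", "append": "w", "execute": "x"}  # POSIX fallback

ENTRY_RE = re.compile(r"^([-dl])([rwxsStT-]{9})\s*\+?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
                      r"[A-Za-z]{3}\s+\d+\s+[\d:]+\s+(.+)$")
ACE_RE = re.compile(r"^\s*\d+:\s*(user|group):(\S+)\s+(allow|deny)\s+(\S+)$")

def canon(perm):
    """Map any spelling of a permission name to its file-form name."""
    p = perm.replace("_", "")
    return DIR_TO_FILE.get(p, p)

def parse_ls_le(text):
    """Return {path: entry}; ACE lines attach to the entry line before them."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kind, mode, owner, group, name = m.groups()
            current = {"is_dir": kind == "d", "mode": mode, "owner": owner,
                       "group": group, "aces": []}
            entries[name.rstrip("/")] = current
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            kind, who, verdict, perms = m.groups()
            names = {canon(p) for p in perms.split(",")}
            current["aces"].append({"kind": kind, "who": who, "allow": verdict == "allow",
                                    "perms": names - INHERIT_FLAGS,
                                    "inherit": names & INHERIT_FLAGS})
    return entries

def allowed(entry, user, groups, perm):
    """Simplified Darwin order: the first ACE that matches the caller and
    mentions the bit decides; bits the ACL is silent on fall back to the
    owner/group/other mode bits."""
    perm = canon(perm)
    for ace in entry["aces"]:
        matches = ((ace["kind"] == "user" and ace["who"] == user) or
                   (ace["kind"] == "group" and ace["who"] in groups))
        if matches and perm in ace["perms"]:
            return ace["allow"]
    bit = MODE_BIT.get(perm)
    if bit is None:
        raise ValueError(f"{perm} has no mode-bit fallback in this model")
    mode = entry["mode"]
    slot = (mode[0:3] if user == entry["owner"]
            else mode[3:6] if entry["group"] in groups else mode[6:9])
    # setuid/setgid/sticky letters in the third column still imply execute.
    return slot[2] in "xst" if bit == "x" else bit in slot

def inherit_flags(entry, user):
    """Inheritance flags carried by the user's own ACEs (what new children get)."""
    return {f for ace in entry["aces"]
            if ace["kind"] == "user" and ace["who"] == user for f in ace["inherit"]}

def can_edit(entries, user, groups, path):
    """Can `user` search every listed ancestor of `path` and write `path`?
    Returns (ok, reason) so the first blocking directory is named."""
    parts = path.split("/")
    for i in range(1, len(parts)):
        ancestor = "/".join(parts[:i]) or "/"
        if ancestor in entries and not allowed(entries[ancestor], user, groups, "search"):
            return False, f"cannot search {ancestor}"
    if path not in entries:
        return False, f"{path} is not in the listing"
    if not allowed(entries[path], user, groups, "write"):
        return False, f"no write permission on {path}"
    return True, "ok"

# Constructed sample, modelled on the `ls -le` output quoted in the comments;
# users, paths, sizes and dates are made up for the example.
LISTING = """\
drwxrwxrwt    7 root   wheel      238 Jan  7 22:00 /Users/Shared
drwxr-xr-x + 266 root   wheel     9044 Jan  7 22:09 /Users/Shared/iTunes Music
 0: user:user1 allow list,addfile,search,delete,addsubdirectory,deletechild,readattr,readextattr,readsecurity,fileinherit,directoryinherit
-rwxr-xr-x +   1 root   wheel  3362583 Sep 11 14:21 /Users/Shared/iTunes Music/10 S.O.S.m4a
 0: user:user1 allow read,write,execute,delete,append,readattr,readextattr,readsecurity
drwx------    6 peterb peterb     204 Jun 11 10:53 /Users/peterb/Music
drwxrwxrwx +  5 peterb peterb     170 Jun 11 10:53 /Users/peterb/Music/iTunes
 0: user:megan allow list,addfile,search,delete,addsubdirectory,deletechild,fileinherit,directoryinherit
"""

if __name__ == "__main__":
    entries = parse_ls_le(LISTING)
    for user, target in (("user1", "/Users/Shared/iTunes Music/10 S.O.S.m4a"),
                         ("nobody", "/Users/Shared/iTunes Music/10 S.O.S.m4a"),
                         ("megan", "/Users/peterb/Music/iTunes")):
        print(user, target, can_edit(entries, user, set(), target))
```

In the sample, megan holds a full ACE on /Users/peterb/Music/iTunes yet cannot edit anything in it, because the home Music directory above it is mode 700 and carries no ACE; that is exactly the case peterb describes. To use it on a real machine, paste the output of `ls -led` for each directory on the path (and `ls -le` for the files) into the listing.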

trent, this is nice!

After installing Tiger, I was on the same trail, even asking on discussion.apple.com about how to accomplish this.

my only question is: are these ACLs inherited? i.e. if user ‘trent’ creates a new album directory, does that new directory inherit the ACLs from its parent?

in case of normal permissions, this would not be the case (umasks…) is there such a thing as umasks for ACLs?

I will update my guide with a link to this cheers -captnswing

Posted by: captnswing at August 11, 2005 06:01 AM

me again. works perfectly with iTunes as well. This is a real good way to share the iLibraries among several users. About the only drawback I could find is that only one instance of iTunes can be running at the same time

Posted by: captnswing at August 11, 2005 11:28 AM

This sounds wonderful!

Just one question - How could these permission changes affect an account migration later on? So if I need to copy my home directory(ies) (with or without my wife's) will this cause problems on the new machine?

Ok - two questions - is this opening any security holes (other than the obvious one to the second user)?

Posted by: Kazman at September 14, 2005 05:34 AM

Fantastic hint, thanks. This hint does work with iTunes too, but only after I allowed group read/write on the iTunes folder.

I also found a GUI called Sandbox (http://www.mikey-san.net/sandbox/) which makes playing with ACLs a bit easier.

Posted by: Mike at September 15, 2005 07:51 AM

I found a link to this discussion via macosxhints.com. I have been using a similar solution to the “traditional” umask solution above for iTunes with 2 differences. I don’t use iPhoto as it still doesn't support Fuji RAW :(

First, the music folder is setgid so folders and files inside it inherit the group writable permissions. It is also on a linux server running afpd (netatalk).

    ls -al /mnt | grep music
    drwxrwsr-x 337 dan users 8192 Sep 14 21:25 music

Thus any user may add or delete albums and tracks from the repository.

Second, I am only sharing the iTunes music folder, not the iTunes Library file. This allows users to maintain their own playlists, ipods, ratings etc. If you try to use a shared Library file, only one user may have iTunes open at one time, which is a problem in my house.

The only crux with this solution, is that if one user imports an album to his library, the other users must also “add to library” that folder in order to access it via iTunes. Since users can delete or rename the files, the “keep music folder organized” can cause some confusion amongst the different libraries if, for example, one user changes the name of an artist or if one user deletes tracks from their library and selects “move files to trash”.

I intend to try out the ACL method as I imagine I could avoid the file deletion problem by omitting the “delete” and “delete_child” fields from the ACE.

Posted by: dan at September 16, 2005 12:40 PM

Very nice! I’ve been trying to find a good solution for this for a day now. A lot of the other ones have you changing umasks or even recursively changing owners when iPhoto starts…not real clean.

This is perfect and elegant. Why didn’t I know about ACL before? Where have I been? :)

Posted by: Rob Madole at September 21, 2005 07:13 AM

Seems like you could also use umask, though this ACL setting seems like a fine solution too.

For group read-write perms, in the Finder,

In Terminal type: “sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 2”

And, for file created in Terminal (bash), globally:

Put “umask 002” in /etc/profile (with no quotation marks)

-x

Posted by: matx at December 2, 2005 04:32 PM

I am just beginning to learn about permissions but want to try this. My girlfriend and I have wanted a “fix” to this issue and this looks like it is it. My question is why do I need step 3? Why can’t you just use the iTunes pref panel to set the path to the new library in /Users/Shared/Pictures?

Posted by: Lahz at December 5, 2005 10:32 AM

I used the approach on iTunes (placing the master Music directory at /Users/Shared/Music and creating symbolic links to it for each user’s Music directory). It works a treat. Perhaps it would work for Address Book and iCal as well … neater than having to use .Mac just to share information on the one machine.

Posted by: spin at December 28, 2005 08:46 AM

it works perfectly with iTunes, if I set the aliases to the 3 elements within the iTunes folder on Users/Shared, but it does not work if I link only /Users/Shared/iTunes. Very strange… iTunes reports that the folder is locked otherwise.

What worked for me:

  1. Move your iTunes folder to /Users/Shared
  2. do all of the above regarding ACLs on the folder /Users/Shared/iTunes
  3. Create aliases from the 3 elements in that folder (iTunes Music, and the xml files) and move them into the original iTunes folder, located in /Users/yourname/Music

Posted by: Matthias Isler at January 5, 2006 03:10 AM

I’m not having the same success as Matthias. I’m only trying to share the music folder (users want separate libraries, but share a single copy of the actual files), but am not having any luck with ACLs.

I have a /Users/Shared/iTunes Music folder with aliases from the correct spot in my user’s home directories. The folder is root:wheel with 755 permissions, so without ACLs, my user can’t do anything. I then added the ACLs as shown below. Now my user can manipulate the files from Terminal.

iTunes for both users are able to see and play the music, but they cannot edit the files. Could someone try this setup and see if they can edit the ID3 data on a file (change the album name or something) and see if it works? If not… what is stopping it?

    total 0
    drwxr-xr-x + 266 root wheel 9044 Jan 7 22:09 iTunes Music
     0: user:user1 allow list,addfile,search,delete,addsubdirectory,deletechild,readattr,readextattr,readsecurity,fileinherit,directoryinherit
     1: user:user2 allow list,addfile,search,delete,addsubdirectory,deletechild,readattr,readextattr,readsecurity,fileinherit,directoryinherit

    -rwxr-xr-x + 1 root wheel 3362583 Sep 11 14:21 10 S.O.S.m4a
     0: user:user1 allow read,write,execute,delete,append,readattr,readextattr,readsecurity
     1: user:user2 allow read,write,execute,delete,append,readattr,readextattr,readsecurity

Posted by: Amos at January 7, 2006 08:23 PM

Great tutorial, it works perfectly…but for one detail: now, it is impossible to have iPhoto opened in two sessions at the same time!

And I suppose the problem may happen as well with iTunes and that’s a big flaw. Nonetheless, very useful tutorial. :o)

Posted by: Eric Morand at January 10, 2006 07:26 PM

I have used your tweak with iPhoto 05, and it’s worked brilliantly. However, when installing the new ‘06 version, iPhoto wants to upgrade the library, but fails to do so because of a problem with permissions.

does anyone have a good idea of how to fix this? I would need either to revert the changes made following this guide, or, which would be better, some way of helping iPhoto to upgrade the library and still keep the ability to share the library between users.

thanks,

Posted by: Adam Nygren at January 22, 2006 10:32 AM

Managed to fix the problem mentioned above by simply copying the library to an external drive, then pointing iPhoto to use that folder as its library, after which the update went fine. However, some word on how to revert the ACL permissions would be of interest, i suppose.

Posted by: Adam Nygren at January 22, 2006 11:49 AM

to revert the ACL settings simply type “sudo chmod -R -a(…)” instead of “sudo chmod -R +a(…)”

Note the change between +/- a

That command erases the ACL entry or better said ACE.

Posted by: mactie at January 28, 2006 01:39 AM

I followed all of the steps for setting up the sharing Using ACLs putting my wife’s library into the shared users folder. When I’m logged in and open iPhoto, I get a message saying, “The main iPhoto Library folder you have selected appears to be locked or on a read-only CD” When I check the folders info, it does not indicate that it is locked. My wife’s iPhoto accesses the library fine. Where did I make a mistake?

Also, when I set up the sharing this way does that mean that my wife and I will have the same slideshows and albums in iPhoto?

Any help would be appreciated.

Kevin.

Posted by: kevin at February 5, 2006 10:46 AM

Kevin, You will have access to the same stuff in iPhoto if it works.

I have yet to experience the error you are receiving. I would double check how you have set permissions: are the ACL’s properly configured? Perhaps setting your directory and file perms to read, write, and execute for everyone might help (it certainly won’t hurt).

Posted by: Trent at February 6, 2006 04:37 PM

Thanks for getting back to me Trent.

I did as you said, setting the permissions correctly from my wife’s account. But then when I logged back in from my account, the settings reverted to read only.

Any ideas?

Posted by: Kevin at February 20, 2006 02:37 PM

I get invalid argument when I paste and run that. I have NO CLUE as to what any of that means, so it’s worthless to me.

Posted by: j at February 23, 2006 05:32 PM

j, take out the hard returns when you copy/paste that command line in. And, like, if you don’t know to do that, you probably shouldn’t be mucking about with perms. You can really fragg your system. Cheers.

Posted by: marcus at February 24, 2006 12:49 AM

Okay…

So, I’ve got my iTunes library working so that two user accounts can add new music to the library, and play music from the library. But ( and this is a big but ) is there any way to get the two user accounts’ iTunes to automatically synchronize?

Basically, I add music with account ‘A’ and it doesn’t automatically show up in account ‘B’s’ iTunes library. I have to manually import/add it to the library. Ideally I would like to see it automatically update on both accounts.

And if playlists could also be shared like that, it would be fab.

Posted by: Marcus at February 24, 2006 01:12 AM

I don’t know if the difference is I’m using iPhoto 6, but I fixed it in a much simpler way. All I did was move the library to the shared folder and modify permissions so that a group to which both my wife and I belong has read/write permission. Contrary to what you say, we can both modify photos that the other has added to the library.

Posted by: Tim at April 8, 2006 02:13 PM

I have followed the steps described in the tip and I keep getting the following error when I try to set the ACL for the iPhoto Library directory:

chmod: Failed to set ACL on file /Users/Shared/iPhoto Library: Operation not supported

Turning on ACLs worked fine so I am not sure why the actual setting of the permission is failing. The only thing different about my setup is that I have the Users directory as a separate drive from the drive the OS runs on. Are ACLs only being set for one of the volumes? Thanks for the help.

Posted by: Kenneth at April 12, 2006 11:25 PM

Kenneth, Does it work after you’ve added new photos? I think the problem may be that any new stuff you add has its group set to you - so every time you add something new you have to reset the group.

That’s my theory, anyone want to confirm?

Posted by: wolfywolfbits at April 22, 2006 10:37 PM

To Kevin, who had the problem with a “locked” library. It’s three months later, and maybe you worked out what was wrong, but if you have the iPhoto library open in another account, it’s locked and won’t let you open it in a second account.

So make sure iPhoto isn’t running in another account.

Posted by: Paul at May 14, 2006 09:39 AM

Kenneth, you have to enable ACLs for your external drive. For example:

sudo fsaclctl -p /Volumes/External/ -e

Posted by: Bob Lee at October 8, 2006 04:07 PM
