Shared file access location with write permission for all users on Mac

Hello,

We're developing an executable that will generate a file or folder in a shared place that all OS users may access.

Given that our executable may be launched by any Mac OS user, we were unable to locate a single directory with write rights for all OS users in which our executable might create a file or folder.

According to the documentation, /Library/ appears to be the location where application-specific (or system-specific) resources should be stored. However, when we looked at the folder's permissions, we saw that they don't have 766 rights for others. The number of rights was 755 (rwxt-xr-x). We can't use /users/ because we don't want to associate these files with a specific OS user.

https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW1

Questions:

(1) Is there a directory on the Mac with 766 rights (other than /tmp, /var/tmp/ or /users/<os user>/public) so that all OS users can read and write files and folders there?

(2) Why is the behaviour of /Library/ on the Mac different from the documentation?

Why wouldn't you create such a folder: /Library/Application Support/application_name

like this:

# Path contains a space, so every expansion must be quoted
_App_dir_name="/Library/Application Support/application_name"
/usr/bin/sudo mkdir -p "${_App_dir_name}"
# 2766: setgid on the directory, rwx for owner, rw for group and others
/usr/bin/sudo chmod 2766 "${_App_dir_name}"

This is the way many applications manage their globally used files. Look for example at:

/Library/Application Support/Apple/Photos/Print Products

Why is the behaviour of /Library on the Mac different from the documentation?

There’s a bunch of reasons but it basically boils down to:

  • /Library had wider permissions in the past.

  • The File System Programming Guide has not been updated recently (hence it being in the Documentation Archive).

Is there a directory on the MAC with 766 rights … so that all os users may access to read and write files and folders?

Well, not 766 but rather 777 (plus sticky), namely /Users/Shared:

% ls -ld /Users/Shared 
drwxrwxrwt  6 root  wheel  192 18 Jun 07:48 /Users/Shared

Having said that, I think that dazuelos has the right idea here. If your product supports the completely unmoderated exchange of data between users, you should require an admin user to set it up. Imagine your product is deployed in a managed environment, like a lab at a university. What sort of control will the site admin expect to have? And if you require a world-writable directory, what are the opportunities for abuse (petty vandalism, personal abuse, active attack on the system, and so on)?

IMO it’s better to create a daemon that ‘owns’ your data and have the client use IPC to instruct the daemon to modify it. That allows you to implement better access control features.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
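The two replies above describe two setups: an application directory created under /Library/Application Support with a fixed mode, and /Users/Shared, which is world-writable with the sticky bit (drwxrwxrwt) so that one user cannot delete or rename another user's files. The following shell functions are an added example, not code from either poster or from Apple: they create a shared directory with the /Users/Shared permission pattern (mode 1777) and audit any directory for the risky combination "world-writable without sticky bit", which is the case a site admin in a managed environment would want flagged. The directory path is an argument to each function; the functions are assumed to run with enough rights to create the directory (no sudo is included), and they parse the output of `ls -ld` so the same code works on macOS and Linux.

```shell
#!/bin/sh
# Added example (not from the thread): create a shared directory the way
# /Users/Shared is set up, and audit directories for world-writable
# permissions without the sticky bit. Paths are passed in by the caller.

# Print the 10-character permission string, e.g. drwxrwxrwt.
# ls is used instead of stat because stat's flags differ between macOS and Linux.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if "others" have write permission (character 9 of the string).
is_world_writable() {
    case "$(perm_string "$1")" in
        ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the sticky bit is set (character 10 is t or T).
has_sticky_bit() {
    case "$(perm_string "$1")" in
        ?????????[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a directory with the /Users/Shared pattern: every user can add files,
# but only a file's owner (or root) can delete or rename it.
create_shared_dir() {
    mkdir -p "$1" && chmod 1777 "$1"
}

# Classify a directory:
#   ok      - world-writable with sticky bit (the /Users/Shared pattern)
#   risky   - world-writable without sticky bit: any user can remove or
#             replace any other user's files
#   private - not world-writable
audit_shared_dir() {
    if is_world_writable "$1"; then
        if has_sticky_bit "$1"; then
            echo ok
        else
            echo risky
        fi
    else
        echo private
    fi
}

# Usage when run directly: audit the directories named on the command line.
for dir in "$@"; do
    printf '%s %s %s\n' "$(perm_string "$dir")" "$(audit_shared_dir "$dir")" "$dir"
done
```

Running it as `sh audit.sh /Users/Shared "/Library/Application Support/application_name"` prints the mode, the classification and the path for each directory, so a directory created with `chmod 2766` shows up as `risky` while /Users/Shared shows up as `ok`.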
