Setting the umask for Individual Users | Apple Mac OS X Server

124

ÂThe following file (-) displays read, write, and executable permissions for owner (rwx), but no permissions for group (---) or others (---):

-rwx------

ÂThe following file (-) displays read and write, but no executable permissions for owner (rw-), group (rw-), and others (rw-):

-rw-rw-rw-

ÂThe following file (-) displays read, write, and executable permissions for owner (rwx), but only read and executable for group (r-x) and others (r-x):

-rwxr-xr-x

ÂThe following file (-) displays read, write, and executable permissions for owner (rwx), but only read for group (r--) and others (r--):

-rwxr--r--

See the ls man page for more information about viewing permissions.

Setting the umask for Individual Users

The global umask setting determines the permissions of new files and folders created by a local user.

$ sudo defaults write -g NSUmask -int value

Use one of the following values to set the permission level:

Value	Permission Level
63 (octal equivalent 077)	Only the user can read newly created files.

23 (octal equivalent 027)	User and members of the user’s default group can read newly
	created files.

18 (octal equivalent 022)	All users can read newly created files.

The default umask setting, 022, removes group and world write permissions, but allows group and world read permissions. With a umask setting of 027, files and folders created by a user will not be readable by every other user on the computer, but will still be readable by members of his assigned group. The owner of the file or folder can still make it accessible to others by changing the permissions in the Finder’s Get Info window or by using the chmod tool.

To set the NSUmask settings for all local users to octal 027 (decimal equivalent 23):

$ sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 23

Note: The path above refers to the .GlobalPreferences defaults domain, not to the file

.GlobalPreferences.plist, which might accidentally be filled in while using the shell autocomplete feature.

Chapter 8 Working with Users and Groups

Image 124

Apple Mac OS X Server Setting the umask for Individual Users, Use one of the following values to set the permission level

Contents

Mac OS X Server Apple Computer, Inc Apple Computer, Inc. All rights reserved Contents Installing Server Software Locating Computers for InstallationSpecifying the Target Computer Volume Preparing the Target Volume for a Clean Installation Setting Network Preferences Configuring Network InterfacesViewing or Changing Media Settings Managing Network Port Configurations Working with Disks and Volumes Mounting and Unmounting VolumesMounting Volumes Unmounting Volumes 141 Listing Connected Users 142 163 171 214 Apache Tomcat JBoss Server 215 MySQL Database Contents 265 Configuring the Active Directory Plug-In Glossary AppendixIndex Contents About This Guide Using This Guide Commands and Other Terminal TextCommand Parameters and Options Understanding Notation Conventions Default Settings Commands Requiring Root Privileges Install Mac OS X Server and set it up for the first time Create and manage users, groups, and computer lists. Set upThis guide Tells you how to Earlier versions of the server Manage directory and authentication services Set up and manage QuickTime streaming services This guide Tells you how to Executing Commands Opening Terminal Specifying Files and Folders Path string DescriptionTest.c file in the current folder Folder Redirecting Input and Output Modifying Flow ControlRedirect Description Using Environment Variables Following command in a Terminal window Executing Commands and Running Tools Correcting Typing Errors Repeating CommandsIncluding Paths Using Drag and Drop Searching for Text Within a File An example of a configured crontab file Terminating CommandsScheduling Tasks Viewing Command Information Sending Commands to a Remote ComputerTo access a man $ hdiutil help $ dig -h $ diff --help Executing Commands Understanding Secure Shell How SSH Works Password-Less Logins Using SSH Keys Updating SSH Key Fingerprints What is an SSH Man-in-the-Middle Attack? Controlling Access to SSH Service Connecting to a Remote Computer Using SSHTo access a remote computer using ssh You’re prompted for the user’s password Using Telnet To enable Telnet accessTo disable Telnet access To access a remote computer using telnet Installing Server Software To use installer to install Mac OS X Server software Locating Computers for Installation Specifying the Target Computer Volume Preparing the Target Volume for a Clean InstallationTo list volumes available for server software To list computers on the local network Installing from Multiple CDs Automating Server SetupRestarting After Installation Creating a Configuration File To save a configuration file during server setup Installing Server Software and Finishing Basic Setup Working with an Encrypted Configuration File Customizing a Configuration FileTo provide a passphrase in a file To provide a passphrase interactively Sample Configuration File Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Configuring the Server Remotely from the Command Line Storing a Configuration File in an Accessible Location Using the serversetup Tool Changing Server SettingsUsing the serveradmin Tool Viewing, Validating, and Setting the Software Serial Number General and Network PreferencesTo display the server’s software serial number To set the server software serial number To check for available updates To install an updateUpdating Server Software To validate a server software serial number Moving a Server Installing Server Software and Finishing Basic Setup Restarting a Computer Automatic RestartTo restart the local computer To restart a remote computer immediately Shutting Down a Computer Changing a Remote Computer’s Startup DiskManipulating Open Firmware Nvram Variables Monitoring and Restarting Critical Services Folder Usage Restarting or Shutting Down a Computer Viewing or Changing the Computer Name Viewing or Changing the Date and TimeTo display the computer name To change the computer name Viewing or Changing the System Date Viewing or Changing the System TimeViewing or Changing the System Time Zone Viewing or Changing Network Time Server Usage Viewing or Changing Sleep Settings Viewing or Changing the Energy Saver SettingsViewing or Changing Automatic Restart Settings Changing the Power Management Settings Viewing or Changing the Startup Disk Settings Viewing or Changing the Sharing Settings Viewing or Changing the International SettingsViewing or Changing Remote Login Settings Viewing or Changing Apple Event Response Disables the buttons and 1 enables the buttons Viewing and Changing the Login SettingsTo view the current setting Setting Network Preferences Configuring Network Interfaces Viewing Port Names and Hardware Addresses Managing Network Interface InformationViewing or Changing MTU Values Managing Network Port Configurations Viewing or Changing Media SettingsCreating or Deleting Port Configurations Activating Port Configurations To change the order of the port configurations Managing TCP/IP SettingsChanging a Server’s IP Address Run the changeip tool To change a server’s IP addressTo change the IP address of a standalone server To list TCP/IP settings for a configuration To view TCP/IP settings for port en0To view TCP/IP settings for a particular port or device To change TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Working with VLANs Enabling TCP/IPIeee 802.3ad Ethernet Link Aggregation Configuring a Network Interface Configuring Ethernet Link Aggregation Managing AppleTalk Settings Managing Snmp Settings Installing Snmp Open the /etc/hostconfig file Locate the lineStarting Snmp Immediately above it, add this line Configuring Snmp To start the snmp agent manuallyTo identify the process id To stop snmpd Collecting Snmp Information from the Host To view the snmp.conf fileTo start snmpd, execute this as root Other options in the menu you were working in are Managing Proxy Settings Viewing or Changing FTP Proxy Settings Viewing or Changing Web Proxy Settings Viewing or Changing Secure Web Proxy SettingsViewing or Changing Streaming Proxy Settings Viewing or Changing Gopher Proxy Settings Viewing or Changing Socks Firewall Proxy Settings Managing AirPort SettingsViewing or Changing Proxy Bypass Domains Computer Name Managing the Computer, Host, and Bonjour NamesHostname Managing Preference Files and the Configuration Daemon Command displays 0 if the name was changedBonjour Name To display the server’s Bonjour name To set the hostname of a system Changing Network LocationsTo get the hostname of a system To view the current locations This example, the network location will switch to AirPortComputer will respond with output similar to the following Mounting and Unmounting Volumes Understanding Disks, Partitions, and the File System Mounting Volumes Unmounting VolumesTo unmount a volume To view a list of currently mounted file systems To enable diskspacemonitor Displaying Disk InformationMonitoring Disk Space To display disk information Reclaiming Disk Space Using Log-Rolling Scripts Erasing, Modifying, Verifying, and Repairing Disks To mount a drive To get mount info about a partitionTo erase and repartition a disk To format a Mac OS Extended volume as case-sensitive HFS+ Command DescriptionPartitioning and Formatting Disks Partitioning a Disk Checking for Disk Problems Labeling a DiskFormatting a Disk To fomat a disk Checking to See If Journaling is Enabled Enabling Journaling for an Existing VolumeTo see if journaling is enabled To enable journaling Enabling Journaling When You Erase a Disk Understanding Spotlight TechnologyDisabling Journaling Enabling and Disabling Spotlight To enable Spotlight on your server Performing Spotlight SearchesRestart your server To view the metadata of a file Managing RAID Volumes Controlling Spotlight Indexing To image a boot volume Imaging and Cloning Volumes Using ASRTo repair a failed mirror To restore a volume from an image Working with Users and Groups Understanding Accounts Administering and Creating Accounts Creating a Local Administrator User Account for a ServerTo create a local administrator user account To create an local administrator user with a specific UID Creating a Domain Administrator User Account To create a domain administrator user account Checking a User’s Administrator Privileges Creating a Nonadministrator User AccountTo find the Guid of the administrator user To see if a user is a server administrator Specify the user ID, replacing 1234 with the new user’s ID 102 Retreiving a User’s Guid Removing a User AccountTo retrieve a user’s Guid Review the Guid for a particular user Disable the user account by entering the following command Revoking a User’s Right to Access His or Her AccountTo prevent a user from logging To reenable a user account that is disabled To terminate all of a user’s processes Checking a Server User’s Name, UID, or Password To change a user account attribute to a new value Modifying a User AccountAttribute Description Creating a Mobile User Account To create a mobile account Managing Home Folders To flush the cacheCreating a User’s Home Folder To create a home folder for a particular user Administering Group Accounts To create a home folder for users in the local domainMounting a User’s Home Folder To mount a user’s shared home directory on an AFP server Creating a Group Account To add a group account Removing a Group Account You can remove group accounts by using the dscl toolTo remove a group account Adding a User to a Group You can add users to a group using the dscl toolTo add a user to a group Removing a User from a Group You can remove users from a group by using the dscl toolTo remove a user from a group Review the new settings of the group To create a nested group Creating and Deleting Nested GroupTo verify a nested group Editing Group Records To unnest a groupTo display the information about a particular group To delete a group Viewing the Workgroup a User Selects at Login Creating a Group FolderTo create a group folder See the CreateGroupFolder man page for more information Importing Users and Groups To import users and groups Writing a Record Description Creating a Character-Delimited User Import FileNumber of attributes in each account record 121 Using the StandardGroupRecord Shorthand Using the StandardUserRecord ShorthandAn example user account looks like this Some examples of permission settings Setting PermissionsViewing Permissions Setting the umask for Individual Users Use one of the following values to set the permission level Use the chmod tool to change permissions for an item Changing PermissionsSee the chmod man page for more information Securing System Accounts Changing the OwnerChanging the Group Securing Initial System Accounts To disable root login Enter the root password when promptedSecuring the Root Account Restricting Use of the sudo Tool Securing Single-User Boot To set the Open Firmware password for increased security Setting Password PolicyComputer should restart and display the login window To change a user’s password To view the global password policyTo set the minimum password length to 5 characters To set a more secure global password policy Access the help prompt and enter the command name Finding User Account InformationSee the pwpolicy man page for more information To query for a user by name 132 Working with File Services Managing Share Points Listing Share Points Creating a Share PointTo list existing share points To create a share point To change share point settings Modifying a Share Point Managing the AFP Service Starting and Stopping AFP ServiceChecking AFP Service Status Viewing AFP Settings Changing AFP Settings List of AFP SettingsTo change a setting To change several settings Allow an administrator user to masquerade as another user Authentication mode. Can beWhether the AFP service should restart automatically when Location of the error log Record user logins in the activity log Login greeting messageLast time the login greeting was set or updated Default = -1unlimited List of AFP serveradmin Commands To list connected users Listing Connected UsersValue returned by getConnectedUsers Disconnecting AFP Users Sending a Message to AFP UsersTo send a message To disconnect users Canceling a User Disconnect To cancel a user disconnectComputer will repond with the following output Value Description To list service statistic samples Listing AFP Service StatisticsComputer will respond with the following output Viewing AFP Log Files To view the latest entries in a logTo display the log paths Value displayed by Managing the NFS Service Starting and Stopping NFS ServiceChecking NFS Service Status Viewing NFS Service Settings Managing the FTP Service Starting FTP ServiceStopping FTP Service Checking FTP Service Status List of FTP Service Settings Changing FTP Service SettingsParameter ftp Description Directory in which the FTP content is stored Displays a banner message that appears whenPrompted to log in to the FTP. Customize to your Own preferences Viewing the FTP Transfer Log List of FTP serveradmin CommandsChecking for Connected FTP Users Managing the SMB/CIFS Service Starting and Stopping SMB/CIFS ServiceChecking SMB/CIFS Service Status Viewing SMB/CIFS Service Settings List of SMB/CIFS Service Settings Changing SMB/CIFS Service SettingsParameter smb Description Browser service. Can be set to Advanced pane of Windows service settings in the ServerLow errors and warnings only Medium service start and stop, authentication failures Server’s NetBIOS name. Can be set to a maximum Pane of the Windows service settings in the Server AdminWindows service settings in the Server Admin This corresponds to the Wins Registration Off and Enable List of SMB/CIFS serveradmin Commands Listing SMB/CIFS Users Disconnecting SMB/CIFS Users Listing SMB/CIFS Service StatisticsTo list SMB/CIFS connections Computer responds with the following output Viewing SMB/CIFS Service Logs Location of the SMB service logLocation of the name service log Managing ACLs Using chmod to Modify ACLs Following are the permissions applicable to foldersTo grant a user write permission for a file To deny a guest read permission for a file To view the ACL of a file Output should look like the following 160 Working with the Print Service Understanding the Print Process Performing Print Service Tasks Starting and Stopping Print ServiceTo start print service To stop print service Viewing Print Service Settings Checking the Status of Print ServiceChanging Print Service Settings Print Service Settings Parameter print Description Queue Data Array Parameter printDescription Command printcommand= Description Managing the Print ServiceFollowing is an example of a queue array parameter block Pausing a Queue Listing QueuesListing Jobs and Job Information To pause a queue To hold a job Holding a JobTo release the job Viewing Cover Pages Viewing Print Service Log FilesTo obtain a list of available cover pages 170 Understanding the NetBoot Service Starting and Stopping NetBoot ServiceTo start NetBoot service To stop NetBoot service Viewing NetBoot Settings Checking NetBoot Service StatusChanging NetBoot Settings Changing General Netboot Service Settings Volume parameter arrayParameter netboot Description Storage Record Array Filters Record Array Image Record Array To enable NetBoot Enabling NetBoot 1.0 for Older NetBoot ClientsPort Record Array Booting from an Image Using hdiutil to Work with System ImagesWorking with System Images Updating an Image Using asr to Restore System Images Imaging Multiple Clients Using Multicast asr Choosing a Boot Device Using systemsetup To configure a client to receive a multicast stream Understanding the Mail Service Postfix Agent Cyrus Mailman Managing the Mail Service Starting and Stopping Mail ServiceChecking the Status of Mail Service Viewing Mail Service Settings Mail Service Settings Parameter mail Description Default = 500s Default = 1sDefault = domain Default = += Default = 0s Default = postfixDefault = 1000s Default = -=+ Default = flock Default = flushDefault = 60s Default = postdrop Default = 10s Default = /usr/binDefault = mail Default = none Default = smtp Default = 7dDefault = qmgr Default = fcntl Default = error Default = showqDefault = 5d Default = host Default = incoming Default = activeDefault = deferred Default = bounce Default = virtual Default = $homeDefault = rewrite Default = 600s Default = 30s Default = hashDefault = Default Default = c Default = cyrus Default = auxprop 193 Listing Mail Service Statistics Mail serveradmin CommandsTo list samples Viewing the Mail Service Logs Default = srvr.logTo display the log locations Location of the server log Backing Up the Mail Files Reconstructing the Mail Database Generating a CSR and Creating a Keychain Setting Up SSL for Mail ServiceEnter a key size at the next prompt, and then press Return 199 Accessing the Server Certificates Obtaining an SSL CertificateImporting an SSL Certificate into the Keychain To import an SSL certificate into the keychain Creating a Password File See the certadmin man page for more informationTo create a password file To list the certificates stored in the System keychain Configuring Mailboxes Enabling Sieve Scripting To enable Sieve support Reload the mail serviceEnabling Sieve Support Sample Sieve Scripts Self-Defined Forwarding Script Basic Sort and Anti-Junk Mail Filter Script Sieve Scripting Resources 206 Understanding Web Technology Files Location Managing the Web Service Starting and Stopping Web ServiceChecking Web Service Status Viewing Web Settings Serveradmin and Apache Settings Changing Web SettingsChanging Settings Using serveradmin Web serveradmin Commands Viewing Service LogsViewing Service Statistics Listing Hosted Sites Value you want to display. Valid values V1-Number of requests per secondV2-Throughput bytes/sec V3-Cache requests per second Addsite File Example Script for Adding a WebsiteAddsite.in File Tuning the Server Performance To run the script Working with Application Servers and Java Apache TomcatJBoss Server To start Apache Tomcat To install the default database MySQL DatabaseTo start JBoss, enter the following To stop JBoss, enter the following To set the root password To create a databaseTo set the network option To start mysqld Working with Network Services Managing Network Services Managing the Dhcp Service Starting and Stopping Dhcp ServiceChecking the Status of Dhcp Service Viewing Dhcp Service Settings Changing Dhcp Service Settings Dhcp Service SettingsTo see a list of available service settings To change a single Dhcp setting About Subnet IDs Dhcp Subnet Settings ArraySubnet Parameter General pane of the subnet settings in the Server Not set defaultWins pane of the subnet settings in the Server Lease time in seconds Corresponds to the NetBIOS Scope ID field in the Wins Adding a Dhcp SubnetTo add a subnet Domain name such as apple.com To add a static map Adding a Dhcp Static MapAbout Static Map IDs List of Dhcp serveradmin Commands Viewing the Dhcp Service LogCommand Dhcpcommand=Description Determine the location of the Dhcp service logs Managing the DNS Service Starting and Stopping the DNS ServiceChecking the Status of DNS Service Viewing DNS Service Settings Changing DNS Service Settings DNS Service SettingsList of DNS serveradmin Commands Viewing the DNS Service Log Configuring IP Forwarding Managing the Firewall Service Starting and Stopping Firewall Service Checking the Status of Firewall ServiceViewing Firewall Service Settings Firewall Startup Firewall Service Settings Changing Firewall Service SettingsParameter ipfilter Description Ipfilter Groups with Rules Array Defining Firewall RulesAdding Rules by Modifying ipfw.conf Unmodified ipfw.conf file Adding Rules Using serveradmin Ping cracker.evil.org to determine its IP addressTo add a rule An example of this would be similar to the following Firewall serveradmin Commands Ipfilter Rules Array Managing the NAT Service Viewing Firewall Service LogUsing Firewall Service to Simulate Network Activity Location of the ipfilter service log Starting and Stopping NAT Service Checking the Status of NAT ServiceViewing NAT Service Settings Changing NAT Service Settings NAT serveradmin Commands NAT Service SettingsParameter nat Description Viewing the NAT Service Log Port Mapping Managing the VPN Service Starting and Stopping VPN ServiceChecking the Status of VPN Service Viewing VPN Service Settings Changing VPN Service Settings List of VPN Service SettingsDefault = Keychain Default = IPSec Default = Manual Default = L2TPDefault = PPP Default = Dsacl Default = Mppe Default = PptpDefault = EAP-RSA List of VPN serveradmin Commands Viewing the VPN Service LogVPN Service Log on this Restarted. See Using the serveradmin Tool on Location of the VPN service log Configuring Site-to-Site VPNSite-to-Site VPN Adding a VPN Keyagent User Setting Up IP Failover IP Failover PrerequisitesIP Failover Operation Hardware Requirements To enable IP failover Enabling IP Failover Notification Only Configuring IP FailoverPre and Post Scripts To restore the NAT service to its default configuration Restoring the Default Configuration for Server ServicesEnabling PPP Dial-In To restore the Dhcp service to its default configuration Re-create the two default recordsTo restore the Qtss service to its default configuration To restore the DNS service to its default configuration To restore the VPN service to its default configuration Testing Your Open Directory Configuration Using General Directory ToolsUnderstanding Open Directory Testing Open Directory Plug-ins Changing Open Directory Service SettingsModifying a Directory Domain Registering URLs with SLP Configuring Ldap PasswordOptionsStringLDAPTimeoutUnits Default = minutes LDAPServerBackend Managing OpenLDAP Standard Distribution Tools Configuring slapd and slurpd DaemonsTool Used to Delay Rebind Idle TimeoutIdle Rebinding Options Searching the Ldap Server 256 257 Using Ldif Files Managing NetInfo Configuring NetInfoAdditional Information About Ldap Managing Open Directory Passwords Open Directory Password ServerViewing or Changing Password Policies Enabling or Disabling Authentication Methods Kerberos and Apple Single Sign-On Backing Up the Kerberos DatabaseTo dump the KDC’s database To load KDC data from a dumped file To add a service principal Principal ManagementTo add a principal To delete a principal Using Directory Service Tools Operating on Directory Service Directory DomainsUsing kadmin to kerberize a service To kerberize a service from a terminal running on that host Finding Network Information Manipulating a Single Named Group Record Adding or Removing Ldap Server Configurations Configuring the Active Directory Plug-InTo add an Ldap server To remove an Ldap server 266 Performing Qtss Service Tasks Understanding QuickTime Streaming Server Starting and Stopping the Qtss Service Checking Qtss Service StatusViewing Qtss Settings Changing Qtss Settings Qtss Settings Descriptions of SettingsDefault = qtaccess Look in the sample file for Default = admin Default = digest Default = qtss Managing QtssListing Current Connections Logs on For connections v1, this is integer average number Viewing Qtss Service StatisticsConnections Send a HUP signal to this process Forcing Qtss to Reread its PreferencesTo force Qtss to reread its preferences List the Qtss processes Configuring Streaming Security Resetting the Streaming Server Admin User Name and PasswordTo set up Sites/Streaming/ in older home folders To reset the user name and password Controlling Access to Streamed Media Creating an Access File Between terms, make sure you enclose the entire message Quotation marksPath and filename of the user file Qtusers Accessing Protected Media Adding User Accounts and PasswordsAdding or Deleting Groups Making Changes to the User or Group File Manipulating QuickTime and MP4 Movies Creating Reference MoviesCreate QuickTime Atom ref movie with extension .qtl Create XML text ref movie with extension .qtl 280 Configuring the Log File Configuring Your System Logging Local Logging Configuring Remote Logging on a Client Computer To enable remote logging on a client computerConfiguring Remote Logging on a Server Remote Logging Or match a single host like this Open /etc/rc and locate the following line PCI RAID Card Command Reference 286 287 288 Glossary Computer account See computer list Directory node See directory domain Full name See long name 292 293 294 Relay point See open relay Search path See search policy 297 298 Access Securing Chgrp tool ACL access control list136 Example Stopping service Naming 41 Restoring images Logs Lpr Backup Cyrus Mail files Dynamic Host Configuration Protocol. See Dhcp Error messages command not found Executing commandsImage Booting from 176 updating Disk journaling Kerberosautoconfig tool 261 keychain Backing up Principal management 262 tools and utilities 302 QuickTime Streaming Server. See Qtss Used by ldapsearch 255 scheduling tasks AFP DNS 239 Terminating commands Time, viewing or changing 57 Stopping serviceViewing service logs Tools for remote configuration