I have configured the workgroup manager on Mac OS X Server (10.5.8) with 5 network users in 2 groups. Now I notice that when a network user makes a new folder, the folder is created with read & write permissions for that user, but the group to which the user belongs (as well as "everyone") has only read permissions and other network users are not able to add files or change things in the folder.

I found something about changing the umask by adding a launchd-users.conf file configuring the umask default setting. I did that on the server but that doesn't change anything.

It's a very annoying issue and I hope it's easy to fix. I'm not an expert, so I'm not sure if you know enough with the details above. If necessary I can provide further details.

Thanks a lot!

Time To Learn
2 Answers

The basic problem is that the standard unix (/posix) permissions have no good way to control inheritance. Fortunately, there is a solution: grant access to the group via access control list (ACL) extended permissions, which do allow inheritance.

I don't have a 10.5 server handy, but I think the interface is pretty similar to 10.6: in Server Admin -> server name in the sidebar -> File Sharing icon in the top bar -> navigate to the folder/share point you want to grant group access to. If necessary, select the Permissions tab under the file navigator. Click the "+" button under the permissions list to open the users & groups floating window, select Groups in the window, then drag the group you want to grant access to into the ACL (not POSIX) part of the permissions list. Change the Permission for the new ACL entry to "Read & Write", then click Save.

Note that the new ACL entry should have "Applies To" set to "This folder, Child folders, Child files, All descendants", which is what you want; but that only actually applies to new files/folders as they're created. To apply to the current contents, pull down the "action" (gear icon) popup menu under the permissions list, select "Propagate permissions", and propagate the ACL permissions to the current contents of the folder.

Gordon Davisson
  • Thank you for your answer! I tried exactly what you proposed and just let user "John" that is part of the "ACCOUNTING" group create a new folder from his computer on the shared disk that has got the new ACL settings. When I go to the server and check the folder rights again I see that user "John" has read & write permissions, group "ACCOUNTING" only has read permissions. Everyone also only has read permissions. So the issue stays the same. Do I have to restart the server or something in order to make the changes work? It seems that it's not executing properly yet. – Time To Learn Nov 13 '13 at 15:03
  • When you see ACCOUNTING with only read permissions, is that in the ACL or posix permissions? If it's in posix, that's normal; in posix, the group will always get read only access on new items. But there should *also* be an inherited ACL granting the group read & write access; is that not happening? If not, please describe the folder structure & where the file is being created in more detail. – Gordon Davisson Nov 13 '13 at 17:14
  • Is my answer sufficient enough for you? – Time To Learn Nov 14 '13 at 14:30

I made a new testfolder and ran the ls -le command on the higher level folder and got this as a result:

drwxr-xr-x+  2 stein       ACCOUNTING   68 Nov 14 09:18 Testfolder
 0: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 2: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 3: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 4: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 5: group:ACCOUNTING inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 6: group:ADMINISTRATION inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit

I think these are the ACL permissions right? I'm not sure how to get the POSIX permissions via command line? If this is not what you need to know, can you let me know how to get the information you need, as I'm not an expert obviously.

When I told you before what the group and user permissions were, I just right mouseclicked the folder and checked "get info". I don't know if these are the POSIX permissions or not. If I check the info: I see "spotlight" about 4 times, the group "ACCOUNTING" once with custom rights and once with "Read" rights, the user "John" that created the folder with "Read & write" rights, "everyone" with "Read" rights...

Gordon Davisson
Time To Learn
  • The "rwxr-xr-x" ... "stein ACCOUNTING" part is the posix permissions -- it grants read only access to the ACCOUNTING group. The following lines are all access control entries, which are much more specific about what kinds of access they grant; ACE #5 grants ACCOUNTING both read and write access. Net result: ACCOUNTING has read & write access, just as intended. The Finder may be confused by it, but it looks like it should work. – Gordon Davisson Nov 14 '13 at 15:44
  • Hmmm you're right, it seems to be working now. It wasn't at first, but if I try again it looks okay. Thanks mate! – Time To Learn Nov 14 '13 at 16:16
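The last comment above is the whole point of the thread: the POSIX mode line says the group is read-only, while an inherited ACE a few lines down grants it write access, and only the ACL view tells you which one is in force. The script below is an added example, not code from the thread or from Apple: it parses `ls -le` output like the listing posted in the answer and reports, for a named group, whether directory write access comes from the POSIX mode bits, from an ACE, and whether that ACE carries the `file_inherit`/`directory_inherit` flags that make new items pick it up. The sample input is a trimmed copy of the thread's own listing (the repeated `_spotlight` entries dropped); the function and class names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: a trimmed copy of the `ls -le` listing posted in the
# thread (ACEs 1-4 dropped, they duplicate ACE 0). The "+" after the mode bits
# means the directory carries an ACL; ACE 6 keeps the stray spaces as pasted.
SAMPLE_LS_LE = """\
drwxr-xr-x+  2 stein       ACCOUNTING   68 Nov 14 09:18 Testfolder
 0: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 5: group:ACCOUNTING inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 6: group:ADMINISTRATION inherited allow list ,add_file ,search ,delete,add_subdirectory ,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
"""

# Rights on a directory that let a principal add or remove children.
DIR_WRITE_RIGHTS = {"add_file", "add_subdirectory", "delete_child"}
INHERIT_FLAGS = {"file_inherit", "directory_inherit"}


@dataclass
class Ace:
    kind: str            # "user" or "group"
    name: str
    inherited: bool
    allow: bool          # False for a deny entry
    rights: Set[str]


@dataclass
class Entry:
    name: str
    mode: str            # e.g. "drwxr-xr-x"
    owner: str
    group: str
    aces: List[Ace] = field(default_factory=list)


# Mode line: mode bits, optional "+"/"@" markers, link count, owner, group,
# size, month, day, time, name.
MODE_RE = re.compile(
    r"^([dl-][rwxsStT-]{9})[+@]*\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(.+)$")
# ACE line: " 5: group:ACCOUNTING inherited allow list,add_file,..."
ACE_RE = re.compile(
    r"^\s*\d+:\s+(user|group):(\S+)\s+(inherited\s+)?(allow|deny)\s+(.+)$")


def parse_ls_le(text: str) -> List[Entry]:
    """Parse `ls -le` output into entries, each carrying its ACEs in listed order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if m:
            mode, owner, group, name = m.groups()
            entries.append(Entry(name=name, mode=mode, owner=owner, group=group))
            continue
        m = ACE_RE.match(line)
        if m and entries:
            kind, who, inherited, effect, rights = m.groups()
            # Tolerate stray spaces around commas, as in ACE 6 of the sample.
            rights_set = {r.strip() for r in rights.split(",") if r.strip()}
            entries[-1].aces.append(Ace(kind, who, bool(inherited), effect == "allow", rights_set))
    return entries


def posix_group_can_write(entry: Entry, group: str) -> bool:
    """The POSIX group write bit (position 5 of the mode string) only applies
    when the entry's owning group is the group being asked about."""
    return entry.group == group and entry.mode[5] == "w"


def acl_group_write(entry: Entry, group: str) -> Optional[Ace]:
    """Return the first ACE for `group` that decides directory write access.
    ACEs are evaluated in listed order, so the first matching allow or deny wins."""
    for ace in entry.aces:
        if ace.kind == "group" and ace.name == group and ace.rights & DIR_WRITE_RIGHTS:
            return ace
    return None


def audit_group(entry: Entry, group: str) -> Dict[str, bool]:
    """Summarise where a group's write access comes from and whether it inherits."""
    ace = acl_group_write(entry, group)
    return {
        "posix_write": posix_group_can_write(entry, group),
        "acl_write": ace is not None and ace.allow,
        "acl_inherits": ace is not None and ace.allow and INHERIT_FLAGS <= ace.rights,
    }


if __name__ == "__main__":
    for entry in parse_ls_le(SAMPLE_LS_LE):
        for group in ("ACCOUNTING", "ADMINISTRATION", "MARKETING"):
            print(entry.name, group, audit_group(entry, group))
```

Run against the thread's listing it reports `posix_write: False, acl_write: True, acl_inherits: True` for ACCOUNTING, which is exactly the "read-only in POSIX, read & write via the inherited ACE" situation Gordon describes; a group with no ACE at all (MARKETING here) shows `False` everywhere, which is the state the original question was in. On the server itself the same listing comes from `ls -le` in the share point, and an equivalent ACE can be set from the command line with macOS `chmod +a "group:ACCOUNTING allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /path/to/share`; Finder's Get Info window, as the thread shows, is not a reliable way to read the result.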