Q: Ok there has to be a way to do this… I just upgraded to Tiger and I have some sharepoints that many users access. When a user creates a file or folder in the share point it gets the standard 755 umask. I used to be able to get around this by changing the AFP protocol to inherit permissions instead of POSIX behavior. Now the only way to get that functionality in Tiger is to disable ACLs! When I use NT boxes I can add an “everyone” user into the ACL list. Does this exist in Tiger? Help!

A: I believe what you’re looking for is actually Access Control Entries (ACEs), which are entries in an ACL that specify access control for a group or a user. There’s a lot of information in the File Services PDF from Apple, but briefly, Workgroup Manager supports both Explicit and Inherited ACEs. Specifically, what you’re looking for, similar to the POSIX inherit permissions, would be to have your ACE apply to child folders and to child files.
I am fully aware of the ACL/ACE relationship. However, from what I have read
there is no way to get new files and folders to inherit the “Everyone” privileges
defined with chmod or Workgroup Manager. Thank you for your response; however, it
is not the answer to my question.
In Workgroup Manager, highlight the Volume and you can then uncheck
"Allow ACL’s on this Volume" and then you will be able to check "Inherit
Permissions from Parent".
But that’s the weenie way of doing it. ACLs will do it better, but you
have to RTFM. 😉
Sorry, but that’s not only the weenie way of doing it. It doesn’t work either.
We just worked like this from the beginning and the problem (can’t stop the
POSIX) is exactly the same.
—
Open all Windows and you might catch a cold, but an Apple a day keeps the doctors away!
The ACL way, as far as I can tell, is to setup an ACE of the group that
you want to have read/write access, and make sure it’s set to Apply to
All Descendants. That should override whatever the POSIX permissions
are set to. It does for us.
I have a number of scripts that run as cron jobs that chmod files in various
folders to what the pertinent group needs. I started doing this back when
I had OS 9 clients that frequently dropped files on the server with messed up
permissions.
It’s a workaround, but I would expect it to work for fixing everyone inheritance
problems as well.
OK. I see what he is getting at here.
The "Everyone" setting in the POSIX section means anyone that isn’t the
owner or in the owning group. It’s sort of a catch all.
When you start setting up ACEs there isn’t one for "Everyone" because a
nondescript group of users can’t have a GUID.
The best thing I can come up with off the top of my head would be to create
a global group, assign it the settings you want, and put its ACE at the bottom
of the ACL. Other groups and users should go in the list above the global.
The tricky part here would be that a deny in an ACE overrides anything else.
So you couldn’t use them in the global group ACE.
That or you could put your ACL controlled shares on one volume and your
POSIX inheritance ones on another so that you can still use the inherit setting
for those shares.
I haven’t tested any of this yet, just spitballing
—
Breaking my server to save yours.
Josh Wisenbaker
http://www.afp548.com
Yes, we are having exactly the same experience! I note several others on
the Apple website are having the same problem. Hopefully this will be
addressed soon as it is a real stinker for our office, where we must create
new files and folders constantly. It is indeed ironic that Samba has no
problem with these inherited permissions.
In some more testing I’ve found that there is a NetInfo group named
‘Everyone’ (GID 12) that seems to function just like you think it would.
Anyone want to test this as well?
—
Breaking my server to save yours.
Josh Wisenbaker
http://www.afp548.com
Hey,
Thanks so much for this tip. It works great. But with a few visual qualms. If I
create a new folder in a share point other users appear to have read only access
to it, but if other users try and add files etc. it lets them add the files. Anyway it’s
a solution. Perhaps you could change the Answer section to reflect this solution?
Thanks again this site is great!
I’m having the same problem.
When I use WGM, I’m able to add AD groups via ACLs, but I’m noticing the permissions are not propagating to subfolders. When trying this via the command line, I get:
# chmod +a "groupname allow write" file.txt
# chmod: Unable to translate groupname to a UID/GID: Invalid argument
I’ve tried all the above techniques, as well as using the numeric GID:
# chmod +a "501:1385451171 allow write" file.txt
# chmod: Unable to translate 501:1385451171 to a UID/GID: Invalid argument
Instead try: chmod +a "MYDOMAINNAME:Domain Users allow write" foldername
Paul Suh was helping someone else who was running into this issue, and looked at the file_cmds source code in Darwin: http://www.opensource.apple.com/darwinsource/10.5.5/file_cmds-185.2/chmod/chmod_acl.c
If you look at that, you’ll see that you can use the colon as a delimiter, rather than the backslash. As in DOMAIN:Domain Users or DOMAIN:Marketing Group.
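An added example, not code from any poster in this thread: a small audit that reads `ls -le` style output for a share point and reports every item where a group (here the `everyone` group mentioned above) is not effectively allowed to write, or where a folder's ACE lacks the inheritance flags that make it apply to descendants. The sample listing is constructed, and the sketch assumes numeric owner/group columns and that ACEs are evaluated top to bottom with the first entry mentioning a right deciding it.

```python
import re

# Constructed `ls -len` style listing of a share point (numeric owner/group IDs,
# so a group name containing spaces cannot shift the columns).
SAMPLE = """\
drwxrwxr-x+ 4 501  1025  136 Jun  3 10:12 Projects
 0: group:everyone allow list,add_file,add_subdirectory,file_inherit,directory_inherit
drwxr-xr-x+ 2 502  1025   68 Jun  3 10:15 Projects/New Folder
 0: group:everyone inherited allow list,add_file,add_subdirectory,file_inherit,directory_inherit
-rw-r--r--  1 503  1025  512 Jun  3 10:20 Projects/notes.txt
-rw-r--r--+ 1 502  1025  900 Jun  3 10:21 Projects/plan.txt
 0: group:everyone inherited deny write
 1: group:everyone inherited allow read,write,append
"""

ENTRY = re.compile(r"^([-dlbcps])[rwxsStT-]{9}[+@]?\s+\d+\s+\d+\s+\d+\s+\d+"
                   r"\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")
ACE = re.compile(r"^\s+\d+: (?:user|group):(.+?)(?: inherited)? (allow|deny) (\S+)$")

# Tokens the group's ACEs must grant: write access everywhere, plus the
# inheritance flags on folders so that new children receive the ACE too.
NEED_DIR = {"add_file", "add_subdirectory", "file_inherit", "directory_inherit"}
NEED_FILE = {"write"}

def audit(listing, group):
    """Map each path to the tokens `group` is not allowed, skipping clean paths."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(2), m.group(1) == "d", []))
            continue
        a = ACE.match(line)
        if a and entries and a.group(1) == group:
            entries[-1][2].append((a.group(2), set(a.group(3).split(","))))
    findings = {}
    for path, is_dir, aces in entries:
        wanted = NEED_DIR if is_dir else NEED_FILE
        decided = {}
        for verdict, tokens in aces:      # top to bottom: first mention decides
            for tok in tokens & wanted:
                decided.setdefault(tok, verdict)
        missing = sorted(t for t in wanted if decided.get(t) != "allow")
        if missing:
            findings[path] = missing
    return findings

if __name__ == "__main__":
    for path, missing in audit(SAMPLE, "everyone").items():
        print(f"{path}: everyone lacks {', '.join(missing)}")
```

Files with no ACL at all and files where a deny entry precedes the allow both show up, which are the two ways an item in the share ends up not writable by the group despite the parent's ACE.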
Hello,
I’m using instaDMG to create and deploy images over a network of Macs which will be making the transition from OS 10.5.x to 10.6.
Is there a way, other than having two discrete instances of the program folder, to run multiple operating system images in tandem?
Also, is there a way for one to redirect the program to get the InstaUp2DatePackages from a remote server?
Thanks
Sorry, posted in the wrong area. Apologies.