Ask AFP548 May 5, 2005 at 11:40 am

Tiger ACL’s and everyone permissions

Q: Ok there has to be a way to do this… I just upgraded to Tiger and I have some sharepoints that many users access. When a user creates a file or folder in the share point it gets the standard 755 umask. I used to be able to get around this by changing the AFP protocol to inherit permissions instead of POSIX behavior. Now the only way to get that functionality in Tiger is to disable ACLs! When I use NT boxes I can add an “everyone” user into the ACL list. Does this exist in Tiger? Help!

A: I believe what you’re looking for is actually Access Control Entries (ACEs); an ACE is an entry in an ACL that specifies access control for a group or a user. There’s a lot of information in the File Services PDF from Apple, but briefly, Workgroup Manager supports both Explicit and Inherited ACEs. Specifically, to get something similar to the POSIX inherit permissions, you would have your ACE apply to child folders and to child files.


  • I am fully aware of the ACL/ACE relationship. However, from what I have read
    there is no way to get new files and folders to inherit the “Everyone” privileges
    defined with chmod or Workgroup Manager. Thank you for your
    response; however, it is not the answer to my question.

    • In Workgroup Manager, highlight the Volume and you can then uncheck
      "Allow ACL’s on this Volume" and then you will be able to check "Inherit
      Permissions from Parent".

      But that’s the weenie way of doing it. ACLs will do it better, but you
      have to RTFM. 😉

      • Lord of the Macs

        Sorry, but that’s not only the weenie way of doing it. It doesn’t work either.

        We just worked like this from the beginning and the problem (can’t stop the
        POSIX) is exactly the same.



        Open all Windows and you might catch a cold, but an Apple a day keeps the doctors away!

    • The ACL way, as far as I can tell, is to set up an ACE for the group that
      you want to have read/write access, and make sure it’s set to Apply to
      All Descendants. That should override whatever the POSIX permissions
      are set to. It does for us.

    • I have a number of scripts that run as cron jobs that chmod files in various
      folders to what the pertinent group needs. I started doing this back when
      I had OS 9 clients that frequently dropped files on the server with messed up
      permissions.
      It’s a workaround, but I would expect it to work for fixing everyone inheritance
      problems as well.
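
An added example of the kind of fix-up job described in the comment above (this is not code from the thread, from AFP548 or from Apple): it walks a share point and adds group read/write to everything, so files that arrive as 644/755 from the default 022 umask the question complains about become group-writable once the job runs. Symbolic modes are used so the owner and "everyone" (other) bits are left alone, and chmod's mode bits do not touch any ACEs already on the files. The function names (`mode_of`, `fix_share_perms`, `demo_fixup`), the share path and the group name in the comments are my own choices; the demo builds a constructed temp tree rather than touching a real share.

```shell
#!/bin/sh
# Added example, not from the AFP548 thread or from Apple: a fix-up job in the
# spirit of the "cron job that chmods files" workaround. It gives the owning
# group read/write on every file (644 -> 664) and read/write/search on every
# directory (755 -> 775) under a share point. Only group bits change; owner and
# "everyone" (other) bits, and any ACEs, are left as they were.

# Portable octal mode reader: GNU stat first, then BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# fix_share_perms SHARE GROUP
# chgrp everything under SHARE to GROUP, then add group rw (files) / rwx (dirs).
# Symbolic modes are used on purpose so owner/other bits are preserved.
fix_share_perms() {
    share=$1
    group=$2
    [ -d "$share" ] || { echo "not a directory: $share" >&2; return 1; }
    chgrp -R "$group" "$share"
    find "$share" -type d -exec chmod g+rwx {} +
    find "$share" -type f -exec chmod g+rw {} +
}

# demo_fixup: build a constructed tree under the thread's default umask (755 dir,
# 644 file), run the fix-up, and return "file_before file_after dir_after".
demo_fixup() {
    tmp=$(mktemp -d)
    umask 022                        # the default umask the question complains about
    mkdir "$tmp/proj"                # created as 755
    : > "$tmp/proj/notes.txt"        # created as 644: group cannot write
    before=$(mode_of "$tmp/proj/notes.txt")
    fix_share_perms "$tmp/proj" "$(id -g)"   # demo uses the caller's own primary group
    after=$(mode_of "$tmp/proj/notes.txt")
    dir_after=$(mode_of "$tmp/proj")
    rm -rf "$tmp"
    echo "$before $after $dir_after"         # 644 664 775
}

# Stand-alone run with "--demo". A cron entry would instead call something like
# fix_share_perms /Volumes/Data/Share staff (hypothetical path and group).
if [ "${1:-}" = "--demo" ]; then
    demo_fixup
fi
```

Run it as `sh fixup.sh --demo` to see the modes before and after. The caveat a practitioner should keep in mind is the one the comment hints at: this repairs permissions only after the fact, so between a file being dropped and the next cron run it still carries the 644 the umask gave it, and it does nothing for the ACL side of the question.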

  • OK. I see what he is getting at here.

    The "Everyone" setting in the POSIX section means anyone that isn’t the
    owner or in the owning group. It’s sort of a catch all.

    When you start setting up ACEs there isn’t one for "Everyone" because a
    nondescript group of users can’t have a GUID.

    The best thing I can come up with off the top of my head would be to create
    a global group, assign it the settings you want, and put its ACE at the bottom
    of the ACL. Other groups and users should go in the list above the global.

    The tricky part here would be that a deny in an ACE overrides anything else.
    So you couldn’t use them in the global group ACE.

    That or you could put your ACL controlled shares on one volume and your
    POSIX inheritance ones on another so that you can still use the inherit setting
    for those shares.

    I haven’t tested any of this yet, just spitballing.


    Breaking my server to save yours.

    Josh Wisenbaker
    http://www.afp548.com

    • Yes, we are having exactly the same experience! I note several others on
      the Apple website are having the same problem. Hopefully this will be
      addressed soon as it is a real stinker for our office, where we must create
      new files and folders constantly. It is indeed ironic that Samba has no
      problem with these inherited permissions.

  • In some more testing I’ve found that there is a NetInfo group named
    ‘Everyone’ (GID 12) that seems to function just like you think it would.

    Anyone want to test this as well?


    Breaking my server to save yours.

    Josh Wisenbaker
    http://www.afp548.com

    • Hey,
      Thanks so much for this tip. It works great, but with a few visual qualms. If I
      create a new folder in a share point, other users appear to have read-only access
      to it, but if other users try to add files etc. it lets them add the files. Anyway, it’s
      a solution. Perhaps you could change the Answer section to reflect this solution?

      Thanks again this site is great!

  • I’m having the same problem.

    When I use WGM, I’m able to add AD groups via ACLs, but I’m noticing the permissions are not propagating to subfolders. When trying this via the command line, I get:

    # chmod +a "groupname allow write" file.txt
    chmod: Unable to translate groupname to a UID/GID: Invalid argument

    I’ve tried all the above techniques, as well as using the numeric GID:

    # chmod +a "501:1385451171 allow write" file.txt
    chmod: Unable to translate 501:1385451171 to a UID/GID: Invalid argument

  • Instead try: chmod +a "MYDOMAINNAME:Domain Users allow write" foldername

    Paul Suh was helping someone else who was running into this issue, and looked at the file_cmds source code in Darwin: http://www.opensource.apple.com/darwinsource/10.5.5/file_cmds-185.2/chmod/chmod_acl.c

    If you look at that, you’ll see that you can use the colon as a delimiter, rather than the backslash. As in DOMAIN:Domain Users or DOMAIN:Marketing Group.

  • Hello,

    I’m using instaDMG to create and deploy images over a network of Macs which will be making the transition from OS 10.5.x to 10.6.

    Is there a way, other than having two discrete instances of the program folder, to run multiple operating system images in tandem?

    Also, is there a way for one to redirect the program to get the InstaUp2DatePackages from a remote server?

    Thanks
