Permissions are annoyingly complicated, often because of Access Control Lists.
PathFinder from CocoaTech provides more extensive info on permissions than Finder, and has a trial period, but basically Terminal is required to get complete information.
There are actually three levels of obstruction to complete file control in OS X: permissions, access control lists and flags. The "ls" binary program ("list directory contents" [Unix equivalent to Windows "dir"]) requires command line flags to show all restrictions. After starting Terminal, type:
cd /Volumes
/bin/ls -AFleO
This shows the current permissions, flags and Access Control List entries for each volume attached to the OS. On my system, this produces:
drwxr-xr-x 30 root wheel - 1088 May 6 23:17 AltBoot/
drwxrwxrwx 46 root wheel - 1632 May 16 11:43 BackGround1/
drwxrwxrwx+ 37 root admin - 1326 May 24 14:07 BackGround2/
0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
lrwxr-xr-x 1 root admin - 1 May 14 20:40 Ground@ -> /
drwxrwxrwx+ 13 xxxxxx staff - 510 Feb 22 17:46 GroundTM/
0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxrwxrwx 11 xxxxxx staff - 442 Feb 22 17:46 VMware4/
That long list of characters after "BackGround2/" is an ACL entry. The dashes on the file line are where any flags would be listed. The system flag can be set in multiuser mode, but can ONLY be unset in single user mode. My father managed to get that flag set on some of his pictures, and it took me a long time to find out why I couldn't delete or change the owner on those files. And he would never touch Terminal in any way.
Use the manual page command "man chflags" to get more info on how to set and unset the flags. If all you see is dashes, then no flags are set.
To remove the ACL entries, the command for my example would be "sudo /bin/chmod -NR Background2/", which would ask for an administrator password. CAUTION! Bad things can happen when you are the super user. See "man chmod" for more info on ACL entries. (I am putting /bin/ before the commands because only the Apple-supplied programs in the /bin directory can affect ACLs. There are GNU programs which can be added to OS X and have the same names, but cannot present or modify ACL entries. These are available from MacPorts, MacPorts.org.)
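Added example, not part of the answer above: a small shell filter that reads the output of "/bin/ls -AFleO" and reports entries with a flag set, entries with an ACL, and ACL entries that grant writesecurity or chown. The sample listing is constructed from the one shown above; the Pictures/ line with the schg flag is invented for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer. Reads `/bin/ls -AFleO` output
# on stdin and prints one tab-separated finding per line: <name> TAB <finding>.
audit_ls() {
    awk '
    # Entry line: mode string (optionally ending in + or @) and >= 10 fields.
    $1 ~ /^[-dlbcps][-rwxsStT]+[+@]?$/ && NF >= 10 {
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        if ($5 != "-")  printf "%s\tflags=%s\n", name, $5   # 5th column: file flags
        if ($1 ~ /\+$/) printf "%s\thas-acl\n", name        # trailing + : ACL present
        next
    }
    # ACE line under an entry: "<index>: <principal> [inherited] allow|deny <rights>"
    $1 ~ /^[0-9]+:$/ && name != "" {
        for (i = 3; i < NF; i++) if ($i == "allow" || $i == "deny") break
        if (i >= NF || $i != "allow") next
        idx = $1; sub(/:$/, "", idx)
        n = split($(i + 1), right, ",")
        # Rights that let the principal change ownership or permissions.
        for (j = 1; j <= n; j++)
            if (right[j] == "writesecurity" || right[j] == "chown")
                printf "%s\tace %s grants %s to %s\n", name, idx, right[j], $2
    }'
}

# Constructed sample modelled on the listing above (ACE rights shortened);
# the Pictures/ entry with the schg flag is invented for illustration.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  30 root    wheel  -     1088 May  6 23:17 AltBoot/
drwxrwxrwx+ 37 root    admin  -     1326 May 24 14:07 BackGround2/
 0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,delete,readsecurity,writesecurity,chown,file_inherit,directory_inherit
drwxrwxrwx+ 13 xxxxxx  staff  -      510 Feb 22 17:46 GroundTM/
 0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,readattr,readsecurity
drwxr-xr-x   5 xxxxxx  staff  schg   170 Feb 22 17:46 Pictures/
EOF
}

# On a Mac, replace sample_listing with: /bin/ls -AFleO /Volumes
sample_listing | audit_ls
```

Two entries with identical "drwxrwxrwx+" mode strings come out differently here: only BackGround2/ carries an ACL entry that hands out writesecurity and chown.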
While still not understanding the reason this occurred, I was able to make the problem go away by explicitly adding the user to the inherited group in Workgroup Manager, verifying it with dsmemberutil, reconnecting to the AFP share, disconnecting, and then removing the explicit group assignment. After all that, dsmemberutil still shows that the user is in the group.
Best Answer
Ok, so turns out that all I needed to do was
sudo chown root:admin /Volumes/External_HD/Users
Obviously, the checkbox next to "Ignore ownership on this volume" should be un-ticked. You can only see this on Get Info of the Volume: