MacOS – Controlling File Permissions on a Windows File Share

file-sharingmacospermissionsmb

I'm using a Mac running Mountain Lion (10.8.3) with file sharing enabled to Windows users.

Whenever a Windows user copies a file into the share on the Mac (Windows file sharing), the permissions of the file are 600, meaning that other users of the Mac cannot access the file.

Files copied from Mac clients (using AFP) have 644 permissions, which is perfect.

Is there a way to configure the permissions that are set by Apple's Windows file sharing?

Incidentally, I never had this problem previously with Snow-Leopard.

Best Answer

This is probably related to the "safe save" feature of SMB shares in OS X.

To allow group access enter in Terminal:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES

Source: OS X Server: When saving files on SMB shares, the permissions might be changed so that only the owner can read or write

Then modify/add an ACLs for the shared folder:

chmod +a "everyone allow list,search,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" <Shared_Folder>

and if additional permissions are necessary for a group

chmod +a "<group_name> allow list,search,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit,<additional_permissions>" <Shared_Folder>

and reboot - I don't know if it's sufficient to simply restart File Sharing in the Server.app.

The ACLs also have to be applied to all already existing subsequent items in the shared folder to make them accessible for network users.

Related Solutions

MacOS – Files created by Windows on Lion SMB shares have 600 permissions

I think this could be a bug. I'm seeing the same behaviour in Mountain Lion too.

I've ensured that the file sharing settings are correct. Go to the folder in Finder and verify that the user has correct permissions, including creating files locally, which result in the correct (644) permissions. Go to System Preferences -> Sharing and select the share, and verify the user is in the list with read&write permissions.

Using the command line tool:

$ dscl localhost -list /Local/Default/SharePoints

to list shares, and:

$ dscl localhost -read /Local/Default/SharePoints/<sharename>

I can see:

dsAttrTypeNative:smb_createmask: 644
dsAttrTypeNative:smb_directorymask: 755

Yet files created by windows users end up with 600 permissions and are not readable by others.

While not an answer, hopefully it will give someone a step closer to finding it.

MacOS – OSX 10.7 File Sharing does not respect Group: Everyone “No Access”. Share publicly displays

Any folder added to your shared folder list is broadcast publicly. If you don't want it to be visible to guest users, remove it from your shared folder list. You will still be able to access it by logging in as a registered user, using your user name and password. If you log in as a registered user, you will be able to see all your files, but a guest can only see files in the shared folder list.

Best Answer

Related Solutions

MacOS – Files created by Windows on Lion SMB shares have 600 permissions

MacOS – OSX 10.7 File Sharing does not respect Group: Everyone “No Access”. Share publicly displays

Related Question