MacOS – Network Share set permissions don’t work

Tags: macos, permission, sharing, terminal

I'm trying to set default permissions for directories and files but not having much joy. What I am trying to do is share a specific directory on a local external drive connected to the server internally. Everyone in the group has access to the drive and can view all the files.

However, once a new file is created by mac08, the group permissions are not set and only that user has access to modify it.

Here is an example of two txt files. The one created by mac08 has 644 permissions and all other users like mac07 etc. can't write to the file.

I have a group called staff and have added everyone to it, but new files created don't follow.

drwxrwxrwx+ 159 root  wheel  5406 22 Aug 11:08 PROJECTS
 0: group:Staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity

New file created:

-rw-rw-rw-@ 1 root   wheel     351 22 Aug 23:17 test4.rtf
 0: group:Staff allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 1: user:aserver allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 2: user:ckadmin allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity

-rw-r--r--@ 1 mac08  wheel     352 22 Aug 23:26 testet11.rtf
 0: group:Staff allow read,write,append,readattr,writeattr,readextattr,writeextattr

I can manually update the permissions through the Get Info window but this requires me to reset permissions every time a person saves a new file to the drive. Any idea what it could be?

Best Answer

To create a properly working Projects share do the following:

On your external disk create a folder "Projects". Share this Projects folder with default permissions in Server.app > File Sharing. The default permissions are 755, the default owner is the user who created the folder and his primary group (e.g. adminuser:admin):

drwxr-xr-x+   6 adminuser  admin  -       204 Aug 23 10:54 Projects
 0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit

In this folder create another folder with the name Projects. Change the permissions to 770 and the group to staff:

mkdir Projects
chown adminuser:staff Projects
chmod 770 Projects

The permissions now look like this:

drwxrwx---+   6 adminuser  staff  -       204 Aug 23 10:54 Projects
 0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit

Then add an ACL for the group staff:

chmod +a "group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" Projects

with the result:

drwxrwx---+ 2 adminuser  staff  -   68 Aug 23 11:09 Projects
 0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit

The complete path to the Projects folder (containing a test folder and a test.txt file - Data is the name of my volume on the external disk) is then:

/Volumes/Data/Projects/Projects:
total 0
drwxrwx---+ 4 adminuser  staff  - 136 Aug 23 11:24 . #this is /Volumes/Data/Projects/Projects
 0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
drwxr-xr-x+ 6 adminuser  admin  - 204 Aug 23 11:09 .. #this is /Volumes/Data/Projects
 0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
drwxr-xr-x+ 2 adminuser  staff  -  68 Aug 23 11:24 test
 0: group:staff inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
-rw-r--r--+ 1 adminuser  staff  -   0 Aug 23 11:24 test.txt
 0: group:staff inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 1: user:_spotlight inherited allow read,execute

Now any subsequent file and folder of /Volumes/Data/Projects/Projects can be modified by any user in the group staff. You may tweak/tighten some of the permissions by not adding them (e.g. readextattr and writeextattr).
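The difference between the question's PROJECTS directory and the answer's Projects directory is only the two inheritance flags (file_inherit, directory_inherit) on the group ACE: without them the ACE applies to the directory itself but is never copied onto new children, which is exactly why mac08's new files came out as 644 with no usable group entry. The following audit script is an added example and is not part of the question or the answer; it parses `ls -le` style output (the sample below is constructed from the two listings in this thread) and reports, for every directory, whether its group ACE would propagate to newly created files and folders. Run it on a real listing with `ls -le /Volumes/Data/Projects | python3 acl_audit.py` (the file name is assumed).

```python
import re
import sys
from typing import Dict, List

# Constructed sample in the shape of `ls -le` output on macOS. The first entry is
# the PROJECTS directory from the question (no inherit flags on the group ACE),
# the second is the Projects directory from the answer (inherit flags present).
SAMPLE_LISTING = """\
drwxrwxrwx+ 159 root  wheel  5406 22 Aug 11:08 PROJECTS
 0: group:Staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxrwx---+ 2 adminuser  staff  -   68 Aug 23 11:09 Projects
 0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
"""

# One ACE line as printed by `ls -le`, e.g.
#  1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
ACE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<kind>user|group):(?P<who>\S+)\s+"
    r"(?P<inherited>inherited\s+)?(?P<type>allow|deny)\s+(?P<perms>\S+)\s*$"
)

# Both flags must be present on a directory ACE for new files AND new
# subdirectories to receive a copy of it.
INHERIT_FLAGS = {"file_inherit", "directory_inherit"}


def parse_listing(text: str) -> List[dict]:
    """Parse `ls -le` output into file entries, each carrying its ACE list."""
    entries: List[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACE_RE.match(line)
        if m:
            # ACE lines always follow the file entry they belong to.
            if not entries:
                raise ValueError("ACE line before any file entry: %r" % line)
            entries[-1]["aces"].append({
                "kind": m.group("kind"),
                "who": m.group("who"),
                "inherited": m.group("inherited") is not None,
                "type": m.group("type"),
                "perms": set(m.group("perms").split(",")),
            })
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # e.g. "total 0"
        mode, name = fields[0], fields[-1]
        entries.append({
            "name": name,
            "mode": mode,
            "is_dir": mode.startswith("d"),
            "has_acl": mode.endswith("+"),  # '+' marks an extended ACL
            "aces": [],
        })
    return entries


def audit_directories(text: str) -> Dict[str, List[str]]:
    """For each directory, list the reasons new children would NOT inherit
    group access. An empty list means the group ACE propagates correctly."""
    report: Dict[str, List[str]] = {}
    for e in parse_listing(text):
        if not e["is_dir"]:
            continue
        problems: List[str] = []
        group_allows = [a for a in e["aces"]
                        if a["kind"] == "group" and a["type"] == "allow"]
        if not group_allows:
            problems.append("no group allow ACE")
        for a in group_allows:
            missing = INHERIT_FLAGS - a["perms"]
            if missing:
                problems.append("group:%s lacks %s"
                                % (a["who"], ",".join(sorted(missing))))
        report[e["name"]] = problems
    return report


if __name__ == "__main__":
    # Read a real listing from stdin if one is piped in, else use the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for name, problems in audit_directories(listing).items():
        status = "OK (group ACE inherits)" if not problems else "; ".join(problems)
        print("%-12s %s" % (name, status))
```

The check deliberately looks only at explicit (non-inherited) and inherited group ACEs alike: an ACE a directory received from its parent still carries the inherit flags onward, so a subfolder such as the answer's `test` directory passes as well. What the script cannot see is the share's own settings in Server.app, so a clean report here plus files still appearing as 644 points at the sharing layer rather than the on-disk ACL.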