I have a multifunction printer that has an SMB-capable scanning unit. I want to have the printer send scans to an SMB share on my iMac running macOS High Sierra (10.13).
I do not want to store my main user account's credentials on the device (embedded software and its security issues…), so I created a dedicated, restricted user account just for that purpose. This account is used to upload the scans to a shared folder. This results in the following permissions:
    /Users/Shared/Scans $ ls -al
    total 216
    drwxrwxr-x+ 4 jstarek wheel 136 16 Dez 16:41 .
    drwxrwxrwt 10 root wheel 340 16 Dez 16:15 ..
    -rw-r--r--@ 1 jstarek wheel 6148 16 Dez 16:34 .DS_Store
    -rw------- 1 scanaccount wheel 99403 16 Dez 16:41 SCAN_000275.pdf
I would like to have the permissions on those incoming files to include r for the wheel group. This is easy to do on Linux file systems using ACLs, and I guess one could alter the umask, too… but I'm looking for a targeted way to effectively change the umask for just this directory.
Since the sender is an embedded server in the printer, I cannot change anything in the configuration of the sending side.
Best Answer
Well, macOS supports ACLs too.
http://ahaack.net/technology/OS-X-Access-Control-Lists-ACL.html
https://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-control-lists-acls/
1) I'm not understanding this list too well. Why does SCAN_000275.pdf show up owned by scanaccount? The user seems to be jstarek. I'd expect ., .DS_Store, and SCAN_000275.pdf all to be owned by the same user.
2) Shouldn't you be able to configure SMB to give permissions to let the user access the share? Isn't this what is done via system preferences via share?
I'd thought this would have worked.
3) My understanding is that group wheel is some privileged group. I wouldn't expect that on a normal user. I wouldn't be giving wheel any more privileges. I wouldn't be putting group wheel on an id when you are concerned about security. Is this an admin user? Why?
Interesting project.
Robert
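
An added example, not part of the original question or answer: one way to use the macOS ACL support mentioned above is an inheritable entry on the scan folder, so that files created in it pick up group read access regardless of the uploader's umask. The folder path and group name come from the question; the function names and the DRY_RUN switch are assumptions of this sketch, and the group is a parameter so a dedicated group can be substituted for wheel.

```shell
#!/bin/sh
# Added example: inheritable read-only ACL entry for a scan drop folder.
# DRY_RUN is a hypothetical switch of this script, not a macOS setting.

# Build an ACE that grants read-only access to files created in the folder.
# file_inherit: the entry is copied onto newly created files.
# only_inherit: the entry is not evaluated for the directory itself,
#               so the folder's own permissions stay as they are.
build_inherit_ace() {
    group=$1
    case $group in
        ''|*[!A-Za-z0-9_.-]*)
            echo "invalid group name: $group" >&2
            return 1 ;;
    esac
    printf 'group:%s allow read,readattr,readextattr,readsecurity,file_inherit,only_inherit' "$group"
}

# Apply the ACE with the macOS chmod (+a adds an ACL entry), then show it.
# On non-macOS systems, or with DRY_RUN=1, only print the command.
apply_scan_acl() {
    dir=$1
    ace=$(build_inherit_ace "$2") || return 1
    if [ "${DRY_RUN:-0}" = 1 ] || [ "$(uname -s)" != Darwin ]; then
        printf 'chmod +a "%s" %s\n' "$ace" "$dir"
        return 0
    fi
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chmod +a "$ace" "$dir" && ls -led "$dir"
}

# Show what would be run for the folder from the question.
( DRY_RUN=1; apply_scan_acl /Users/Shared/Scans wheel )
```

Inherited entries are applied when a file is created, so files already in the folder, such as SCAN_000275.pdf, keep their current permissions until they are changed directly.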