5251 Views 7 Replies Latest reply: Mar 4, 2008 3:43 PM by Kevin Neal
I think your problem would be better understood if we had an example model. Here's an example of what I think you're describing:
You have a share point located at /Volumes/Disk/Shared, and the POSIX permissions are as follows:
POSIX Owner: root
POSIX Group: admin
POSIX bits: 0770 (read/write for owner and group only)
Now you want to create a folder inside of Shared called "Accountant Access," and you want the user "accountant" to be able to read and write to that folder, but not to its parent (Shared). Further, "accountant" is not a member of the POSIX group "admin," but is a member of the group "accountants."
So you're making /Volumes/Disk/Shared/Accountant Access a share point nested inside of the Shared share point. No problem there. You've set the Accountant Access permissions as follows:
POSIX Owner: root, POSIX Group: admin
POSIX permissions: 0770
One ACL entry for the user "accountant" (or the group "accountants") granting all Read and Write controls with file and directory inheritance.
Here's what the behavior is going to be:
Accountant will have no access to the Shared share point, but he/she should have access to the Accountant Access share point. Both should show up in your share points listing in Server Admin (or via *sharing -l*). When accountant connects to your server, he/she should only be able to mount the Accountant Access share point; in other words, he/she could not mount the Shared share point and then navigate to the Accountant Access folder within it.
Now if you didn't make the Accountant Access folder a nested share point - meaning that you'd only share the Shared folder - then your accountant user would not be able to mount that share point unless you:
1. Adjusted the permissions on the Shared folder to grant at least read-only access for accountant. You could do this by changing the POSIX permission bits to 0775, which would allow POSIX everyone read and execute (search) access. Since you don't have guest access enabled, and since you're only sharing via AFP, this may fit your needs unless you need to block access for other groups or users. (In which case you could apply an ACL Deny entry for those.)
2. You could change the POSIX group assignment from "admin" to "accountants," and change the POSIX permissions to 0750 or 0755 (giving the POSIX group read-only access). Keep in mind that newly-created files or folders in this share point would get POSIX permissions of 0755 or 0644 due to the POSIX umask. Therefore, if you need more control over who reads and writes certain files, consider simply adding an ACL entry for the user "accountant" or the group "accountants" which grants that user read only permission. To ensure that the permission is indeed read-only (in case the owner of another folder/file changes the POSIX permissions for example), you could add an ACL entry that denies write commands for the "accountant" user or "accountants" group. There really are several ways in which you can accomplish this, but the main thing to remember is that the "accountant" user needs at least read permission to the Shared folder in order to access the Accountant Access subfolder, where he/she may have read/write access.
Also keep in mind that, regardless of permissions, these rules stand:
1. If you enable/disable ACLs for a volume, restart your server.
2. If you nest share points and if the connecting user is able to mount both (again, regardless of permissions), then the mounted nested share point is the item to which the connecting user has access. Access to that folder in the enclosing share point will be blocked until the nested one is unmounted. (This prevents accessing the same folder in two places.)
If I understand this right, then it is not possible to achieve this:
I have an external drive connected to my server called "backup". On this volume I have two folders called admin and user. I've set up two users in Server Preferences: admin and user. Now I want the "admin" user to access and see the whole "backup" volume, and the user "user" to access only the nested "user" folder on the backup volume without being able to see the "backup" volume as a share point.
So user "admin" sees the following share points:
User "user" sees just this:
Thanks in advance!
As long as the Effective Permissions don't allow user to at least read the share point "backup," then that share point will not be mountable by user. It will appear dimmed in the list presented to user, if at all. If you want to specifically deny access for "user," use a Deny ACL entry for the backup folder, but don't set that recursively, and don't propagate - doing so will deny access to the enclosed user folder, too.
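The mount rules laid out in the first reply (nested share point vs. mounting the parent and navigating down, 0770 vs. 0775 on Shared) and the non-propagated Deny entry suggested just above can be walked through with a small model. This is an added example written for this thread, not Apple's code or Server Admin output; it simplifies ACL evaluation to "first entry naming the user and the right decides, otherwise the POSIX bits apply", and the group memberships are constructed.

```python
from dataclasses import dataclass, field

# Constructed group memberships for the users named in this thread.
GROUPS = {"admin": {"root"}, "accountants": {"accountant"}, "staff": {"admin", "user"}}

@dataclass
class ACE:
    kind: str              # "allow" or "deny"
    who: str               # user or group name
    rights: frozenset      # subset of {"read", "write", "search"}
    inherit: bool = False  # file + directory inheritance (propagates to children)

@dataclass
class Folder:
    owner: str
    group: str
    mode: int              # POSIX permission bits, e.g. 0o770
    acl: list = field(default_factory=list)
    share_point: bool = False

def has_right(f, user, right):
    """First ACE naming this user (or a group of theirs) and this right decides;
    anything the ACL does not settle falls through to the POSIX mode bits."""
    for ace in f.acl:
        if (ace.who == user or user in GROUPS.get(ace.who, ())) and right in ace.rights:
            return ace.kind == "allow"
    bits = {"read": 4, "write": 2, "search": 1}[right]
    shift = 6 if user == f.owner else 3 if user in GROUPS.get(f.group, ()) else 0
    return bool((f.mode >> shift) & bits)

def can_mount(f, user):
    """A share point is only mountable when the user can at least read it."""
    return f.share_point and has_right(f, user, "read")

def can_navigate(parent, child, user):
    """Mount parent and walk down: needs read+search on parent and read on child."""
    return (can_mount(parent, user) and has_right(parent, user, "search")
            and has_right(child, user, "read"))

def accountant_scenario(shared_mode=0o770):
    """Shared (root:admin) with the nested share point 'Accountant Access'."""
    shared = Folder("root", "admin", shared_mode, share_point=True)
    rw = ACE("allow", "accountants", frozenset({"read", "write", "search"}), True)
    access = Folder("root", "admin", 0o770, [rw], share_point=True)
    return {"mount_shared": can_mount(shared, "accountant"),
            "mount_access": can_mount(access, "accountant"),
            "via_parent": can_navigate(shared, access, "accountant")}

def backup_scenario(propagate_deny):
    """'backup' volume with a Deny ACE for 'user' and the nested 'user' folder."""
    deny = ACE("deny", "user", frozenset({"read", "search"}), propagate_deny)
    backup = Folder("admin", "staff", 0o775, [deny], share_point=True)
    user_dir = Folder("user", "staff", 0o770, [a for a in backup.acl if a.inherit], True)
    return {"user_mounts_backup": can_mount(backup, "user"),
            "user_mounts_user_dir": can_mount(user_dir, "user"),
            "admin_mounts_backup": can_mount(backup, "admin")}
```

With the default 0770 on Shared the accountant can mount only the nested share point; switching to 0775 makes Shared mountable too. Propagating the Deny entry is what locks "user" out of the nested "user" folder as well.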
I have a similar problem with Leopard and ACLs. In my case I too have it working perfectly for Tiger clients, but if the same user logs into a Leopard client the ACLs behave completely differently, in my case ignoring a deny-delete sub-file-and-folder ACL. And where its purpose in my case is to prevent certain users from being able to delete files, this is very bad news!
Leopard client ACL is so buggy it's unusable in my situation.