Propagating Permissions

Disk Utility permission fix is only for "system" folders, it woun't touch folders created by you or volumes with no system.

This goes mostly for pre Tiger:

Inherited permissions can be used to "keep them in line". You can also for example run: sudo chgrp -R <groupname> on a folder and it will set all folders and files in that branch recursively to have that groupname permission setting.

Same goes for chown and chmod.

These commands are still there in Tiger but ACL support have been added.
Haven't used that yet. Try: man chmod in Terminal to see the new possibilities.

Setting inherited permissions for a volume with "jumbled" permissions and then applying these commands usually helps keeping the permissions "straight" onward. The GUI in ServerAdmin (pre Tiger) couldn't do it "all the way" and some files/folders wasn't changed depending on previous permissions (if "you" weren't allowed to change them).
I think WGM in Tiger can/is allowed to do more to permissions using the propagate "tool". Haven't studied it in detail yet though.

(ONE thing to remember is permissions isn't "seen" correctly over the network (AFP). You can't see ACL permissions (correctly) on a mounted volume in a client Finder window (yet), works only by using "show info" for a volume/folder/file on the server itself.)

In Tiger it gets a little (?) more complicated since you also have ACL permissions to deal with. In Tiger you can choose from using either inherited permissions (pre Tiger style) or ACLs (which can be or is inherited) + (or only) standard Posix permission by volume. Volume default is Posix and volume is "handled" by ACL's.

Posix is old school UNIX permissions - no inherited permissions.

There is also a GUI tool: BatchMod, that can help with setting permissions.
But I don't think it's updated for Tiger (ACL's) yet though.

Well Tiger is still pretty new and I haven't got too much experience of permission problems with it yet.

Hi, C! I don't have Tiger and don't know as much as LC, but if this is a one time deal, the unix way of changing permission from the command line is using chmod, chown, and chgrp as LC mentions...

If you are new to the command line, you should also know how to list your files and stuff, too. I'll go into detail for other folks in our listening audience, too. Here's some of the commands I wish someone would have told me when I first started on the command line...

ls -l
= list, long (which will show you permissions); leave off the -l for just names; you'll see something at the front of each file/folder that looks something like this...

drwxrwxrwx

think of this as d - rwx - rwx - rwx such that the 1st column is what type of file this is (d=directory, -=file, l=link, etc.) and then 3 sets of 3 which show read, write, and execute permissions for (1) the User/Owner, (2) the Group, and (3) Others

You can also look at this numerically where READ = 4, WRITE = 2, and EXECUTE =1 such that drwxrwxrwx is 777 (4 21=7 for User, and then the same for Group and Other), drwxr-xr-x is 755, drwxrw-r-- is 764, etc.

cd
= change directory; you can do this one directory at a time and go deeper and deeper or you can skip levels go directly deep by using paths
e.g.
cd Documents
cd Letters
cd Wozniak
or
cd Documents/Letters/Wozniak

To backup a directory, use .. such that from the Wozniak folder, if you want to go back to the Letters folder, you would type

cd ..

The long/true path to your Desktop would probably be something like /Users/myusername/Desktop

So if there were a folder called "messedup" on your desktop and you want to 'fix' its permissions, you could do something like this...

sudo chown -R mysername:mygroup /Users/myusername/Desktop/messedup/
sudo chmod -R 755 /Users/myusername/Desktop/messedup/

Or you could just navigate to the desktop and skip the long path stuff...
sudo chown -R myuserame messedup
sudo chmod -R 755 messedup

The -R notations are called flags and they allow you to specify additional options for unix commands. The -R means recursively so that it and everythng it contains will all have the same permissions. Notice that I also left off the :group option in the chown username:groupname command in the later examples.

And then, to find out more about a particular unix command, you can try to access its manual, e.g. man ls, man chmod, or man chown.

I find command line usage a necessity now, especially when something goes wrong. When everything goes right, you can ignore its there, but when it comes to fixing stuff, I often end up having to go to the command line anyway.

Good luck!
--ST

...or simply use:

chmod -R u=rwx,g=rx,o=rx /Users/myusername/Desktop/messedup

...or any combination of (r)ead, (w)rite, or e(x)ecute for (u)ser, (g)roup, or w(o)rld. You could also simplify the expression to "u=rwx,go=rx", or "u=rwx,go=u-w" for -rwxr-xr-x

I find this easier to work out than converting bits. You can do neat tricks like g=u-w to set Group to whatever User permissions are, minus Write privileges, or combine "ugo=rwx" to give all privileges to all and sundry (as an example).

See the examples at the bottom of the manpages for chmod (type "man chmod" in Terminal, then press spacebar to page through to the end, and "q" to exit).

Craig,

I ran into this exact problem last week. I would attempt to propagate my ACLs in Workgroup manager but some folders wouldn't get the new ACLs. POSIX permissions were set correctly. The problem was having to do with trying to propagate to files/folders that were in use or locked by another user. I made sure everyone was logged off the server then re-propagated the ACLs.

I don't know how to propagate from the command line but I imagine it would be in the command line manual. If not run 'ps auxwww' on your server while Workgroup Manager is propagating to see what command it runs to propagate.

-
Troy Stanger

Hi Craig,

I have run into the same problem with my server. I have been using the Set Permissions feature of Passenger ( http://macinmind.com) Now I know that it is not command line but it works and saves me alot of trouble and typing.
Just my 2 cents.

Mike O'Hara

I would be careful setting absolute permissions on files and folders recursively.

The examples above:

sudo chmod -R u=rwx,g=rx,o=rx /Users/myusername/Desktop/messedup

sudo chmod -R 755 /Users/myusername/Desktop/messedup

...would set every folder and file to be executable. You probably don't want the files to be executable- you could be causing a potential security problem.

A safer use of the chmod command would be....

sudo chmod -R u rw,gor /Users/myusername/Desktop/messedup

I was having a similar problem.

On panther server we were able to copy backed up user folders back into the newly created user folders on a newly rebuilt server as root and then propagate the permissions through their home folders on masse.

With tiger server i found we were not able to do this. When i selected a folder and tried to propagate the permissions from the get info window the button was greyed out.

I removed the "enable acls for this volume" setting in the sharing pane of work group manager and was then able to get the propagation of permissions to behave as they did in panther.

For what we need posix is fine and we dont need acls.

Mark