
ACLs, I don't need no ACLs?

I have been asked to help support a Xserve running 10.4 Server because I am very familiar with 10.3 Server. This group has had this server for years and has never been able to share files. They have four users all set up as Administrators, there are two internal hard drives, one with the Server software and the other with many job folders. Two of those folders are the ones mostly used for storing customer files by job number. Whenever anyone saves a file to these folders nobody else can modify them, only read them. They must all be able to Read & Write to all these files no matter who created or modified them.

Root is the owner with R&W, admin the group with R&W and Others is None. The four users are set up in the ACL list with Allow, Full Control and Applies To This folder, Child files, Child folders, All descendants. I would think these settings would allow any of them to do anything they want, but it's not working that way. I think I understand the basic principle of ACLs, but in this case they are probably overkill, and they have a new, very confusing drop-down menu associated with them that doesn't seem to work. Any help or guidance would be greatly appreciated.

G5

Posted on Mar 24, 2009 7:59 AM

Question marked as Best reply

Posted on Mar 24, 2009 9:31 AM

In Leopard, this is all available in and usually (at least here) managed via Server Admin. Configure the access via the File Share setting. Server Admin > Select Server > Select File Sharing > Select Permissions. (IIRC, it was similar in Server Admin on Tiger Server, but don't have a Tiger Server box handy to check that.)

You may (will?) have to go reset existing files in the share via chown and chmod, or via the GUI.

Otherwise, configure the users with the same group, and then use the group access mask via POSIX permissions or via ACL to enhance access on the various objects. A trip or three through chmod is usually sufficient. But without more details on what you're trying to do with the ACLs and with how the box is currently configured for shares and groups and such, it's hard to say what's going wrong here.

In the unlikely case you haven't already realized this and haven't already found this manual, there are a number of ways to do this (SMB, AFS, etc) and the [File Services Administration (v10.4) manual|http://manuals.info.apple.com/en/File Servicesv10.4.pdf] covers most (all?) of the options here in fair detail.

If the folks here are just looking to share files, a NAS box might be cheaper and easier to manage.

Mar 24, 2009 9:38 AM in response to MacDaddi

Hello, it sounds like your ACLs are correct. Have you tested them using the effective permissions inspector? Also, test them by creating a folder in the shared area manually on the server and verify its permissions are what is set in the Workgroup Manager 10.4.

The problem is, when a user creates a file, either on their computer or this shared volume, it uses the default UMASK set on the computer. Therefore, if you look at the individual permissions of each file on the shared volume, you will find that the owner of the file is not root and that it is actually the user who put the file there and the group/everyone may also be different - very different.

You may need to propagate the permissions and replace the permissions of the child objects with the permissions set at the root share level to get everything up to snuff.

Mar 24, 2009 11:32 AM in response to MrHoffman

MrHoffman,

Thanks for the link; I only found this in a very "light" version with illustrations on Apple's web site. The Xserve is the only option at this time. The ACLs were previously set up on this Mac and I'm not sure they need to be present to just share files, Read & Write, amongst 4 users. I think they are causing most of my permission problems.

Mar 24, 2009 11:56 AM in response to Justin Andrews

Justin,

I believe I used the effective permissions inspector correctly with each user and that looks correct. I made several folders at different levels of the folder paths and they are wrong. It seems to me that once you enable the ACLs all bets are off as to what is going to happen. The folder at the top level looks like this:

ACL
GV_Production IT Allow Full Control This folder, Child files, All Descendants
B9D65CC0-9DC8 Allow Full Control This folder, Child files, All Descendants
GV_PrepressIT Allow Full Control This folder, Child files, All Descendants
Patty Allow Full Control This folder, Child files, All Descendants
Reed Allow Full Control This folder, Child files, All Descendants
Victor Allow Full Control This folder, Child files, All Descendants

POSIX
root Allow Read & Write This folder
admin Allow Read & Write This folder
Others Allow Read & Write This folder

I have tried propagating the permissions many times and then I try and make a new file or folder and only the person that created it can read and write; the rest can just read. I don't understand why root is the owner at this level; I have never seen that before. What are these long number files that appear in the User or Group area throughout the folders? These files are accessible using AFP, SMB and FTP, if that makes a difference. Everywhere I look I see inherited set to No, which seems like a problem.

Is it possible just to turn off the ACLs and set the owner to whoever, put my four users in a group and give them read and write, set Others to none, and then propagate everything? This just seems like at the top level the ACLs matter, but when you do a Get Information at the file level you still only see Owner, Group, Everyone and the ACLs don't matter.

I'm sorry I'm rambling at this point but I've been working on this for two days now and it shouldn't be this difficult.

Mar 24, 2009 12:12 PM in response to MacDaddi

Well, you're right - it shouldn't be as difficult as it sounds it is for you. Make sure everything is up-to-date.

An alternative is to assign UMASK values to each client machine and the server. This will mean every time a file is created it will be created using the local UMASK.

Follow the steps here, you'd want your UMASK to be 0 (so it assigns 777 POSIX permissions):
http://www.macosxhints.com/article.php?story=20031211073631814


Again, you have to do it on the clients, and you can do it on the server too.
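
Added example, not part of the original thread: a shell sketch that creates a file and a folder in a scratch directory under several umask values and reports the resulting POSIX modes, plus a check that lists items in a share the group cannot write to. The values 002 and 007 are included for comparison as an assumption of this example (they grant group write without making new items world-writable); all paths are temporary and constructed.

```shell
#!/bin/sh
# Added example: how the creating process's umask decides whether other
# group members can modify a newly created file or folder.

# Print the octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create a file and a folder under the given umask in a scratch directory
# and print "filemode dirmode". Runs in a subshell so the caller's umask
# is left untouched.
modes_under_umask() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/job.txt"
        mkdir "$dir/jobfolder"
        echo "$(mode_of "$dir/job.txt") $(mode_of "$dir/jobfolder")"
        rm -rf "$dir"
    )
}

# List every file and folder under a share that lacks the group-write bit
# (octal 020), i.e. the items other group members can only read.
missing_group_write() {
    find "$1" ! -type l ! -perm -020 -print
}

# Compare the default umask (022) with group-friendly and fully open values.
demo() {
    for mask in 022 002 007 000; do
        echo "umask $mask -> $(modes_under_umask "$mask")"
    done
}
demo
```

Running `missing_group_write` against the sharepoint after propagating permissions shows which existing items still block other group members.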

Mar 24, 2009 1:19 PM in response to Justin Andrews

Justin,

Is assigning UMASK values necessary because I want to disable ACLs and just go old school in order to share files? I am really confused. Isn't the basic purpose of a file server to share files with read & write access? Why do you have to jump through hoops to perform this absolute basic and critical function, which Panther Server does automatically? I know you didn't write the software, but if I'm reading this correctly, this is junk.

Mar 24, 2009 4:10 PM in response to MacDaddi

It's not junk, but it will seem that way if you insist on it.

I never had any such issues with 10.4 server filesharing, period.
For complex permissions situations, ACLs will do better for you.

Otherwise, disable ACLs on the volume where the shared data is housed,
and use the "Inherit Permissions from parent" option. NOTE that this option might not be available
as long as/while ACLs are enabled.

An *important, if not vital* tip is to avoid sharing the top-level of a drive. Leave the drive permissions as-is, and create a new folder (eg, "Data") and put the files within it, set desired permissions for Owner, Group & Other on that folder (and propagate them), and use Server Admin to set up that folder as the sharepoint.

Mar 25, 2009 6:48 AM in response to davidh

I never have either, that's why this has got me so stumped. I did go back to just using straight POSIX and eliminated the ACLs since this is such a simple, straightforward setup. You are correct that the Inherit Permissions from parent option only becomes available when ACLs are disabled. I put my four users in a group and they have Read/Write to everything, Owner has Read/Write to everything and Others are none. I propagated that down to everything and it seemed to work. When Victor makes a folder or adds a file, Patty can open it but can make no changes still.

Not having set up this server initially, I don't know what was changed to the top-level folder of the drive. I'll try making a new one and copying everything over and then do your suggestion. Thanks for the help.
