ACL problem: want to prevent user(s) deleting files in a given folder

Mac OS Server 10.5.7

We have a shared folder "student" and would like to allow a particular user (e.g. student) to have read and write access inside that folder, but be unable to delete anything inside; that particular user also can't be allowed to delete or move the folder itself.

I have tried creating custom ACL permissions for that user on the folder by deselecting "delete subfolder and files" and propagating. However, this just seems to have the effect of denying permission to write to that folder at all when logged in as that user.

Am I missing something obvious, or is there a Terminal workaround? Any suggestions would be gratefully received.

Xserve, Mac OS X (10.5.8)

Posted on Aug 12, 2009 7:26 PM

8 replies

Aug 12, 2009 10:35 PM in response to junglejimnz

You can try this in Terminal (the permission names must be spelled as chmod expects them: delete_child, file_inherit, directory_inherit):
sudo chmod +a "everyone deny delete,delete_child,file_inherit,directory_inherit" /Path/to/directory

If you try and delete the folder or file, an admin password will be required.

Alternatively, if you know the short username of the account, you can replace everyone with that short username.

Aug 19, 2009 2:22 PM in response to Community User

Thanks macwiz. I have tried your suggestion but I'm back to square one. I still have my original problem of not having write access to the shared folder over the network.

I've tried this on several servers running Mac OS 10.5 and frustratingly my original problem is duplicated on all servers. I'm curious if this is a known bug / unexpected behaviour/ limitation? If its the latter then surely that's a very serious flaw?!?

Comments welcome.

Aug 19, 2009 3:47 PM in response to junglejimnz

I'm not sure why, as all that ACL does is deny delete permissions. Run this command in Terminal on the directory you are having issues with:
ls -aled /Path/to/directory

Post the output. Thanks.

Aug 19, 2009 8:06 PM in response to junglejimnz

Ah yes, the folder is owned by the admin group.

Try changing the owner to the student account and running these commands:

sudo chown student:staff "/Path/to/directory"
sudo chmod -a# 0 "/Path/to/directory"
sudo chmod +a "student deny delete,delete_child,file_inherit,directory_inherit,chown,writesecurity" "/Path/to/directory"

(replace student with the short username of the student account).

That should make them the owner, deny deletion of items, keep write access, and prevent them from altering security settings.

Aug 19, 2009 8:17 PM in response to junglejimnz

The ACL that was applied specifically denies the ability to delete any objects in the folder but does not grant the permission to write to the folder or child objects. Without an ACL that grants those privileges the POSIX permissions take precedence and deny the 'write' permissions to any user but the owner of the folder.

In Terminal.app do (all on one line, may be wrapped here):

sudo chmod +a "<userorgroup> allow read,write,list,search,add_file,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /path/to/directory
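The reason the deny-only ACE from the earlier replies leaves the student unable to write, and why either Mabel's allow ACE or macwiz's chown fixes it, comes down to evaluation order: each ACE is consulted first, and any right no ACE decides falls through to the POSIX mode bits. The following is an added, simplified Python model of that order written for this thread; it is not Apple's implementation and not code from any poster. Assumptions: rights are limited to directory-level ones (list, search, add_file, add_subdirectory, delete_child), deny entries are placed ahead of allow entries as chmod +a does, and the hypothetical `student`/`admin`/`staff` names stand in for the thread's accounts.

```python
from dataclasses import dataclass, field

# Rights that a POSIX bit covers when no ACE decides them
# (r=4 lists the directory, w=2 adds/removes entries, x=1 traverses it).
POSIX_BIT = {"list": 4, "add_file": 2, "add_subdirectory": 2,
             "delete_child": 2, "search": 1}


@dataclass
class Ace:
    who: str              # short user name, group name, or "everyone"
    kind: str             # "allow" or "deny"
    rights: frozenset     # e.g. frozenset({"delete", "delete_child"})


@dataclass
class Directory:
    owner: str
    group: str
    mode: int             # POSIX mode bits, e.g. 0o775
    acl: list = field(default_factory=list)

    def add_ace(self, ace):
        """Mimic chmod +a: deny entries are inserted before allow entries."""
        if ace.kind == "deny":
            first_allow = next((i for i, a in enumerate(self.acl)
                                if a.kind == "allow"), len(self.acl))
            self.acl.insert(first_allow, ace)
        else:
            self.acl.append(ace)


def allowed(d, user, groups, right):
    """True if `user` (member of `groups`) may exercise `right` on `d`.

    The first ACE naming both the principal and the right decides.
    If none does, fall back to the matching POSIX class bits."""
    for ace in d.acl:
        matches = ace.who == user or ace.who in groups or ace.who == "everyone"
        if matches and right in ace.rights:
            return ace.kind == "allow"
    if user == d.owner:
        shift = 6
    elif d.group in groups:
        shift = 3
    else:
        shift = 0
    return bool((d.mode >> shift) & POSIX_BIT[right])


def check(d, user, groups):
    return {r: allowed(d, user, groups, r)
            for r in ("list", "add_file", "delete_child")}


def scenario_deny_only():
    # The original symptom: admin-owned folder, only a deny ACE for student.
    d = Directory(owner="admin", group="admin", mode=0o775)
    d.add_ace(Ace("student", "deny", frozenset({"delete", "delete_child"})))
    return check(d, "student", {"staff"})


def scenario_allow_plus_deny():
    # Mabel's fix: add an allow ACE that grants the write-type rights.
    d = Directory(owner="admin", group="admin", mode=0o775)
    d.add_ace(Ace("student", "allow",
                  frozenset({"list", "search", "add_file", "add_subdirectory"})))
    d.add_ace(Ace("student", "deny", frozenset({"delete", "delete_child"})))
    return check(d, "student", {"staff"})


def scenario_chown_to_student():
    # macwiz's fix: make student the owner so POSIX grants write; keep the deny.
    d = Directory(owner="student", group="staff", mode=0o775)
    d.add_ace(Ace("student", "deny",
                  frozenset({"delete", "delete_child", "chown", "writesecurity"})))
    return check(d, "student", {"staff"})


if __name__ == "__main__":
    for name, fn in (("deny only", scenario_deny_only),
                     ("allow + deny", scenario_allow_plus_deny),
                     ("chown to student", scenario_chown_to_student)):
        print(f"{name:18s} {fn()}")
```

In the first scenario the student can list but not add files, exactly the "no write access" symptom reported above, because the deny ACE says nothing about add_file and the POSIX "other" bits do not grant w. In the other two scenarios add_file succeeds while delete_child stays denied; note that `add_ace` moves the deny ahead of the allow even though it was added second, which is why the order in which you type the chmod commands does not matter.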

Aug 19, 2009 8:35 PM in response to Mabel O'Farrell

That shouldn't really matter at this point. The above set of commands sets the students as the owner.

@junglejimnz: You can use whichever command you want. Either use the chown above, or replace it with the ACL Mabel provided. You can use either one, as they should both have the same effect. Just clearing up any confusion you may have had. 😉

Oct 28, 2009 9:39 AM in response to Community User

Ok. I have mobile accounts set up for students... and I have collaborative work areas set up for them - dropbox, handouts, and teamwork folders. I want them to be able to rw to the teamwork folder and was told that I could use ACLs to stop them from being able to delete. All looks and acts fine until they access the folder ONE time and then it breaks... they lose all permissions and then are unable to continue.. this occurs with any type of file... never mind the fun that is Microsoft Office!
I would really appreciate finding out how to fix this if possible. Right now the group that all students belong to has rw access to the folder and they can delete, but it would be nice if I could implement the things that Apple says I should be able to implement.

The ACLs:
  students belong to a group whose ACL has rw

POSIX:
  admin is owner
  student group has rw
  others none

Any help or insight would be much appreciated.
Thanks
