How to make sub folders in a share invisible to certain users?

Question

How to make sub folders in a share invisible to certain users?

Back in the 10.3 days simply setting the posix permissions so that certain users and groups had no access to a sub folder in a shared folder would make the folder invisible to those users and groups.

Flash forward to Snow Leopard, I'm trying to accomplish the same thing with ACLs, and I can't seem to do it, the folders are still visible with access denied badges. I read the ACL white paper that was on AFP548, and that suggested creating a deny full control ACE for groups that shouldn't have access, but that no longer seems to work the folders are still visible.

I've been fiddling with different ACL configurations, but I can't seem to get it to work.

I am running Mac OS X Server 10.6.4, and the clients are 10.6.4 as well.

Any help in figuring this out would be most appreciated. Thanks in advance.

Posted on Jul 22, 2010 9:41 AM

Reply

Answer 1

Jul 22, 2010 10:43 AM in response to Benjamin Rush

Hi

Set the POSIX Permissions for Everyone to No Access.

Tony

Reply

Answer 2

Jul 22, 2010 11:05 AM in response to Antonio Rocco

Thanks for the reply Tony.

Do you mean set the posix permissions for just Others to no access, or to set Owner, Group and Others to no access?

Reply

Answer 3

Jul 22, 2010 11:25 AM in response to Benjamin Rush

Hi

Apologies I do mean Others. What I normally do is set the POSIX Owner and Group to admin and Others to No Access. Both Permission models apply so you have to take that into account. Any created user is automatically made part of the built-in POSIX staff group (ID=20). That user is also part of Others. If you're trying to deny access for that user using ACLs only yet neglecting to change the POSIX Permission accordingly that user will still have access of some sort.

By setting the Others POSIX Permission to No Access at the Parent Folder level that user won't 'see' the Share. If you're trying to do this with a Nested Folder then that user will 'see' the folder but have no access. What they'll see is the red no entry sign folder icon.

Don't forget to propagate afterwards as well as removing or applying appropriate ACEs if your sharing structure involves nested folders. Server Admin's Interface (IMO) is actually OK with this although you could use the command line if you wish.

This is how it works for me and I rarely see any problems.

Tony

Reply

Answer 4

Jul 22, 2010 11:53 AM in response to Antonio Rocco

Ok, I tried your suggestion and between the results of that test and your last response, I think what I'm trying to do may not be possible with the current system. What I envision doing is have a single share with some child folders that everyone can see, and other child folders that are only visible to select users and invisible to everyone else. Unfortunately, it seems like I can't make those folders invisible to unauthorized users, only inaccessible.

Reply

Answer 5

Jul 22, 2010 12:13 PM in response to Benjamin Rush

Hi

You may achieve what you want (albeit in a round-about-way) if you apply the hidden flag using the chflags utility? Something like:

sudo chflags hidden /pathtofileorfolder

This will hide the folder/share for everyone. Network Users as well as local users. However this may not be desirable from your point of view?

Tony

Reply

Answer 6

Jul 22, 2010 1:05 PM in response to Antonio Rocco

Unfortunately, making these folders invisible to all would not work in this situation. I was hoping to keep a single shared folder and simply manage permissions within it to control who sees which folders in addition to which folders they can access. It looks like I will just have to bite the bullet and create multiple share points to visually segregate the data.

I appreciate your help in sorting this all out, thanks.

Reply

Answer 7

Jul 22, 2010 1:44 PM in response to Benjamin Rush

Perhaps symbolic links to make virtual SMB shares...

Reply