Full permissions (access) for every new file that will be created by another user in the future

I use a Wi-Fi scanner that saves scans to a shared folder on my Mac.

For security reasons, I don't want to store my administrator account's password in the Wi-Fi scanner, so I created a new "Sharing only" user with permission only for this shared folder.

It can save the files to this folder, but... I can't open these files before managing the permissions, even as a full administrator... It is a bug, because I don't need permission to change the permissions for these files, but I cannot open the files directly without changing the permissions every time a new scan is created.


PLEASE READ THIS:

I found similar questions, but they are about a one-time change, which is simple. If I change the permissions manually for currently existing files, it will not change the permissions for future files. But I will scan new files, so I don't want to manually change the permissions for every scan I create.


I need one of these variants:

  1. automatically changing the permissions every time a new file is created by the "shared" user, OR
  2. switching off permission detection for the full administrator for files created by other "standard" or "sharing" users.


Error message for Google:

You do not have permission to open the document 

Contact your computer or network administrator for assistance


Every advice will help. Thank you in advance.

iMac

Posted on Feb 7, 2023 12:54 PM

Question marked as Top-ranking reply

Posted on Feb 7, 2023 5:33 PM

In Users and Groups, create a group.

Add your user and your scanner user to the group.


Adjust this ACL for the <groupName> you created and the path to the folder, then copy/paste it into Terminal and hit return.

chmod -R +a "group:<groupName> allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,reads ecurity,file_inherit,directory_inherit" "Path/to/directory/"


Feb 9, 2023 10:54 AM in response to Barney-15E

Finally we did it. I found an answer on AskDifferent. The syntax was a little bit wrong: it is not necessary to use "" in the path in my case (macOS Ventura 13.2). I did it with the following command:

chmod +a "group:groupname allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" ../Shared/User


Before that I used man chmod :-D

Thank you, Barney!

Feb 8, 2023 4:20 AM in response to Barney-15E

Hi, Barney, and thank you for your reply.

I thought about the approach with the same group for both users: for the "sharing account" and for "superadmin".

What do you think about the security risks of that approach? In the case of someone hacking the "sharing account" from the Wi-Fi scanner, will it be possible to use the same rights that belong to "superadmin" (my main account) in the same group? Is it not the same risk as just granting the superadmin's authentication data to the scanner directly?

I will be happy if you could explain it to me and other users here, because I am not very experienced in user group risks and roles.


P.S.: and I guess there is a mistake here: "reads ecurity". TIA.

Feb 8, 2023 4:53 AM in response to drabada

The sharing user should only have access to that folder, but that is dependent on what you set in the sharing settings.

If they’re inside your LAN, I’m not sure why they would attack the scanner when they can just attack your Mac. Is your scanner wide open to the Internet or is it behind the same router as your Mac?

That ACL does not give the scanning user any more access than it already has. It only gives you access to the files it writes.

Feb 8, 2023 10:58 PM in response to Barney-15E

Dear Barney, before macOS I used Ubuntu, so I know the details about Bash and quotes, but thank you for the notification. It is nice to get real help from you.


user@imac ~ % chmod -r +a "group:<group> allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "/Users/Shared/User"
chmod: +a: No such file or directory
chmod: group:<group> allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit: No such file or directory
user@imac ~ % ls -l /Users/Shared/User 
total 1736
<files and directories list>

So, the directory exists, but chmod doesn't see it in this case.

Feb 9, 2023 10:45 AM in response to Barney-15E

I could successfully set it with:

chmod -R +a "group:SharingGroup allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "/Users/Shared/User" 


If I tried with yours using <> around the name, and with <group> I got the No such file or directory. So, my guess is you are not using the name of the group you created in the command.
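
The command forms that fail in this thread can be checked before anything touches the shared folder: a space splitting `readsecurity`, a `<groupName>` placeholder left in the entry, and lowercase `-r`, which chmod takes as the symbolic mode for removing read permission, so that `+a` and the entry are treated as file names. This is an added example, not code from any poster in the thread; the function names `check_ace` and `apply_ace` are hypothetical, and it assumes user and group short names contain no spaces.

```shell
#!/bin/sh
# Added example: pre-flight check for a macOS `chmod +a` ACL entry.
# KNOWN lists the permission and inheritance keywords from chmod(1).
KNOWN="read write execute append delete readattr writeattr readextattr \
writeextattr readsecurity writesecurity chown list search add_file \
add_subdirectory delete_child file_inherit directory_inherit limit_inherit \
only_inherit"

# check_ace FLAG ENTRY: prints "ok" or the first problem; returns 0 or 1.
check_ace() {
  flag=$1; ace=$2
  # chmod reads "-r" as the symbolic mode "remove read", so "+a" and the
  # entry become file names: "chmod: +a: No such file or directory".
  case $flag in ''|-R) ;; *) echo "flag '$flag' is not -R"; return 1 ;; esac
  set -f; set -- $ace; set +f          # split the entry on whitespace
  if [ $# -ne 3 ]; then
    echo "expected 3 words, got $# (stray space in the list?)"; return 1
  fi
  who=$1; verb=$2; perms=$3
  case $who in
    *'<'*|*'>'*) echo "placeholder left in '$who'"; return 1 ;;
    user:?*|group:?*) ;;
    *) echo "'$who' is not user:NAME or group:NAME"; return 1 ;;
  esac
  case $verb in allow|deny) ;; *) echo "'$verb' is not allow or deny"; return 1 ;; esac
  old_ifs=$IFS; IFS=,
  set -f; set -- $perms; set +f        # split the list on commas
  IFS=$old_ifs
  for p in "$@"; do
    case " $KNOWN " in
      *" $p "*) ;;
      *) echo "unknown permission '$p'"; return 1 ;;
    esac
  done
  # Without file_inherit, files created later do not receive the entry.
  case ",$perms," in
    *,file_inherit,*) ;;
    *) echo "file_inherit missing"; return 1 ;;
  esac
  echo ok
}

# apply_ace DIR ENTRY: check first, then apply and show the resulting ACL.
apply_ace() {
  check_ace -R "$2" && chmod -R +a "$2" "$1" && ls -led "$1"
}
```

`apply_ace` only works on macOS, where `chmod +a` and `ls -e` exist; `check_ace` is plain string handling and runs anywhere.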
