ACL permissions issues

Question

Level 1

0 points

ACL permissions issues

Hopefully someone will be able to help with this issue.

I am trying to setup a permission structure for folders on an AFP Share on an xServe running 10.6.4.

I would like to Deny access to all folders for the Everyone Group then allow access to folders to explicit groups. This kind of works but I am having issues with users that are given explicit read write access in that they are able to create folders but unable to name or rename them?

Is this a bug or am I going about this the wrong way?

Regards,
Darren

xServe, Mac OS X (10.6.4)

Posted on Aug 25, 2010 12:07 AM

Reply

Answer 1

Churnd

Level 1

5 points

Aug 25, 2010 3:59 AM in response to Darren_W

I'm assuming these people are using Windows XP? If so, check this blog post: http://chrishearn.wordpress.com/2010/04/07/os-x-server-smb-problems/

Specifically, this part:

; Fix ACL's for Windows XP Users
acl check permissions = no
nt acl support = no

Reply

Answer 2

Darren_W Author

Level 1

0 points

Aug 25, 2010 4:16 AM in response to Churnd

Thanks for the reply.

Its a good link but unfortunately only related to SMB share, I am only sharing and connecting via AFP. This problem is actually not windows related at all. Clients are connecting to the AFP share via Mac's running 10.6.4.

Reply

Answer 3

Churnd

Level 1

5 points

Aug 25, 2010 8:16 AM in response to Darren_W

Ah I see. Try removing the deny ACL and restrict the allow ACL to just the people you want. I never use deny ACL's... in my opinion they are more trouble than they're worth. From what I can tell, would only want to use them if you have an allow ACL inherited that you want to circumvent for a specific directory or file.

Reply

Answer 4

Aug 25, 2010 10:00 AM in response to Churnd

Agreed. Deny ACLs (on any platform) as exceptions to allow rules usually are best left avoided if they can be. Much easier to evaluate "this is what is allowed" then "this is what is allowed, except in this instance, or that one, or this other one".

Reply

Answer 5

Darren_W Author

Level 1

0 points

Aug 25, 2010 8:55 PM in response to MuddyBulldog

Hey Guys, Thanks heaps for your input.

I guess I am going about this the wrong way, I will have a think about the best way to complete this task.

Does any one have any suggestions as to the best way to do this?

I wish to create a share with several folders inside that I want to be hidden unless the user is in a group with rights to read the folder?

I have been successful in doing this using POSIX permissions however the folders are not hidden, just displayed with the no access symbol.

Regards,
Darren

Reply

Answer 6

Aug 27, 2010 10:49 AM in response to Darren_W

I've always gone with the philosophy that if you have two folders in one share that need different permissions what you actually need is two shares.

as opposed to:

afp://server/share/folder1
afp://server/share/folder2
afp://server/share/folder3

where all 3 folders are accessed via 'afp://server/share',
create

afp://server/share1
afp://server/share2
afp://server/share3

users that don't have access to a particular share won't see it should they open

afp://server

Reply