Sticky bit, ACL, POSIX

Hi All,

After one day of googling and testing (Snow Leopard Server 10.6.6) I didn't find any solution to what I thought to be a basic permission schema:

I need to set up just one share with read and write permissions for the group and delete permission for the owner; what I get is very close, but needs fine-tuning;

For example, user1 and user2 (belonging to group1) are able to create and delete their own files (and folders) in share1, but user1 can't write in user2's folders and vice versa, and that's exactly what I'm missing;

I've spent a lot of time messing around with POSIX, ACLs, the sticky bit and a mix of them, but what I get is always more (users can delete each other's files) or less (they can't create files in each other's folders) than what I wanted…

Users are in OD but the clients are just standard Macs with local administrator accounts.

Any assistance would be appreciated

iMac 27, Mac OS X (10.6.6)

Posted on Mar 13, 2011 1:55 PM

4 replies

May 23, 2011 9:26 PM in response to Paolo Romoli1

First off, you can't do this with POSIX permissions because both creating a file and deleting a file rely on the same permission (write permission on the directory); therefore if you're allowing someone to create a file you're allowing them to delete it, too.


You should be able to get there with ACLs, though.


Given the directory /path try:


  • chmod +a "group:staff allow list,add_file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /path
  • chmod +ai "group:staff allow file_inherit" /path
  • chmod +ai "group:staff allow add_file,add_subdirectory" /path
  • chmod +a "user:user1 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" /path


These will allow any user in the staff group to create files and subdirectories in /path, and give user user1 the additional ability to delete files. The tricky part lies in getting the inheritance correct (the +ai switches) so that subdirectories inherit the permissions of the parent (which is what allows user1 to delete files in a subdirectory created/owned by a different user).
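The reply above is a set of commands for one share, one group and one user. As an added example (not code from the original thread), the script below packages the same idea into a small shell function: the share path, the group name and the list of users who may delete are parameters, and the two ACE strings are built from named right lists so that the security-relevant difference is visible at a glance: group members get add_file and add_subdirectory but never delete or delete_child, while the "manager" users get both. It relies on the file_inherit and directory_inherit flags to propagate the ACEs to items created later, rather than on separate +ai entries. `chmod +a` only exists on macOS, so on any other system, or whenever DRY_RUN is set, the function prints the commands it would run instead of applying them. The path /Volumes/Data/share1 and the group name group1 in the usage comment are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original thread: apply a "group may create,
# selected users may delete" ACL to a macOS share directory.
#
# Rights every member of the group receives on the share and, through
# file_inherit/directory_inherit, on everything created inside it later.
# Deliberately absent: delete and delete_child.
GROUP_RIGHTS="list,add_file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"

# Rights a "manager" user receives: the same, plus delete (remove the object
# itself) and delete_child (remove entries inside a directory).
MANAGER_RIGHTS="list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit"

# Build the ACE string for a group.  Usage: group_ace GROUPNAME
group_ace() {
  printf 'group:%s allow %s' "$1" "$GROUP_RIGHTS"
}

# Build the ACE string for a user who may delete.  Usage: manager_ace USERNAME
manager_ace() {
  printf 'user:%s allow %s' "$1" "$MANAGER_RIGHTS"
}

# Run chmod on macOS; on other systems (or when DRY_RUN is set) print the
# exact command line that would be typed, one per line, with the ACE quoted.
run_chmod() {
  if [ -z "${DRY_RUN:-}" ] && [ "$(uname -s)" = Darwin ]; then
    chmod "$@"
  else
    printf 'chmod'
    for arg in "$@"; do
      printf " '%s'" "$arg"
    done
    printf '\n'
  fi
}

# Apply the ACL to a share.  Usage: apply_share_acl SHARE_PATH GROUP [USER...]
# One ACE for the group, then one ACE per user allowed to delete.
apply_share_acl() {
  share_path=$1
  share_group=$2
  shift 2
  run_chmod +a "$(group_ace "$share_group")" "$share_path"
  for manager in "$@"; do
    run_chmod +a "$(manager_ace "$manager")" "$share_path"
  done
}

# Show the resulting ACL (ls -e is macOS-only, so this is a no-op elsewhere).
show_acl() {
  if [ "$(uname -s)" = Darwin ]; then
    ls -led "$1"
  fi
}

# Example invocation (placeholder path and names):
#   DRY_RUN=1 apply_share_acl /Volumes/Data/share1 group1 user1
#   apply_share_acl /Volumes/Data/share1 group1 user1 && show_acl /Volumes/Data/share1
```

Two caveats a practitioner will want to keep in mind. Inherited ACEs are copied to items at creation time only, so anything that already exists in the share needs the entries applied recursively (`chmod -R +a ...`) or it keeps whatever ACL it had. And deleting an object on macOS is permitted by either `delete` on the object itself or `delete_child` on its parent directory, which is why the manager ACE carries both and the group ACE carries neither.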
