Disable ACLs

Question

Level 1

0 points

Disable ACLs

In simple terms could somebody please direct me how to switch off ACL's totally so I can get 10.4 to work as 10.3 to inerit permissions under AFP.

various macs, Mac OS X (10.4.6)

Posted on Oct 17, 2006 7:32 AM

Reply

Answer 1

lythaby

Level 1

20 points

Oct 17, 2006 9:09 AM in response to itmanltd

Under workgroup manager/sharing.
Disable the route share for ACL's. then re share what you want to, using unix permissions.
The thing is, i've not found a proper way to make the permissions work properly for OWNER/GROUP/EVERYONE.
I'd suggest setting the shares up as you want, ie, RWX-RW-R-, then sudo chmod -R 775 , and drag the shares onto it.
The problem then comes when the user saves a file, as inherent permissions don't seem to work unless ACL's is on??!!, and POSIX throws a wobbly!

What is the full reason that you want to loose the ACL stuff.

Reply

Answer 2

itmanltd Author

Level 1

0 points

Oct 17, 2006 8:23 PM in response to lythaby

I am simply trying to have shares that inherit permissions all the way down the way its always worked in 10.3 (if its set that way).

I've tried every combination of settings but nothing works. If I switch on 'everyone' as RW then I would have thought everyone is everyone?

For Windows users you can manually set it up under protocols but not AFP? If I could simply have al the buttons 'live' under AFP protocals that should do it.

Reply

Answer 3

itmanltd Author

Level 1

0 points

Oct 17, 2006 8:54 PM in response to itmanltd

In answer to may last reply I've found this post

http://discussions.apple.com/thread.jspa?messageID=2809887&#2809887

Explains perfectly what I'm trying to do and how simply the answer is. I'm upgrading to 10.4.8 at the moment but a quick test everything appears to be good again. I'll test on all our servers once they've upgraded and post again if there are any more issues.

Reply

Answer 4

Oct 17, 2006 9:37 PM in response to itmanltd

Hi itmanltd,
Actually, you probably haven't tried everything. OS X makes the "brute force" method viable. By implementing WatchPaths, Apple has endowed launchd with the capacity to monitor the same events used in Folder Actions. That means that it's not necessary to run a script constantly to poll the contents of directories. Launchd provides the service that allows you to register an interest in an event and then sit back and do nothing until notified. When someone modifies the contents of a directory, your script is run, which would ostensibly set permissions or ACLs as you desire.

Here's where things get tricky. Only files at the top level of the specified directory get watched. Contents of subdirectories are not monitored. Thus, to watch at all depths, all directories must be watched. Further, the users probably have the right to create directories so the list of watched paths must be dynamic. That means that the job would have to be unloaded and then reloaded but a job can't do that to itself. Thus that job must be able to invoke another job to do the loading and unloading.

It struck me that such an adaptive job should certainly have uses but it was originally created to do just what you want. However, it does have one drawback. The process of changing permissions is itself a change for which the job is looking. Thus, for this use an infinite loop is probably started. However I've tried it and there is no noticeable drain on the system because the launching of the job is so slow. If you're interested I put the property lists and scripts in a tarball at propagate_acls.tar.bz2.
--
Gary
~~~~
"Bruce McKinney, author of of Hardcore Visual Basic, has
announced that he's fed up with VB and won't be writing
a 3rd edition of his book. The best quote is at the end:
'I don't need a language designed by a focus group'."

Reply