Hi itmanltd,
Actually, you probably haven't tried everything. OS X makes the "brute force" method viable. By implementing WatchPaths, Apple has endowed launchd with the capacity to monitor the same events used in Folder Actions. That means that it's not necessary to run a script constantly to poll the contents of directories. Launchd provides the service that allows you to register an interest in an event and then sit back and do nothing until notified. When someone modifies the contents of a directory, your script is run, which would ostensibly set permissions or ACLs as you desire.
Here's where things get tricky. Only files at the top level of the specified directory get watched. Contents of subdirectories are not monitored. Thus, to watch at all depths, all directories must be watched. Further, the users probably have the right to create directories, so the list of watched paths must be dynamic. That means that the job would have to be unloaded and then reloaded, but a job can't do that to itself. Thus, that job must be able to invoke another job to do the loading and unloading.
It struck me that such an adaptive job should certainly have uses, but it was originally created to do just what you want. However, it does have one drawback. The process of changing permissions is itself a change for which the job is looking. Thus, for this use, an infinite loop is probably started. However, I've tried it and there is no noticeable drain on the system because the launching of the job is so slow. If you're interested, I put the property lists and scripts in a tarball at
propagate_acls.tar.bz2.
--
Gary
~~~~
"Bruce McKinney, author of Hardcore Visual Basic, has
announced that he's fed up with VB and won't be writing
a 3rd edition of his book. The best quote is at the end:
'I don't need a language designed by a focus group'."
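
The dynamic WatchPaths list described in the post above can be sketched as follows. This is an added example, not the contents of the poster's tarball: it builds a launchd job with one WatchPaths entry per directory and reports when a new folder means the job has to be reloaded. The label `example.propagate-acls` and the script path are hypothetical.

```python
import os
import plistlib
import tempfile


def collect_watch_paths(root):
    """Return root and every real directory beneath it, sorted."""
    root = os.path.realpath(root)
    # followlinks=False: symlinked directories are not descended into, so a
    # link created inside the share cannot pull outside paths into the job.
    return sorted(dirpath for dirpath, _, _ in os.walk(root, followlinks=False))


def build_watch_job(root, label, program_arguments):
    """Build the launchd job dictionary with one WatchPaths entry per directory."""
    return {
        "Label": label,
        "ProgramArguments": list(program_arguments),
        "WatchPaths": collect_watch_paths(root),
    }


def render_plist(job):
    """Serialize the job as an XML property list."""
    return plistlib.dumps(job, fmt=plistlib.FMT_XML, sort_keys=True)


def needs_reload(installed_plist, job):
    """True when the directory set no longer matches the installed job."""
    return plistlib.loads(installed_plist).get("WatchPaths") != job["WatchPaths"]


def demo():
    # Constructed sample tree standing in for a shared folder.
    with tempfile.TemporaryDirectory() as share:
        args = ["/usr/local/bin/propagate_acls.sh", share]  # hypothetical script
        os.makedirs(os.path.join(share, "projects", "alpha"))
        installed = render_plist(build_watch_job(share, "example.propagate-acls", args))
        os.mkdir(os.path.join(share, "projects", "beta"))  # a user adds a folder
        updated = build_watch_job(share, "example.propagate-acls", args)
        # The second (loader) job would rewrite the plist and reload here.
        return len(updated["WatchPaths"]), needs_reload(installed, updated)


if __name__ == "__main__":
    print(demo())
```

Comparing the installed plist with the freshly built one means the loader job is only invoked when the set of directories has actually changed, not on every permission change inside an already watched folder.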