brycesteiner

Q: Sharing Permissions ****

Here's what's happening. I have a volume with this (under get info):

 

I set it so the users can access. All people are part of a group called "Users". The "Users" group is allowed to read and write along with all the admins. Since they are also part of the "staff" group that is default on OS X, they have the privilege of read and write also. I also have it set to read and write for everyone (everyone I assume is all users, not guests). All permissions were propagated to all files and folders.

 

Okay. Now I also have in Server the share on the volume named "data" that everyone also has access to the folders within. That's great. Both Windows and Mac users access the files with no problem until one person saves or creates a new folder or file. At that point they are the owner and no one else can access the file. They get access denied and Distiller cannot process the PostScript files.

 

The only way I can get this to work is to turn off sharing and check the box "Ignore ownership on this volume" and turn sharing back on.

 

I'm using Server 5.0.15 on OS X 10.11.2. I really don't think that matters because it's always done this no matter the OS X version.

 

What can I do to solve this?

Mac mini, OS X El Capitan (10.11.2), 2011 Mac Mini Server

Posted on Dec 14, 2015 6:35 AM


  • by Strontium90, Helpful

    Strontium90 Dec 14, 2015 5:04 PM in response to brycesteiner
    Level 5 (4,067 points)
    Servers Enterprise

    It sounds like you are trying to use only POSIX permissions.  POSIX permissions do not inherit.  You must use at least one Access Control Entry.  This should be done in Server.app.  Follow these general steps:

     

    1:  Create a group or groups

    2:  Add the proper people to the proper groups

    3:  In Server.app, double click the shared folder

    4:  In the Permissions window, press the + button and add the group defined in step 1.

    5:  Set the proper permissions for the group.

    6:  Generally leave the POSIX permissions at standard umask unless you need to be more restrictive.

    7:  Permissions should propagate.  If they do not...

    8:  Select your Server from Server.app's sidebar (first item in the list), and choose the Storage tab.

    9:  Drill down to your shared folder and select it.

    10:  From the Gear menu choose Propagate Permissions or Edit Permissions and then propagate.

     

    Screen Shot 2015-12-14 at 10.04.08 AM.png

    OS X has not supported POSIX inheritance since 10.4.  You must use ACLs to properly manage group permissions. 

     

    Oh, and you should not be giving everyone write access.

     

    Reid

    Apple Consultants Network

    "El Capitan Server – Foundation Services"

    "El Capitan Server – Control & Collaboration"

    "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store

  • by brycesteiner

    brycesteiner Dec 14, 2015 8:59 AM in response to Strontium90
    Level 1 (25 points)
    Mac OS X

    I'm glad to hear that you think this is fixable. I am using the ACLs. I'm also using the UNIX permissions in Get Info, which I'm gathering I shouldn't do. Is there a way to reset the POSIX permissions back to default? If OS X doesn't support it, why does it have it as changeable in the Finder?

     

    1-5. I have created groups and I've been trying to use them in the Server app.

    Screen Shot 2015-12-14 at 11.36.59 AM.png

    I have everyone added to Users with the exception of the admin. I also have the owner who is also the admin. Should I not have users here?

    6. How do I get POSIX in Finder back to default? Since OS X doesn't use them it shouldn't matter, right? Apparently it does matter because I have to have "Ignore ownership on this volume" turned on to get this to work. Perhaps it should be checked so it works?


    7. Permissions do propagate because I force them to with the gear.

    8. On the Storage tab I have a similar look to the Finder "Get Info". When I choose Edit Permissions they are set to "custom" for the groups that I have created. The default "staff" is set to read and write. See below. I think you will see problems below that show why I have to have ignore ownership turned on.

    Screen Shot 2015-12-14 at 11.57.25 AM.png

     

    Thanks for your help.

  • by Strontium90, Helpful

    Strontium90 Dec 14, 2015 5:03 PM in response to brycesteiner
    Level 5 (4,067 points)
    Servers Enterprise

    The Get Info window has been broken for more years than I can count.  Never rely on what it reports when inspecting data from a server and never use it to change permissions on server content.  Always use Server.app or the Terminal (chmod). 

     

    1-5:  You must disable Ignore ownership.  If that is enabled on the volume, all permissions are ignored.

     

    6:  The default umask is 755 for folders and 644 for files.  The group is commonly staff.  You can use some Terminal mojo to reset your data using the find and chmod commands (sudo find /path/to/data -type d -exec chmod 755 {} \; sudo find /path/to/data -type f -exec chmod 644 {} \;).  Or you can simply set the POSIX owner to read/write and the Group and Other to Read only.  However, the exclusion of Everyone is a way to hide the shares when using AFP.  This is effective if you have more than one share and you want to restrict visibility to those who should not have access.

     

    7:  Use the Terminal to confirm you are getting what you want.  Say /Volumes/Files/Dropbox/Data is the share you want.  Your group is Research.  Run this command to view the permissions:

     

         ls -le /Volumes/Files/Dropbox/Data

     

    drwxr-xr-x@ 2 carbon  research      68 Dec 14 17:13 Folder
     0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
     1: group:research inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
    -rw-r--r--@ 1 carbon  research  205184 Dec 14 17:13 Test.png
     0: user:_spotlight inherited allow read,execute
     1: group:research inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity

     

    You should get something like above.  Note the locations of research are both in the POSIX group and the #1 ACE. 

     

    8:  You need to have all Inheritance boxes checked.  This is what you are trying to accomplish.

     

    Recommendation... Leave the existing share alone for a moment.  Follow these steps:

    1:  Make sure Ignore ownership is off

    2:  Make a new folder

    3:  Share the folder

    4:  Edit the folder on the Sharing tab and add ONLY the User group.  Set that group to Read/Write

    5:  Go to a workstation.  Connect to the share and add some content. 

    6:  Go to another workstation.  Connect to the share as a different user and edit the first users content.  Add some new stuff as well.

    7:  Go back to first workstation.  Edit everything.

     

    If you have this working, then replicate to the existing share.   If you think you need to start from scratch, you can use the find/chmod command to reset POSIX and chmod -N to strip the ACL table off all files/folders.  Then go back to Server.app and start over.

     

    Reid

    Apple Consultants Network

    "El Capitan Server – Foundation Services"

    "El Capitan Server – Control & Collaboration"

    "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store
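An added example, not from the thread above: a small Python audit that parses `ls -le` output like the listing in the reply and flags entries where the group ACE is missing or, on folders, lacks the file_inherit/directory_inherit flags that cause the "new files are stuck" symptom. The listing is constructed, and the "Broken" folder is added to show a failing case.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `ls -le` listing in the reply above.
# "Broken" is an added folder whose group ACE has no inheritance flags.
SAMPLE_LISTING = """\
drwxr-xr-x@ 2 carbon  research      68 Dec 14 17:13 Folder
 0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
 1: group:research inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x@ 2 carbon  research      68 Dec 14 17:13 Broken
 0: group:research allow list,add_file,search,add_subdirectory,delete_child
-rw-r--r--@ 1 carbon  research  205184 Dec 14 17:13 Test.png
 0: user:_spotlight inherited allow read,execute
 1: group:research inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity
"""

# One ACE line: "<n>: user|group:<name> [inherited] allow|deny <perm,perm,...>"
ACE_RE = re.compile(r"^\s*\d+: (user|group):(\S+) (?:(inherited) )?(allow|deny) (\S+)$")
INHERIT_FLAGS = {"file_inherit", "directory_inherit"}

@dataclass
class Entry:
    name: str
    is_dir: bool
    group: str                                   # POSIX group from the mode line
    aces: list = field(default_factory=list)     # (kind, who, inherited, effect, {perms})

def parse_ls_le(text):
    """Turn `ls -le` output into Entry objects; ACE lines attach to the preceding entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        m = ACE_RE.match(line)
        if m and entries:
            kind, who, inherited, effect, perms = m.groups()
            entries[-1].aces.append((kind, who, inherited is not None, effect, set(perms.split(","))))
            continue
        mode, _links, _owner, group, _size, _mon, _day, _time, name = line.split(None, 8)
        entries.append(Entry(name, mode.startswith("d"), group))
    return entries

def audit(entries, group):
    """Return {name: [findings]}; an empty list means the entry matches the model."""
    report = {}
    for e in entries:
        findings = []
        allow = [a for a in e.aces if a[0] == "group" and a[1] == group and a[3] == "allow"]
        if not allow:
            findings.append(f"no allow ACE for group:{group}")
        elif e.is_dir and (missing := INHERIT_FLAGS - allow[0][4]):
            findings.append("group ACE missing " + ",".join(sorted(missing)))
        if e.group != group:                     # the reply checks both places
            findings.append(f"POSIX group is {e.group}, not {group}")
        report[e.name] = findings
    return report
```

Pipe real output in with `ls -le /path/to/share | python3 audit.py` after wrapping the call in a `sys.stdin.read()` if you want to run it against a live share.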

  • by brycesteiner

    brycesteiner Dec 14, 2015 5:45 PM in response to Strontium90
    Level 1 (25 points)
    Mac OS X

    Well, I'm glad to report I think I'm getting somewhere. I didn't realize some of the functions under the tab of the server.

     

    1. Ignore ownership is now turned off.

    2. I put all the volume permissions back to the user only.

    3. I changed the ACLs now to the permissions of the group only and the owner, all in the Server app.

    4. I then told group permissions to inherit. I left the owner name and owner permissions not to inherit (not checked), only to find out that newly created files were stuck again. I then told it to inherit owner permissions (checked all 6 boxes) to child objects. While it was re-propagating I was watching the Distiller server and suddenly it started working. It must have worked. I did several more test files and then it worked with no issues. Good! Hopefully this was the issue.

     

    Now my understanding of permissions has changed: it's not permission assigned but permission inherited, and use the right tools. Everything is denied and nobody is given access unless explicitly inherited.

     

    So why does Apple put permission changes in the Finder Get Info if they are not to be used?

     

    Now how can I control Screen Sharing? In the main System Sharing settings I allow screen sharing for three users, yet only the one logged in can access the screen. The other users are all denied access (connection failed) even though they log in fine through the Finder and see all the folders they are supposed to see. I click disconnect, then "share screen", and it lets me type in the main user/pw and it works fine. This always worked with Yosemite (10.10) and below. Once upgrading to 10.11 this issue appeared. So is there another way to make permission changes for screen sharing in the Server app?

     

    Thanks for the help!

  • by Strontium90

    Strontium90 Dec 14, 2015 6:29 PM in response to brycesteiner
    Level 5 (4,067 points)
    Servers Enterprise

    "Well I'm glad to report I think I'm getting somewhere."

     

    Great news!

     

    "it's not permission assigned but permission inherited"

     

    Basically you are setting a permission model on the parent folder.  Assuming all inheritance is enabled, all children and descendants will get the same permissions.  Now, there may be cases where you WANT to break inheritance.  That is the feature called make inherited explicit.  In other words, you can define a new parent within a parent folder.  Think of it as a mutation.

     

    "So why does Apple put permissions changes in the Finder get info if they are not to be used?"

     

    Because the Get Info window is for home users who don't know they are using ACLs.  POSIX permissions remain critical to the function of the OS.  They cannot be removed.  And solo users may need to alter permissions.  Get Info works for them.  But domain-bound devices should avoid the Get Info window.