Q: OS X 10.10 - Shared File is not sharable. ACL & Permissions Question
I am running OS X Server on OS X 10.10 (Yosemite). A file is shared among all members of the "is_medical_assistant" group; the folder that contains the file is also owned and shared by this group. Using the file permission settings of OS X Server, I have given the members of the "is_medical_assistant" group Full Control of both the folder and the file; furthermore, the permissions on the folder are set to inherit to the child files, folders and all descendants.
The goal is to allow Employee A to edit the file over an SMB share. Employee B then needs to be able to open the file at a future time and also make edits.
The problem is that when Employee A edits and saves the file in Numbers, it saves with new ownership: "Employee A":wheel, and Employee B is no longer able to edit the file. Employee B can open and read the file but cannot edit and save changes.
This problem is racking my brain, and I don't know what to do.
I have tried the following:
- using file ownership and group settings (chown) to assign ownership of the file to the group at a POSIX level.
- using a script run by cron to chown the wheel group to the "is_medical_assistant" group.
- using chown to set ACLs manually.
The cron job fails, presumably, because the administrator account does not have membership to any of the groups that can read or write to the directory, although adding the administrator to the group does not seem to have a positive effect.
All help is appreciated!
OS X Server 4, OS X Yosemite (10.10.3)
Posted on Mar 9, 2016 3:57 PM
Thank you, Alberto Ravasio. This exercise has helped me find the answer: In order to give a user the ability to edit a file in a directory, one must give that user the "add_file,add_subdirectory,delete_child" permissions. Mac OS X must attempt the creation of a temporary file and the subsequent deletion of the temporary file when determining if a file is "Locked". In the case of simple files like txt documents, the add_file and delete_child permissions are used. In the case of more complex files like Pages and Numbers, the add_subdirectory and delete_child permissions are used; these complex formats use a temporary directory instead of just a temporary file.
I have achieved the results I desire:
- Users are able to access files from any system using network credentials to edit files.
- Users are able to make changes to files after other users from the same groups make edits.
- The user login on the client is irrelevant to the credential decision at the server.
To achieve this result, I did the following:
- I gave ownership of all files and directories to root:wheel
- I set POSIX permissions to 0700 for all files and directories.
- I cleared all existing and erroneous ACL permissions by using the command:
sudo chmod -R -N ./PatientManagmentDataFolder
- I added read permissions to the necessary folders and files recursively using the command:
sudo chmod -R +ai "group:clinic_staff allow list,search,read,execute,file_inherit,directory_inherit" ./PatientManagmentDataFolder
- I added edit permissions to the folder for the group that has write permissions using the command:
sudo chmod -R +ai "group:patient_manager_file_editor allow write,append,execute,delete,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" ./PatientManagementDataFolder
After performing these steps, I approached several members of the staff and asked them to edit the spreadsheets contained within the folder. The attempts failed or succeeded based on the user's membership to each of the groups defined in the ACL.
Posted on Mar 14, 2016 4:41 PM
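The procedure in the answer above, wrapped into a script as an added example (not the poster's own code): it rebuilds a share root with root:wheel, mode 0700 and two inherited ACL entries, and it audits `ls -le` output to confirm the editor group's entry carries the rights an atomic save (temp file or temp directory, then replace) needs. The group names, folder names and the sample `ls -le` lines are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed names: a share root owned by
# root:wheel, a reader group and a separate editor group (all hypothetical).
set -eu

READ_RIGHTS="list,search,read,execute,file_inherit,directory_inherit"
EDIT_RIGHTS="write,append,execute,delete,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit"

# Build the ACE text that macOS `chmod +a` / `+ai` parses: "group:NAME allow RIGHTS".
ace_for() {  # $1 = group, $2 = comma-separated rights
  printf 'group:%s allow %s\n' "$1" "$2"
}

# Rebuild a share root the way the accepted answer does: the POSIX mode grants
# nothing beyond root, and two inherited ACL entries carry all access.
# macOS only (chmod -N and +ai are macOS ACL options); the audit below never calls it.
apply_share_acls() {  # $1 = dir, $2 = reader group, $3 = editor group
  sudo chown -R root:wheel "$1"
  sudo chmod -R 0700 "$1"
  sudo chmod -R -N "$1"
  sudo chmod -R +ai "$(ace_for "$2" "$READ_RIGHTS")" "$1"
  sudo chmod -R +ai "$(ace_for "$3" "$EDIT_RIGHTS")" "$1"
}

# Audit `ls -le` output (stdin) for one directory: does the editor group's allow
# entry (direct or inherited) carry every right an atomic save needs?
# Returns 0 when complete, otherwise prints what is missing and returns 1.
check_editor_ace() {  # $1 = editor group
  local line rights missing="" r
  line=$(grep -m1 -E "group:$1( inherited)? allow " || true)
  [ -n "$line" ] || { echo "no allow entry for group $1"; return 1; }
  rights=${line##* allow }
  for r in write add_file add_subdirectory delete_child; do
    case ",$rights," in *",$r,"*) ;; *) missing="$missing $r" ;; esac
  done
  [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}

# Constructed `ls -led` samples (not real output from the poster's server).
ACL_OK='drwx------+ 3 root  wheel  96 Mar 14 16:41 PatientManagementDataFolder
 0: group:clinic_staff allow list,search,read,execute,file_inherit,directory_inherit
 1: group:patient_manager_file_editor allow write,append,execute,delete,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit'
ACL_BAD='drwx------+ 3 root  wheel  96 Mar 14 16:41 Subfolder
 0: group:clinic_staff inherited allow list,search,read,execute,file_inherit,directory_inherit
 1: group:patient_manager_file_editor inherited allow write,append,execute,add_file,file_inherit,directory_inherit'

printf '%s\n' "$ACL_OK"  | check_editor_ace patient_manager_file_editor && echo "root folder: ok"
printf '%s\n' "$ACL_BAD" | check_editor_ace patient_manager_file_editor || echo "subfolder: Numbers saves will fail"
```

Run the audit against real `ls -le` output of each folder (`ls -led /path | check_editor_ace editor_group`) before and after applying the ACLs; a subfolder whose entry lost add_subdirectory or delete_child is exactly the case where Numbers and Pages can open but not save.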