ACL POSIX - Rules of Precedence
Hello,
Having some problems with this.Workgroup manager states "Access Control List entries take precendence over the standard permissions listed above" yet, when I read Apples own File Services Administor PDF it says :
"When you add ACEs to an ACL, order is important. Mac OS X Server uses the following
rules to control access to files and folders:
• If a file or folder has no ACEs defined for it, Mac OS X Server applies the standard
POSIX permissions.
• If a file or folder has one or more ACEs defined for it, Mac OS X Server starts with the
first ACE in the ACL and works its way down the list until the requested permission is
satisfied or denied. After evaluating the ACEs, Mac OS X Server evaluates the
standard POSIX permissions defined on the file or folder. Then, based on the
evaluation of ACL and standard POSIX permissions, Mac OS X Server determines
what type of access a user has to a shared file or folder.ation for OSX Server 10.4 it states "
So it seems its a combination of both POSIX and ACLs which determines a users access.Sadly on my system it doesn't seem to work this way.
I'm trying to set up folder for our production dept.I only want the production group to have access.
So I set the Posix entries as :
owner - localadmin - read and write
group - admin - read and write
everyone - none
Then I add an ace for the production group, giving them full access.
I fire up the Effective Permissions Inspector, drag over a production member and find all the write attributes are off except for delete.So the everyone posix field definitley overrides my ACL settings. Now I can set the Posix everyone field to read and write but I don't want everyone to have access.
I thought about adding an ACL entry to the effect of denying access to all maybe by using the staff group.However deny permissions override other permissions, as stated in Apples File Services PDF.
All this coupled with the fact that once ACLs are enabled all files copied under AFP receive standard Posix permissions makes OSX a very poor fileserver.
Anyone got any ideas about how to setup this very basic share?
Thanks Guys.
Having some problems with this.Workgroup manager states "Access Control List entries take precendence over the standard permissions listed above" yet, when I read Apples own File Services Administor PDF it says :
"When you add ACEs to an ACL, order is important. Mac OS X Server uses the following
rules to control access to files and folders:
• If a file or folder has no ACEs defined for it, Mac OS X Server applies the standard
POSIX permissions.
• If a file or folder has one or more ACEs defined for it, Mac OS X Server starts with the
first ACE in the ACL and works its way down the list until the requested permission is
satisfied or denied. After evaluating the ACEs, Mac OS X Server evaluates the
standard POSIX permissions defined on the file or folder. Then, based on the
evaluation of ACL and standard POSIX permissions, Mac OS X Server determines
what type of access a user has to a shared file or folder.ation for OSX Server 10.4 it states "
So it seems its a combination of both POSIX and ACLs which determines a users access.Sadly on my system it doesn't seem to work this way.
I'm trying to set up folder for our production dept.I only want the production group to have access.
So I set the Posix entries as :
owner - localadmin - read and write
group - admin - read and write
everyone - none
Then I add an ace for the production group, giving them full access.
I fire up the Effective Permissions Inspector, drag over a production member and find all the write attributes are off except for delete.So the everyone posix field definitley overrides my ACL settings. Now I can set the Posix everyone field to read and write but I don't want everyone to have access.
I thought about adding an ACL entry to the effect of denying access to all maybe by using the staff group.However deny permissions override other permissions, as stated in Apples File Services PDF.
All this coupled with the fact that once ACLs are enabled all files copied under AFP receive standard Posix permissions makes OSX a very poor fileserver.
Anyone got any ideas about how to setup this very basic share?
Thanks Guys.
imac G5, Mac OS X (10.3.9)
