PDA

View Full Version : Permissions Difficulties - Users can't do certain things




JimboStormforce
Jan 21, 2013, 02:51 AM
I am responsible for a Mac Mini Server environment someone else set up, and every so often something throws me a curveball.

Some of our network users (and it turns out this has been the case for nearly a year) can't do things like open Mail (they don't have permission to the relevant library folder) and things like delete or move files.

I've been through all the permissions (both Posix by right clicking and get Info and ACL through Server.App) on each users home folder, and have ensured that the user seems to have the right access, and is the owner.

One of the quirks I've discovered is that on the ACL for each user who works, there is a user called 'root' with Read Write access. Trying to add this root user for the others doesn't work as it doesn't seem to be on the system.

I'm running out of options and knowledge here - does anyone know of a good guide to clearing all ACLs and Permissions on a network user's home folder, and then rebuilding them?

Cheers!



JimboStormforce
Jan 22, 2013, 07:08 AM
So, I've spent the day clearing all permissions on the folders via the command line (or I think that's what I've done) whether POSIX or ACL, and then trying to apply new permissions that should be correct.

No dice.

JimboStormforce
Jan 23, 2013, 03:41 AM
I've now started to view the permissions using terminal (which I'm no expert with), and find something interesting.

If I do ls -ld myHomeFolder (which works!) I get:
drwxrwxr-x+ 39 root admin 1282 23 Jan 09:31 Mail


As an example on the Mail folder (which is one of the ones causing problems. If I do this for another user, I get:
drwxrwxr-x+ 11 adamoneill admin 330 17 Jan 10:07 Mail


So, the POSIX permissions look the same, the ACLs might be different, but the owner is different. adamoneill owns his own folder, but root owns my folder.

Most odd.

----------

Listing the ACLs gives me:

drwxrwxr-x+ 39 root admin 1282 23 Jan 09:31 Mail
0: user:jimbodavies allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,reads ecurity

for my home folder, and

drwxrwxr-x+ 11 adamoneill admin 330 17 Jan 10:07 Mail
0: user:root allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,reads ecurity


for adamoneill. So, it looks like the owner and user are swapped round.

JimboStormforce
Jan 23, 2013, 07:48 AM
Well, after much googling, I fixed it.

I went in to Terminal on the server, and used chown to change the owner to root, and the group to admin on each user's home folder.

I then used chmod -RN to strip all the ACLs from each user.

I then user Server.app to add each network user to their home folder with Read, Write access, and propogated those permissions as an ACL.

Seems (touch wood) to be working.