Dec 18, 2012, 09:13 PM | #1
10.6 Server: My ACLs seem to be broken
I've got a small office file server (a Mini server running 10.6.8 server, configuration imported from a 10.5 XServe) that I'm having some really, really weird permissions issues with.
One of the directories on a share on the server is supposed to be read/write-able by a bookkeeping user group, but not readable by the broader general staff user group (this is a custom staff group, not the system default one). I did this by creating an ACL for the folder (via the browser in Server Admin) with Full Control permission for the desired group, and then below it the staff group with deny Full Control, then set inherit to everything below.
That worked fine for literally years.
Then, suddenly, a few days ago, people could no longer modify or delete folders that they created within that folder. When I checked the permissions on created folders, they were somehow getting created without "delete" allowed, which made no sense, but I assumed that something had gone wonky and tried doing every combination of reboots, re-setting permissions, re-propagating them, etc. I could think of.
Finally I re-created a fresh user group for the Bookkeepers (new GID, short and long name), deleted the old one entirely, used the command line and sudo to purge the ACL from the top-level folder entirely, and re-added the desired permissions.
Still no luck--now I can create new folders, but cannot rename or move a folder I have just created, although I can delete it. The "Effective Permissions" browser in Server Admin shows my user as having full permissions for the folder in question to do everything, I've logged out and back on to make sure it's not a cache issue, and I've run out of ideas short of an OS reinstall.
The command line says I have the following permissions, which as far as I can tell are identical to directories I can edit the name of and move:
inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
Is there something I'm missing here? What the heck is going on?
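An added example, not part of the original post: a small parser for ACE lines in the form quoted above, which separates rights from inheritance flags and reports what differs between two entries. It assumes the lines follow the style `ls -le` prints on Mac OS X, with an optional index and `user:`/`group:` principal; the function names and the third sample line are constructed for illustration.

```python
import re

# Inheritance flags listed in chmod(1) on Mac OS X; any other token is a right.
INHERIT_FLAGS = {"file_inherit", "directory_inherit", "limit_inherit", "only_inherit"}

ACE_RE = re.compile(
    r"^\s*(?:(?P<index>\d+):\s+)?"                 # optional "0: " index
    r"(?:(?P<principal>(?:user|group):\S+)\s+)?"   # optional principal (assumed form)
    r"(?P<inherited>inherited\s+)?"                # entry came from a parent folder
    r"(?P<kind>allow|deny)\s+"
    r"(?P<perms>\S+)\s*$"                          # comma-separated rights and flags
)

def parse_ace(line):
    """Split one ACE line into principal, allow/deny, rights and inheritance flags."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"not an ACE line: {line!r}")
    tokens = set(m["perms"].split(","))
    return {
        "principal": m["principal"],
        "inherited": bool(m["inherited"]),
        "kind": m["kind"],
        "rights": tokens - INHERIT_FLAGS,
        "flags": tokens & INHERIT_FLAGS,
    }

def diff_aces(line_a, line_b):
    """Report rights and flags present in one entry but not the other."""
    a, b = parse_ace(line_a), parse_ace(line_b)
    return {
        "rights_only_in_a": a["rights"] - b["rights"],
        "rights_only_in_b": b["rights"] - a["rights"],
        "flags_only_in_a": a["flags"] - b["flags"],
        "flags_only_in_b": b["flags"] - a["flags"],
        "same_kind": a["kind"] == b["kind"],
    }

# The two entries exactly as quoted in the post.
ACE_1 = "inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit"
ACE_2 = "inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit"
# Constructed line showing the full form with index and principal.
SAMPLE = " 0: group:example_group inherited deny delete,file_inherit"

if __name__ == "__main__":
    for key, value in diff_aces(ACE_1, ACE_2).items():
        print(f"{key}: {value}")
    print(parse_ace(SAMPLE))
```

Pasting the entries from a folder that behaves correctly and from one that does not into `diff_aces` shows any right that differs between them, which is easy to miss when reading long comma-separated lists by eye.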