Can ACLs on a directory prevent Guest account from access via a file share?

Discussion in 'macOS' started by kudukudu, Jan 27, 2010.

  1. kudukudu macrumors regular

    Joined:
    Oct 24, 2007
    #1
    I have given up on getting home sharing to work properly amongst all my various computers at home on 10.5 and thought I would use an old style brute force method of simply setting up a file share to share my iTunes library. I set up file sharing to use the Guest account and it works fine for all of my other content. I have tried to create shares of the following directories and can only connect as a registered user (Guest user cannot even see these shares):

    /Users/<name>/Music
    /Users/<name>/Music/iTunes

    I have gone into the terminal and looked at the ACLs on the Music directory (e.g. ls -alte) and I can't see anything that would block access, but I am not an expert with this type of ACL. The ACL on the Music directory is this:

    0: group:com.apple.sharepoint.group.2 allow search
    1: group:everyone deny delete

    I have an ACL called 0: group:everyone deny delete on one of my other shares that works fine so this can't be the culprit (more importantly the ACL looks like it is just preventing users from deleting anything).
     
  2. Denarius macrumors 6502a

    Joined:
    Feb 5, 2008
    Location:
    Gironde, France
    #2
    Those aren't ACL permissions, those are POSIX permissions, which are overruled by ACL permissions.

    To view the ACL permissions do get info on your movies and go to the sharing and permissions section. Change the 'everyone' setting from 'no access' to 'read only' (or read and write if you really want to let people run amok!).

    If you haven't already done it, go to System Preferences>Sharing and then enable file sharing. Finally, add your movies folder to the list to the right in the pane.
     
  3. kudukudu thread starter macrumors regular

    Joined:
    Oct 24, 2007
    #3
    I looked at the man page for "ls" and Apple describes these POSIX permissions as ACLs:

    e - Print the access control list (ACL) associated with the file

    It looks like the permissions are set to "custom" for everyone on /users/<name>/Music. I can't believe I missed this. I changed them to read only and now all is good.

    Thanks, Denarius
     
  4. Denarius macrumors 6502a

    Joined:
    Feb 5, 2008
    Location:
    Gironde, France
    #4
    You're absolutely right about the -e option, should've spotted that myself. Something new learnt today! The first bit is the POSIX then the bit about 'everyone:deny deleted' is the ACL supplement to the POSIX permissions. POSIX is the core UNIX permissions system and Access Control Lists are used to make more complex permission schemes on top of the POSIX, but if there's a disagreement between them, the ACL permissions get priority in OSX.

    Incidentally, if you did want to set it up properly for registered users on other computers then set them up as share users and add them to a group which you can then add into the permissions in get info.

    Have fun.
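
Added example, not part of the thread: a Python sketch that splits `ls -le` output into the POSIX mode string and the numbered ACL entries the posts discuss, then reports what applies to everyone. The mode line in the sample is constructed (the thread never shows it), and the function names are this example's own.

```python
import re

# Constructed sample of `ls -led ~/Music` output. The two ACL entries are the
# ones quoted in post #1; the mode line is an assumption (the thread omits it).
SAMPLE = """\
drwx------+ 5 name  staff  170 Jan 27 10:00 Music
 0: group:com.apple.sharepoint.group.2 allow search
 1: group:everyone deny delete
"""

MODE_RE = re.compile(r"^([bcdlps-])([rwxsStT-]{9})([+@]?)\s")
ACE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(allow|deny)\s+(.+)$")

def parse_ls_le(text):
    """Split `ls -le` output into entries: POSIX mode string plus ACL entries."""
    entries = []
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if m:
            entries.append({"name": line.split(None, 8)[8], "mode": m.group(2),
                            "has_acl": m.group(3) == "+", "aces": []})
            continue
        a = ACE_RE.match(line)
        if a and entries:  # numbered lines belong to the entry above them
            entries[-1]["aces"].append({"index": int(a.group(1)), "who": a.group(2),
                "kind": a.group(3), "perms": [p.strip() for p in a.group(4).split(",")]})
    return entries

def everyone_view(entry):
    """Report what applies to everyone: POSIX 'other' bits and everyone ACEs."""
    other = entry["mode"][6:9]  # last triplet = the POSIX 'other' class
    return {
        "posix_other": other,
        # listing a directory needs read, entering it needs execute/search
        "other_can_list": other[0] == "r" and other[2] in "xt",
        "everyone_aces": [(a["kind"], a["perms"]) for a in entry["aces"]
                          if a["who"] == "group:everyone"],
    }

if __name__ == "__main__":
    for e in parse_ls_le(SAMPLE):
        print(e["name"], everyone_view(e))
```

On this constructed input the only ACL entry naming everyone is the deny-delete one, while the "other" triplet of the mode string grants nothing, which is the part to check when a folder is invisible to a guest.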
     
