Permission Problem

Discussion in 'Mac OS X Server, Xserve, and Networking' started by kwood, Sep 17, 2008.

  1. kwood macrumors 6502a


    Jun 26, 2006
    In the Great White North.
    Hey All,

    I searched throughout the forums and Google trying to find a resolution to the problem I am having but am unable to find the answer. Here is the set-up followed by my problem.

    1 Mac Pro running 10.4.11 Server mainly for using NetBoot and Open Directory for network user accounts. It has 1x250GB hard drive with the server OS installed and 2x500GB hard drives in a mirrored RAID set for the different network accounts.

    There are 16 iMacs and 8 MacBooks with 10.5.4. The iMacs have the network logins, and the MacBooks just have a generic user account.

    My goal is to allow the different network users to be able to share files back and forth just using their home folder's drop box. This was working properly until something happened that I did not expect. One of the students hopped onto the Mac Pro and made it so everyone had read and write access to the RAIDed storage volume. So every network account can now delete and create files on any of the other accounts. They did this by "getting info" on the storage account storage volume and giving everyone read and write access to everything including enclosed folders.

    I set this network up for a teacher and told them not to use the Mac Pro, just lock it up in their network cabinet (properly ventilated of course). They left it out in the open with a display hooked up to it so anyone knowing the password can adjust the settings. The teacher has also told the password to a few of the students and it got around.

    The password has since been changed and the computer will be locked away once I fix this problem. However I do not know how to adjust the permissions back to default. I need to make it so the owners of the accounts have read and write access to their files, and write access to other peoples' drop boxes.

    So far all I can do is either give everyone access to everything, or access to nothing including their files. Does anyone know how to fix this problem? I am at an end.

  2. tgallant macrumors newbie

    May 13, 2008
    Calgary, Alberta
    The easiest way would be to go to a previous backup, but if you didn't back up, I would then ask you how many users are on the server?
    Because if you want, you can use active, to re-create everyone's home-folder, and just give each student their old home-folder in their drop box.
    If you like, I have a server that I use to test things, I can try different unix commands and see if that works. If not, do you have TechTool Pro? That apparently works. Or folder maker server.
  3. belvdr macrumors 603

    Aug 15, 2005
    No longer logging into MR
    Do you mean R/W for their files and only read for others' boxes? Doesn't make a lot of sense otherwise.

    If so, here's what you can do.

    I assume the owners of the files are set correctly and everyone is in one group.

    If that's correct, use Terminal, cd to the directory:
    cd /RAID_Volume
    then make all directories R/W for owners and R/O for the group:
    find . -type d -exec chmod 750 {} \;
    then make all files R/W for owners and R/O for the group:
    find . -type f -exec chmod 640 {} \;
    EDIT: If you need to do different directories, such as /user_a, /user_b, etc, you can substitute the '.' in the above code with the directory (/user_a, /user_b, etc).

    Word of advice is get to know the Unix underpinnings of OS X. That can save a lot of time and make things much easier.

    I'm not sure I would recommend any of that. That's a lot of work and time when it can be fixed in just a few minutes.
  4. kwood thread starter macrumors 6502a


    Jun 26, 2006
    In the Great White North.
    Sorry it has taken a while for me to get back on this, I am also a University student and had other assignments to worry about.

    There are 90 students over 3 classes and each have their own network account. Each of these accounts can currently read and write to everyone else's home folder. Meaning, User A can go to User B and delete User B's ~/Library, or ~/Pictures or ~/Whatever. I only want these accounts to have write access to ~/Drop Box.

    I will check into the terminal commands. I know basic UNIX commands (like creating folders, deleting, moving etc..). I will try the ones you suggested (they do make sense to me) but I have to see what 'group' the accounts are set to. I did not personally create the Open Directory accounts, I just created the 'template' for the teacher and had them create the accounts.

    Although I did find out what happened. The student got on the Mac Pro, right clicked on the "Account Storage" Volume (the 2 RAIDed 500GB drives). Set the permissions like this from the 'get info' window:
    Owner: read and write
    Everyone Else: read and write

    I have figured out a dirty way to fix the problem. Go in manually to each home directory and give the owner read and write access, set everyone else to read only. Then give only write access to the drop box.

    If I understand adjusting permissions like this from the 'get info' window will do the same as this suggestion:

    Either way, I will go in and see how the network accounts are set-up and then use your suggestions to fix the problem.

    Thanks a lot for your help.
  5. kwood thread starter macrumors 6502a


    Jun 26, 2006
    In the Great White North.

    Ok so the problem has mostly been resolved. Each user now owns the contents of their home folders and no one has access to the content of the enclosing folders. However, people can still go in and delete entire folders.


    User A can go to User B's home folder. User A cannot go into User B's ~/Library folder as they do not have permission to access the folder. But User A can still delete User B's entire ~/Library folder. This is true for every folder inside each of the user account's home folder.

    Essentially User B owns everything in their home folder except the home folder itself. I need a terminal command to change the ownership so that User B actually owns the folder itself.
  6. Zjef macrumors newbie

    Feb 4, 2008
    Not sure what your permissions are per user. I'm also no expert, so my solution is a bit more basic.

    Anyhow, you may find an answer here:

    If you read through the thread, the permissions should look like:
    chmod -R 700 /Users/username
    chmod 755 /Users/username
    chmod -R 755 /Users/username/Public
    chmod -R 733 /Users/username/Public/Drop\ Box
    chmod -R 755 /Users/username/Sites

    You also may want to remove the executable permission on the Public folder; 755 becomes then 744.

    Also I would give it a go on just 1 user and then decide how to go from there.
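
The per-user layout discussed in the posts above, as an added example that is not part of the original thread: it sets directory and file modes separately with find (as in post 3), applies the home, Public and Drop Box modes from post 6, and optionally sets the owner of the home folder itself, since write permission on a containing folder is what decides who can delete the entries inside it. The function names and the sample tree are constructed for illustration; on the server it would be run as root against one real home folder first.

```shell
#!/bin/sh
# Added example; mode_of, set_tree, reset_home and make_sample_home are hypothetical names.

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. drwxr-xr-x

# set_tree ROOT DIRMODE FILEMODE: chmod directories and files separately,
# leaving the Drop Box subtree (files dropped by other accounts) untouched.
set_tree() {
    find "$1" -name 'Drop Box' -prune -o -type d -exec chmod "$2" {} \;
    find "$1" -name 'Drop Box' -prune -o -type f -exec chmod "$3" {} \;
}

# reset_home HOME [OWNER]: run as root on the server for real accounts.
reset_home() {
    home=$1; owner=${2:-}
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 1; }
    # Ownership of the home folder itself (the gap described in post 5).
    if [ -n "$owner" ]; then chown "$owner" "$home" || return 1; fi
    set_tree "$home" 700 600            # private by default
    # Others may enter the home folder but not create, rename or delete entries in it.
    chmod 755 "$home"
    for shared in "$home/Public" "$home/Sites"; do
        if [ -d "$shared" ]; then set_tree "$shared" 755 644; fi
    done
    # Drop Box: write and traverse for others, no listing.
    if [ -d "$home/Public/Drop Box" ]; then chmod 733 "$home/Public/Drop Box"; fi
}

# Constructed sample: a home folder in the state the thread describes,
# with everything readable and writable by everyone.
make_sample_home() {
    mkdir -p "$1/Library" "$1/Public/Drop Box" "$1/Sites"
    echo prefs > "$1/Library/prefs.plist"
    echo hello > "$1/Public/readme.txt"
    chmod -R a+rwX "$1"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_home "$tmp/userb" && reset_home "$tmp/userb"
    for p in "$tmp/userb" "$tmp/userb/Library" "$tmp/userb/Public/Drop Box"; do
        printf '%s  %s\n' "$(mode_of "$p")" "$p"
    done
    rm -rf "$tmp"
fi
```

The block keeps the execute bit on Public because other accounts need it to traverse into the Drop Box beneath it.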
