Permissions are driving me crazy!

Discussion in 'OS X Yosemite (10.10)' started by dmylrea, Feb 4, 2015.

  1. dmylrea macrumors 68000

    #1
    I have a new Mac Mini running Yosemite with Server app.

    Short story is I have a shared folder on an external (TB) drive array. Let's call it "Shared". Underneath "shared" are thousands of folders/subfolders/files. It's the main share for a dept. at work.

    We have two groups that have been assigned permissions. A Read/Write group and a Read Only group (RW and RO).

    I have assigned, at the "Shared" folder, both groups with the respective permissions (either read/write or read only) and chose to "apply to enclosed items" so the permissions would flow down into all the files and folders under "Shared".

    Everything looks great, I can check any subfolder under "Shared" and they have the correct permissions. HOWEVER, when someone in the RW group saves a new file into a folder, the file does not inherit the permissions of the folder! In other words, if FILE.JPG is saved into a folder with the correct permissions, the file permissions for the new file only have RW group. No RO group permission is given to that file. Hence someone in the RO group cannot access (open) or even copy the file. Access denied!

    It's driving me crazy why permissions are so wacky here. It's frustrating for the employees as well.

    Any help or advice as to why saving a file into a folder, the file does not inherit the permissions of the parent folder?

    Thanks!
     
  2. dyt1983, Feb 4, 2015
    Last edited: Jun 1, 2015

    dyt1983 macrumors 65816

    #2
    edit: To remove personally identifying info not relevant to the conversation.
     
  3. dmylrea thread starter macrumors 68000

    #3
    Thank you for the info. I am trying to digest what you have said and will look at the umask info also.

    Just to be clear, though, that permissions were initially set up using server app when the share was created. When things weren't working as expected, I used the manual "Get Info" screen on the top level "shared" folder and manually set both groups to have either read/write or read only permissions and for the permissions to flow to subfolders and files.

    The user that is trying to access these files IS a member of the RO group and can see/open any files in the shared folder except for new ones, because new files are not inheriting the permissions of the parent folder.

    Not sure if I was clear that was the problem. I thought using a RW and a RO group would give me the security I need as the department staff are in the RW group, and then choice staff in other departments are in the RO group and can open and view files, but then, everyone else has NO access. If I use the EVERYONE group with read only, then wouldn't EVERYONE have access to see/open the files?
     
  4. dyt1983, Feb 5, 2015
    Last edited: Jun 1, 2015

    dyt1983 macrumors 65816

    #4
    edit: To remove personally identifying info not relevant to the conversation.
     
  5. dmylrea thread starter macrumors 68000

    #5
    Coming from years (a decade practically) in the Windows server environment, it makes logical sense that you apply group permissions to a folder and the permissions stick with any files put into that folder.

    Maybe I haven't made it crystal clear, but I'm not a novice in that just because I name a group something (the examples I gave were just that, examples), that I don't expect that, magically, the permissions follow the group name! I mean, come on...

    When I assign the permissions at the top folder level, I assign a group, call it GROUP1, read/write permissions, and a group called GROUP2, read only permissions. I have users assigned to both GROUP1 and GROUP2. When assigning permission, I chose the option for the permissions to apply to enclosed items (folders, subfolder, and files within those folders).

    Hence, if I have a folder called ART, with the above GROUP1 and GROUP2 permissions, and the files in the folder have those permissions, and someone from GROUP1 (the read/write group) saves a file in that folder, I assume that someone in GROUP2 can read/open that file, since GROUP2 has read only permissions.

    In any case, I think I've explained it well. I cannot understand why once the permissions are set in a folder that new files added to the folder by someone in the read/write group can't be read by someone in the read only group. Otherwise, what's the point of group permissions?
     
  6. SlCKB0Y macrumors 68040

    #6
    Your description makes it clear that you don't understand how the underlying permissions work.

    https://www.freebsd.org/doc/handbook/permissions.html
     
  7. dyt1983, Feb 8, 2015
    Last edited: Jun 1, 2015

    dyt1983 macrumors 65816

    #7
    edit: To remove personally identifying info not relevant to the conversation.
     
  8. dmylrea thread starter macrumors 68000

    #8
    Thanks all for the links and references. Apparently, there is more to it than the server app and folder info settings would have you think.

    Score one for Windows Server. :)
     
  9. dmylrea thread starter macrumors 68000

    #9
    This is what is confusing. Using the Server app to set up sharing, it's supposed to set up the ACLs for me (from the Apple HELP file on sharing):

    ----------
    You can enable or disable access to each shared folder listed in the File Sharing pane of the Server app. You can give access to all users with accounts on your server, or only the specific users and groups you select to have read and write access to each shared folder and its contents. Also, you can allow guest access for any shared folder.

    Turn on file sharing if it isn’t already on.

    Before you set any folder permissions, decide who gets to use the service, and from which network.

    See Server access overview.

    In the File Sharing pane, select the shared folder in the list.

    Double-click the selected folder or click Edit.

    To change the access users or groups have to a shared folder and its contents, select Read & Write, Read Only, Write Only, or No Access next to that user or group name, then change it to the needed access level.

    You can also add or delete users and groups that have access to a shared folder by clicking Add or Remove.

    ACLs are automatically propagated through the folders.

    To let users access a folder without logging in, select the “Allow guest users to access this share” checkbox.


    ----------

    I was checking some of the files that RW users save that RO users don't have access to, and it seems the files are being saved with USER permissions. In other words, if user John saved the file (John is in the RW group) a read/write permission for John appears in the list of permissions, and then user Jane can't open it (Jane is in the RO group) because the RO Group permission is totally missing from the file permissions (even though the parent folder has the correct permissions).

    Despite having this dual set of permissions to have to deal with, what's the point of the OSX permissions and shares setup with the Server app if they don't work?
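
An added example, not part of the original thread: a small audit for the symptom described in post #9, where a newly saved file carries only a user entry and lacks the group ACEs its parent folder has. It parses text in the shape of macOS `ls -led` output; the sample listing, the names GROUP1/GROUP2/ART and the function names are constructed assumptions. It also flags a folder ACE that lacks the `file_inherit` flag, since macOS only copies a directory ACE onto new files when that flag is set.

```python
import re

# Constructed sample in the shape of macOS `ls -led ART ART/*` output:
# one entry line, followed by that entry's indexed ACL lines.
SAMPLE = """\
drwxrwx---+ 5 admin  staff    170 Feb  4 09:00 ART
 0: group:GROUP1 allow list,add_file,search,readattr,file_inherit,directory_inherit
 1: group:GROUP2 allow list,search,readattr,readextattr,readsecurity
-rw-r-----+ 1 john   staff  20480 Feb  4 10:12 ART/FILE.JPG
 0: user:john allow read,write,append,readattr,writeattr
-rw-rw----+ 1 admin  staff   1024 Feb  3 08:00 ART/OLD.JPG
 0: group:GROUP1 inherited allow read,write,append,readattr
 1: group:GROUP2 inherited allow read,readattr,readextattr
"""

ENTRY = re.compile(r"^([-dl])\S{9,10}\s+\d+\s+\S+\s+\S+\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")
ACE = re.compile(r"^\s*\d+:\s+(user|group):(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)$")

def parse(listing):
    """Return {path: {"is_dir": bool, "aces": [(kind, name, rule, perms)]}}."""
    entries, current = {}, None
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            current = entries.setdefault(
                m.group(2), {"is_dir": m.group(1) == "d", "aces": []})
            continue
        a = ACE.match(line)
        if a and current is not None:
            current["aces"].append(
                (a.group(1), a.group(2), a.group(4), set(a.group(5).split(","))))
    return entries

def audit(listing, required_groups):
    """Flag entries with no allow ACE for a required group, and folders
    whose ACE for that group would not be copied onto new files."""
    findings = []
    for path, e in parse(listing).items():
        for grp in required_groups:
            perms = [p for k, n, r, p in e["aces"] if (k, n, r) == ("group", grp, "allow")]
            if not perms:
                findings.append((path, grp, "no allow ACE"))
            elif e["is_dir"] and not any("file_inherit" in p for p in perms):
                findings.append((path, grp, "ACE lacks file_inherit"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["GROUP1", "GROUP2"]):
        print(*finding, sep="\t")
```
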
     