Server ACL Issue

Discussion in 'macOS' started by adese, Jun 14, 2007.

  1. adese macrumors member

    Joined:
    Feb 21, 2006
    Location:
    Sunderland, MA
    #1
    - - - - - - - - -

    Hey Admin, don't mean to 2x post but I couldn't delete the old one and I feel this is a better place for my question. Sorry.

    - - - - - - - - -

    Hi

    Running 10.4.9 Server on an Xserve w/ RAID. Here's the breakdown:

    Have Group A which consists of Groups B and C. The group for folder Z is Group A. We want to allow Group C to be able to move files and folders within folder Z but deny them the ability to delete.

    For this ACL we tried "Deny Group C Delete" in Workgroup Manager for the share point "Folder Z". The problem is this also disallows them from moving files and folders since a move command is basically a copy/delete action.

    Can anyone help? Thank you in advance!!
     
  2. Michael Smith macrumors newbie

    Joined:
    Jun 13, 2007
    #2
    Strictly speaking, "move" (actually rename) is a combined add-child and delete operation, and in fact the two sub-operations are authorised separately.

    However, fundamentally you're correct; there is no way to achieve the behaviour you want. Because there is no way to express "do not allow the destination of a rename to be outside this subtree if the source is inside it", the ability to rename is effectively the ability to delete (a file in /tmp called , might as well have been deleted for all that you're going to find it again...).

    There is probably enough functionality in the KAUTH interface to achieve what you want, if you're not averse to developing a small kernel extension. I assume that what you're looking for is a way to enforce your workflow rules, rather than a truly secure environment?

    I'm sorry I don't have any better suggestions for you.

    = Mike
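
Added example, not part of either poster's messages: a simplified Python model of the point made in reply #2, that a rename is authorised as a delete at the source plus an add-child at the destination, so denying delete blocks moves and granting it permits moving a file out of the share. The paths `/Z` and `/tmp/a.txt`, the `everyone` entry, the right names and the default-deny fallback are assumptions made for illustration; this is not Apple's ACL implementation.

```python
from dataclasses import dataclass

# Constructed model of the thread's setup: Group A nests Groups B and C.
NESTED = {"A": {"B", "C"}}

@dataclass(frozen=True)
class ACE:
    kind: str          # "allow" or "deny"
    group: str
    rights: frozenset  # subset of {"delete", "add_child"}

def effective_groups(direct):
    """Direct groups plus 'everyone' and every group that nests one of them."""
    groups = set(direct) | {"everyone"}
    while True:
        parents = {p for p, kids in NESTED.items() if kids & groups}
        if parents <= groups:
            return groups
        groups |= parents

def authorised(acl, direct_groups, right):
    """Ordered evaluation: the first ACE matching a group and the right decides."""
    groups = effective_groups(direct_groups)
    for ace in acl:
        if ace.group in groups and right in ace.rights:
            return ace.kind == "allow"
    return False  # assumption: no POSIX mode bits grant anything further

def acl_for(acls, path):
    """ACL of the longest share root containing path (inheritance simplified)."""
    roots = [r for r in acls if path == r or path.startswith(r + "/")]
    return acls[max(roots, key=len)] if roots else []

def can_rename(acls, direct_groups, src, dst):
    """A rename is checked as delete at the source and add-child at the destination."""
    return (authorised(acl_for(acls, src), direct_groups, "delete")
            and authorised(acl_for(acls, dst), direct_groups, "add_child"))

RW = frozenset({"delete", "add_child"})
OPEN = {"/Z": [ACE("allow", "A", RW)], "/tmp": [ACE("allow", "everyone", RW)]}
DENY = {**OPEN, "/Z": [ACE("deny", "C", frozenset({"delete"}))] + OPEN["/Z"]}

if __name__ == "__main__":
    for name, acls in (("deny C delete", DENY), ("no deny entry", OPEN)):
        print(name,
              "| move inside Z:", can_rename(acls, {"C"}, "/Z/a.txt", "/Z/sub/a.txt"),
              "| move out to /tmp:", can_rename(acls, {"C"}, "/Z/a.txt", "/tmp/a.txt"))
```
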
     
  3. adese thread starter macrumors member

    Joined:
    Feb 21, 2006
    Location:
    Sunderland, MA
    #3
    I hope you don't mind if I post your response to the same question I put in /discussions/mac os x server/file services on the Apple site. If you have an Apple login and you'd like to respond to it there via copy-paste from here and earn some points, here's the link: http://discussions.apple.com/thread.jspa?threadID=997408&tstart=0

    Thank you for your response. It's too bad it's the case, but I had an inkling.
     
