
joecool99

Suspended
Original poster
Aug 20, 2008
726
69
USA
3 Mac Pros on a wired Ethernet network.

- 1st runs OSX 10.8
- 2nd runs OSX 10.7
- 3rd old G5 with OSX 10.5

The 2nd one has a SW RAID1 (2x 4TB hard drives). It's a shared drive with permissions set to R/W for everybody.

The other 2 computers connect to this to access TIFF and PSD files.
This is at print / design company.

Initially all seems fine, but over time the permissions seem to degrade, with the computers having issues saving or opening files from that volume because of insufficient privileges.

I went there, restarted all computers, and propagated the permissions again on the shared drive. All seemed fine.

Now 2 weeks later I get a call that it's doing the same thing. They have 5000-10000 files in a good folder structure on the shared drive.

I can't think of what is causing this degradation. All they do is open the files in PS CS5, do the work, save and eventually print them.
 

benwiggy

macrumors 68020
Jun 15, 2012
2,469
284
This is a bit of a guess, but it may be that each user is still saving the files with permissions and ownership specific to that user which is denying other users, in spite of the folder's attributes.

I would use inherited ACLs on the folder rather than relying on rwx attributes.
 

joecool99

Suspended
Original poster
Aug 20, 2008
726
69
USA
After the last propagation of permissions it worked fine. There is no immediate evidence of what's going on. They can open and save files fine (for a while).

Edify me on ACLs; how is that different? Isn't that part of the Samba sharing protocol? No Windows on the network.
 

benwiggy

macrumors 68020
Jun 15, 2012
2,469
284
ACLs are a range of permission instructions that are more detailed and specific than the standard Unix flag attributes.
Here's an example:
0: group:everyone deny add_file,add_subdirectory,directory_inherit,only_inherit

So you can specify particular actions and the groups that they apply to. Inherited actions are added onto any files going into folders with those ACLs.

ACLs are built into OS X. You define them with chmod -a
 

joecool99

Suspended
Original poster
Aug 20, 2008
726
69
USA
Can this be set via GUI? Or terminal only?
I read the man page about chmod, but honestly it's clear to me.

Code:
The ACL manipulation options are as follows:

     +a      The +a mode parses a new ACL entry from the next argument on the commandline and inserts it
             into the canonical location in the ACL. If the supplied entry refers to an identity already
             listed, the two entries are combined.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
              # chmod +a "admin allow write" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write
              # chmod +a "guest deny read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write
              # chmod +a "admin allow delete" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
              # chmod +a "User 1:allow:read" file
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: User 1 allow read
                3: admin allow write,delete

             The +a mode strives to maintain correct canonical form for the ACL.
                              local deny
                              local allow
                              inherited deny
                              inherited allow

             By default, chmod adds entries to the top of the local deny and local allow lists. Inherited
             entries are added by using the +ai mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
                3: juser inherited deny delete
                4: admin inherited allow delete
                5: backup inherited deny read
                6: admin inherited allow write-security
              # chmod +ai "others allow read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
                3: juser inherited deny delete
                4: others inherited allow read
                5: admin inherited allow delete
                6: backup inherited deny read
                7: admin inherited allow write-security

     +a#     When a specific ordering is required, the exact location at which an entry will be inserted is
             specified with the +a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write
              # chmod +a# 2 "others deny read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: others deny read
                3: admin allow write

             The +ai# mode may be used to insert inherited entries at a specific location. Note that these
             modes allow non-canonical ACL ordering to be constructed.

     -a      The -a mode is used to delete ACL entries. All entries exactly matching the supplied entry will
             be deleted. If the entry lists a subset of rights granted by an entry, only the rights listed
             are removed. Entries may also be deleted by index using the -a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
              # chmod -a# 1 file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write,delete
              # chmod -a "admin allow write" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow delete

             Inheritance is not considered when processing the -a mode; rights and entries will be removed
             regardless of their inherited state.

             If the user or group name contains spaces you can use ':' as the delimiter

             Example
              # chmod +a "User 1:allow:read" file

     =a#     Individual entries are rewritten using the =a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow delete
              # chmod =a# 1 "admin allow write,chown"
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write,chown

             This mode may not be used to add new entries.

     -E      Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines.  If
             the information parses correctly, the existing information is replaced.

     -C      Returns false if any of the named files have ACLs in non-canonical order.

     -i      Removes the 'inherited' bit from all entries in the named file(s) ACLs.

     -I      Removes all inherited entries from the named file(s) ACL(s).

     -N      Removes the ACL from the named file(s).

I've tested this briefly on a folder:
Code:
chmod +a "admin allow write" test
Code:
chmod +a "everyone allow write" test

Code:
drwxr-xr-x+   2 bluemoon  staff          68 Jun  9 12:13 test
 0: group:everyone allow add_file
 1: group:admin allow add_file

Should I disable the standard sharing in preferences?
What would be the correct command to set full privileges for everyone on the shared folder and all included files?
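The two entries in that test listing grant only add_file and carry no inheritance flags, so they apply to the test folder itself and to nothing created inside it. As an added check that is not from this thread, the POSIX shell function below reads `ls -le` output (the listing format shown above) and reports every directory that lacks an `everyone allow` entry carrying both `file_inherit` and `directory_inherit`; the sample listing it is run on is constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits `ls -le` output for share folders
# whose ACL has no inheriting "everyone allow" entry.

# audit_acl_listing: reads `ls -le` output on stdin.
# For every directory in the listing, prints "<name>: OK" when some ACE grants
# everyone allow ... with both file_inherit and directory_inherit, otherwise
# "<name>: MISSING inherit flags". Exit status is 1 if any directory is missing.
# Names are taken from the last field, so names containing spaces are not handled.
audit_acl_listing() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (name != "" && isdir) {
                print name ": " (ok ? "OK" : "MISSING inherit flags")
                if (!ok) bad = 1
            }
        }
        # listing line, e.g. "drwxr-xr-x+  2 bluemoon staff 68 Jun 9 12:13 test"
        /^[d-][rwxsStT-]/ {
            flush()
            isdir = ($1 ~ /^d/)
            name = $NF
            ok = 0
            next
        }
        # ACE line, e.g. " 0: group:everyone allow add_file,file_inherit,directory_inherit"
        # Entries stamped by inheritance read "group:everyone inherited allow ...".
        /^ *[0-9]+: / {
            verb = $3; rights = $4
            if ($3 == "inherited") { verb = $4; rights = $5 }
            if ($2 ~ /everyone$/ && verb == "allow" &&
                rights ~ /file_inherit/ && rights ~ /directory_inherit/)
                ok = 1
            next
        }
        END { flush(); exit bad }
    '
}

# Constructed sample (not real system output): "test" mirrors the entries from the
# post above, which do not inherit; "share" carries a proper inheriting entry.
SAMPLE_LISTING='drwxr-xr-x+   2 bluemoon  staff          68 Jun  9 12:13 test
 0: group:everyone allow add_file
 1: group:admin allow add_file
drwxr-xr-x+   2 bluemoon  staff          68 Jun  9 12:13 share
 0: group:everyone allow list,add_file,search,add_subdirectory,delete_child,file_inherit,directory_inherit
-rw-r--r--+   1 bluemoon  staff        1024 Jun  9 12:13 share.txt
 0: group:everyone inherited allow read,write'

# audit_sample: runs the audit over the constructed listing.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_acl_listing
}

audit_sample
```

On the real share you would feed it the folder and its children, e.g. `ls -led "$share" "$share"/* | audit_acl_listing`, and a non-zero exit tells you that at least one folder will hand out no permissions to files created inside it.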
 

benwiggy

macrumors 68020
Jun 15, 2012
2,469
284
I guess you would want something like:

chmod +a "everyone allow list,add_file,search,delete,add_subdirectory,delete_child,
readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,
directory_inherit"
 

joecool99

Suspended
Original poster
Aug 20, 2008
726
69
USA
Thanks. I will try that.
Do I disable the share in the System Preferences? Or shall both exist alongside?

On a second note, WHY would the rwx standard share cause such issues?
I would have expected this to work flawlessly.
 

benwiggy

macrumors 68020
Jun 15, 2012
2,469
284
Thanks. I will try that.
Do I disable the share in the System Preferences? Or shall both exist alongside?
On a second note, WHY would the rwx standard share cause such issues?
I would have expected this to work flawlessly.
The ACLs just give permission to do various things. However, you still need the share active in order to ... share the folder.

The problem is probably more to do with user ownership than the actual flags.

Do you have OS X Server running on this Mac, or Client? Server will sort this stuff out more effectively.
 

joecool99

Suspended
Original poster
Aug 20, 2008
726
69
USA
The ACLs just give permission to do various things. However, you still need the share active in order to ... share the folder.

The problem is probably more to do with user ownership than the actual flags.

Do you have OS X Server running on this Mac, or Client? Server will sort this stuff out more effectively.

User ownership? Hmm. How can I look into that?
What if all 3 Macs had identical user/pass?

No, they are all standard client OS X.
 

joecool99

Suspended
Original poster
Aug 20, 2008
726
69
USA
Seems these attributes cannot be applied to a folder:

Code:
The following permissions are applicable to all filesystem objects:
           delete  Delete the item.  Deletion may be granted by either this permission on an object or the
                   delete_child right on the containing directory.
           readattr
                   Read an objects basic attributes.  This is implicitly granted if the object can be looked
                   up and not explicitly denied.
           writeattr
                   Write an object's basic attributes.
           readextattr
                   Read extended attributes.
           writeextattr
                   Write extended attributes.
           readsecurity
                   Read an object's extended security information (ACL).
           writesecurity
                   Write an object's security information (ownership, mode, ACL).
           chown   Change an object's ownership.

I get an error when I try the full string you suggested (above, a few posts back):
Code:
chmod: Unable to translate 'readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit' to a UID/GID

* Also, can I set this ACL on the entire drive? Or does it have to be on a folder only? Will these ACLs automatically propagate as users manipulate folders and files on the shared drive?
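In the error quoted above, chmod has read the second half of the rights list as a user or group name, which shows the entry did not reach it as a single `principal allow rights` argument: chmod parses each ACE as `<principal> allow|deny <rights>`, so the comma-separated rights list has to be one token with no spaces or line breaks, and the command also needs the target path. Two more points an admin wants here: `file_inherit`/`directory_inherit` entries are only stamped onto items created after the entry exists, so files already on the share need an explicit entry (`chmod -R` or `find -exec` handles that), and the inherit flags and directory verbs belong on directories, not on files. The script below is an added example and not from this thread; `/Volumes/SharedRAID` is a placeholder path, and the `everyone` principal and the rights names are the ones used in the thread and in the chmod man page.

```shell
#!/bin/sh
# Added example, not code from the thread. Grants "everyone" full working rights on a
# shared folder with inheriting entries, and stamps the same rights on what is already
# there. SHARE is a placeholder; change it to the real share path.
SHARE="${SHARE:-/Volumes/SharedRAID}"

# Directory rights plus the inheritance flags. Keep the list ONE token: chmod reads an
# entry as "<principal> allow|deny <rights>" split on whitespace, so a space or line
# break inside the list makes it treat the remainder as a user/group name.
# writesecurity and chown are deliberately left out so nobody can rewrite the ACL itself.
DIR_RIGHTS='list,search,add_file,add_subdirectory,delete_child,delete,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit'
# File rights: no directory-only verbs and no inheritance flags.
FILE_RIGHTS='read,write,append,delete,readattr,writeattr,readextattr,writeextattr,readsecurity'

# build_ace <principal> <rights>: prints the entry string in the form chmod +a expects.
build_ace() {
    printf '%s allow %s' "$1" "$2"
}

# rights_ok <rights>: succeeds only if the list contains no whitespace at all.
rights_ok() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ]
}

# apply_share_acl <dir>: every directory gets the inheriting entry (items created under
# it from now on inherit it); every existing file gets an explicit entry, because
# inheritance only happens at creation time. Ends with chmod -C on everything, which
# fails if any ACL ended up in non-canonical order.
apply_share_acl() {
    dir="$1"
    [ "$(uname -s)" = Darwin ] || { echo "ACL chmod modes are macOS-only" >&2; return 2; }
    rights_ok "$DIR_RIGHTS" && rights_ok "$FILE_RIGHTS" || return 1
    find "$dir" -type d -exec chmod +a "$(build_ace everyone "$DIR_RIGHTS")" {} +
    find "$dir" -type f -exec chmod +a "$(build_ace everyone "$FILE_RIGHTS")" {} +
    find "$dir" -exec chmod -C {} +
}

# Show the entry that would be applied; pass --apply to actually change the share.
printf 'Directory entry: %s\n' "$(build_ace everyone "$DIR_RIGHTS")"
if [ "${1:-}" = "--apply" ]; then
    apply_share_acl "$SHARE"
fi
```

Run it once as `sh apply_share_acl.sh --apply` on the Mac that hosts the share; afterwards `ls -le` on any subfolder should show a `group:everyone inherited allow ...` entry, and on files the same entry appears with the file rights.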
 