Strange permissions issues. Mac Pro, G5, OSX 10.5, 10.7, 10.8

Discussion in 'macOS' started by joecool99, Jun 8, 2013.

  1. joecool99 Suspended

    joecool99

    Joined:
    Aug 20, 2008
    Location:
    USA
    #1
    3 Mac Pros on a wired Ethernet network.

    - 1st runs OSX 10.8
    - 2nd runs OSX 10.7
    - 3rd old G5 with OSX 10.5

    2nd one has SW RAID1 (2x 4TB hard drives). It's a shared drive with permissions set to R/W for everybody.

    The other 2 computers connect to this to access TIFF and PSD files.
    This is at a print / design company.

    Initially all seems fine, but over time the permissions seem to degrade, with the computers having issues saving or opening files from that volume because of insufficient privileges.

    I went there, restarted all computers, and propagated the permissions again on the shared drive. All seemed fine.

    Now 2 weeks later I get a call that it's doing the same thing. They have 5000-10000 files in a good folder structure on the shared drive.

    I can't think of what is causing this degradation. All they do is open the files in PS CS5, do the work, save and eventually print them.
     
  2. benwiggy macrumors 68020

    Joined:
    Jun 15, 2012
    #2
    This is a bit of a guess, but it may be that each user is still saving the files with permissions and ownership specific to that user which is denying other users, in spite of the folder's attributes.

    I would use inherited ACLs on the folder rather than relying on rwx attributes.
     
  3. joecool99 thread starter Suspended

    joecool99

    Joined:
    Aug 20, 2008
    Location:
    USA
    #3
    After the last propagation of permissions it worked fine. There is no immediate evidence of what's going on. They can open and save files fine (for a while).

    Edify me on ACLs, how is that different? Isn't that part of the Samba sharing protocol? No Windows on the network.
     
  4. benwiggy macrumors 68020

    Joined:
    Jun 15, 2012
    #4
    ACLs are a range of permission instructions that are more detailed and specific than the standard unix flag attributes.
    Here's an example:
    0: group:everyone deny add_file,add_subdirectory,directory_inherit,only_inherit

    So you can specify particular actions and the groups that they apply to. Inherited actions are added onto any files going into folders with those ACLs.

    ACLs are built into OS X. You define them with chmod -a
     
  5. joecool99 thread starter Suspended

    joecool99

    Joined:
    Aug 20, 2008
    Location:
    USA
    #5
    Can this be set via GUI? Or terminal only?
    I read the man page about chmod, but honestly it's clear to me.

    Code:
    The ACL manipulation options are as follows:
    
         +a      The +a mode parses a new ACL entry from the next argument on the commandline and inserts it
                 into the canonical location in the ACL. If the supplied entry refers to an identity already
                 listed, the two entries are combined.
    
                 Examples
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                  # chmod +a "admin allow write" file1
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: admin allow write
                  # chmod +a "guest deny read" file1
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: admin allow write
                  # chmod +a "admin allow delete" file1
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: admin allow write,delete
                  # chmod +a "User 1:allow:read" file
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: User 1 allow read
                    3: admin allow write,delete
    
                 The +a mode strives to maintain correct canonical form for the ACL.
                                  local deny
                                  local allow
                                  inherited deny
                                  inherited allow
    
                 By default, chmod adds entries to the top of the local deny and local allow lists. Inherited
                 entries are added by using the +ai mode.
    
                 Examples
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: admin allow write,delete
                    3: juser inherited deny delete
                    4: admin inherited allow delete
                    5: backup inherited deny read
                    6: admin inherited allow write-security
                  # chmod +ai "others allow read" file1
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: admin allow write,delete
                    3: juser inherited deny delete
                    4: others inherited allow read
                    5: admin inherited allow delete
                    6: backup inherited deny read
                    7: admin inherited allow write-security
    
         +a#     When a specific ordering is required, the exact location at which an entry will be inserted is
                 specified with the +a# mode.
    
                 Examples
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: admin allow write
                  # chmod +a# 2 "others deny read" file1
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: others deny read
                    3: admin allow write
    
                 The +ai# mode may be used to insert inherited entries at a specific location. Note that these
                 modes allow non-canonical ACL ordering to be constructed.
    
         -a      The -a mode is used to delete ACL entries. All entries exactly matching the supplied entry will
                 be deleted. If the entry lists a subset of rights granted by an entry, only the rights listed
                 are removed. Entries may also be deleted by index using the -a# mode.
    
                 Examples
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: guest deny read
                    2: admin allow write,delete
                  # chmod -a# 1 file1
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: admin allow write,delete
                  # chmod -a "admin allow write" file1
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: admin allow delete
    
                 Inheritance is not considered when processing the -a mode; rights and entries will be removed
                 regardless of their inherited state.
    
                 If the user or group name contains spaces you can use ':' as the delimiter
    
                 Example
                  # chmod +a "User 1:allow:read" file
    
         =a#     Individual entries are rewritten using the =a# mode.
    
                 Examples
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: admin allow delete
                  # chmod =a# 1 "admin allow write,chown"
                  # ls -le
                  -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                    owner: juser
                    1: admin allow write,chown
    
                 This mode may not be used to add new entries.
    
         -E      Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines.  If
                 the information parses correctly, the existing information is replaced.
    
         -C      Returns false if any of the named files have ACLs in non-canonical order.
    
         -i      Removes the 'inherited' bit from all entries in the named file(s) ACLs.
    
         -I      Removes all inherited entries from the named file(s) ACL(s).
    
         -N      Removes the ACL from the named file(s).
    I've tested this briefly on a folder:
    Code:
    chmod +a "admin allow write" test
    Code:
    chmod +a "everyone allow write" test
    Code:
    drwxr-xr-x+   2 bluemoon  staff          68 Jun  9 12:13 test
     0: group:everyone allow add_file
     1: group:admin allow add_file
    
    Should I disable the standard sharing in preferences?
    What would be the correct command to set full privileges to everyone on the shared folder and all included files?
     
  6. benwiggy macrumors 68020

    Joined:
    Jun 15, 2012
    #6
    I guess you would want something like:

    chmod +a "everyone allow list,add_file,search,delete,add_subdirectory,delete_child,
    readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,
    directory_inherit"
     
  7. joecool99 thread starter Suspended

    joecool99

    Joined:
    Aug 20, 2008
    Location:
    USA
    #7
    Thanks. I will try that.
    Do I disable the share in the system preferences? Or shall both exist alongside each other?

    On a second note, WHY would the rwx standard share cause such issues?
    I would have expected this to work flawlessly.
     
  8. benwiggy macrumors 68020

    Joined:
    Jun 15, 2012
    #8
    The ACLs just give permission to do various things. However, you still need the share active in order to ... share the folder.

    The problem is probably more to do with user ownership than the actual flags.

    Do you have OS X Server running on this Mac, or Client? Server will sort this stuff out more effectively.
     
  9. joecool99 thread starter Suspended

    joecool99

    Joined:
    Aug 20, 2008
    Location:
    USA
    #9
    User ownership? Hmm. How can I look into that?
    What if all 3 Macs had identical user/pass?

    No, they are all standard client OS X.
     
  11. joecool99 thread starter Suspended

    joecool99

    Joined:
    Aug 20, 2008
    Location:
    USA
    #11
    Seems these attributes cannot be applied to a folder:

    Code:
    The following permissions are applicable to all filesystem objects:
               delete  Delete the item.  Deletion may be granted by either this permission on an object or the
                       delete_child right on the containing directory.
               readattr
                       Read an objects basic attributes.  This is implicitly granted if the object can be looked
                       up and not explicitly denied.
               writeattr
                       Write an object's basic attributes.
               readextattr
                       Read extended attributes.
               writeextattr
                       Write extended attributes.
               readsecurity
                       Read an object's extended security information (ACL).
               writesecurity
                       Write an object's security information (ownership, mode, ACL).
               chown   Change an object's ownership.
    I get an error when I try the full string you suggested (above, a few posts back):
    Code:
    chmod: Unable to translate 'readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit' to a UID/GID
    * Also, can I set this ACL on the entire drive? Or does it have to be on a folder only? Will these ACLs automatically propagate as users manipulate folders and files on the shared drive?
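An added example, not code from anyone in this thread: it assembles the "everyone allow ..." entry from the post above as a single argument, checks every right against the names listed in the chmod(1) man page excerpts quoted earlier (a rights list split across lines or a misspelled right is exactly what makes chmod try to read the leftover text as a user or group and report "Unable to translate ... to a UID/GID"), and applies it with find so existing folders get the inheritable entry and existing files get the file-level rights. The share path and the function names are assumptions; the ACE deliberately leaves out writesecurity and chown so ordinary users cannot change ownership or the ACL itself.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes macOS chmod(1) and a share at
# the placeholder path passed to apply_share_acl.

# Rights chmod(1) on OS X accepts, grouped the way the man page groups them.
DIR_RIGHTS="list search add_file add_subdirectory delete_child"
FILE_RIGHTS="read write append execute"
COMMON_RIGHTS="delete readattr writeattr readextattr writeextattr readsecurity writesecurity chown"
INHERIT_FLAGS="file_inherit directory_inherit limit_inherit only_inherit"
# Subset of the common rights granted to everyone on the share (no writesecurity/chown).
SHARE_RIGHTS="delete readattr writeattr readextattr writeextattr readsecurity"

# is_valid_right NAME -> 0 if NAME is a right or inheritance flag chmod knows.
is_valid_right() {
    local r
    for r in $DIR_RIGHTS $FILE_RIGHTS $COMMON_RIGHTS $INHERIT_FLAGS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# build_ace WHO allow|deny RIGHT... -> prints one single-line ACE string.
# An argument containing a newline or an unknown word never matches a known
# right, so the whole entry is rejected instead of being handed to chmod.
build_ace() {
    local who="$1" action="$2" rights="" r
    shift 2
    [ "$action" = allow ] || [ "$action" = deny ] || return 1
    for r in "$@"; do
        is_valid_right "$r" || return 1
        rights="${rights:+$rights,}$r"
    done
    [ -n "$rights" ] || return 1
    printf '%s %s %s\n' "$who" "$action" "$rights"
}

# apply_share_acl DIR: inheritable entry on every directory (inherit flags only
# take effect on directories) and the file-level rights on every existing file.
# New items created under DIR later receive the inherited entry automatically.
apply_share_acl() {
    local dir="$1" dir_ace file_ace
    dir_ace=$(build_ace everyone allow $DIR_RIGHTS $SHARE_RIGHTS file_inherit directory_inherit) || return 1
    file_ace=$(build_ace everyone allow $FILE_RIGHTS $SHARE_RIGHTS) || return 1
    [ "$(uname)" = Darwin ] || { echo "macOS only; would apply: $dir_ace" >&2; return 2; }
    find "$dir" -type d -exec chmod +a "$dir_ace" {} +
    find "$dir" -type f -exec chmod +a "$file_ace" {} +
    ls -led "$dir"   # the entry appears under the directory line, as in ls -le above
}
```

Re-running apply_share_acl is safe because chmod +a merges an entry for an identity that is already listed rather than adding a duplicate.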
     