New folder has insufficient permissions (Mac OS X Server)

Question

I have configured the workgroup manager on Mac OS X Server (10.5.8) with 5 network users in 2 groups. Now I notice that when a network user makes a new folder, the folder is created with read & write permissions for that user, but the group to which the user belongs (as well as "everyone") has only read permissions and other network users are not able to add files or change things in the folder.

I found something about changing the umask by adding a launchd-users.conf file configuring the umask default setting. I did that on the server but that doesn't change anything.

It's a very annoying issue and I hope it's easy to fix. I'm not an expert, so I'm not sure if you know enough with the details above. If necessary I can provide further details.

Thanks a lot!

Answer 1

The basic problem is that the standard unix (/posix) permissions have no good way to control inheritance. Fortunately, there is a solution: grant access to the group via access control list (ACL) extended permissions, which do allow inheritance.

I don't have a 10.5 server handy, but I think the interface is pretty similar to 10.6: in Server Admin -> server name in the sidebar -> File Sharing icon in the top bar -> navigate to the folder/share point you want to grant group access to. If necessary, select the Permissions tab under the file navigator. Click the "+" button uder the permissions list to open the users & groups floating window, select Groups in the window, then drag the group you want to grant access to into the ACL (not POSIX) part of the permissions list. Change the Permission for the new ACL entry to "Read & Write", then click Save.

Note that the new ACL entry should have "Applies To" set to "This folder, Child folders, Child files, All descendants", which is what you want; but that only actually applies to new files/folders as they're created. To apply to the current contents, pull down the "action" (gear icon) popup menu under the permissions list, select "Propagate permissions", and propagate the ACL permissions to the current contents of the folder.

Answer 2

I made a new testfolder and ran the ls -le command on the higher level folder and got this as a result:

drwxr-xr-x+  2 stein       ACCOUNTING   68 Nov 14 09:18 Testfolder
 0: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 2: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 3: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 4: user:_spotlight inherited allow list,search,readattr,file_inherit,directory_inherit
 5: group:ACCOUNTING inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 6: group:ADMINISTRATION inherited allow list ,add_file ,search ,delete,add_subdirectory ,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit

I think these are the ACL permissions right? I'm not sure how to get the POSIX permissions via command line? If this is not what you need to know, can you let me know how to get the information you need, as I'm not an expert obviously.

When I told you before what the group and user permissions were, I just right mouseclicked the folder and checked "get info". I don't know if these are the POSIX permissions or not. If I check the info: I see "spotlight" about 4 times, the group "ACCOUNTING" once with custom rights and once with "Read" rights, the user "John" that created the folder with "Read & write" rights, "everyone" with "Read" rights...