Permissions are driving me crazy!

[DEMinSoCAL]

I have a new Mac Mini running Yosemite with Server app.

Short story is I have a shared folder on an external (TB) drive array. Let's call it "Shared". Underneath "shared" are thousands of folders/subfolders/files. It the main share for a dept. at work.

We have two groups that have been assigned permissions. A Read/Write group and a Read Only group (RW and RO).

I have assigned, at the "Shared" folder, both groups with the respective permissions (either read/write or read only) and chose to "apply to enclosed items" so the permissions would flow down into all the files and folders under "Shared".

Everything looks great, I can check any subfolder under "Shared" and they have the correct permissions. HOWEVER, when someone in the RW group saves a new file into a folder, the file does not inherit the permissions of the folder! In other words, if FILE.JPG is saved into a folder with the correct permissions, the file permissions for the new file only have RW group. No RO group permission is given to that file. Hence someone in the RO group cannot access (open) or even copy the file. Access denied!

It's driving me crazy why permissions are so wacky here. It's frustrating for the employees as well.

Any help or advice as to why saving a file into a folder, the file does not inherit the permissions of the parent folder?

Thanks!

 

[dyt1983]

edit: To remove personally identifying info not relevant to the conversation.

 

[DEMinSoCAL]

Well, because that's now how it always works. Applications have something to do with the permissions used when creating files; above that is a system permissions mask "umask". Here's how you can change it.

http://support.apple.com/en-us/HT201684




Setting group permissions creates permissions that apply ONLY to the users in that group. To set permissions to users in another group (other than the owner of the file), you need the "everyone" permissions.

You need to have a "read" permission for "everyone" so that the other group can read the files, not a "RO" for group.

Maybe you understand that but it wasn't clear to me in your post.

PS: To do things more complex than this, you should set up an ACL in the Server.app ... this is probably more along the lines of what you want to do... including inheritance.

Thank you for the info. I am trying to digest what you have said and will look at the unmask info also.

Just to be clear, though, that permissions were initially setup using server app when the share was created. When things weren't working as expected, I used the manual "Get Info" screen on the top level "shared" folder and manually set both groups to have either read/write or read only permissions and for the permissions to flow to subfolders and files.

The user that is trying to access these files IS a memeber of the RO group and can see/open any files in the shared folder except for new ones, because new files are not inheriting the permissions of the parent folder.

Not sure if I was clear that was the problem. I thought using a RW and a RO group would give me the security I need as the department staff are in the RW group, and then choice staff in other departments are in the RO group and can open and view files, but then, everyone else has NO access. If I use the EVERYONE group with read only, then wouldn't EVERYONE have access to see/open the files?

 

[dyt1983]

edit: To remove personally identifying info not relevant to the conversation.

 

[DEMinSoCAL]

That is correct. The "everyone" permissions give read/write to EVERYONE. I believe you've tripped yourself up by giving your groups names of what you want them to do, but just because you name them that way, they don't magically get those powers!

Coming from years (a decade practically) in the Windows server environment, it makes logical sense that you apply group permissions to a folder and the permissions stick with any files put into that folder.

Maybe I haven't made it crystal clear, but I'm not a novice in that just because I name a group something (the examples I gave were just that, examples), that I don't expect that, magically, the permissions follow the group name! I mean, come on...

When I assign the permissions at the top folder level, I assign a group, call it GROUP1, read/write permissions, and a group called GROUP2, read only permissions. I have users assigned to both GROUP1 and GROUP2. When assigning permission, I chose the option for the permissions to apply to enclosed items (folders, subfolder, and files within those folders).

Hence, if I have a folder called ART, with the above GROUP1 and GROUP2 permissions, and the files in the folder have those permissions, and someone from GROUP1 (the read/write group) saves a file in that folder, I assume that someone in GROUP2 can read/open that file, since GROUP2 has read only permissions.

In any case, I think I've explained it well. I cannot understand why once the permissions are set in a folder that new files added to the folder by someone in the read/write group can't be read by someone in the read only group. Otherwise, what's the point of group permissions?

 

[SlCKB0Y]

Maybe I haven't made it crystal clear, but I'm not a novice in that just because I name a group something (the examples I gave were just that, examples), that I don't expect that, magically, the permissions follow the group name! I mean, come on...

When I assign the permissions at the top folder level, I assign a group, call it GROUP1, read/write permissions, and a group called GROUP2, read only permissions. I have users assigned to both GROUP1 and GROUP2. When assigning permission, I chose the option for the permissions to apply to enclosed items (folders, subfolder, and files within those folders).

Hence, if I have a folder called ART, with the above GROUP1 and GROUP2 permissions, and the files in the folder have those permissions, and someone from GROUP1 (the read/write group) saves a file in that folder, I assume that someone in GROUP2 can read/open that file, since GROUP2 has read only permissions.

In any case, I think I've explained it well. I cannot understand why once the permissions are set in a folder that new files added to the folder by someone in the read/write group can't be read by someone in the read only group. Otherwise, what's the point of group permissions?

Your description makes it clear that you don't understand how the underlying permissions work.

https://www.freebsd.org/doc/handbook/permissions.html

 

[dyt1983]

edit: To remove personally identifying info not relevant to the conversation.

 

[DEMinSoCAL]

Thanks all for the links and references. Apparently, there is more to it than the server app and folder info settings would have you think.

Score one for Windows Server.

 

[DEMinSoCAL]

This isn't Windows, and if you learned POSIX-style basic permissions first (they came about circa 1972), your "logical sense" would be completely different.

The basic permissions probably won't work for you since you've architected this requiring two groups. Even though Mac OSX supports inheritence of group/individual ownership through setuid/setgid bits on folders, this isn't going to help how the permissions are set.

As I suggested in my first response in this thread, you need ACLs. You have to set what you want explicitly rather than assuming things are implicit.

Give it a try.

This is what is confusing. Using the Server app to setup sharing, it's supposed to setup the ACL's for me (from the Apple HELP file on sharing):

----------
You can enable or disable access to each shared folder listed in the File Sharing pane of the Server app. You can give access to all users with accounts on your server, or only the specific users and groups you select to have read and write access to each shared folder and its contents. Also, you can allow guest access for any shared folder.

Turn on file sharing if it isn’t already on.

Before you set any folder permissions, decide who gets to use the service, and from which network.

See Server access overview.

In the File Sharing pane, select the shared folder in the list.

Double-click the selected folder or click Edit edit.

To change the access users or groups have to a shared folder and its contents, select Read & Write, Read Only, Write Only, or No Access next to that user or group name, then change it to the needed access level.

You can also add or delete users and groups that have access to a shared folder by clicking Add add or Remove remove.

ACLs are automatically propogated through the folders.

To let users access a folder without logging in, select the “Allow guest users to access this share” checkbox.

----------

I was checking some of the files that RW users save that RO users don't have access to, and it seems the files are being saved with USER permissions. In other words, if user John saved the file (John is in the RW group) a read/write permission for John appears in the list of permissions, and then user Jane can't open it (Jane is in the RO group) because the RO Group permission is totally missing from the file permissions (even though the parent folder has the correct permissions).

Despite having this dual set of permissions to have to deal with, what's the point of the OSX permissions and shares setup with the Server app if they don't work?