I'm trying to create a user that has read privileges across an
entire share point that contains user home folders with the usual
folder structure inside (i.e., Desktop, Documents, Library, etc.).
Default permissions for most of these user subfolders allow, of
course, only the owner to read files or traverse directories.

I thought that creating an ACL entry for my "uber" user in the root
directory of the share point would do the trick. The default
permissions for new ACEs created in WGM sound exactly like what I
want: full read permissions and full inheritance to all child
folders and files and descendants.

After creating the ACE, the Effective Permissions Inspector in WGM
only shows me the ACE permissions for the root of the share point,
but not for any of the child items, which seem to be following the
standard owner/group/everybody permissions. Trying to access items
in the Finder while logged in as the new user produces results
consistent with the "effective permissions" as shown.

However, if I propagate the ACL permissions to all child objects of
the share point using WGM, the Effective Permissions inspector then
shows the desired permissions as defined in the ACE, but... I still
can't access folders in the Finder unless the standard permissions
allow it.

FWIW, I verified the ACL permissions in Terminal and found they
matched what I thought they should be.

So, my questions are:

- Is it necessary to manually propagate ACL permissions, even if the
entry specifies application to all child objects?

Yes. ACLs are only propagated at file creation time by or when
propagated manually. It's covered in the Apple docs and our Filesystem
ACL whitepaper.

- Why would the permissions appear correct in WGM and when listed
with "ls -ale", but not function consistent with that listing when
the user is logged in via AFP?

AFP does funny things sometimes with permissions. Make sure that they
are able to read attributes on the files.

Josh
--
Josh Wisenbaker
U, U, D, D, L, R, L, R, B, A, Start for your server
http://www.afp548.com
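
An added example, not part of the original thread or of any Apple or AFP548 tool: it parses `ls -leR`-style output and reports items where a principal's allow ACEs do not include the read rights discussed above, which catches both children that never received the inherited ACE and entries missing `readattr`. The listing, the path `/Shared/Homes` and the choice of required rights are constructed assumptions; POSIX mode bits and deny ACEs are not evaluated.

```python
import re

# Constructed sample listing; "uber" is the read-only user from the question.
SAMPLE = """\
/Shared/Homes/alice:
total 0
drwx------+ 4 alice  staff  136 Jan 10 09:00 Desktop
 0: user:uber inherited allow list,search,readattr,readextattr,readsecurity
drwx------  3 alice  staff  102 Jan 10 09:00 Documents
-rw-------+ 1 alice  staff   12 Jan 10 09:00 notes.txt
 0: user:uber inherited allow read,readextattr,readsecurity
"""

ACE = re.compile(r"^\s+\d+: (\S+)(?: inherited)? (allow|deny) (\S+)$")
ENTRY = re.compile(r"^[d-][rwxsStT-]{9}[+@]?\s")
# Assumed minimum rights for read-only browsing, per item type.
NEEDED = {"d": {"list", "search", "readattr"}, "-": {"read", "readattr"}}


def audit(listing, principal):
    """Return {path: sorted missing rights} for items lacking ACL read access."""
    granted, kinds, cwd, current = {}, {}, "", None
    for line in listing.splitlines():
        ace = ACE.match(line)
        if ace and current:
            who, verdict, rights = ace.groups()
            if who == principal and verdict == "allow":
                granted[current] |= set(rights.split(","))
        elif ENTRY.match(line):
            # Fields: mode, links, owner, group, size, month, day, time, name
            current = f"{cwd}/{line.split(None, 8)[8]}"
            kinds[current] = line[0]
            granted[current] = set()
        elif line.endswith(":"):
            # Directory header printed by a recursive listing
            cwd, current = line[:-1], None
    return {p: sorted(NEEDED[kinds[p]] - granted[p])
            for p in kinds if NEEDED[kinds[p]] - granted[p]}


if __name__ == "__main__":
    for path, missing in audit(SAMPLE, "user:uber").items():
        print(f"{path}: missing {','.join(missing)}")
```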