Network Drive Permissions Hassles
 

Our (mixed Tiger and Snow Leopard) workgroup uses an external hard drive as a shared library disk. It is connected to one (Tiger) Mac Pro and shared over our gigabit network. However, we are suffering from incredibly annoying OS X permissions behaviour. If I create a new folder or copy files or folders onto the Library disk over the network, it is immediately assigned "read only" status. Is there no easy way to just maintain read/write access for everybody for all our files?

We previously used a NAS drive for our Library. No permissions issues, but on the other hand, it was brutally slow, especially when loading folder lists and building icon previews. Incredible annoyance of a different flavour. Essentially, I am looking for a network storage solution that is not stupidly slow, and doesn't default to "read only" status all the time.

This network permissions nonsense might be my biggest complaint with the otherwise perfectly sensible Mac platform. I figure, hey, I own my files – why can't I just declare once and for all, that I want all my files to be read/write for everyone, in perpetuity? I don't have a choice??

Any suggestions? Thanks.

Is your NAS drive SMB or AFP? I've found, with Buffalo NAS drives anyway, that running in AFP mode eliminated the problems.

You are running straight POSIX on them?

I have no experience with this, but a couple of questions occur to me:
1) Have you set it to "Ignore ownership" (in Get Info on the drive)?
2) Is this permission problem only for network access? Or does it also occur for other local users - users who are logged in on the Mac where the drive is connected?

The NAS drive was shared as SMB, but this is because there was an issue with the AFP share where the drive would randomly become locked. I suspect it had something to do with the corporate IT security system, but IT doesn't know anything about Macs so we just moved on and stuck with SMB. I seem to recall that AFP was not much faster anyway.

I don't know what POSIX is.

"Ignore ownership" is checked on the new external HDD version.

And no, there aren't any permissions issues when interacting on the host computer.

I just did a new test and this time when I created a new folder (over the network) I was able to rename and delete the folder – even though Get Info shows simply "Everyone: Read Only". Previously, immediately after creating the folder, I was unable to rename it, drag files into it, etc. and it got a red circle with a line through it. Super duper no access. So things are inconsistent now.

The broader issue I have is that I want any new files and folders I create to be read/write for everyone by default, rather than read/write for me and read only for everyone else. We share files and have to constantly reapply read/write status to our files.

Note that the permissions on a folder govern what can be done with the files and sub-folders in that folder.
Whether or not you can delete a folder depends on the permissions of the parent folder.

Well, if your IT people know how to manage Windows they should know what an ACL is. They can add an ACL with the flags of "everyone" for "read and write" permissions.

Is it a Windows box that is hosting the share point?

I'm pretty sure I had applied read/write permission for everyone to the whole drive, but perhaps not.

No, it's a Tiger Mac Pro.

Again, my main desire is to find a way to make read/write permissions for everybody the default behaviour. Is there a (simple) way to do this? Thanks for your comments.

If it's not the boot drive, you should be able to set "Ignore Permissions" from the Get Info window.

Mikey-San a regular here on these forums wrote an app called Sandbox which allows you to set ACLs from a easy to use GUI. I think you may want to give it a shot.

http://mikey-san.net/damage/archives...andbox_22.html

Can you use Terminal to do it? Type chmod 777, a space, and then drop the icon on the terminal window, so it looks like: chmod 777 /Volumes/yourdisk and if you cannot set it to the whole drive add the folder name to the end /Volumes/yourdisk/yourfolder.

Or, ⌘-I and at the bottom, click the lock, authenticate, and click the dropdown lists and change them all to read/write?
I haven't been on Tiger in a while so I don't remember if those options are available to you.

lowfokus, I can apply read/write permissions to existing files on the drive, but that's not my issue.

Every time I create a new file or folder on my system, "Everyone" gets "Read only" permissions for those items. I want all my files to be Read/Write for Everyone by default.

tlarkin, it's not immediately clear to me that Sandbox will do this for me. I'm going to email Mikey-San to find out. Thanks for the suggestion.

It helps you set up an access control list, where you can flag "everyone" read/write access and it will apply to all sub files/folders from the parent directory you add the ACL to.

I haven't used it as I use the command line for this stuff, but it should help you out.

Sandbox apparently is not ready for Snow Leopard, which rules that out for the time being.

I'm trying a Terminal method to have files inherit permissions from the parent folder, but looks like even this is not working in Snow Leopard...

I'm working from this article: http://www.macosxhints.com/article.p...71103075157767

When I type "fsaclctl -p /path/to/your/shared/folder -e" (with the correct path entered) to confirm that ACE is enabled on the volume, Terminal says "command not found". I am pretty computer savvy, but have almost no experience with Terminal, so I'm proceeding with caution. Any insights into my current roadblock? Should I just skip this step and proceed to the "chmod +a ... " business?

As of 10.5 and 10.6 ACE should be enabled by default, you need to look at the chmod command with the +a option to add your ACL.

If this is a network share have your IT department do it for you.

I did a test on my local hard drive:

chmod +a "everyone allow list,add_file,search,delete,add_subdirectory,delete_child,file_inherit,directory_inherit,read,write,delete,append,execut e" /Users/ravenplenty/Test2

Before I ran that command, the folder "Test2" has three permissions users listed: ravenplenty (Me), staff, everyone. All with Read & Write privileges. After running the command, there is a second "everyone" on the list, with "Custom" privileges. When I create a new folder inside of Test2, it still gets the old default access list: Read & Write for ravenplenty (Me), and Read Only for "staff" and "everyone", but it also has the second "everyone" with Custom privileges. When I drag this new folder across the network, the list reduces to just "everyone" with Read Only privilege.

Er...ah...now what?

Does anyone have any advice about my last post? Thanks...

This would be settings on your Network drive. Does your login grant full privileges?

I have full privileges on my computer (admin status), and the network drive has "ignore ownership" checked, and has had read/write permissions assigned to all sub-items. When you say "Network drive"...perhaps you misunderstand. This is not a NAS, it is an external hard drive mounted to another Mac Pro on the network.

To reiterate – there are two issues here:

1) I want all my files to be read/write for everyone by default. This is supposed to be accomplished via the terminal script in my previous post which didn't work. I'm still hopeful that someone might help me with that.

2) When I create a new file or folder onto the network drive, it's given "read only" privileges for everybody. If I try to change that to read/write, it switches to "no access".

You try putting it in /Users/shared and applying the ACL there? There could be special cases for anything in your home directory that is being shared via ACL. Also, I think in like 10.5.6 Apple changed how home folders access works on the server side by a default ACL, not sure if this was mimic'd on the client.

Thanks for the suggestion tlarkin. Unfortunately I got the exact same result.

Is it really so odd that I should want my files to be read/write for everyone? Why is it so hard to accomplish? Doesn't anyone else find this annoying?

1) Try using "Sandbox" for changing access control lists (ACLs):
http://mikey-san.net/sandbox/

2) Don't use Finder for finding out about permissions - especially if you are doing something out of the ordinary with ACLs. Finder's Get Info is notoriously misleading regarding permissions. (or at least it has been in the OS X versions I've tried)
Use commands in Terminal to be sure.

It seems that Sandbox is not ready for Snow Leopard, so that's out of the questions for now.

You mean the "ls -le" command thingy? This is what it tells me about my newly created Untitled folder that was supposed to inherit read/write privileges:

drwxr-xr-x+ 2 ravenplenty wheel 68 Nov 2 10:40 untitled folder
0: group:everyone inherited allow list,add_file,search,delete,add_subdirectory,delete_child,file_inherit,directory_inherit

Unfortunately for me, that's mostly gibberish. And it's besides the point, because when I copy it over the network, it still converts to Read Only. This is my whole point. If I manually assign a file or folder Read/Write for Everyone and then copy it over the network, no problem – it retains Read/Write privileges. But every new file or folder I create gets Read Only for Everyone by default.

I just want all my files to be Read/Write for everyone by default. Is there a way?

How are you logged into the Mac Pro on your network? Through an Administrative, non-admin or Guest account? This would also effect how file permissions are assigned.

The permissions assigned to newly created files/folders on your local drive are controlled by your 'umask' settings.
Look for articles on the main macosxhints site about changing 'umask'

I have admin access on my own Mac Pro as well as when I log in to the network Mac Pro which hosts the shared external hard drive.

Edit: Thanks Hayne, I'll look into the "umask" thing. Sounds promising.

Another edit: I'm having difficulty finding out how to change umask settings. Nothing really comes up when I search macoshints.com – only 4 articles are less than three years old, and they don't describe how to do this either. A google search hasn't pointed me to a simple explanation either. There are a lot of irrelevant posts or else they are articles that are filled to the brim with developer techno-speak. So now my two new questions are:

1) Is anyone able to explain in simple terms how to change the umask settings on my computer?
2) Is it, like, a really bad idea to change my default permissions to read/only for everyone? I only want that to apply to specific folders, but perhaps umask settings apply to the whole computer?

Why are you only looking for articles less than three years old? umask is a unix command, and it hasn't changed the way it works in many years.

Trevor

Since I do not have experience with Terminal, scripting, Unix, etc., I am proceeding with caution. I suspected there could be changes in the way this is implemented in Snow Leopard vs. Tiger or Panther or whatever. As it is now, the only thing I know about umask is that it has to do with default permissions, and now, that it's a "Unix command that hasn't changed the way it works [however it works] in many years". I don't yet know how to change umask settings, or if it can be applied to specific folders or just the entire hard drive.

I will continue hunting for more info. Meanwhile, if anyone has the magic bullet – eg. "simply type XXXX in Terminal" or whatever – fire away!

If this is part of an Open Directory deployment at your work MCX could be over writing the settings and enforcing management. It can even override local Admin settings.

If this is a company computer, contact your IT department and have them set up a share for you.

Bless your heart, you probably thought that might be helpful. Open Directory Deployment? MCX? Uhh...

It is a rather large company with a PC workflow, within which we are basically a self-managed Mac island of graphic designers. IT here knows next to nothing about Mac computers. Effectively we're on our own here. Enter the (often) super helpful world of forums like this. Except I'm mostly getting jargon thrown at me instead of real-world help for a non-programmer. You guys are trying to help, I just know it.

If they have any kind of management put into those machines you may not be able to share anything. Further more, if you are logging in against AD/OD then you are most likely getting a Kerberos ticket.

This basically means, it would be easy for them to set up a network share, add in whatever users need access to it, and all users that authenticate with their network log ins would be granted access to it.

I have never personally tried to enable ACLs on the file system locally. I have always used Servers instead so I would have to test this out to see what is going wrong here and unfortunately I don't have the time at the moment.

IT hasn't ever touched our Mac machines, so there's no kind of management put into these machines.

Regarding IT setting up a network share for us... I prefer a local network option because it is probably faster and avoids SMB issues we've had. Plus, I've tried to connect to shared drives used by the PC-using bunch in Marketing, but the folders only appear empty to us Mac-users, and IT couldn't figure that out at all. I want to steer clear of the quagmire that is this company's IT dept if possible.

Let's avoid the temptation to get lost in these tangents. My original question remains: How can I make all my files Read/Write to Everyone by default?

You said your log in is a network log in, which means they had to bind your machine to some sort of directory service for you to log in, is that not the case?

I'm no expert at this, but the idea that you could be trying to effect this shared disk from your client machine seems futile to me. [it seems unlikely we could set ACLs on some local folder... and then "copy it over the network" and expect the server sharing this disk to automatically honor all our custom ACL entries.]

What i'm saying is that: you (or someone) needs to walk over to that Tiger Mac Pro which is serving the shared disk, and make the necessary changes *there*... on that machine.

I.e., do the fsaclctl command there, on the Tiger server... not from your Snow Leopard client. Unless the Tiger server itself (and the shared disk) have ACLs enabled on *their* end, all the chmod stuff done from some client seems meaningless.

Also -- AFAIK -- fsaclctl is not a command we apply to individual folders, but rather entire volumes. So go to the Tiger Mac Pro and login as an admin there... and use fsaclctl to enable ACLs on it (and the diskyDisk):

sudo fsaclctl -p / -e
sudo fsaclctl -p /Volumes/diskyDisk -e # it would be nice if you told us the real names of these items, to avoid misunderstandings.

Once Tiger is serving with ACLs enabled (i.e., after a restart) -- then start using chmod +a to allow and extend various write access privileges... but again: do that chmod +a stuff from the Mac that's serving the share, not from anyone's client machine.

At that point, it will be nice to see what ls -ale /Volumes/diskyDisk/path/to/shared/folder looks like (again, when run from the Tiger server).

Thanks Hal. I think there is a misunderstanding. I'm not trying to affect the shared disk from my computer, I'm trying to change the default permissions for new files on my computer. Here's the story retold:

I am part of a group of 6 graphic designers. We all use Mac Pros, some Tiger, some Snow Leopard. We are connected directly to each other in a local gigabit network, all ethernet cabled into one hub. We work off our own local hard drives. Sometimes we need to share files with each other. Also, there is a shared drive, "Library", which is an external hard drive connected to one of the computers. As long as my own local files are set to Read/Write for Everyone before I transfer them across the network, there's no problem. But the default for any new files and folders in Read Only for Everyone (Read/Write for Me of course). I would like Read/Write privileges for Everyone to be the default on my own local system, so my files can be easily shared across the network – thus avoiding the extra step of having to constantly reapply access privileges to my new files.

1) The procedure for changing 'umask' so it will affect GUI apps (as opposed to just commands run in Terminal) has changed from OS X version to version. So you are right to look only at more recent articles.
But there was an article about doing it in 10.5 (Leopard).
What version of OS X are you using? (I forget if you told us this)

2) It might be easier just to set up a Folder Action script that would automatically change the permissions of files put into a specific folder.

Mac OS X Hints: 10.5: How to set NSUmask in Leopard System 10.5

Apple.com: Mac OS X: Resolving permissions (umask) issues in a server-based group folder environment

Apple.com: Mac OS X Server 10.5: Setting a custom umask (despite the page title, also contains information about "OS X 10.4 and later")

Trevor

Okay, well i've gone over the posts here a few times... and it sure seemed like that external shared disk was the principle issue (on page 1 anyway).


One would need to know exactly where (which directory) those files get created, and exactly where (which directory) those files get copied to... and what sort of perms/ACLs exist in those two areas.

There may be some reluctance built-in to OSX which makes giving the general group known as "everyone" write privileges to everything more challenging. [it may be that denying everyone something is one matter, while allowing everyone is quite another -- idunno for sure.] Tweaking the umask to grant world access everywhere may indeed work... but also implies a security risk.

The more common approach is to use (or create) a *specific* group... and make all of your coworkers members of that group. Maybe name the group 'graphics' and pick an obscure gid, like 777 or something. Then set up ACL inheritance in some shared area using

chmod +a "group:graphics allow etc,etc,etc,etc" /Volumes/etc/etc/etc

There more detailed info we get about volume names and folder locations, the less vague the commands we can craft.

Other than that, hayne's folder action scrip should also suffice for your more recently stated needs.

Sorry about the confusion Hal. I guess there are two separate issues. One is the general issue with restricted permissions when copying files across to coworkers computers (including the Library disk) across the network – this would cease to be a problem if our files were read/write by default for everyone (or for our group, but I don't yet know anything about creating and managing groups), which became my main quest in this posting. The other issue is with creating new files or folders directly onto shares across the network. I have since learned that this isn't as big an issue as I thought. New files and folders created on Library (or any other networked computer hard drive) are shown to have Read Only privileges for Everyone (with no other user or group privileges displayed), but I can rename, move, etc. It's only if I try to change Read Only to Read/Write that trouble starts — it switches to No Access and the red circle and bar appear.

At this point I still think the umask solution is our best bet. It will avoid our having to even drop files into a scripted folder or anything.

Thanks very much to Trevor for posting those links.

That's the reluctance i was sensing. The group 'everyone' isn't a typical group in the ordinary sense [such as wheel, admin, staff, etc]. 'Everyone' is more akin to the Unix concept of "others" (or "world"), which is not a group per se... but rather refers to everyone *else* who isn't a member of a privileged group. (i.e., users not associated with some particular file or rule by virtue of any ownership or membership).

Apple's attempt to have Finder's Get Info windows provide a GUI for tweaking Unix permissions results in misleading information in some ways. (For one thing the 'execute' bit is conflated away so we don't actually see it. Directory sticky bit? Nonexistent. Likewise setuid and setgid on files. And also -- when we grant access to specific users or [real] groups -- what's happening sometimes is an ACL is being added).

Most likely for security reasons (or so i suspect anyway), it's a simple matter to *deny* 'everyone' this or that privilege... but less simple (or perhaps impossible?) to *allow* 'everyone' certain privileges. If instead of trying to tweak on 'everyone' you were to manipulate access based on a bona-fide group, like admin or staff (or 'graphics'), then perhaps Finder's Get Info window might be more willing to play along.

--

Hmm, actually, 'everyone' is a pretty strange animal. For example, we all own our own ~/Downloads folder (and many other subfolders of our home). But -- due to the "group:everyone deny delete" ACL on it -- even we as the owner cannot easily get rid of such folders. So then, 'everyone' seems more encompassing than Unix's "others" in some ways... at least when an ACL makes use of it. From a Finder Get Info window however, allowing 'everyone' to Read&Write simply reverts to the POSIX rwxrwxrwx mode... and skips placing any ACL.

Confused yet? -- I am. :)

Did you figure it out?
 

I have a very similar set-up as Ravenplenty, 4 designers accessing one shared computer that houses all our files. When D1 creates a folder and file no other designer has access to it. Like Ravenplenty we have no support from our PC IT Group and I'm not a Techie or a Programmer. I've been looking through these posts for days going back years and still haven't found a "receipt" to follow for us non-techie people.

Every get it figured out Ravenplenty? I sure would like to know and I'm betting there are others out there. :)