ACLs to allow read/write to folders but prevent name changes to folders

Merger of two sites - need common file structure for storage - both differ at present
I want to set up an initial number of departmental folders for clients to store files.
Clients should not be able to rename any of these top level folders.
They should not be able to add additional folders at the top level.
But they should be able to write to the folders, and be allowed to create sub-folders within the top-level folders.
How do I set up ACLs to allow this...

Create an ACL with a group containing all of your clients.
At the top level of that folder, set the ACL and the Everyone group in POSIX permissions to Read Only.
You can then change permissions on all the sub-folders as you wish. One easy example: let's say that this client has read/write access to all the subfolders, but you don't want them to have anything other than read access for the top folder. You can then set the ACL for the share point so that the client group has read/write access, and propagate permissions for the ACL set.
THEN, once you have done this, change the top folder to Read Only. Do NOT propagate permissions again. Then the top folder will have read-only access, clients can't change or create folders at this level, but have full access to all subfolders.
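
The order described in this answer (propagate read/write down the tree, then reset only the top folder), as an added example that is not part of the original thread. It works on POSIX mode bits only and does not read or set ACL entries; the function names are hypothetical, and it assumes the folders' group is the client group.

```sh
#!/bin/sh
# Added example: POSIX mode bits only; ACL entries are not inspected.

# apply_layout ROOT: apply permissions in the order the answer gives.
apply_layout() {
    root=$1
    # Step 1: propagate group read/write to the whole tree
    # (X adds search permission on directories only).
    chmod -R g+rwX "$root"
    # Step 2: make only the top folder read-only. No -R here, so the
    # sub-folders keep what step 1 gave them.
    chmod g-w,o-w "$root"
}

# has_perm PATH MODE: true if PATH itself has every bit of MODE set.
has_perm() {
    [ -n "$(find "$1" -maxdepth 0 -perm -"$2")" ]
}

# audit_layout ROOT: print one line per finding, return 1 if any.
audit_layout() {
    root=$1
    status=0
    # Creating, renaming or deleting an entry needs write access to the
    # directory that contains it, so the top folder must not be writable.
    if has_perm "$root" 020 || has_perm "$root" 002; then
        echo "FAIL: $root is group- or world-writable"
        status=1
    fi
    # Each top-level folder must let the group add files and sub-folders.
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        if ! has_perm "$dir" 070; then
            echo "FAIL: $dir is not group read/write"
            status=1
        fi
    done
    return $status
}

# Usage: sh layout.sh /path/to/sharepoint   (audit only, changes nothing)
[ $# -eq 0 ] || audit_layout "$1"
```

Running the audit again after any later permission change shows whether a second propagation has reopened the top folder.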

Similar Messages

  • Allow read/write but deny delete

    Hello,
    I am working on a Mac OS X Server 10.5.6 and I am trying to set a group of users to have the ability to read and write to a certain share but to deny them the ability to delete any files or folders from that share.
    Here is how I set it, but it doesn't work:
    owner admin r/w
    group all r/w
    others none
    acl all deny delete,delete_child,file_inherit,directory_inherit
    but the members of group all cannot add files anywhere in the share.
    I have tried another setting which also doesn't work:
    owner admin r/w
    group all r/w
    others none
    acl all allow list,add_file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
    but in this case group all can add files and also delete them.
    Please help: how can I make these users have all rights except deleting files?
    Thank you

    I am trying to do the exact same thing.
    As of 10.5.3, from what I understand, Apple has now forced us to use ACL's for permissions inheritance. Fine. But if they're wanting us to use ACL's, then why don't they work like they're supposed to!?
    I made the exact changes you made, and no luck. I am trying to create a share point people can read and write to, but not delete files from. There are access control entries designed specifically to handle this. delete, delete_child. You'd think that when denying these two entries, this would work, but somehow my client workstations think they're not allowed to write any data to the share point.
    If anyone can point us in the right direction, it'd be greatly appreciated!
    evan

  • Prevent file deletion on server but allow read/write permissions

    So, I have several iMacs that are basically public computers.  They will all access a shared server.  The machines need to possess all of the user permissions of a "read/write" user with the EXCEPTION of being allowed to delete.  As it is now, a random user could delete our entire server in two clicks.  So, I need to somehow secure our data while still allowing the "reading" and "editing" of files.
    Here's what I need to do:
    •  Somehow disable the delete file function altogether (while still maintaining read/edit permissions) or
    •  Find some 3rd party app or workaround that prompts the user with a password dialogue box in order to execute the "delete" function or
    •  Somehow apply permissions to a specific folder on the server that enables read/edit, but disables file deleting by users
    I set the permissions of my trash folder to "read only" however, this only prevents deleting local files and doesn't prohibit deleting files from the shared drive.
    Thoughts?

    I'd rethink the requirements.
    The literal answer is that yes, you can mark the files as being undeletable.
    The access control list setting via the command line chmod command is something akin to the following:
    chmod +a "groupname deny delete"
    In practice, these same requirements do allow the shared files to be effectively deleted; via overwrite.  (This is why the Unix-layer file protections don't bother to differentiate write from delete access.)  These requirements also allow partial file corruptions, a situation which tends to be far more pernicious.

  • Read & Write all folders and files

    How do I allow another account user read & write privileges to all my files and folders? I have set the other user as an administrator however each file and folder that i've copied into their documents folder still need to be changed individually (through the Get Info window) in order to save changes or add new files to them. This is very time consuming, so is there an easier way?

    Not exactly what you are looking for but maybe some useful information:
    http://www.computerworld.com.au/article/197922/useraccounts_file_sharing_leopard_whatnew?pp=1&fp=2&fpid=2

  • Mount point won't allow read/write for non-root user

    Any ideas why this particular fstab line leads to root user only read/write for any disk referenced in my fstab?
    Example:
    UUID=496E-7B5E   /media/STORAGE   vfat   defaults 0   0
    I have tried all variations of what "defaults" should be (rw,suid,dev,exec)
    I had even added uid=0777, and no matter what options I add there, doing
    sudo mount -a
    or with the line in fstab commented out and
    mount -t vfat -U 496E-7B5E /media/STORAGE -o defaults
    causes the same issue.
    Results in every filesystem there to be mounted as read only for me as a user, and I can only write to them as root. 
    Weird
    I have run
    sudo chmod -v -R a+rwx /media/STORAGE
    and similarly
    sudo chmod -v -R 0777 /media/STORAGE
    Both were tried on the directory as mounted and unmounted.  When mounted, the verbose output DOES NOT error out and shows property change of the files
    Oddly, if no fstab reference is used, the disk shows up in the dolphin panel, and can be mounted in that manner and it is read write as a usual user. 
    Using a Chakra-live installed with Unetbootin, so perhaps that is the issue... so
    How is mounting through dolphin handled and what might I use at the command line to accomplish this same routine, as I only need one partition to mount read write when the system starts, so maybe I can add the command to rc.local
    Last edited by bwh1969 (2009-01-18 23:04:59)

    # fstab generated by gen_fstab
    #<file system>   <dir>         <type>      <options>    <dump> <pass>
    none            /dev/pts      devpts      defaults        0     0
    none            /dev/shm      tmpfs       defaults        0     0
    UUID=496E-7B5E /media/STORAGE vfat    defaults,user,users,rw,exec,uid=777,gid=777   0       0
    /dev/sr0     /mnt/sr0_cd  auto     user,noauto,exec,unhide 0     0
    # This would do for a floppy
    #/dev/fd0        /mnt/floppy    vfat,ext2 rw,user,noauto    0     0
    #    +   mkdir /mnt/floppy
    # E.g. for USB storage:
    #/dev/sdb1        /mnt/usb      auto      rw,user,noauto   0     0
    #    +   mkdir /mnt/usb

  • Read/Write permissions and saving prevented

    Hi!
    My hard drive failed last week, and while it was being replaced, the technician backed up the old one, replaced all my data onto the new one and upgraded me to 10.4.10, and then repaired permissions. He also replaced my keyboard, which had few to no letters painted on it (again). I'm the only user on this computer.
    Most things seem to be working well, but so far I've found that I'm not allowed to access my address book at all -- I'm being 'told' I have no read/write permissions for address book. I am also not allowed to save anything (not print to .pdf, not anything from Appleworks, not from textedit) except email as drafts. I have found a way to get around some of it, by trying to save directly to the hard drive, then I get asked to authenticate with my password, I do and it OKs that individual file. This works maybe 90% of the time, but not always on the first try.
    Oh, also I can't run anything in flash (I tried to go to a flash based website and it wouldn't work), and I was not able to download a flash player at all.
    Do these issues go together at all? I'm nervous that if I try to fix something, I'll make it worse.
    Thanks in advance for any ideas!
    iBook G4   Mac OS X (10.4.10)  

    Hi Tttina, it sounds like permissions within your Home folder. To check, create a new account, name it "test" and see how your apps work in that User acct? (That will tell if your problem is systemwide or limited to your User acct.) This account is just for test, do nothing further with it.
    Open System Preferences >> Accounts >> "+" make it an admin account.
    If that works, then repair the Permissions inside your Home folder:
    • Navigate to YourHome/Library.
    • Get Info (Command - i) on folders for apps you are having problems with.
    • Open the "Ownership & permissions" disclosure triangle.
    • Make sure you are the owner, with "read and write" access.
    • Click on "apply to all"
    • If this is correct, open the "Applications Support" folder and do the same procedure (Command+I) for the folders with the names of the applications you are having trouble with.
    Note:
    The reason to do this is because repairing permissions with Disk Utility (as the tech did) doesn't touch permissions inside your home folder.
    -mj

  • Read/write dvd's but not cd's

    Does anyone have insight about this problem. When trying to burn a cd I get error codes like:
    Sense Key=Medium Error
    Sense Code = 0x0C
    Write Error
    There is no problem with DVD's, only cd's.
    I have a Mac Pro with the built in Pioneer DVD-RW DVR-111D.
    I'm thinking I need to bring it in for repair but I don't know.
    Thanks,
    Charlie

    Hi, I am having a similar problem to the above writer. Just recently my drive has stopped recognising CDs, including commercial ones with music or photos. The drive just makes an initial sound then whirrs for a while and stops. No disc image shows on desktop. DVDs are read perfectly. However I have had a problem trying to burn a DVD where a similar message to above writer appeared.
    This is not about the quality of disc inserted I do not think since this is commercial music discs which work in other machines?
    Any ideas?

  • Can I batch change user access to folders & file read-write permissions?

    I had a corrupted user account on my iMac and after weeks of trying repairs I followed a forum suggestion to delete my account.
    Before doing so I synced all my document folders and files (since 2004) over my LAN to an external hard drive that was attached to my MacMini. I then deleted the iMac account.
    Next I backed up my Mac Mini user account with Time Machine. I then created a new iMac User account on the iMac and let the iMac access Time Machine to bring over all my MacMini preferences, settings, desktop, etc. I now have a fully functioning iMac user account.
    Here is the problem. I attached the USB external drive directly to my iMAC. I can access some of the folders and files on the external hard drive. Most of them refuse to let me access the folder or open a file. If I use the GET INFO command I see an "_unknown" user with "read and write". I see an "everyone" with "no access". I can individually change each folder and file to allow my user account access and give myself permission to read and write the files. I cannot delete the "_unknown" account.
    It will take me days to individually change each folder and file manually like I am now doing.
    Is there a way to use Automator to add my user account to the folder or file and give me read and write folder and file permissions?
    Or is there any other way to do this in a batch change?
    Is there something I need to do to the external files right now that will ensure that I can access them if either computer crashes and I need to replace the MAC? I would hate to have to go through this again. Would having a MAC server instead of an external drive solve this?
    I am using MAC OS 10.6.8 with the most recent updates installed (as of today).
    Thanks,
    Sandi Dickenson

    Select the icon of the external drive in the sidebar of a Finder window, and open the Info window. In the "Sharing & Permissions" section of the window, click the lock icon and authenticate. Make sure you have read & write access to the volume by changing the settings if necessary. Then, from the action menu (gear icon), select "Apply to enclosed items."
    The "_unknown" user and group are assigned automatically to files on a volume with the "Ignore permissions" option set.

  • Read/Write, no Delete permissions

    This should be fairly obvious, but I cannot come up with the correct ACL settings in 10.5/10.6 to create a file share that is read/write to a specific group, but they cannot delete. This is a photo archive that needs to allow people to add files, but not remove them. Seems like unchecking the "Delete, Delete Subfolders and Files" should (leaving Read completely checked and should apply to All subfolders and files.)
    What am I missing? I'm sorry I don't have more to offer specifics-wise on the server at the moment, because I'm offsite. But here are some details:
    10.5.8 Server on Intel Xserve w/XRaid attached.
    OD Master running internal DNS that resolves back and forth correctly
    Users connect via AFP, but Bonjour is disabled.
    Several other shares(folders) on the RAID, but only this one requires this set up. No matter what combination of Permissions I check, logging in as the user(AFP) via Kerberos produces 3 results:
    1. User can read/write new files, but can also delete (bad).
    2. User can only read, no write/delete (bad)
    3. User can no longer see share point.
    This seems simple and perhaps I need to try removing the ACL altogether but it seems severe.
    Can someone create a working share like that and post the screenshot?
    I can get more specific information next time I'm onsite.

    I may have found my solution here:
    http://discussions.apple.com/thread.jspa?threadID=2114195&tstart=105
    Looks like I need to change the POSIX to the photo group instead of the 'admin' on the server.
    I will give a try on my next visit and report back.
    Message was edited by: Shawn Punga

  • HT1549 How do I read write to an external drive?  I am under admin account and cannot read write to any folder on the external drive.

    I have a Mac Mini with Mavericks installed, as well as a PC running Windows 7.  I want to be able to read write from both computers to an external drive on the Mac.  I created 2 folders on the drive and named them Movies, and TV Shows.  The content of those folders are the respective files. I set up both folders to be shared on the Mac under system preferences, and then mapped the drives on the PC.  I also created a user account with admin privileges on the mac that matched my PC.   I then copied a Music folder to the root drive instead of using external, and set up sharing as well.  File Sharing is selected for all three folders, however the music folder is the only one which allows me to change the permissions to allow read write to everyone, or to create individual user accounts to connect with read write permissions.  The options to add users or change permissions are simply grayed out for the two folders on the external drive, so not only can I not write from my PC, but I can’t even do it on the Mac with the administrative user logged in. The folder on the root drive is fine but I cannot make any changes to the external drive at all.  Get info for any folder on drive shows read only.  SMB and AFP are selected for all folders under options.  I can access all three folders from PC, but can only add files to the Music folder. I cannot do anything from either computer to the folders on the external drive.

    Try Applications/Utilities/Disk Utility - select the drive and run Repair Disk.

  • How can I make sure files I transfer stay at read/write instead of read?

    My employer recently got six brand new Mac Pros for our a/v guys. Well I wasn't able to get migrate to work (it wouldn't detect the slave drives, only the master) so I had to put files onto an external drive (a LACIE 1TB) and put them on the new Mac Pro OS 10.5.
    We're finding out that files that we're moving, their permissions are being changed to read only instead of remaining at read/write or so it seems.
    We've also got these machines on a closed network so we can share files between different areas of the office. Each computer has an administrator account and allows sharing and gives those it is sharing with, read/write permissions. But if I transfer a file from machine a to machine b, it comes out as read only on the file.
    I'm thinking we jacked up the file sharing somewhere somehow. Curious if anyone might be able to take a crack at this. We're all new to leopard.
    Screenshots:
    Thanks

    Usually though; they are techs; and so geeky; that in windows they set themselves as admins with unlimited privileges. So what they do is go to account setting and just delete your account; and when they delete; they will delete everything; and all your personal files.
    Most though; find that too troublesome; so they just reformat the drive with a backup they built; for that computer.
    Most of the things you can do is deleting temporary internet files; and cookies; and any saved passwords on your account. Usually all found in options/tools in most web browsers. For windows; most files are on desktop; my music; my downloads; my documents; and etc.

  • Online vs Read Write

    I have a confusion in following commands about tablespace.
    When should we use Online and Read Write.
    SQL> ALTER TABLESPACE imp_dat ONLINE ;
    SQL> ALTER TABLESPACE imp_dat READ WRITE ;
    If an ONLINE tablespace allows both READ and WRITE, then what is Read Write for?
    Need more clarifications plz.

    Do you want to know the difference between ONLINE/OFFLINE and READ ONLY/WRITE?
    If the tablespace is READ ONLY it is available to select the data from.
    If the tablespace is OFFLINE then you cannot even select from it.
    Hope this is the answer to your question.

  • Finding exception with the read-write-backing-map-scheme configuration.

    Finding exception with the <read-write-backing-map-scheme> configuration, that is setup against a simple database cache store implementation. The class SimpleCacheEventStoreImpl implements CacheStore interface.
    Exception in thread "main" java.lang.UnsupportedOperationException: configureCache: read-write-backing-map-scheme
         at com.tangosol.net.DefaultConfigurableCacheFactory.configureCache(DefaultConfigurableCacheFactory.java:995)
         at com.tangosol.net.DefaultConfigurableCacheFactory.ensureCache(DefaultConfigurableCacheFactory.java:277)
         at com.tangosol.net.CacheFactory.getCache(CacheFactory.java:689)
         at com.tangosol.net.CacheFactory.getCache(CacheFactory.java:667)
         at Sample.SimpleEventStoreConsumer.main(SimpleEventStoreConsumer.java:10)
    The cache store is interfaced to the program SimpleEventStoreConsumer(where I have a put and get operation) through the following cache configuration descriptor. On running the SimpleEventStoreConsumer, the exception happens on trying to get the Named cache from the cache factory
    <cache-config>
         <caching-scheme-mapping>
              <cache-mapping>
                   <cache-name>Evt*</cache-name>
                   <scheme-name>SampleDatabaseScheme</scheme-name>
              </cache-mapping>
         </caching-scheme-mapping>
         <caching-schemes>
              <read-write-backing-map-scheme>
                   <scheme-name>SampleDatabaseScheme</scheme-name>
                   <internal-cache-scheme>
                        <local-scheme>
                             <scheme-ref>SampleMemoryScheme</scheme-ref>
                        </local-scheme>
                   </internal-cache-scheme>
                   <cachestore-scheme>
                        <class-scheme>
                             <class-name>com.emc.srm.cachestore.SimpleCacheEventStoreImpl</class-name>
                             <init-params>
                                  <init-param>
                                       <param-type>java.lang.String</param-type>
                                       <param-value>{cache-name}</param-value>
                                  </init-param>
                             </init-params>
                        </class-scheme>
                   </cachestore-scheme>
              </read-write-backing-map-scheme>
              <local-scheme>
                   <scheme-name>SampleMemoryScheme</scheme-name>
              </local-scheme>
         </caching-schemes>
    </cache-config>

    you are missing <backing-map-scheme>. Do like following:
    <caching-schemes>
         <distributed-scheme>
              <scheme-name>distributed-scheme</scheme-name>
              <service-name>DistributedQueryCache</service-name>
              <backing-map-scheme>
                   <read-write-backing-map-scheme>
                        <scheme-ref>rw-bm</scheme-ref>
                   </read-write-backing-map-scheme>
              </backing-map-scheme>
              <autostart>true</autostart>
         </distributed-scheme>
         <read-write-backing-map-scheme>
              <scheme-name>rw-bm</scheme-name>
              <internal-cache-scheme>
                   <local-scheme>
                   </local-scheme>
              </internal-cache-scheme>
         </read-write-backing-map-scheme>
    </caching-schemes>

  • Could you explain how the read-write-backing-map-scheme is configured in...

    Could you explain how the read-write-backing-map-scheme is configured in the following example?
    <backing-map-scheme>
        <read-write-backing-map-scheme>
         <internal-cache-scheme>
          <class-scheme>
           <class-name>com.tangosol.util.ObservableHashMap</class-name>
          </class-scheme>
         </internal-cache-scheme>
         <cachestore-scheme>
          <class-scheme>
           <class-name>coherence.DBCacheStore</class-name>
           <init-params>
            <init-param>
             <param-type>java.lang.String</param-type>
             <param-value>CATALOG</param-value>
            </init-param>
           </init-params>
          </class-scheme>
         </cachestore-scheme>
         <read-only>false</read-only>
         <write-delay-seconds>0</write-delay-seconds>
        </read-write-backing-map-scheme>
    </backing-map-scheme>
    ...Edited by: qkc on 30-Nov-2009 10:48

    Thank you very much for reply.
    In the following example, the cachestore element is not specified in the <read-write-backing-map-scheme> section. Instead, a class-name ControllerBackingMap is designated. What is the result?
    If ControllerBackingMap is a persistence entity, is the result same with that of cachestore-scheme?
    <distributed-scheme>
                <scheme-name>with-rw-bm</scheme-name>
                <service-name>unlimited-partitioned</service-name>
                <backing-map-scheme>
                    <read-write-backing-map-scheme>
                        <scheme-ref>base-rw-bm</scheme-ref>
                    </read-write-backing-map-scheme>
                </backing-map-scheme>
                <autostart>true</autostart>
            </distributed-scheme>
            <read-write-backing-map-scheme>
                <scheme-name>base-rw-bm</scheme-name>
                <class-name>ControllerBackingMap</class-name>
                <internal-cache-scheme>
                    <local-scheme/>
                </internal-cache-scheme>
            </read-write-backing-map-scheme>

  • How do I allow users to create folders in a shared folder where we all then have read/write access to those new folders?

    I have three users who need to access a particular folder on one of our other Macs. The folder resides on the desktop of that particular Mac and it is set as "shared" with all of our accounts set to access the folder. When a user creates a new subfolder in that shared folder, the permissions are instantly set to allow the creator read/write access but the other users are only allowed read-only access. Is there a way to set the permissions so that any new folder created in that shared folder automatically gives read/write access to all accounts who are authorized access to that shared folder?

    You should be able to take the permissions you have set and "apply to enclosed items." I am trying to attach a picture of what this looks like so my apologies if it does not work.
    Highlight your folder you want and go to File>Get Info or command+I and at the bottom where it has Sharing and Permissions, click the lock button to authenticate. Click the gear and click "apply to enclosed items". See if that works.
