Best Way to Override 'Everyone - Read Only' using ACLs

Hi, let me first clarify that I'm not an 'official' network administrator, I'm just the only one in a small design office able to attempt to figure this stuff out.
We are needing to upgrade our security in a small office (5-7 users, 1 server running OSX Server 10.4.4).
We've been working great since OSX Server 10.3.x using standard POSIX privileges setup as follows:
Owner: Our_Server - R/W
Group: OurGroup - R/W
Everyone: None
We've been able to share files great as we're all in the same group (OurGroup). No problems.
Unfortunately, we now need to add a higher level of security for some incoming freelance workers. Essentially, we need to give them access to only certain folders UNDER our main Share Point directory. But we need to retain all of the freedom we've always had for the entire Shared directory.
From my understanding, the only way to do this is by using ACL's and a different group for the freelancers. I've setup a TEST directory to try this on. I've almost got it setup to work the way we want, but now am experiencing what I've discovered to be one of the drawbacks of using ACL's - the "Inherit Permissions from Parent" feature of AFP is no longer an option.
So using this method, new files added by default pick up the standard POSIX permissions, which allow Read access to Everyone. And I have to 'replicate' the behavior of 'Owner' and 'Group' that we had working before using POSIX or the group would end up Read Only.
- Any way to simulate the inherited permission of 'Everyone: None' using ACLs?
- Is there an easier/better way to allow access to only certain sub-folders of our main Share Point for a different group (FreelanceGroup)?
- Any way to do this while keeping our good working POSIX model?
- What should my POSIX access settings be set now when using ACLs?
- How dangerous is having 'Everyone: Read Access' really? We have guest access disabled, appropriate firewalls, etc.?
Thanks a lot. I hope I'm approaching this properly. I'm open to any tips. We just need to make sure nothing 'appears' to change too much in the workflow we have grown accustomed to (within reason).
G5 Dual 2Ghz   Mac OS X (10.4)   1.5GB RAM

If you haven't already, you may find my ACL Tips post helpful: http://discussions.apple.com/thread.jspa?messageID=1696702
My best advice would be to concentrate on defining ACLs for the groups of users for whom access should be granted (Allow rules). These can define inheritance for newly created files and folders, and you don't have the limit of having to think about just one group and everyone else. Remember that the POSIX "everyone" group is actually "everyone else" - that is, any valid user (guest if guest access is enabled) who does NOT match the owner or who is NOT a member of the POSIX group. The way that POSIX permissions are calculated, the connecting user is always granted ownership if possible, then group membership (primary group first, membership lookup by GID second) if that fails. Failing the two, the everyone else permissions are returned.
Here's an example that highlights the difference:
There is a group called "everyone" - that's actually all users, guests included, if guest access is enabled. This group is NOT the POSIX everyone else field. Rather, if you grant an ACL deny for everyone, then that covers all users, not just those for whom you don't have an ACL defined!
Further, there's an "authed users" group, which is the group of all authenticated users (and it never includes guests, even if guest access is enabled). Like the "everyone" group, membership is calculated by GUID by memberd. So you can think of these two groups as "smart groups."
Since the "smart groups" have membership controlled by memberd and GUID values, it's wise to only use them when defining ACL entries. Neither should be used for the group value of the POSIX group field. Either membership calculation will fail, or the "everyone else" POSIX field may never need to be consulted.
As to the missing "inherit from parent" feature, the story is just the opposite: ACLs actually give you better inheritance than that feature ever did. For example, ACLs each support inheritance with the file_inherit, directory_inherit, only_inherit, and limit_inherit controls. For each entry, you can have a group or single user's ACL entry apply to new child files, new child folders, or both. Further, you can control inheritance on a per-folder level, and manage how deeply that inheritance goes (limit_inherit) or whether the permissions are only inheritable.
For example, your example POSIX group permissions would look like this using two ACLs:
ourgroup allow readattr,readextattr,readsecurity,list,search,read,execute,write,delete,append,delete_child,add_file,add_subdirectory,writeextattr,writeattr,file_inherit,directory_inherit
Again, my ACL Tips post explains more, and my answer to this post clarifies how new files, copied files, and moved files/folders get their POSIX and ACL permissions: http://discussions.apple.com/thread.jspa?messageID=3188259&#3188259
Hope this helps!
--Gerrit
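The resolution order Gerrit describes (POSIX picks owner, then group, then "everyone else"; the "everyone" and "authed users" smart groups match every connecting user; file_inherit, directory_inherit, only_inherit and limit_inherit replace AFP's inherit-from-parent), as an added Python model that is not part of this thread and not Apple's code. The users, groups, folder tree and mode strings are constructed for the example, and the model assumes that ACL entries are evaluated in order with the first entry that allows or denies the requested right deciding, and that the POSIX bits apply only when no entry matches. It shows why a newly saved file with default umask bits leaks read access to a freelancer, why an inherited group allow entry restores the old group write behaviour, and why an "everyone deny" placed in front of the group allow locks out the staff as well.

```python
"""Toy model of access resolution on an OS X Server 10.4 share point (constructed example):
ACL entries are checked in order and the first entry that allows or denies the requested
right wins; if no entry decides, the POSIX mode bits apply (owner, then group, then
'everyone else').  Users, groups, tree and modes below are all made up for the example."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # groups the user belongs to
    guest: bool = False        # True for the guest account

@dataclass(frozen=True)
class Ace:
    principal: str             # user, group, or smart group 'everyone' / 'authed users'
    kind: str                  # 'allow' or 'deny'
    rights: frozenset
    inherit: frozenset = frozenset()   # file_inherit, directory_inherit, only_inherit, limit_inherit

@dataclass
class Node:
    owner: str
    group: str
    mode: str                  # nine-character mode string, e.g. 'rw-r--r--'
    is_dir: bool
    acl: list = field(default_factory=list)

# Rights of the "ourgroup allow ..." entry above, spelled as chmod(1) names them.
FULL = frozenset(("readattr readextattr readsecurity list search read execute write delete "
                  "append delete_child add_file add_subdirectory writeextattr writeattr").split())
READ_ONLY = frozenset("readattr readextattr readsecurity list search read execute".split())

def posix_rights(user, node):
    """POSIX consults exactly one triplet: owner, else group, else 'everyone else'."""
    if user.name == node.owner:
        bits = node.mode[0:3]
    elif node.group in user.groups:
        bits = node.mode[3:6]
    else:
        bits = node.mode[6:9]
    names = ("list", "add_file", "search") if node.is_dir else ("read", "write", "execute")
    return frozenset(n for b, n in zip(bits, names) if b != "-")

def ace_matches(user, ace):
    """Smart groups cover everyone who connects, not just users lacking another entry."""
    if ace.principal == "everyone":
        return True
    if ace.principal == "authed users":
        return not user.guest
    return ace.principal == user.name or ace.principal in user.groups

def allowed(user, node, right):
    for ace in node.acl:
        if "only_inherit" in ace.inherit:
            continue                      # exists only to be inherited by children
        if right in ace.rights and ace_matches(user, ace):
            return ace.kind == "allow"    # first matching entry decides
    return right in posix_rights(user, node)

def inherited_acl(parent, child_is_dir):
    """Entries a new child picks up from its parent's inheritable entries."""
    out = []
    for ace in parent.acl:
        if ("directory_inherit" if child_is_dir else "file_inherit") not in ace.inherit:
            continue
        flags = set(ace.inherit) - {"only_inherit"}
        if not child_is_dir or "limit_inherit" in flags:
            flags = set()                 # files end the chain; limit_inherit stops after one level
        out.append(Ace(ace.principal, ace.kind, ace.rights, frozenset(flags)))
    return out

def new_child(parent, owner, is_dir, mode):
    """A freshly created object: POSIX mode from the creator's umask, ACL from the parent."""
    return Node(owner, parent.group, mode, is_dir, inherited_acl(parent, is_dir))

# Constructed users and tree.
alice = User("alice", frozenset({"ourgroup"}))                # regular staff
bob = User("bob", frozenset({"freelancegroup"}))              # freelancer
guest = User("guest", frozenset(), guest=True)

INHERIT = frozenset({"file_inherit", "directory_inherit"})
share = Node("our_server", "ourgroup", "rwxrwx---", True,
             [Ace("ourgroup", "allow", FULL, INHERIT)])
# A file another staff member saves: the default umask yields 'rw-r--r--' (everyone read).
doc = new_child(share, "carol", False, "rw-r--r--")

# Same share, but with 'everyone deny read' placed in front of the group allow.
locked = Node("our_server", "ourgroup", "rwxrwx---", True,
              [Ace("everyone", "deny", frozenset({"read"}), INHERIT),
               Ace("ourgroup", "allow", FULL, INHERIT)])
locked_doc = new_child(locked, "carol", False, "rw-r--r--")

# Sub-folder the freelancers may read; limit_inherit keeps that to one level down.
freelance = new_child(share, "our_server", True, "rwxrwx---")
freelance.acl.append(Ace("freelancegroup", "allow", READ_ONLY, INHERIT | {"limit_inherit"}))
job = new_child(freelance, "alice", True, "rwxrwx---")
deeper = new_child(job, "alice", True, "rwxrwx---")

if __name__ == "__main__":
    print("bob reads doc through POSIX 'everyone else':", allowed(bob, doc, "read"))
    print("alice writes doc through the inherited ACL: ", allowed(alice, doc, "write"))
    print("alice reads locked_doc (everyone deny first):", allowed(alice, locked_doc, "read"))
    print("bob lists job / deeper:", allowed(bob, job, "list"), allowed(bob, deeper, "list"))
```

Running the script prints True, True, False and True False: the umask-created file is readable by the freelancer through the POSIX "everyone else" triplet, the inherited group entry gives staff write access the POSIX group bits alone would not, the leading "everyone deny" blocks staff as well as freelancers, and the limit_inherit entry stops propagating one level below the freelance folder.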

Similar Messages

  • Best practice for making form read-only at certain steps in process?

    I have a process with a single form and 4 Assign Task operations.  During Assign Task operations 1 and 3, the form is edited.  During Assign Task operation 2 and 4, it should be read-only (it is reviewed and acknowledged, but not changed).   There is no single criteria in the form data that indicates whether a form should be read-only or not -- this is only signaled by the step in the process.  What is the best way to manage the read-only state?
    Is there a way to make the form read-only via a setting in Workbench, or should I do this via a script in the form?
    Thanks!
    Toby

  • Any way to make Contacts Read Only in Server 10.8/9

    I have turned on OS X Server Services Contacts (in either 10.8 or 10.9), set up a user account, added that account as a CardDav to a computer(s) made a group(s) of contacts and imported some vcards so everybody can see them in their Contacts on their computers in 10.8 or 10.9. Everything fine.
    What I can't figure out is if there is any way to make them Read Only, allowing only a selected group to have Read/Write privileges. When you have hundreds of employees many of them will end up editing something in the "public contacts" that they shouldn't have done or delete them completely.
    If they were read only that would be great.
    Any ideas? Other then an exchange server there isn't much out there for Macs.
    Thanks,
    Todd

    Update -
    I found a way to make this work. And it is free!
    Forget Apple OS X Server Service Contacts.
    Use Sogo instead. Works perfectly and is extremely fast in handling our 5000+ public CardDAV records and 1000+ CardDAV private records!

  • What is the best way to create a read more/collapse text box on the homepage of a site?

    I figured this out by using a lightbox. I set the trigger at the top of the box, hid all initially and added a close button. In the box that would have linked to the first thumbnail for the lightbox, I added a text box that said "read more"

  • Can you suggest a best way to store and read arabic from oracle database?

    Hi ,
    can you suggest a best way to store and read arabic from oracle database?
    My oracle database is Oracle Database 10g Release 10.1.0.5.0 - 64bit Production on unix HP-UX ia64.
    NLS_NCHAR_CHARACTERSET AL16UTF16
    NLS_LANGUAGE AMERICAN
    NLS_TERRITORY AMERICA
    NLS_CHARACTERSET WE8ISO8859P1
    I have presently stored the data in nvarchar2 field. But i am not able to display it correctly.

    Using the national characterset should work but there are other factors that you have to consider when working with NCHAR/NVARCHAR2/NCLOB.
    If possible, changing the characterset is usually the best solution if it's a possibility for you.
    For more info:
    Dear Gurus: Can u pls explain the difference between VARCHAR2 & NVARCHAR2??

  • I have a macbook pro I use for work and iMac at home. What is best way to manage my files? Use iCloud? Dock my laptop when I come home? Appreciate any suggestions

    That depends on what kind of "files" you're talking about and what your employer's policy is on using cloud storage.
    I found dropbox and/or OneDrive work very well for keeping documents in sync between multiple machines.

  • Every file has staff and everyone "read only" privileges

    Just upgraded to SL with a clean install. Copied over all my documents. Now it seems like every single file has staff and everyone read only privileges (in addition to me having read & write).
    How can this be? Under System Preferences, Sharing, I have absolutely nothing checked.
    Anyone know anything about this? Thanks.

    santranyc wrote:
    Just upgraded to SL with a clean install. Copied over all my documents. Now it seems like every single file has staff and everyone read only privileges (in addition to me having read & write).
    these are standard permissions in both leopard and snow leopard. any new files you create in your home directory will have those permissions.
    How can this be? Under System Preferences, Sharing, I have absolutely nothing checked.
    this has nothing to do with sharing.
    Anyone know anything about this? Thanks.

  • How can we make the ms-word data as read-only using java code?

    How can we make the ms-word data as read-only using java code?

    MVSK wrote:
    By using java code i opened a file in ms-word. But the data i want to display as read-only. that means should not change it.

    I don't think you can do that. Display pdf documents instead.

  • What is the best way to set up Facetime if using multiple computers with one apple ID?

    I currently have FaceTime setup on my iPad 2 using my normal appleID, but have just recently upgraded our iMac from Leopard to Snow leopard, and have added FaceTime to that computer as well. So my question is this. If I want to avoid confusion with which device is called when someone calls us using FaceTime, what is the best way to distinguish the devices? Should I try to use a different email address to reach the iMac? Is there a best-known-method for this?

    That's a nice system Kevin, and it will work very nicely with Photoshop.  I do take it that you have 16Gb RAM in Total?
    250Gb SSD is a good size, but you can still run short, and that will affect Windows performance.  When you get your system, install WinDirStat which gives you a graphic display of everything on your drive, like below. Clicking on any of the large areas will tell you what and where they are, so you can think about moving cache folders etc. to one of the HDDs.
    Leave the Pagefile.sys on the boot drive.  Think about disabling Hyphenate as it takes a ton of space, and too often crashes on wake up.
    My Documents
    Desktop
    Downloads
    Look at Bridge cache
    iTunes backup
    Other stuff like that.
    Think about another 500Gb drive just for Photoshop Scratch.  Drives are cheap as chips nowadays.
    Do yourself a favour, and invest $100 in Shadow Protect (or similar if there is such a thing) SP saves incremental backups every 15 minutes (you can set the interval, but it has no impact on performance with a system like yours).  If you have a problem you can mount the back up at any of those 15 minute points, and open files from it.  You can also make a bootable DVD image of your C drive, and be back up and running five minutes after disaster strikes.
    Optimize Performance in Photoshop
    Photoshop CC and CC 2014 GPU FAQ
    For more ideas, swing by the Premiere Pro Hardware forum.  Those guys are serious good at this stuff, and you'll find links tips and ideas.
    Happy computing, and have fun with your Creative Cloud® apps.

  • SQL Server 2012 - What Is The Best Solution For Creating a Read Only Replicated/AlwaysOn Database

    Hi there I was wondering if someone may have a best recommendation for the following requirement I have with regards setting up a third database server for reporting?
    Current Setup
    SQL Server 2012 Enterprise setup at two sites (Site A & Site B).
    Configured to use AlwaysOn Availability groups for HA and DR.
    Installed on Windows 2012 Servers.
    This is all working and failover works fine and no issues. So…
    Requirement
    A third server needs to be added for the purpose of reporting, to be located on another site (Site C) possibly in another domain. This server needs to have a replicated read only copy of the live database from site A or Site B, whichever is in use. The Site C reporting database should be as up-to-date to the Site A or Site B database as possible – preferably within a few seconds anyway.
    Solution - What I believe are available to me
    I believe I can use AlwaysOn and create a ReadOnly replica for the Site C. If so do I assume Site C needs to have the Enterprise version of SQL server i.e. to match Site A & Site B?
    Using log shipping which if I am correct means the Site C does not need to be an Enterprise version.
    Any help on the best solution for this would be greatly appreciated.
    Thanks, Steve

    for always on - all nodes should be part of one windows cluster..if the site C is on a different domain - I do not think it works.
    Logshipping works --as long as the sql on site C is the same or higher version(sql 2012 or above).  you can only do read only.
    IMHO, if you can make site C in the same domain then, AlwaysOn is better solution else log shipping
    also, if your database has enterprise level features such as - partitioning, data compression -- you cannot restore the database on lower editions- so you need to have enterprise edition.
    Hope it Helps!!

  • How to lock a form (all fields read only) using a button (JavaScript)

    Hi guys,
    I have a form with several input fields, check boxes. Using a button in the form, I would like to lock it using a JavaScript. Locking means in my case that all input fields, checkboxes, etc. are read only (cannot be changed anymore).
    I already use the following approach:
    data.form.MyInputField.access = "readOnly";
    The problem is that this approach is not comfortable from a maintenance perspective. I would like a more generic or more simple way.
    Generic:
    loop over all fields and set them to "read only"
    Simple:
    xfa.form.lock; // but this does not work
    Do you have any ideas how to solve this requirement in another way as I currently do?
    Thanks,
    Thomas

    Now I used the following script:
    // set the whole form as container
    var objContainer = data.Report;
    // call the method to set all fields to read only (recursion)
    disableAllFields(objContainer);
    function disableAllFields(objContainer) {
         for (var i = 0; i < objContainer.nodes.length; i++) {
              switch (objContainer.nodes.item(i).className) {
                   case "field":
                   case "exclGroup":
                        // fields and exclusion groups become read only
                        objContainer.nodes.item(i).access = "readOnly";
                        break;
                   case "subform":
                        // descend into nested subforms
                        disableAllFields(objContainer.nodes.item(i));
                        break;
                   default:
                        break;
              }
         }
    }
    It works but is there another possibility such as
    form.lock;
    Thanks,
    Thomas

  • Best way of extracting Akai-CD for use in Kontakt

    What's the best way of doing it so it preserves the original data? Google only shows old results.

    Page 87 of the Kontakt manual (that's Kontakt 4).
    Might be an idea to post something like this on a Native Instruments forum ;-)

  • I go to File get info sharing and it says I have custom info, me read and write, staff read only and everyone read only and I don't know how to change the setti

    I am attempting to download an update for Firefox - when attempting to open it tells me to go to File/getinfo and when I look at sharing and Permissions there are three entries, me, staff and everyone - me is Read/write, the others are read only and there is a note that says I have custom access but still cannot drag to applications -
    how do I unlock this process

    Hello mbennjr, if you have a problem with the update or with Firefox permissions, the better way is to '''download and install the new version'''.
    1. Download a copy of the latest firefox from http://www.mozilla.org/en-US/firefox/all.html
    2. '''Trash''' the current Firefox application to do a clean install.
    3. Install the version that you have downloaded.
    Do not select to remove your personal data, your profile data is stored elsewhere in the [http://kb.mozillazine.org/Profile_folder_-_Firefox#Mac Firefox Profile Folder], so you won't lose your bookmarks or other personal data.
    see also: [https://support.mozilla.org/en-US/kb/install-firefox-mac?redirectlocale=en-US&redirectslug=Installing+Firefox+on+Mac#os=mac&browser=fx24 Installing Firefox on Mac]
    thank you

  • Best way to archive projects for future use

    I use Adobe Premiere Pro CS4,but this is a more generic question.  I shoot videos that people want to save for a long time.  I burn my projects to DVD's (or Blue-ray discs if the client does not mind the cost).  DVD's can be destroyed, lost, wear out.  What is the best way to preserve these memories?  I know that some people charge the client and use a dedicated external hard drive for each project.  What technique is not too expensive, but will last the longest?
    Thanks,
    Lisa

    OK, I meant to tack this question with my last one, my client wants me to take her 1 hour video and compress it to a format that she can store/watch on her own hard drive.  What format would retain audio and video quality best, and not be enormous and still be able to run on a computer (ie not burned to a DVD or Blu-ray Disc)?
    Second part to this question:
    one of my projects is 5 years old - not done on an external hard drive - which means that I can no longer access the project for conversion purposes.  What choices do I have if I only have a DVD disc to convert to a file that can play/be stored on a computer?
    Thanks

  • Is there a way to create a "read only" inbox in mac mail?

    I am wondering if there is a way to set up a read only inbox...I would like to receive email from a specific address but block or not have the option to send from that address.

    Thanks! I was able to get to the sqlite prompt, but at that prompt I must not be copying/pasting correctly. Here is what I'm getting if you can correct me, perhaps I need to type it in differently? Thanks
    Last login: Tue Jun 10 14:04:28 on console
    Macintosh-3:~ ryanr$ sqlite3 ~/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr
    SQLite version 3.7.13 2012-07-17 17:46:21
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> .mode csv
    sqlite> SELECT zfirstnamenormalized, zlastnamenormalized, zemailnormalized FROM zabcdmailrecent;
    sqlite>
    sqlite> .mode csv SELECT zfirstnamenormalized, zlastnamenormalized, zemailnormalized FROM zabcdmailrecent;
    Error: unknown command or invalid arguments:  "mode". Enter ".help" for help
    sqlite> .mode csv
    sqlite> SELECT zfirstnamenormalized, zlastnamenormalized, zemailnormalized FROM zabcdmailrecent;
    sqlite>
