Cleaning up ACL/Permissions

Hi, in working on an Advanced Leopard server that someone had set up... I'm seeing ACL permissions listed for system level directories and files. To my knowledge, they shouldn't be there. Is this correct: in a normal install, ACLs are not in use here?
In any case, with all the overlapping individual-user-based ACLs used in the general data files, I'd like to clear them all out, if advisable, and start with some new ones based on groups.
Can someone advise as to the best way to clean things up, without harming file access? - Lewis

Hi again.
When setting/deleting acls via the commandline the changes will be reflected in the GUI as it is calling the same underlying tool. You could test this yourself by setting some acls on a test file in the GUI and then listing the acls via the ls -le command in the terminal then run the chmod -N command and repeat the ls -le command.
If you do this with the sharing 'browse' pane of Server Admin open in the background you will see the changes as they happen.
A couple of interesting articles on the subject here and here
Cheers

Similar Messages

  • Which command line to delete all ACL permissions ?

    Hi,
    I would like to clean all old ACL permissions in folders and sub-folders, to put on the main share folder the right ACL's and distribute them.
    It seems it's impossible in Server Admin interface. Which is the command line able to do that ?
    I believe it's something like chmod ???
    Thanks for your response.
    Patrick

    chmod -N is the command to remove ACLs. -R runs recursively, therefore to recursively remove all ACLs from a directory tree:
    sudo chmod -R -N /path/to/dir

  • Clean up messy permissions?

    I'm on 10.6.1 server and have set up 10 shares which are used by 40 users. I've changed permissions to accommodate appropriate access - that works fine. What I'm seeing are remnants of previous settings - old folders that have been deleted, users able to see (but not access) other users' folders for which they have no access or viewing privileges. It seems like it needs a cleanup to purge the residue from the setup process but I have no idea how to do that.
    Got any general cleaning tips?
    thanks

    The easiest way to clean up the permissions is to use chmod.
    Unlock any locked files with chflags...
    sudo chflags -R nouchg /path/to/folder
    Strip away all ACLs like this...
    sudo chmod -R -N /path/to/folder
    Then reapply the correct ACLs with either Server Admin or chmod. Be sure to apply the permissions with propagation (recursively) in either case. For example...
    sudo chmod -R +ai "group:<group name> allow readattr,readextattr,readsecurity,read,execute,list,search,writeattr,writeextattr,delete,write,append,delete_child,add_file,add_subdirectory,file_inherit,directory_inherit" /path/to/folder
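The audit-then-reset workflow that the opening post asks about and this answer spells out, as an added example rather than code from the thread: it parses the ACE lines that ls -le prints, flags explicit per-user and deny entries (the overlapping individual-user ACLs Lewis wants to replace with group entries), and composes the chflags / chmod -N / chmod +ai commands from the answer. The listing, the group name "editors" and the path are constructed for the example; the commands are only executed on macOS and only when dry_run is False, so the audit can be reviewed before anything is stripped.

```python
"""Audit macOS ACLs from `ls -le` output and plan a group-based reset (added example)."""
import platform
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `ls -le` output; the "+" after the mode marks files carrying an ACL.
SAMPLE_LISTING = """\
total 16
drwxrwxr-x+  4 admin  staff   136 Mar  3 10:12 Projects
 0: group:editors allow list,add_file,search,add_subdirectory,readattr,file_inherit,directory_inherit
 1: user:bob allow read,write,execute
 2: user:alice deny delete
-rw-r--r--   1 admin  staff  2048 Mar  3 10:15 notes.txt
-rw-rw-r--+  1 admin  staff  4096 Mar  3 10:20 Q3 plan.doc
 0: user:carol allow read,write
 1: group:editors inherited allow read
"""

# One ACE line: " N: user|group:name [inherited] allow|deny perm,perm,..."
ACE_RE = re.compile(
    r"^\s*\d+: (?P<who>(?:user|group):[^ ]+) (?P<inh>inherited )?(?P<kind>allow|deny) (?P<perms>\S+)$")
# A long-listing line: type + 9 mode chars, then "+" (ACL) or "@" (xattr) or nothing.
MODE_RE = re.compile(r"^[-dl][rwxsStT-]{9}(?P<acl>[+@]?)\s")


@dataclass
class Entry:
    name: str
    has_acl_flag: bool
    aces: list = field(default_factory=list)  # (principal, inherited, "allow"|"deny", [perms])


def parse_ls_le(text):
    """Turn `ls -le` output into Entry objects, attaching ACE lines to the file above them."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and entries:
            entries[-1].aces.append((m["who"], bool(m["inh"]), m["kind"], m["perms"].split(",")))
            continue
        m = MODE_RE.match(line)
        if m:
            # fields: mode links owner group size month day time name; name may contain spaces
            name = line.split(None, 8)[8]
            entries.append(Entry(name, m["acl"] == "+"))
    return entries


def audit(entries):
    """Findings to review before stripping: per-user entries, deny entries, unparsed ACLs."""
    findings = []
    for e in entries:
        if e.has_acl_flag and not e.aces:
            findings.append((e.name, "acl flag set but no entries parsed"))
        for who, inherited, kind, perms in e.aces:
            if kind == "deny":
                findings.append((e.name, f"deny entry for {who}: {','.join(perms)}"))
            if who.startswith("user:") and not inherited:
                findings.append((e.name, f"explicit per-user entry for {who}"))
    return findings


# The permission set from the answer above, as a list so it can be composed into an ACE.
FULL_RW = ["readattr", "readextattr", "readsecurity", "read", "execute", "list", "search",
           "writeattr", "writeextattr", "delete", "write", "append", "delete_child",
           "add_file", "add_subdirectory", "file_inherit", "directory_inherit"]


def plan_reset(path, group, perms=FULL_RW):
    """Compose the three commands from the answer: unlock, strip all ACLs, reapply one group ACE."""
    ace = f"group:{group} allow {','.join(perms)}"
    return [
        ["chflags", "-R", "nouchg", path],
        ["chmod", "-R", "-N", path],
        ["chmod", "-R", "+ai", ace, path],
    ]


def run_plan(path, group, dry_run=True):
    """Return the planned commands; execute them only on macOS and only when asked to."""
    cmds = plan_reset(path, group)
    if dry_run or platform.system() != "Darwin":  # chmod -N / chflags nouchg are macOS-only
        return cmds
    for cmd in cmds:
        subprocess.run(["sudo"] + cmd, check=True)
    return cmds


if __name__ == "__main__":
    entries = parse_ls_le(SAMPLE_LISTING)
    for name, msg in audit(entries):
        print(f"{name}: {msg}")
    for cmd in run_plan("/path/to/folder", "editors"):
        print(" ".join(cmd))
```

To audit a real share, feed the tool the output of ls -leR on the share point instead of the constructed listing; the findings list is what tells you which per-user entries need a group equivalent before the reset, since chmod -N removes deny entries and inheritance flags alike.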

  • Default acl permissions for root and user?

    after running permissions i keep getting acl permissions changed and will repair. Apparently it doesn't. Is there a manual way of resetting to defaults for both root and user.

    Turns out they didn't change themselves, but authentication got out of whack. This post fixed it for me, but I just jogged access on ical and blogs. Not sure which or both is needed, but after I toggled them over and back I was up and running again.
    <SNIP>
    Solution found at http://michaeljin.wordpress.com/2010/01/05/locked-out-of-mac-os-x-server/
    It’s blog update time! Updates have been a little scarce lately, been super busy with getting trophies on PS3
    Anyway, recently encountered the following with a Mac mini server running Snow Leopard Server:
    Despite being able to ARD / Screenshare the Mac mini, I was unable to get any further than the login window. Authentication credentials are obviously valid. No weird access permissions have been set. However, the weird thing was, I can connect to the server via Server Admin tools (from another Mac) and all other services were running without a hitch.
    After much head scratching it turns out to be a sACL (Service Access Control List) issue.
    This thread solved the mystery!
    http://discussions.apple.com/thread.jspa?threadID=1654864
    To save you the trouble, I’ll lay it out here. I cannot take credit for this, but Randall can!
    Open Server Admin on a computer (any), and connect with the local admin to the machine.
    Select the server and authenticate.
    Select Settings, then go to Access. You’ll want to make sure that Login Window and SSH have the local admin account listed if you select the option to “Allow only these users”. For now, I would suggest making sure all services have “Allow all users and groups” selected.
    If (as in my case) it was set to Allow All in the first place, simply toggle the settings – back and forth.
    Save.
    Try logging in again… should be a good one!
    </SNIP>

  • Why can't I change ACL permissions of a volume on mac os x 10.6

    Hello,
    I'm currently working with a Mac OS X 10.6.8 Server with 2x1TB drive installed in RAID configuration (/Volumes/LTRK) and 1x2TB installed as a regular volume (/Volumes/LTRK2/). For both volumes I could set all permissions perfectly, but recently, I cannot change the permissions on the 2TB volume. I have the following current permissions:
    ACL:
    Group of regular division members (read + all descendants)
    Group of ICT co-workers (read/write + all descendants)
    Administrators (read/write + all descendants)
    Everyone (read + all descendants)
    POSIX:
    The admin user account (read/write + this folder)
    The 'staff' group which is automatically there (read/write + this folder)
    Others (read + this folder)
    If I compare to the drive where I can change the permissions and where everything works correctly (the RAID config), the only difference is that the 'Everyone' group permissions are not set to be inherited for the working drive (so only on the volume level). I wanted to check whether this was the source of my problems and tried to change the permissions of the 'Everyone' group. However, as soon as I click Save in Server Admin, it automatically reverts to all descendants.
    The results of the failure to reset the permissions, leads to the fact that I don't have write access anymore with the admin user account (I guess due to counteracting permissions). I also tried to delete all permissions from the volume with "chmod -R -N /Volumes/LTRK2" but this gives me a list of every file on that volume, with the error message: "chmod: Filed to clear ACL on file filename: Invalid argument"
    Does anyone have any suggestions on how to solve this issue?
    Kind regards

    Welcome to iMovie Discussions.
    See my 2nd reply to 'getzcreative', here.

  • Does FCSvr read ACL permissions set in OD?

    We have set up a series of permissions using ACL's within OD. I assumed that FCSvr would pick up these permissions to certain areas of an Xsan. However within FCSvr you can still see media from areas that have been denied to certain users - set up in OD.
    Within FCSvr, I have created further permissions within the permission sets for each user group. But, because these are driven by metadata, it then causes further access problems with any media that is scanned in or comes from a watch folder- as metadata is not inputted straight away for this media. My next thought now is to break the areas in the Xsan down as Devices, and then set permissions to these in Fcsvr admin, but I have read in another forum that there is a bug with this process as it denies access to the wrong areas and can mess up the look of the interface.
    Really, FCSvr should be able to read the ACL's in OD, surely?
    Any advice appreciated.

    Actually, FCSvr always operates as admin. It is as if every user is the admin user when working with the devices of FCSvr. As you noted, the only way to limit permissions in FCSvr are via metadata filtering, traits, and devices.
    You should divvy up your SAN into multiple devices. This used to be a problem, but in v1.1.1 the interface problems related to device permissions have been corrected. You can restrict access and activity device by device, group by group. You can also set metadata during scans and with subscriptions + set asset metadata responses. My file naming convention allows me to have FCSvr automatically fill in six different fields just from creating the asset (assuming my users name their files properly of course, but there's only so much an admin can do).

  • Question about ACL permissions

    I have a situation and i wonder how to set up the permissions to make it work.
    I have a folder (the share point) with ~200 subfolders (called -1000, -2000, -3000, etc etc). In these folders there are tons of pictures.
    I want a group (picturesRW) to be able to Read all files/folders, change name on the files (but not on the folders) and also add new files, but not delete (files or folders). Also not to move folders in to other folders (if that is possible).
    Then i want another group to be able to just read everything, but that's the easy part.
    Hoping there is someone that knows how to set this up. Have tried with allowing "Write attributes" but they still can't rename files..
    Cheers!

    Hi
    A good place to start in my opinion in understanding ACLs is Gerrit de Witt's excellent series of posts:
    http://discussions.apple.com/thread.jspa?messageID=1535247
    If you have not already done so download the Admin Manuals:
    http://manuals.info.apple.com/en/UserManagement_Adminv10.4.pdf
    http://images.apple.com/server/macosx/docs/UserManagementv10.5.mnl.pdf
    Bear in mind that on 10.4 Server you have to enable ACLs on a volume, followed by a restart, otherwise the ACLs don't take and all that is working is the standard POSIX permissions. 10.5 Server has ACLs enabled by default. If you don't want them you have to use terminal to disable them. You can't have ACLs without standard POSIX. Both permissions models apply and are accumulative. You can use standard POSIX permissions without ACLs. Be careful when using both models to define an access policy as a deny using both models can easily lock you out of the server. Use WGM when applying permissions. Don't be tempted to do it using the Finder. Defining permissions using terminal - in my opinion - is better but it is not to everyone's taste. ACLs should take precedence over standard POSIX permissions.
    Hope this helps, Tony

  • Transport KM ACL permissions without content

    Hallo
    Is it possible to transport ACL KM permissions without transporting the content in the KM folders?
    As far as I can see, it is only possible to transport the ACL permission if I select the import mode “Delete Conflicting Data First”. Since our solution is in production, this is not an option.
    I have a situation where I need to change a significant number of KM folder permissions and I would like to avoid doing this manually in all 3 portal environments (development, test and production).
    I have looked at the “Propagation of ACLs” report but I can not define a single template folder – I have around 40 different settings, which have to be applied in 3 different repositories.
    We are on NW 7, SP16.
    Thanks in advance,
    Henrik Andersen

    Hi Henrik,
    I have the exact same query, although I envy you as you only have 40 setting  (I have 30 times 160).
    The reply from Julian is correct altough needs custom development.
    Hopefully SAP will introduce a ACL Export / Import function soon... They already have something similair for assinging roles as you can export assignments to text and import them again OR like the PCD objects XML import/export...
    Only thing I can do is share my current workaround I did (note this action needs to be done in planned downtime as the content will be unavailible for a while).
    on the source system
    1. run KM toolbox > Report >  Mass copy with ACL to a temp repository
    (only copy the elements that where changed)
    2. Transport this temp copy to the target system
    on the target system:
    3. MOVE your content from the actual location to the temp structure
    result is old content in new structure with new permissions
    4. REMOVE the old structure
    5. MOVE the complete structure and content from the temp location back to the original location
    Please do a complete backup and test for that you do it for real as all systems are different and cannot be commpared.
    But again I hope that sombody has a real solution (I hope SAP in SP17 or so)
    Cheers,
    Benjamin Houttuin

  • UME: Regular Permissions - ACL Permissions

    Gentlemen,
    After reading the recently published SDN article about WD security (Aug 31, 2004 -- https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/web dynpro security.pdf), one question arose for me: what is the connection (if any) between regular UME permissions (in fact, std. java permissions) and UME ACL permissions?
    Any thoughts?
    VS

    [ -closed with no resolution- ]

  • ACL permissions

    Here we go again.
    I had to reinstall system without migration.
    Now, I have a host of folders which deny permissions.
    I tried to apply this solution :
    http://discussions.apple.com/thread.jspa?messageID=7239576&#7239576
    But in console I have a lot of permissions still denied.
    See below :
    Last login: Wed Sep 16 16:42:15 on console
    noname:~ quantx$ chmod -R -N ~
    chmod: /Users/quantx/.Trash/Dalaï Lama: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/46DCAD50-1D12-4287-A2A6-7828420EAD4A.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/4AD2C283-256C-43AE-82C0-6E91F146DDF6.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/C33B5E8D-DD71-4CEC-98F0-6174615CD465.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/EB53AFDF-D3D9-4EAF-AD6E-071F48AE277D.calendar: Permission denied
    chmod: /Users/quantx/Documents/Édition/Traductions 2009/Toucan/IlCapoDeiCapi PDF: Permission denied
    chmod: /Users/quantx/Documents/Mac + divers/Carnet d’adresses 2009-06-02.abbu: Permission denied
    chmod: /Users/quantx/Documents/Mac + divers/permajetremote_profiling_targets,_instructions_&_orderform: Permission denied
    chmod: /Users/quantx/Documents/Stampes:Prudhomme: Permission denied
    noname:~ quantx$ chmod -R -N ~
    chmod: /Users/quantx/.Trash/Dalaï Lama: Permission denied
    chmod: Failed to clear ACL on file thumbs: No such file or directory
    chmod: /Users/quantx/.Trash/iWeb.app/Contents/Resources/Themes/Black.webtheme/English. lproj/Podcast.webtemplate/thumbs: No such file or directory
    chmod: Failed to clear ACL on file thumbs: No such file or directory
    chmod: Failed to clear ACL on file Welcome.webtemplate: No such file or directory
    chmod: /Users/quantx/.Trash/iWeb.app/Contents/Resources/Themes/Black.webtheme/English. lproj/Welcome.webtemplate: No such file or directory
    chmod: Failed to clear ACL on file Welcome.webtemplate: No such file or directory
    chmod: Failed to clear ACL on file French.lproj: No such file or directory
    chmod: /Users/quantx/.Trash/iWeb.app/Contents/Resources/Themes/Black.webtheme/French.l proj: No such file or directory
    chmod: Failed to clear ACL on file French.lproj: No such file or directory
    chmod: Failed to clear ACL on file Cloud 9.webtheme: No such file or directory
    chmod: /Users/quantx/.Trash/iWeb.app/Contents/Resources/Themes/Cloud 9.webtheme: No such file or directory
    chmod: Failed to clear ACL on file Cloud 9.webtheme: No such file or directory
    chmod: Failed to clear ACL on file 06420034-1.JPG: No such file or directory
    chmod: Failed to clear ACL on file 06420034-2.JPG: No such file or directory
    chmod: Failed to clear ACL on file 06420035-1.JPG: No such file or directory
    chmod: Failed to clear ACL on file 06420035-2.JPG: No such file or directory
    chmod: Failed to clear ACL on file 06420036-1.JPG: No such file or directory
    chmod: Failed to clear ACL on file 06420036-2.JPG: No such file or directory
    chmod: Failed to clear ACL on file 06420037-1.JPG: No such file or directory
    chmod: Failed to clear ACL on file 06420037-2.JPG: No such file or directory
    chmod: Failed to clear ACL on file 0643: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Pictures/2006/M7 - Août/0643: No such file or directory
    chmod: Failed to clear ACL on file 0643: No such file or directory
    chmod: Failed to clear ACL on file 0644: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Pictures/2006/M7 - Août/0644: No such file or directory
    chmod: Failed to clear ACL on file 0644: No such file or directory
    chmod: Failed to clear ACL on file 0645: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Pictures/2006/M7 - Août/0645: No such file or directory
    chmod: Failed to clear ACL on file 0645: No such file or directory
    chmod: Failed to clear ACL on file 0646: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Pictures/2006/M7 - Août/0646: No such file or directory
    chmod: Failed to clear ACL on file 0646: No such file or directory
    chmod: Failed to clear ACL on file 2007: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Pictures/2007: No such file or directory
    chmod: Failed to clear ACL on file 2007: No such file or directory
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/46DCAD50-1D12-4287-A2A6-7828420EAD4A.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/4AD2C283-256C-43AE-82C0-6E91F146DDF6.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/C33B5E8D-DD71-4CEC-98F0-6174615CD465.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/EB53AFDF-D3D9-4EAF-AD6E-071F48AE277D.calendar: Permission denied
    chmod: /Users/quantx/Documents/Édition/Traductions 2009/Toucan/IlCapoDeiCapi PDF: Permission denied
    chmod: /Users/quantx/Documents/Mac + divers/Carnet d’adresses 2009-06-02.abbu: Permission denied
    chmod: /Users/quantx/Documents/Mac + divers/permajetremote_profiling_targets,_instructions_&_orderform: Permission denied
    chmod: /Users/quantx/Documents/Stampes:Prudhomme: Permission denied
    noname:~ quantx$ chmod -R -N ~
    chmod: Failed to clear ACL on file Contrat-Proximus015.jpg: No such file or directory
    chmod: Failed to clear ACL on file Voiture: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Documents/Divers/Scans/Voiture: No such file or directory
    chmod: Failed to clear ACL on file Voiture: No such file or directory
    chmod: Failed to clear ACL on file Vœux 2005-2007.mbox: No such file or directory
    chmod: Failed to clear ACL on file dogpossum old sew & sew Archives.html: No such file or directory
    chmod: Failed to clear ACL on file Données utilisateurs Microsoft: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Documents/Données utilisateurs Microsoft: No such file or directory
    chmod: Failed to clear ACL on file Données utilisateurs Microsoft: No such file or directory
    chmod: Failed to clear ACL on file eBay:Price:UPS: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Documents/eBay:Price:UPS: No such file or directory
    chmod: Failed to clear ACL on file eBay:Price:UPS: No such file or directory
    chmod: Failed to clear ACL on file Entourage Identités + MBOX 08:09: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Documents/Entourage Identités + MBOX 08:09: No such file or directory
    chmod: Failed to clear ACL on file Entourage Identités + MBOX 08:09: No such file or directory
    chmod: Failed to clear ACL on file Entourage.ics: No such file or directory
    chmod: Failed to clear ACL on file Édition: No such file or directory
    chmod: /Users/quantx/Desktop/sthan/Documents/Édition: No such file or directory
    chmod: Failed to clear ACL on file Édition: No such file or directory
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/46DCAD50-1D12-4287-A2A6-7828420EAD4A.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/4AD2C283-256C-43AE-82C0-6E91F146DDF6.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/C33B5E8D-DD71-4CEC-98F0-6174615CD465.calendar: Permission denied
    chmod: /Users/quantx/Documents/2009-06-02 iCal.icbu/Calendars/EB53AFDF-D3D9-4EAF-AD6E-071F48AE277D.calendar: Permission denied
    chmod: /Users/quantx/Documents/Édition/Traductions 2009/Toucan/IlCapoDeiCapi PDF: Permission denied
    chmod: /Users/quantx/Documents/Mac + divers/Carnet d’adresses 2009-06-02.abbu: Permission denied
    chmod: /Users/quantx/Documents/Mac + divers/permajetremote_profiling_targets,_instructions_&_orderform: Permission denied
    chmod: /Users/quantx/Documents/Stampes:Prudhomme: Permission denied
    noname:~ quantx$
    Grrrrrrrr.

    Tons and tons of these in fact, regarding Safari, Mail, Utilities, etc. you name it :
    « Applications/Mail.app/Contents/Resources/Spanish.lproj/ExportAccessoryView.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FeedbackCollector.nib/de signable.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FeedbackCollector.nib/ke yedobjects.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FeedbackCollector.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FindPanel.nib/designable .nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FindPanel.nib/keyedobjec ts.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FindPanel.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FindPanel.strings ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FontsAndColorsPreference s.nib/designable.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FontsAndColorsPreference s.nib/keyedobjects.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/FontsAndColorsPreference s.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/HyperlinkPanel.nib/desig nable.nib ».
    ACL trouvé mais non prétendu sur « Applications/Mail.app/Contents/Resources/Spanish.lproj/HyperlinkPanel.nib/keyed objects.nib ».
    ACL trouvé mais non prétendu sur

  • Extended ACL permit ip and allowed ports

    Hi everyone
    Need to confirm if we have extended ACL with object group below
    access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
    will above ACL allow all the ports  on the destination object group?
    Thanks
    mahesh

    And to illustrate the situation above
    Situation 1 - Only allow rule exists on the ACL
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    Allow ALL TCP/UDP source and destination ports
    Allow those from the source networks of SOURCE to the destination networks of DESTINATION
    Situation 2 - Deny rules exist before the allowing rule
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
    access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
    It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
    It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
    The key thing to notice of course would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
    So host 10.10.10.10 can't communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
    In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT the rest of the TCP/UDP traffic would be allowed by the rule using the "object-group"
    - Jouni
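The first-match evaluation Jouni walks through, as an added example that is not Cisco tooling or code from the thread: it parses the object-group and access-list lines quoted in the answer into Python objects and evaluates flows the way the firewall does (top to bottom, first matching line wins, implicit deny at the end). The configuration text is the answer's own, including the optional "extended" keyword form from the question; the sample flows are constructed to hit each line and the implicit deny.

```python
"""First-match evaluation of the ASA-style ACL from the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Situation 2 from the answer, verbatim; Situation 1 is the same ACL without its two deny lines.
CONFIG = """\
object-group network SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
"""


@dataclass
class Ace:
    action: str            # permit | deny
    proto: str             # ip | tcp | udp | icmp ("ip" matches every protocol)
    src: list              # list of ip_network
    dst: list
    dport: Optional[int]   # destination port from "eq N"; None means any port


def _parse_spec(tokens, i, groups):
    """Consume one address spec at tokens[i]; return (networks, index after it)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)], i + 2  # "addr mask"


def parse_config(text):
    """Return ({group name: [networks]}, {acl name: [Ace, ...]}) from the config lines."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":             # object-group network NAME
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":         # network-object ADDR MASK
            current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "access-list":
            name, rest = tok[1], tok[2:]
            if rest[0] == "extended":            # ASA form: access-list NAME extended ...
                rest = rest[1:]
            action, proto = rest[0], rest[1]
            src, i = _parse_spec(rest, 2, groups)
            dst, i = _parse_spec(rest, i, groups)
            dport = int(rest[i + 1]) if i < len(rest) and rest[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return groups, acls


def first_match(acl, proto, src, dst, dport=None):
    """Return (verdict, line): line is 1-based; None marks the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if any(s in net for net in ace.src) and any(d in net for net in ace.dst):
            return ace.action, n
    return "deny", None  # every ACL ends with an implicit deny


if __name__ == "__main__":
    _, acls = parse_config(CONFIG)
    acl = acls["SOURCE-IN"]
    # Constructed flows: (proto, src, dst, dst port)
    for flow in [("tcp", "10.10.10.10", "10.10.100.100", 443),
                 ("tcp", "10.10.10.10", "10.10.200.200", 80),
                 ("udp", "10.10.10.10", "10.10.200.200", 80),
                 ("tcp", "10.10.20.5", "10.10.100.5", 22),
                 ("tcp", "10.10.30.5", "10.10.100.5", 22)]:
        print(flow, "->", first_match(acl, *flow))
        print(flow, "-> (Situation 1)", first_match(acl[2:], *flow))
```

Running the deny lines first versus dropping them (acl[2:]) reproduces the two situations in the answer: with only the permit line, 10.10.10.10 reaches 10.10.100.100 on every port; with the deny lines in place it reaches nothing there, and only TCP/80 to 10.10.200.200 is blocked while UDP/80 and other TCP ports pass. Hosts outside SOURCE or DESTINATION fall through to the implicit deny.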

  • Sun Filer - can you automate ACL permissions for all shares?

    Does the Sun Filer have an automation tool that will allow me to change all share permissions?
    As I'm a windows admin, does the filer have a powershell snapin?
    I havent been able to find much on the internets in regards to this topic.
    Thanks

    So... chmod -R on its own doesn't do anything, obviously. chmod +a returns "Failed to set ACL on file 'Tests': Operation not supported." Sure enough, the volume has "ignore ownership" enabled. I'm pretty sure I don't have ACLs running on that volume.
    1. Does "ignore ownership" mean ACLs get turned off?
    2. Other than that little switch in Finder, how do I control the ACLs volume-wide? I have neither fsaclctl nor fsctl on that server. Do I need to copy fsaclctl from a Leopard client?
    3. The deeper question is, do I want to enable ACLs? All the employees store all their files on that volume (it's a small company); will ACLs wreak havoc? Aside from official documentation, you sometimes get the feeling that ACLs are broken altogether.
    As for a 3rd party content management system, I need file-level access for users. A tool that manages the file storage, controls and audits access for end users, and avoids filename collisions and related issues sounds to me like AFP and Mac OSX Server.... Is there any 3rd party tool that can do that and supports things like resource forks?

  • Powershell & ACL permissions

    So, not sure if this is actually a PowerShell issue or a simple lack of understanding of permissions on my part. So, when you look at permissions manually you have some base permissions; Modify, Read & Execute, Read, Write, etc. You also have Special Permissions, like Full Control and Read Attributes.
    I have a script that is pushing out changed permissions, and
    Get-ACL $Target | Format-List
    gives me what looks to be correct permissions. But if, for example, I do
    $ACRights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
    I would expect to see Read and Write in the basic permissions via the UI, and what I get is Special permissions only, and some that I didn't expect, but that are related, like Read Attributes. So, am I actually getting the results I should, and because I am applying this via ACL it's all Special permissions? Or is there some other mechanism for setting simple Read & Write permissions?
    Also, my need here is to make just a few files and folders available to users in ProgramData in an office where IT has generally locked down ProgramData (which then breaks functionality of some Autodesk products this year). Autodesk suggested manually setting the required permissions for All Users on the files and folders, but my sense is that using Authenticated Users would be better, because it limits the permissions a bit. Or is the Authenticated Users group an old concept, and there is a better practice here?
    I wouldn't be surprised if the same technique needs to be used on some Program Files folders, as Autodesk basically works from the assumption that everyone is a Local Admin, which is just insanity in my book and I would rather target specific files for access rather than throwing the gates open as Autodesk wants.
    Thanks!
    Gordon

    It's probably showing up as "Special" because the access control entry isn't set to apply to sub folders and files. Container objects (folders, registry keys, AD objects, and WMI namespaces) need their ACEs to apply to their children as well in order for them to not show up as "special". Here's how to create an ACE that gives Read and Write permissions that apply to a folder, its sub folders (ContainerInherit), and sub files (ObjectInherit):
    New-Object System.Security.AccessControl.FileSystemAccessRule (
        "Authenticated Users",
        "Read, Write",                     # Access enumeration string/numeric value
        "ContainerInherit, ObjectInherit", # InheritanceFlags (apply to sub folders and files)
        "None",                            # PropagationFlags (None simply means that this will apply to the object)
        "Allow"                            # ACE type
    )
    The reason you're seeing more rights than you expect is because "Read" is actually multiple specific access rights being combined (specifically list directory, read extended attributes, read attributes, and read permissions). To see that it translates to more than one right, you can convert it to binary:
    [convert]::ToString([System.Security.AccessControl.FileSystemRights]::Read.value__, 2)
    Notice that more than one bit is set. If you want to see what each of those bits means, you can use this function:
    function TranslateRights {
        param(
            $Rights = "Read",
            [Type] $Enumeration = [System.Security.AccessControl.FileSystemRights],
            [switch] $ListAll
        )
        # Files/folders use the same enumeration, and the numeric access masks can mean slightly different things, e.g.,
        # bit 0 set means list directory for a folder or read data for a file. For that reason, it helps to have a collection
        # of the different meanings, keyed by the single-bit value:
        $GroupedRights = @{}
        [enum]::GetNames($Enumeration) | ForEach-Object {
            $IntValue = [int] ($_ -as $Enumeration)
            # Only interested in numbers that are powers of 2 (single bits); composite values like Read are skipped
            if ($IntValue -band ($IntValue - 1)) { return }
            if ($GroupedRights.ContainsKey($IntValue)) {
                $GroupedRights[$IntValue] += $_
            }
            else {
                $GroupedRights[$IntValue] = @($_)
            }
        }
        # Walk the bits in order and report whether each one is present in $Rights
        $GroupedRights.GetEnumerator() | sort Name | ForEach-Object {
            if ($_.Name -band ($Rights -as $Enumeration)) {
                $Granted = $true
            }
            else {
                $Granted = $false
            }
            $RightsString = $_.Value -join " / "
            if ($ListAll) {
                [PSCustomObject] @{
                    Bit     = [System.Math]::Log($_.Name, 2)
                    Rights  = $RightsString
                    Granted = $Granted
                }
            }
            elseif ($Granted) {
                $RightsString
            }
        }
    }
    And you could use it like this:
    TranslateRights -Rights Modify
    TranslateRights -Rights Modify -ListAll
    TranslateRights -Rights ReadKey -Enumeration ([System.Security.AccessControl.RegistryRights]) -ListAll

  • Simple ACL permissions gone ugly

    Fellows, I have a share on my network, where 2 different groups have to have access to it. The Principal group has Full Control thru ACL to this folder, BUT the Employees groups has access to it, but they can not delete anything that they write nor anything that's in this shared folder (named Shared Files).
    The way I have set it up is thru ACL's and that's where the Principal's group has Full Control to this folder (this actually it's easy and it works), and the Employees group has (Custom ACL entries, where they DO NOT have Administration, they DO have Read, DO have Write but DO NOT have Delete, nor Delete Subfolders and Files turned on from under the Write ACE).
    When the members from Employees access the shared folder, they only have Read access, they can not copy, create, change names on this folder, even though those privileges are under the Custom access to that ACL entry.
    If it's too confusing I could make it more clear.
    In the meantime how can I have the members from Employees read, write, BUT NOT delete anything from the shared folder.
    Any help will be greatly appreciated.
    Thanks.

    What I have found to work is this:
    Set up your POSIX first to the BARE MINIMUM. Then set your ACL's to give the actual permissions that you need utilizing groups as opposed to individuals. Attempt to set up permissions with the least amount of DENY's as possible, if any at all.
    In my particular setup, I have a share with several child folders that require differing permissions based on the group accessing it.
    *The parent share has the following permissions:*
    +*Note: These are the base permissions. Once set, I propagated all ACLs & All POSIX permissions.+
    ACL
    Administrators - Allow - Full Control - This folder
    Staff - Allow - Custom - Child folders, child files, all descendants
    Admin - NONE
    Read - ALL
    Write - ALL but Delete & Delete Sub-folders & files
    Staff - Deny - Custom - This folder, child folders, child files, all descendants
    Write - Delete & Delete Sub-folders & files
    POSIX
    Admin - Read & Write - This folder
    Staff - Read - This folder
    Others - Read - This Folder
    *For a write only child folder for everyone except admins:*
    +*Note that "staff" can not see the contents of this folder, they can only drop files/folders on top of this folder to write to it.+
    ACL
    Administrators - All - Full Control - This folder
    POSIX
    Admin - Read & Write - This folder
    Staff - Write Only - This folder
    Others - Write Only - This folder
    The only issue I have found with my current setup is that Mac clients can not write to any of the child folders without allowing 'Delete Sub-folders & files', regardless of whether I change the POSIX for Staff & Others to 'Read & Write'. Windows clients work perfectly. Go figure.. lol.
    HTH,
    lnail

  • Crazy ACL permissions issues!

    I have Server 10.5.2 setup on a G5 dual 2.0. I have a share point which is an entire drive. At the root level I have 2 groups with read write access and 2 individuals with read write privs. Posix is set as root for owner read write, admin as group read write, and world as read. Inherit is checked as well.
    Problem is that it does not work correctly on certain files when saving from photoshop it will say that the file is locked. I can then do a save as to the desktop and copy it over manually to the server, replacing the other file, with no error. I know this might be a photoshop issue but would like to know if anyone else has had problems with this. It almost seems as if Photoshop does not honor ACL's.

    Hi
    You might have better luck in creating a folder within the drive and sharing that instead of the whole drive.
    The other guys are correct though about using DTP packages (especially Quark - although I think this has been addressed with Quark 7) and image editing applications across a network. I have not seen the kind of ACL issues you describe when the share point has been a folder rather than the drive. Can't you use standard POSIX for those share-points only and use ACLs for the others?
    I think Adobe have said that CS3 only is capable of working across a network. Anything less than that will give you problems.
    Hope this helps, Tony
