Incorrect permissions set by new files

We have a server running Leopard server.
We've managed to get everything running smoothly - however we have an issue with permissions and users.
When one of the users creates a folder or file - it gives them read & write access - but the group and "everyone" is set to read only.
Obviously this causes problems when other users want to access the files.
We're using pure POSIX - not ACL.
James

I had a very similar problem with a 10.5.2 clean install.
Seems I had to disable the ACL's using chmod then re-enable by using your method described.
Now the folder and inherit features are working as intended (apart from the fact that if you were to dare use Finder Get Info it still tells you owner r/w, group r/o and others r/o), which is rubbish as you can now save to the folder and edit files. N.B. Ignore Finder Get Info; it's broken in OSX 10.5.2 server at least.
I still feel this is a struggle every time we get a new version of OSX Server and it's not the user friendly feel we choose Apple for.
To struggle to get a folder that is not implicitly locked to other users is wrong in my honest opinion and Apple should be addressing this.
I would hazard a guess a huge array of people want very simple settings for their servers that basically are.
I want to have a folder and share this, all users are able to create folders within this and allow other users access and the ability to modify.
and then
If I want them not to do so save to a folder we set with restrictions..
The reality in a clean install goes more like.
I set permissions to do as above, the OS ignores these settings and hangs on for dear life making the user who created the folder the demigod and therefore no other users can modify regardless of the kind request in the settings to do so.
Here then comes the fun, the people who chose Apple server probably did so because they were not too happy going dos style into terminal... 2008 ahh yes command line lives on (c'mon let go no need for this)
The good advice we get from an excellent Guru is to go to the terminal and use chmod (This I guess has a fair majority of these poor souls shrinking into their boots) I am more than happy doing this but I assure you many out there find this as easy as they would servicing a modern engine in their car.
In short thank god you can tell people what Apple seem incapable of doing and have been that way for a long time...

Similar Messages

  • File Sharing Permissions Problem When NEW Files Created

    My wife & I have a home office network setup for our business, and are having trouble with shared files over the network. We're both on Macs, and all of our client files reside on an internal hard drive in my Mac Pro. I've set her up as a "Sharing Only" user on my computer (which matches the username & password of her account on her iMac), and have properly setup file sharing in both the System Preferences, and in the directory itself that we want shared. I've also applied the permissions to all files & folders below the main folder, and she can view, open and save whatever she needs and it works great.
    *Here's where the problem comes in...* If either of us create a NEW file or folder, the other person doesn't have WRITE access to it (we can browse and open it fine). The second I go to update a file she created, it won't let me over-write it, and I have to go into the permissions for that specific file and give myself Read/Write access. I've experimented with "Groups", and assigned both of us a special group, and applied that group access to that directory, but it doesn't make any difference when a NEW file or folder is created - it doesn't copy the parent directory permissions to itself, it makes one of us the owner, and nobody else has access.
    Is there any way around this? We're both constantly creating new files, and it really hampers our workflow to have to keep re-applying file permissions every time one of us creates something new. Ideally, any new files created within that main client folder would automatically have the same permissions as the parent directory. Any help would be greatly appreciated! Thanks!!

    Here's how to do this with Access Control Lists.
    1) Go to System Preferences -> Accounts. Unlock the padlock. Click the + button. Make a new group. Call this group "sharing" for the purposes of this exercise. Add the users you want to the group.
    2) Make a new empty folder in /Users/Shared. Call it "sharefolder".
    3) Log in to an admin account and paste all three of these lines at once into Terminal:
    sudo chmod +a "sharing allow delete,chown,list,search,add_file,\
    add_subdirectory,delete_child,file_inherit,directory_inherit" \
    /Users/Shared/sharefolder
    4) From now on, any files you create or copy to the sharefolder or to any of its subfolders will inherit read+write permission for all users in the group. If you have any existing files that you want to move into the sharefolder, a simple move by drag & drop won't cause the permissions to propagate. You need to hold down the option key while dragging them in. This will copy them over, ensuring that the ACL permission is properly inherited.
    One other caveat: Files created by a small number of OS X apps won't inherit the permissions properly if saved directly into the ACL folder hierarchy. TextEdit is one such app. Save TextEdit files in a temporary location first, and then copy them in. Then they will have the correct permissions.

  • Is default new file privilege '700 OK?

    In my new Mountain Lion installation I noticed that new files were created with privileges set to:
    Me (owner):full access
    staff (group): read only
    everyone: read only
    IOW - '744 in octal
    Being a Tiger dinosaur up to now, that didn't make me feel real comfortable, so I looked around and found a pretty recent (Feb 2012) source from UC Davis that recommends setting the new file defaults to:
    owner: full access
    group: no access
    everyone: no access
    I'd like to get a blessing from someone with a lot of experience as to whether or not it's OK to set new file privileges as recommended and whether the method recommended in the cited article is the right way to do it.

    Actually, I have 3 accounts, one admin acct and two standard accounts for myself and my wife.  I established the separate admin account primarily to be the installer of apps, per security concerns that I inherited from my early Tiger days (and may not be necessary anymore).
    I know that the privilege settings for the top-level subfolders of the home folder generally act as locked gates to all but the owner for access to what's inside each of them.  But, I wasn't sure if someone might be able to access a resource inside such a subfolder if (1) the privilege settings of the resource allow it ('644 for example) (2) the access request provides the full path to the resource.
    So I did some experiments with Finder and also with Terminal ... and discovered that at least my simple straight-forward attempts to access a file by its full path failed.  I'm no UNIX maven, so my Terminal experiments didn't prove there was no way for a more knowledgeable non-admin to go around a blocking folder ... ergo I sent out this inquiry.
    If there were a way for a non-admin user to circumvent the privilege blocks in the primary home sub-folders (by giving the full path) ... I can imagine a scenario where one of our standard accounts is inadvertently infected by malware, which would exploit the vulnerability of unprotected files lying inside a protected folder.
    It sounds as if you're telling me that to your knowledge this is not possible.

  • Read-only access permissions for new files/folders?

    System:
    Clean Install on new intel Xserve
    10.4.8 Server w/ Open Directory
    Windows clients can read/write completely fine...
    Clients connecting using AFP (whether Standard or Kerberos authentication) can access files, but when new files/folders are created on the server, they register as full permissions for the user who created them, but not for the rest of the group.
    The share(s) in question are set using POSIX from WGM: Full access for owner/group/everyone (changed it to this thinking it would help, but it does not). Of course, no one can make changes to a newly-created/deposited files/folders, which is just plain silly.
    I can chmod the permissions recursively from a script (which fixes the problem, of course) on a regular basis so that it's not (as much of) an issue, but there is still a 5-minute lag for the script to kick in, since we don't want to bombard the server with chmod requests every minute....which is unnecessary in the first place!
    I have plenty of other setups which are identical but have no such issue...
    Any reason why POSIX permissions on the share are being ignored from every user account?
    Thanks,
    k

    "That's default posix behaviour no matter what access permissions you set on the sharepoint."
    I'm afraid this is dead wrong. What matters most is how you set permissions on the share, not if you've chosen to inherit vs. using POSIX. POSIX is still used in inherit functions, though you can use ACL's to override them. In this case, ACL's are not being used on those shares (though we tried it).
    After all, why would Apple (let alone anyone else) even offer the ability to change POSIX permissions on a share if it didn't have any effect? That would be somewhat contradictory in nature.
    Like I said before, I have several other installations which are identically setup that have no such issues.
    As for Windows, it is also not set to inherit permissions; we're setting those explicitly. And they work fine.
    Any other ideas?
    Thanks,
    k

  • New files and folders on a Linux client mounting a Windows 2012 Server for NFS share do not inherit Owner and Group when SetGID bit set

    Problem statement
    When I mount a Windows NFS service file share using UUUA and set the Owner and Group, and set the SetGID bit on the parent folder in a hierarchy. New Files and folders inside and underneath the parent folder do not inherit the Owner and Group permissions of the parent.
    I am given to understand from this Microsoft KnowledgeBase article (http://support.microsoft.com/kb/951716/en-gb) the problem is due to the Windows implementation of NFS Services not supporting the Solaris SystemV or BSD grpid "Semantics"
    However the article says the same functionality can be achieved by using ACE Inheritance in conjunction with changing the Registry setting for "KeepInheritance" to enable Inheritance propagation of the Permissions by the Windows NFS Services.
    1. The Precise location of the "KeepInheritance" DWORD key appears to have "moved" in Windows Server 2012 from a Services path to a Software path, is this documented somewhere? And after enabling it, (or creating it in the previous location) the feature seems non-functional. Is there a method to file a Bug with Microsoft for this Feature?
    2. All of the references on demonstrating how to set an ACE to achieve the same result "currently" either lead to broken links on Microsoft technical websites, or are not explicit they are vague or circumreferential. There are no plain Examples. Can an Example be provided?
    3. Is UUUA compatible with the method of setting ACE to achieve this result, or must the Linux client mount be "Mapped" using an Authentication source. And could that be with the new Flat File passwd and group files in c:\windows\system32\drivers\etc and is there an Example available.
    Scenario:
    Windows Server 2012 Standard
    File Server (Role)
    +- Server for NFS (Role) << -- installed
    General --
    Folder path: F:\Shares\raid-6-array
    Remote path: fs4:/raid-6-array
    Protocol: NFS
    Authentication --
    No server authentication
    +- No server authentication (AUTH_SYS)
    ++- Enable unmapped user access
    +++- Allow unmapped user access by UID/GID
    Share Permissions --
    Name: linux_nfs_client.host.edu
    Permissions: Read/Write
    Root Access: Allowed
    Encoding: ANSI
    NTFS Permissions --
    Type: Allow
    Principal: BUILTIN\Administrators
    Access: Full Control
    Applies to: This folder only
    Type: Allow
    Principal: NT AUTHORITY\SYSTEM
    Access: Full Control
    Applies to: This folder only
    -- John Willis, Facebook: John-Willis, Skype: john.willis7416

    I'm making some "major" progress on this problem.
    1. Apparently the "semantics" issue to honor SGID or grpid in NFS on the server side or the client side has been debated for some time. It also existed as of 2009 between Solaris nfs server and Linux nfs clients. The Linux community defaulted to declaring it a "Server" side issue to avoid "Race" conditions between simultaneous access users and the local file system daemons. The client would have to "check" for the SGID and reformulate its CREATE request to specify the Secondary group it would have to "notice" by which time it could have changed on the server. SUN declined to fix it.. even though there were reports it did not behave the same between nfs3 vs nfs4 daemons.. which might be because nfs4 servers have local ACL or ACE entries to process.. and a new local/nfs "inheritance" scheme to worry about honoring.. that could place it in conflict with remote access.. and push the responsibility "outwards" to the nfs client.. introducing a race condition, necessitating "locking" semantics.
    This article covers that discovery and no resolution - http://thr3ads.net/zfs-discuss/2009/10/569334-CR6894234-improved-sgid-directory-compatibility-with-non-Solaris-NFS-clients
    2. A much Older Microsoft Knowledge Based article had explicit examples of using Windows ACEs and Inheritance to "mitigate" the issue.. basically the nfs client "cannot" update an ACE to make it "Inheritable" [-but-] a Windows side Admin or Windows User [-can-] update or promote an existing ACE to "Inheritable"
    Here are the pertinent statements -
    "In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares."
    "Note About the Permissions That Are Set by NFS Clients
    The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client will only apply to that file or folder, so the resulting ACEs created by an NFS client will not have inheritance set."
    "So
    If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from the Windows NFS server because the permissions that are set by NFS clients only apply to the folder itself."
    http://support.microsoft.com/default.aspx?scid=kb;en-us;321049
    3. I have set up a Windows 2008r2 NFS server and mounted it with a Redhat Enterprise Linux 5 release 10 x86_64 server [Oct 31, 2013] and so far this does appear to be the case.
    4. In order to mount and then switch user to a non-root user to create subdirectories and files, I had to mount the NFS share (after enabling Anonymous AUTH_SYS mapping) this is not a good thing, but it was because I have been using UUUA - Unmapped Unix User Access Mapping, which makes no attempt to "map" a Unix UID/GID set by the NFS client to a Windows User account.
    To verify the Inheritance of additional ACEs on new subdirectories and files created by a non-root Unix user, on the Windows NFS server I used the right click properties, security tab context menu, then Advanced to list all the ACEs and looked at the far Column reflecting if it applied to [This folder only, or This folder and Subdirectories, or This folder and subdirectories and files]
    5. All new Subdirectories and files created by the non-root user had a [Non-Inheritance] ACE created for them.
    6. I turned a [Non-Inheritance] ACE into an [Inheritance] ACE by selecting it then clicking [Edit] and using the Drop down to select [This folder, subdirs and files] then I went back to the NFS client and created more subdirs and files. Then back to the Windows NFS server and checked the new subdirs and folders and they did Inherit the Windows NFS server ACE! - However the UID/GID of the subdirs and folders remained unchanged, they did not reflect the new "Effective" ownership or group membership.
    7. I "believe" because I was using UUUA and working "behind" the UID/GID presentation layer for the NFS client, it did not update that presentation layer. It might do that "if" I were using a Mapping mechanism and mapped UID/GID to Windows User SIDs and Group SIDs. Windows 2008r2 no longer has a "simple" Mapping server, it does not accept flat text files and requires a Schema extension to Active Directory just to MAP a windows account to a UID/GID.. a lot of overhead. Windows Server 2012 accepts flat text files like /etc/passwd and /etc/group to perform this function and is next on my list of things to see if that will update the UID/GID based on the Windows ACE entries. Since the Local ACE take precedence "over" Inherited ACEs there could be a problem. The Inheritance appears to be intended [only] to retain Administrative rights over user created subdirs and files by adding an additional ACE at the time of creation.
    8. I did verify from the NFS client side in Linux that "Even though" the UID/GID seem to reflect the local non-root user should not have the ability to traverse or create new files, the "phantom" NFS Server ACEs are in place and do permit the function.. reconciling the "view" with "reality" appears problematic, unless the User Mapping will update "effective" rights and ownership in the "view"
    -- John Willis, Facebook: John-Willis, Skype: john.willis7416

  • How do you get a new file in a shared folder to inherit permissions

    I have a shared folder that I share with a co-worker and having trouble with the permissions for new files/folders.
    When he creates a new file or new folder, the permissions for that file/folder are set as read only for myself. The parent shared folder is set at "Read/Write" for both of us.
    Is it possible to control the permissions for new files/folders?

    Actually, that property used to go in the entry for that sharepoint in the "NetInfo" database, and really only worked properly when 'afpuse_parentowner' was also set. The .plist file controls the behaviour of the afp server as a whole, not that of individual share points.
    I'm not sure what the "DirectoryService" equivalent is - a lot of the things have similar names but differ in "case", but some things are completely different or absent.
    Unfortunately, I'm not equipped to test these things myself but changes can be made using 'dscl', or possibly by editing the flat files directly in a manner similar to what is described here:
    http://www.macgeekery.com/hacks/software/netinfo_dead

  • Permissions in a folder are not applied to new files added by users over shared network

    New files added to a shared folder do not inherit the permissions of the folder but rather retain the permissions of the user. Because the purpose of the folder on the network is to allow multiple users access to all the files (read and write), these new files cannot be accessed and edited by others. Is there a way to have the new files automatically inherit the folder permissions? I am aware of the "Apply to enclosed items " drop-down in the Get Info window but this is not practical given the number of new files that are produced and filed.
    Thanks,
    JD

    If the folder is on the boot drive then the only way to accomplish this is with a combination of groups and ACL's as far as I know. There may be other ways but this is the one I know.
    You say the folder is on the network but is on the boot disk, how are you setting this up and are the users accessing this all from Mac's? And they all have accounts on this Mac?
    In a nutshell you would set up a group that all the users needing to access the folder belong to and then set up the ACL on the folder so that all members of that group will have full permission to whatever is in the folder.
    So first in Users&Groups create a group for this and add all the users who need access.
    Then go to the folder and change its group to the group you created and change its mode to 775 (or 770 if you don't want anyone else having even read access on the folder)
    Then enter this
    sudo chmod -R +a "GroupNameCreated  allow delete,chown,list,search,add_file,\
    add_subdirectory,delete_child,file_inherit,directory_inherit"  folderToChange
    Now the weird thing is if you look at files in the folder they will appear to have the normal Unix mode of 644 but anyone in the group will have read, write and delete permission on the items in the folder.
    I suggest you play with this on a test folder and seeing if it meets your needs before changing the working folder.
    Also this will not change anything already in the folder it only applies to newly created files/folders
    regards

  • All new files have 644 (group read only) permissions!?

    Why do all new files created through AFP have rw-r--r-- (644) permissions? I haven't figured out any way to change it so the group can read and write the new files, without manually chmoding them to something useful.
    OS X Server 10.3 and 10.4 didn't have this problem, nor did any other server OS I've ever used. Is this a feature? Is there something obvious I'm missing!?
    The server sure doesn't seem very useful when only the person who created the file can edit it...seems to defeat the purpose of a file server, no?
    Please help!

    Are you using ACLs on that volume so files can inherit privileges from the folder you put them in?
    In Tiger you could choose between using POSIX inherited privileges and ACLs.
    In Leopard ACLs are on by default but you have to set/enforce them in Server Admin.
    But I have to admit I'm a bit bewildered about "inherit" setting in Leopard Server Admin.

  • How to set file permissions for SFTP uploaded file?

    Hello,
    is it possible to set file permissions with the SDK for files uploaded via SFTP transfer? I use the default sample plugin ftp_upload.lrdevplugin to transfer the files, but would like to tweak it to set the uploaded file(s) to permission 644 (rw-,r--,r--) on Linux server. Currently the server sets new file(s) by default to 600 (rw-,---,---).
    I am looking for an option to do the "chmod" directly from Lightroom without doing any modifications in general to default umask, etc. settings on the server. No real UI is needed for this. Just hardcoded setting for 644 in the .lua.
    So far I've been unsuccessful in finding the way. Googled, read this forum, looked at the API. Maybe I just missed it, or does this functionality exist?
    All advice is appreciated!
    Cheers,
    Timo

    Niel's suggestion is good. You might also try posting your question in the Tiger Server forums. I'm sure Tiger Server has several ways of dealing with this.

  • Itunes saves my songs in a new file that is not the default setting

    My settings for downloading purchased music from itunes is c:\pop\music.
    Since a few months itunes generates a 2nd file named "music" within the existing file "music" and downloads all new songs in there. (It just happens, I surely didn't tamper with the settings.)
    So every time I buy music from the itunes store the new files are now saved under c:\pop\music\music.
    Also my ipod now only synchronizes the new files as long as they're in c:\pop\music\music and not under c:\pop\music where I want to have them to be able to combine them with the others.
    I checked under "Information" of the new songs and for each song the setting for the place where it's (supposed to be) saved under is still c:\pop\music. Also my default settings are still c:\pop\music.
    So why does itunes create a new file?????
    I can change almost every entry under "Information" but not the storage location.
    I don't know why this happened and how I can change this back. Can anyone help me here, please!

    What I'm trying to say is, I purchased an iMac after getting a new phone, which was on Windows.
    So I now need to sync it so I can enjoy all the easy pleasures of Genius so on and so on.
    However not everything made the shift over, so now my iTunes on phone has songs from my old library, that due to whatever multiverse lays between Mac and PC, are now not available on my new smarter and amazing Mac.
    So if I sync the phone I will lose my songs, yes which did cost me money!! Does anyone know a way to prevent this?
    Please bear in mind I am Mac simple, quite ******** really
    thank you in advance

  • File Name not set when creating new file in EP 6.0 SPS20

    Hi,
    We recently upgraded from EP6 SP15 to SP20. Now when I create a new file or folder in a KM folder, the name that I give for the resource is not taken into account. The display name of the newly created resource will be "New Text" or "New HTML Document" or "New Folder", etc. Even if I open the Properties and change it there, it is not getting reflected. But if I select Rename from the Context menu and give a new name, it gets set. What could be the problem?
    Thanks in advance
    Regards
    Ranjith

    Hi,
    It was an issue with the customized PropertiesControl class.
    Regards
    Ranjith

  • Setting the UNIX file permissions after writing the file to a directory

    Hi Experts,
    Can we set the UNIX file permissions after writing the file to a directory using Receiver File Adapter in SAP PI 7.1 ?
    Thanks in Advance.
    Regards,
    Jyoti

    Hi
    you can use the option "Run Operating system Command after File Processing" in the file adapter.
    Thanks
    Rinku Gangwani

  • How to set default sharing permission for new files???

    Hello. I have an imac 24" and a macbook pro 15". they are connected over an airport network. i have file sharing set up, which is working great. i am having one problem though.
    whenever a file is created on either computer, it defaults to only allow the other computer to access it read only. is there a way to set a preference that will make all new files that are created to have read & write permission by the other computer????

    the easiest way to do that is to connect from one computer to the other not as a guest but as a registered user. then any files you create will be owned by that user. so if you have user1 on imac and user2 on mbp connect from the imac to the mbp as user2.

  • Is it possible to set up a script to auto render as new files appear in queue

    We have a system that creates images automatically and we need to be able to automatically convert and re-size them and move them to a new location. Some are needed as .gif animations but most are stills.
    I can set up a series of comps with the appropriate render queues
    Is there a way to trigger a render when new files are written to the project's images folder.
    Every day these images would be updated several times. The old images would simply be overwritten.
    An additional component would be to stop the warning message that I am about to overwrite an existing file on the render.
    Thank you in advance.

    When you say "the project's images folder", do you mean a folder in the file system, or a folder in the AE project window?  Although I can't help you with the specifics, I'm pretty sure the former is possible (using scripting at the OS level to trigger an AE script), while the latter is not.

  • Permissions of new files

    Running Leopard Server AFP shares. Need to know: is there a way to force new files copied to AFP shares to get the folder's permissions applied automatically? Currently I have to propagate, otherwise user B cannot open content created and copied to the server by user A.

    The short story, you should use ACLs to set up permissions the way you choose.
    Any new files/folders will inherit permissions from their parent.
    A few resources:
    Starting on page 17 of this manual
    http://manuals.info.apple.com/enUS/FileServerAdminv10.6.pdf
    Pay attention to ACLs and inheritance.
    And more
    http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c1fs4.html
    http://www.bresink.com/osx/193281/Docs-en/ACL.html
    And of course, search the discussion forums for: ACL, Inherit, permissions, etc.
    Jeff
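
The behaviour these threads keep running into, as an added example that is not from any of the posts: under plain POSIX permissions a new file's mode is the creating process's requested mode masked by its umask, and the parent folder's mode bits are not copied. The sketch below (Python, hypothetical file names, run in a temporary directory) creates files under three umasks inside a 775 folder, then audits the tree for items the group cannot write.

```python
import os
import stat
import tempfile


def create_with_umask(directory, name, umask, requested=0o666):
    """Create a file the way a process running with `umask` would.

    Returns the permission bits the file actually received.
    """
    path = os.path.join(directory, name)
    old = os.umask(umask)  # umask is per-process state; restore it afterwards
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_group_write(root):
    """Return sorted relative paths under `root` that lack group write.

    This is the check a periodic "fix permissions" job would start from:
    it only reports, it changes nothing.
    """
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            if not mode & stat.S_IWGRP:
                missing.append(os.path.relpath(full, root))
    return sorted(missing)


def demo():
    """Create sample files in a group-writable folder and audit the result."""
    with tempfile.TemporaryDirectory() as shared:
        # The shared folder itself is group read/write, as in the threads.
        os.chmod(shared, 0o775)
        results = {
            # Constructed sample files, one per umask.
            "umask_022": create_with_umask(shared, "report-022.txt", 0o022),
            "umask_002": create_with_umask(shared, "report-002.txt", 0o002),
            "umask_077": create_with_umask(shared, "report-077.txt", 0o077),
        }
        results["not_group_writable"] = audit_group_write(shared)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        shown = oct(value) if isinstance(value, int) else value
        print(f"{key}: {shown}")
```

Only the file created under umask 002 ends up group-writable, even though the folder is 775 in every case; inheriting rights from the folder needs the inheritable ACL entries described in the answers above.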
