Permissions for File Connectio API

Similar Messages

• How do you change the default permissions for files?

  I have all my users saving (via AFP) to an Xserve RAID, I am using ACL to control who has access to certain area.
  This is fine when moving files in the finder, all ACL are respected, however when saving files from Photoshop it ignores the ACL's.
  So if user A saves a file they become the owner- which is fine, but the group and everyone permissions are read only, so when user B ammends the file they get a permission warning when they try to save, the work round I'm using is to trash the file just before you try to save- not ideal cos if the save fails you've lost the work.
  What I would like is for the default permission to be group "design" Read and Write and leave everyone as read only
  So when any designer goes to oversave a file in photoshop they can do.
  I needf to leave ACL's on as they are working well in every other situation, i.e I have certain folders set so once images have been added they cannot be deleted or renamed by certain users.
  It only seems to be Photoshop that gives us this problem, Quark files and other docs are able to be saved according to the ACL

  Hi
  There are some important distinctions and points to be made here.
  POSIX Permissions are always set for every file and folder. ACLs are optional for any file, folder or share point and work IN ADDITION to POSIX Permissions. SACLs (Service Access Control Lists) are optional for specific services such as AFP, FTP, SMB, Mail etc and are independent of files and folder as well of standard POSIX Permissions and file system ACLs. Allow access is cumulative and Deny access is first match.
  ACLs supersede but don’t necessarily override Standard UNIX permissions.
  The best way to use ACLs is to enable Access Control Lists on the desired volume, create the share point folder from within Workgroup Manager, define the Users and Groups and then drop the relevant User and/or Group into the ACL window and define access privileges from there. Don’t be tempted to use the Standard UNIX permissions in addition to ACLs as all sorts of problems can ensue.
  Privileges and access can quickly get confused and share points can be broken. Deny settings defined in ACL take precedence over all other privileges settings. Deny settings defined using Standard UNIX as well as ACLs can, in some cases, mean share points becoming inaccessible to all users even those with administrative privileges.
  Wherever possible try not to set access privileges using the Finder.
  For a much fuller explanation and a method for calculating umask values consult Gerrit de Witt’s series of articles:
  http://discussions.apple.com/thread.jspa?messageID=648307&#648307

• Permissions for files saved on another machine's shared disk

  I'm having problems with permissions on files that I create on my Macbook but save on my Mini. They are all created as read only for everyone except me, which rather defeats the purpose of having the shared directory on the Mini. I want to change the default permissions, but I can't even change them on a file by file basis - it simply doesn't allow me to change "everyone" to read & write. Really, changing the default will do, but I can't find where to change that. Can anyone point me in the right direction please?

  Is it possible to reformat the disk with other filesystem, like HFS?
  The drive will always be mounted as FAT32 when inside the Time Capsule because of the method used to mount it. Click here for more information.
  (31452)

• How to set permissions for files created by Windows on OS 10.8 volume

  I am in process of upgrading from an iMac with OS 10.6 to an iMac with OS 10.8.  In my office network, I store all files on my iMac and let the Windows PCs act as workstations to read/write onto the Mac.  (It's simpler to have all files centralized in one location, and only have to be concerned about backing up one volume.)
  When I had OS 10.4 and OS 10.6 any newly created file saved by the Windows PCs onto the Mac could be opened by the Mac.
  But with OS 10.8, I can not open newly created files from Windows.  The file permissions for the newly created files from the Windows PCs are: 
       PCUser = read/write;  Everyone = no access.
  What do I need to do so that newly created files from the Windows PC (currently Windows 7) can be opened by the Mac, without having to use Get Info to reset the permissions each time?

  You could try adding this Access Control Entry (ACE) to the folders you let them save to:
  sudo chmod -R +a "accountinggroup allow delete,chown,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Path/to/topmost/folder
  You first need to create a group for all the sharing people you want to have access to that folder, if you don't already have one. In the example, "accountinggroup" is the group, so change that to whatever you want to use.
  The ACE allows them full access to the files in the folders. If you want to limit that, remove the option (such as delete).
  You create Groups in Users & Groups System Preference just like creating a new user. Just change the account type to Group.
  If you want a GUI to do the settings, try Sandbox.  It's got a few glitches in the Interface, but it seems to write the ACL correctly. One glitch is selecting the Group or User. I had just a list of Continuing in the popup menu. I typed in the Group name I wanted and it worked. Some errors pop up as you traverse the file hierarchy, but you can dismiss them.
  Here is an old hint, which gives a little background, and some other options: http://hints.macworld.com/article.php?story=20090219133314985
  The Server tools would allow you to set this up more easily, but if this is all you need as the server, I don't know if it is worth it.

• Permissions for file sharing to Windows users

  Greetings, I would be very pleased if someone could help me with file sharing permissions for Windows users of a Mac mini file server running Snow Leopard 10.6.1 (not server).
  I have a folder in my root directory, lets call it Project, that holds a series of 10 sub folders, say 1 through 10. Some of my users I wish to have read/write access to the whole Project directory, and, having enabled file sharing in System Preferences (and SMB for Windows), I did cmd to get info on the Project folder, ticked sharing, added the users (whose user accounts I had replicated on the Mac from their Windows machines), gave them read/write access, and then was able to map a drive to Project in their machines. All good so far, notwithstanding an hour tussle with a Vista laptop . The other user 'groups' were set the following permissions: me - read/write; Admin - read/write; Everyone - no access; which seemed sensible.
  Then, when I wanted to only share say sub folders 4, 5 and 6 with other users, who will not have access to the whole Project directory, things were not as straight forward. I followed the same procedure as above, but for the particular sub folders. However, I think they are only able to see them if I provide read or read/write access for Everyone to the parent Project directory. This of course then lets them at least see all the other folders I do not want to share with them. I don't seem to be able to remove the Everyone group from the Project directory, which occurred to me might resolve this.
  Any thoughts? Thanks.

  "On the way down, it seems to me that you still can prevent that user from using folders that he or she is not supposed to use by setting appropriate permissions."
  I don't think this is the case. If I allow someone read & write access to a folder because they need to have read & write access to two of three subfolders, I cannot deny them (at least) read access to the third folder.
  In respect of a particular folder:
  1. You can only assign read; read & write; or write (drop box) to an individual user; and
  2. You can only assign No Access to everyone.
  Do I need to use Snow Leopard Server to be able to assign No Access to a particular folder for an individual user?

• Set Permissions for file deletion

  I need to create a new temp directory and at the end of my program, I need to delete the temp files...pretty common thing to do.  My problem is the permissions dont allow me to delete the files unless I set them first somehow.  I want to know what the settings must be in the Set Permission.VI so I can then delete the files.  How do I mechanize this? 

  Are you having this issue in both the Development Environment and the Run Time Environment? The second solution that I linked is for executables only, and only makes it so that you don't have to turn off the UAC because it has administrative privilages. Anything that an administrator is able to do, the executable will now have permission to do. To test if this solution will work at all, just right click on the executable and select "Run as Administrator". If you are still having issues when the executable is running as administrator, the above solution will not work. 
  Try running this snippet and let me know what happens. All it does is create a file in the temp directory, read its permissions, then deletes the file. This runs on my computer with no error in the Development Environment and has the permissions of binary 110110110 (Decimal 438). 

• Force permissions for file sharing (acl)

  Hi all
  I'm trying to set up a server so that multiple users can share files over sftp and ssh.
  To do this I did the following:
  0. Mounted an ext4 partition with acl enabled
  1. Created a folder with an appropriate group (say 'sharing')
  2. Set the gid flag on it (chmod g+s)
  3. Added all the users to the sharing group
  4. Setup acl on the folder :
        setfacl -dm u::rwX,g::rwX,o::- /path/to/folder
        setfacl -dm m::rwX /path/to/folder
        setfacl -dm g:sharing:rwX /path/to/folder
  Now, whenever I create files or folders inside my shared folder they have the correct permissions (660) and the sharing group. However, when the files are *transferred* in via sftp, scp, unison etc the acl permissions do not take hold.
  With unison I've tried setting perms=0 and dontchmod=true but this just gives all files -rw------- permissions.
  SFTP mirrors the original permissions but is 'masked' by acl: i.e. a 666 file is set to 660 (as expected) while a 644 file becomes 640 (what i want is for it to be set to 660)
  Is there any way to force permissions (with acl or some other tool) on files added or transferred into a folder regardless of the software doing the transferring? Ideally, I'd like it if this were something that happened completely on the server and did not depend on me configuring client tools.
  Thanks!
  Last edited by harshad1 (2014-05-22 15:09:10)

  rune0077 wrote:
  Change the umask of the sftp process.
  In your sshd_config there's a line that says:
  Subsystem sftp /usr/lib/ssh/sftp-server
  Append -u 0002 (or whatever umask you want) to the end. Like this:
  Subsystem sftp /usr/lib/ssh/sftp-server -u 0002
  First thing I tried. Doesn't seem to work.
  I should mention that I'm using sftp-chroot and I've used mount -bind to allow sftp users access the the (shared) data folder from with the chroot.
  I don't know how this might affect the application of umask.. which i'm enabling by:
      ForceCommand internal-sftp -u 0007
  I was really hoping i'd be able to force this on the file-system level with acl or something similar

• Setting Oracle Permissions for file access from a pl/sql function

  I have a pl/sql function that calls a java method which moves a
  file from a directory to another.
  Since we are using Linux, Oracle wants some permissions.
  Those permissions are set using:
  call dbms_java.grant_permission(USER, 'java.io.FilePermission',
  FILE, permission)
  OK, i want to use this in my pl/sql function, but it doesn't
  work.
  My function looks like something like this:
  -- some pl/sql code
  dbms_java.grant_permission(someUSER, 'java.io.FilePermission',
  sourceFILE, 'write');
  dbms_java.grant_permission(someUSER, 'java.io.FilePermission',
  destFILE, 'write');
  flag := move(sourceFILE, destFILE);
  -- flag is for 1 -> done and 0 -> error
  -- some more code ...
  The problem is the lines of
  dbms_java.grant_permission(someUSER, 'java.io.FilePermission',
  sourceFILE, 'write');
  do not work!
  When i grant permissions manually in sql plus it works great,
  but when i do it from the function it does not work!
  Any ideas anyone?
  Any help would be appreciated.

  The command :
  dbms_java.grant_permission
  (someUSER, 'java.io.FilePermission',sourceFILE, 'write');
  is right.
  Open sqlplus
  Connect as sys or system
  type :
  execute dbms_java.grant_permission
  (someUSER, 'java.io.FilePermission',sourceFILE, 'write');
  commit;
  try to compile again your procedure...does it work now ?
  bye
  Giovanni Regola

• Permissions for files in /sys

  Many files in /sys or /proc/sys are not readable (I get a "permission denied"), even as root. Now I do some experiment:
  cat /sys/module/usbhid/uevent
  cat: /sys/module/usbhid/uevent: Permission denied
  and now:
  [root@pcolivier /sys]# ls -l /sys/module/usbhid/uevent
  --w------- 1 root root 4096 May 6 09:22 /sys/module/usbhid/uevent
  [root@pcolivier /sys]# chmod a+r /sys/module/usbhid/uevent
  [root@pcolivier /sys]# cat /sys/module/usbhid/uevent
  cat: /sys/module/usbhid/uevent: Input/output error
  There is something a don't understand in this. Normally we may read a file as root, whatever the permission of this file is (this is true for normal files). It seems here that the kernel enforces the permissions bits of the file in order to access it; without the read permission it denies access to the file, with the read permission it tries to read the file (and fails for another reason). My question how the permissions of the files in /sys are sets? Why they are enforced as root contrary to normal files?
  Last edited by olive (2012-05-06 07:30:00)

  The file /etc/ftpd.conf should have the line
  umask all 022
  in it somewhere. This will cause files to be created with permissions of 644 (rwxrw-rw-) and directories to be created with permissions of 755 (rwxr-xr-x).
  For more info 'man ftpd.conf' in the terminal.

• Implementing file "Save as" functionality for file download api

  Hi,
  I want to implement File Download (Open/Save as/Cancel dialogue box) programmatically.
  I am displaying list of links to document in a web dynpro table and I dont want to set IWDResource data for all entries in table.
  And on Click of a button/link to action, I want to open up a File download box.
  I have URL to the file with me and I'm able to convert it to IWDResource.
  Following are the things available with me for a selected file:-
  -- Complete name of file along with extension
  -- byte[] of file.
  Please help.
  Thanks and regards,
  Amey Mogare

  I could achieve it with following code:-
       String l_str_LinkValue = null;
       String l_str_LinkName = null;
       URL l_url = null;
       InputStream  l_is_inputS = null;
       try {
            l_str_LinkValue = wdContext.currentCtx_vn_KmFolderDataElement().getLinkValue();
            l_str_LinkName = wdContext.currentCtx_vn_KmFolderDataElement().getLinkName();
            l_url = new URL(l_str_LinkValue);
            l_is_inputS = l_url.openStream(); 
            IWDResource res = WDResourceFactory.createResource(l_is_inputS, l_str_LinkName, WDWebResourceType.UNKNOWN, true);
            if(res != null){
                 wdContext.currentContextElement().setFileRes(res);
            }else{
                 myMessage.reportException("Unable to create file", true);
       catch (MalformedURLException mfurle) {
            myMessage.reportException("MalformedURLException : "+mfurle.toString(), true);
            wdContext.currentContextElement().setFileRes(null);
       catch (IOException ioe) {
            myMessage.reportException("IOException : "+ioe.toString(), true);
            wdContext.currentContextElement().setFileRes(null);
       catch (Exception e) {
            myMessage.reportException("Exception : "+e.toString(), true);
            wdContext.currentContextElement().setFileRes(null);

• How to set default permissions for files and folders

  We have mac and windows computers on a network where we use Mac OSX Server 10.4 to share files. When files are created on windows computer, no problem, all users can read/write these files. However on our 2 macs (1 10.3 and 1 10.4), other users are blocked from using the files, only the owner has "read/write", group and others are "read only". As far as I can tell, file sharing is turned on ok in Workgroup Manager for the folders we share files from. How can we establish sharing for all users on our network?

  Niel's suggestion is good. You might also try posting your question in the Tiger Server forums. I'm sure Tiger Server has several ways of dealing with this.

• What is the Type of Permissions for Eloqua REST API 2.0?

  As mentioned in http://secure.eloqua.com/api/docs/Static/Rest/2.0/doc.htm#Minimal permission is of Type InstancePermissions.
  and has values as read, write, fullControl.
  On the other hand, in http://secure.eloqua.com/api/docs/Static/Rest/2.0/t_accountfield_37f2676a9bc7f0e4199ad4858790c53d.htm permission is
  of Type ActionType and valid values for it are Activate, Create, Delete, Retrieve, SetSecurity,Update.
  Which reference documentation is correct ?

  Well obviously it is an Ant build.
  It looks to just compile/build a web application into a war so you can deploy it where you want to.
  You don't need to edit it every time you are making a new page. It should work for any generic struts web application laid out in the fashion it expects.
  Cheers,
  evnafets

• Solved - How to take ownership and change permissions for blocked files and folders in Powershell

  Hello,
  I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from
  file permissions and do not have ownership of the files,folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.
  I was not able to find any information about someone successfully using native PS to resolve the issue.  As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
  Question: How do you use only Powershell take ownership and reset permissions for files or folders you do not have permissions or ownership of?
  Problem: 
  Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
  PS C:\> Get-Acl -path F:\testpath\locked
  Get-Acl : Attempted to perform an unauthorized operation.
  + get-acl <<<< -path F:\testpath\locked
  + CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
  + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
  If you create a new ACL and attempt to apply it using Set-Acl, you get:
  PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
  Set-Acl : Attempted to perform an unauthorized operation.
  At line:1 char:8
  + Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
  + CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
  + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
  Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
  How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
  Tony

  Hello,
  Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
  Example:  Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
  #Script to Reset MyDocuments Folder permissions
  $domainName = ([ADSI]'').name
  Import-Module "PSCX" -ErrorAction Stop
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
  #Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
  $Directorypath = "F:\Userpath" #locked user folders exist under here
  $LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
  Foreach ($Locked in $LockedDirs) {
  Write-Host "Resetting Permissions for "$Locked.Fullname
  #######Take Ownership of the root directory
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  $Locked.SetAccessControl($blankdirAcl)
  ###################### Setup & apply correct folder permissions to the root user folder
  #Using recommendation from Ned Pyle's Ask Directory Services blog:
  #Automatic creation of user folders for home, roaming profile and redirected folders.
  $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
  $propagation = [system.security.accesscontrol.PropagationFlags]"None"
  $fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
  $DirACL = New-Object System.Security.AccessControl.DirectorySecurity
  #Administrators: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
  #System: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
  #Creator Owner: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
  #Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
  #$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
  #Remove Inheritance from the root user folder
  $DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  #Set permissions on User Directory
  Set-Acl -aclObject $DirACL -path $Locked.Fullname
  Write-Host "commencer" -NoNewLine
  ##############Restore admin access & then restore file/folder inheritance on all subitems
  #create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
  #$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
  $NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
  $subFileACL = New-Object System.Security.AccessControl.FileSecurity
  $subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
  $subFileACL.SetOwner($NewOwner)
  $subDirACL.SetOwner($NewOwner)
  ######## Enable inheritance ($False) and not copy of parent ACLs ($False)
  $subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  $subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  #####loop through subitems
  $subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
  foreach ($subitem in $subdirs) {
  #take ownership to insure ability to change permissions
  #Then set desired ACL
  if ($subitem.Attributes -match "Directory") {
  # New, blank Directory ACL with only Owner set
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  #Use SetAccessControl to reset Owner; Set-Acl will not work.
  $subitem.SetAccessControl($blankdirAcl)
  #At this point, Administrators have the ability to change the directory permissions
  Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
  } Else {
  # New, blank File ACL with only Owner set
  $blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
  $blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  #Use SetAccessControl to reset Owner; Set-Acl will not work.
  $subitem.SetAccessControl($blankfileAcl)
  #At this point, Administrators have the ability to change the file permissions
  Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
  Write-Host "." -NoNewline
  Write-Host "fin."
  Write-Host "Script Complete."
  I hope you find this useful.
  Thank you,
  Tony
  Final Thought: There are great non-PS tools like
  Set-Acl and takeown which are external to PS & can also do the job wonderfully.  It may be much simpler to call those tools than recreate the wheel in pure
  code.  Feel free to use whatever best suits your time, scope & cost.

• How to set file permissions for SFTP uploaded file?

  Hello,
  is it possible to set file permissions with the SDK for files uploaded via SFTP transfer? I use the default sample plugin ftp_upload.lrdevplugin to transfer the files, but would like to tweak it to set the uploaded file(s) to permission 644 (rw-,r--,r--) on Linux server. Currently the server sets new file(s) by default to 600 (rw-,---,---).
  I am looking for an option to do the "chmod" directly from Lightroom without doing any modificatios in general to default umask, etc. settings on the server. No real UI is needed for this. Just hardcoded setting for 644 in the .lua.
  So far I've been unsuccesful in finding the way. Googled, read this forum, looked at the API. Maybe I just missed it, or does this functionality exist?
  All advice is appreciated!
  Cheers,
  Timo

  Niel's suggestion is good. You might also try posting your question in the Tiger Server forums. I'm sure Tiger Server has several ways of dealing with this.

• Read-only access permissions for new files/folders?

  System:
  Clean Install on new intel Xserve
  10.4.8 Server w/ Open Directory
  Windows clients can read/write completely fine...
  Clients connecting using AFP (whether Standard or Kerberos authentication) can access files, but when new files/folders are created on the server, they register as full permissions for the user who created them, but not for the rest of the group.
  The share(s) in question are set using POSIX from WGM: Full access for owner/group/everyone (changed it to this thinking it would help, but it does not). Of course, no one can make changes to a newly-created/deposited files/folders, which is just plain silly.
  I can chmod the permissions recursively from a script (which fixes the problem, of course) on a regular basis so that its not (as much of) an issue, but there is still a 5-minute lag for the script to kick in, since we don't want to bombard the server with chmod requests every minute....which is unnecessary in the first place!
  I have plenty of other setups which are identical but have no such issue...
  Any reason why POSIX permissions on the share are being ignored from every user account?
  Thanks,
  k

  "That's default posix behaviour no matter what access permissions you set on the sharepoint."
  I'm afraid this is dead wrong. What matters most is how you set permissions on the share, not if you've chosen to inherit vs. using POSIX. POSIX is still used in inherit functions, though you can use ACL's to override them. In this case, ACL's are not being used on those shares (though we tried it).
  After all, why would Apple (let alone anyone else) even offer the ability to change POSIX permissions on a share if it didn't have any effect? That would be somewhat contradictory in nature.
  Like I said before, I have several other installations which are identically setup that have no such issues.
  As for Windows, it is also not set to inherit permissions; we're setting those explicitly. And they work fine.
  Any other ideas?
  Thanks,
  k