Propagate ACLs

Hi all,
I have a client who is running OS X Server 10.4.9 and has an odd problem with ACLs not fully propagating. We enabled ACLs on the server, rebooted and went about setting ACL permissions on the root of a share point. When propagating, it stopped at about halfway through, it seems; meaning that the ACLs show up fine in the "Access" tab and are working on half the folders, but not the other half. There doesn't seem to be anything particularly different about the folder it stops at either.
Hope someone can shed some light on this, thanks!

Depending on what permissions were set before, we used to have problems with propagating NON-ACL (POSIX) permissions (Panther, Tiger) from WGM.
This was probably because the user/admin that was logged in in WGM didn't have the permissions to alter all files/folders from their current settings.
I can't say I have encountered the same problem with ACLs.
If the volume is set to use ACLs (inherited permissions dimmed) I guess you should perhaps first check the volume with a disk tool. You then might have to use CLI tools: chown, chgrp, chmod to set ACLs. I haven't used those myself for setting ACLs since it seems a pain compared to using the WGM. For setting POSIX permission the CLI tools are relatively easy.
Did you try changing only ACLs or ACLs and POSIX at the same time?
Changing only ACLs should suffice (I don't bother with POSIX if not necessary) for user rights as they are used before POSIX.

Similar Messages

  • Lion: problems with resume, reboot, move, delete ...

    Some of the Lion problems I've been having (on 2 laptops: an older "Pro" and a new "Air"):
              -can't delete some files without password;
              -can't move some files or folders, only copy;
              -opening a program by clicking a data file also opens other data files from previous uses (not necessarily the most recent use);
              -rebooting opens several programs, always the same ones with the same data files (not necessarily from the most recent uses);
              -opening Safari opens several tabs always with the same sites;
              -Safari's History is gone, except for 2011 items, and new items are not being recorded;
              -Keychain issues, often needing repair;
              -MobileMe syncing issues.
    Why and how do all of these things happen? How are they related to each other? Why should I have to tinker like this? And what would happen if I weren't geeky? (I've left my iMac on Snow Leopard, which is wonderful.)
    Things are coming under control, but I have pulled all sorts of information from a variety of Web sources, none of which I found all in one place; hence this compendium. The exact sequence of what I did is lost, and what factors were the ones which worked I do not know. (Very time-consuming …) Comments welcome!
    Should I just have re-installed Lion on the laptops?
    ====
    Permissions:
    A lot of these problems seem related to obscure permissions.
    Here is a Terminal command which clears all ACLs, at least in the "Home" folder.
              chmod -R -N ./*
    (But it generated this message on the MBPro:
    chmod: Failed to clear ACL on file abc.numbers: Operation not permitted
    chmod: Failed to clear ACL on file Commands: Invalid argument
    chmod: Failed to clear ACL on file Notification: Invalid argument
    chmod: Failed to clear ACL on file ubiquity.socket: Invalid argument
    chmod: Failed to clear ACL on file Saved Application State: Operation not permitted
    … partly perhaps because I had "locked" the abc.numbers file and the Saved Application State folder. I doubt if these things matter.)
    Reboot while holding Cmd-R: this is something like "re-install" mode; when it opens, instead of choosing one of the options presented, open Terminal from the Utilities menu, and type "resetpassword". A program opens; don't reset the passwords, but rather reset all of the permissions, including ACLs, using the button at the lower right. Close it, close Terminal, and then reboot normally.
    Safari:
    File menu, Empty Cache and Reset Safari
    Library (from Home folder, requires special steps to get to it in Lion, e.g. hold the Option key when at the Finder "Go" menu):
              Library/Preferences: moved then later deleted several plist files for offending programs, which I then had to reconfigure (e.g. Safari: reconfigure Toolbar, go through Safari Preferences …) -(they will all reappear instantly in some "default" state) -trying to delete the plist.lockfile as well caused problems - Trash wouldn't "empty" it ("in use"), but doesn't seem to matter.
              Library/Preferences, ByHost: see below
              Library/Saved States: see below
    ByHost:
    Some users opine to go to ByHost, close all apps, then "lock" (using the "Get Info" feature) the file com.apple.loginwindow{…}.plist. See this discussion: https://discussions.apple.com/message/17213577#17213577
    Saved States:
    Some users say to delete "Library/Saved Application State" files (folders) before doing the above (https://discussions.apple.com/message/17499355#17499355 and http://applehelpwriter.com/2011/09/13/turn-off-resume-the-definitive-solution/). Then "lock" the "Saved Application State" folder. There may be some problems getting it to stay locked(?).
    But I moved several  of the "Saved Application State" folders and I forget just what, but one computer seemed unhappy afterwards, the other fine. On the unhappy one, I replaced them (but not yet having locked the overall folder), and deleted some of the files inside the individual folders, like com.apple.TextEdit.savedState. (I suspect this paragraph is unimportant, but cannot be sure.)
    Sharing: remember that the settings under System Preferences, Sharing, also matter. (So do the settings under "Accounts and Users", Guests.)
    The "resume open applications feature" on reboot seems weird. If I say "no", I wonder if it wasn't bringing back all of the programs from some distant previous reboot.
    Make sure that under System Preference, General, the option to restore on restart is unchecked.
    I have learned that Disk Utility's "Repair Permissions" works for quite specific files and doesn't work for the Home folder.
    http://support.apple.com/kb/HT1452
    Make sure that there aren't numerous "Login" items under System Preference, Users/Accounts.
    Changing permissions via the "Get Info" windows, and "applying to enclosed folders" can be a bad idea, especially if applied to something like the Home folder. Apparently it propagates ACLs too(?), although not visible there, and the effects can be undesirable.
    Some permissions on "Get Info" panes have two "everyone"s, and the one with "Custom" settings can not be changed nor deleted.
    Make sure all systems updates have been done (as usual).
    MobileMe sync issues are another story - seems to be settling - perhaps related to "Permissions" issues above …
    And what about Preferences, Caches? Anything there that would help with the above problems? What about the "root"(?) Library?
    Some of the above tasks can be accomplished by 3rd-party software, but I'm getting there without using anything other than native Mac OS X Lion tools.
    ====
    Anyway, as said, it's all settling down.
    Comments/corrections most welcome.
    Charles

    Boot from your recovery partition by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the recovery desktop appears, select Utilities ▹ Terminal from the menu bar.
    In the Terminal window, enter “resetpassword” (without the quotes) and press return. A Reset Password window opens.
    Select your boot volume if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Under Reset Home Directory Permissions and ACLs, click the Reset button.
    Select  ▹ Restart from the menu bar.

  • Permissions in 10.5 Server - old solutions updated?

    Hi
    Not being in any way, shape or form/proximity to an expert, I would like to ask a few dumb questions.
    In server 10.2, 10.3 and 10.4 I'd worked out (losing a lot of hair in the process) a simple cron script that kept the problem at bay.
    I'd point out that the fileservers are purely being used for sharing files to graphic designers, nothing more. A sharepoint would be a single folder (with subfolders) accessed by users in the appropriate group. Obviously, as we know, the permissions problem generally appears when folders and/or files created on the various workstations are moved to the sharepoint and, as if by magic, frequently and randomly revert to their original permissions, causing a collective disruption.
    Using Cronnix to keep things simple (there's that word again) and allow me to start and stop the scripts to avoid them running during overnight backups, I set up the following under Cronnix System Crontab (run as root) to re-fix the Owner, Group and Others, changing the details of the groups and sharepoints as required.
    chown -R administrator '/Volumes/route to sharepoint/'
    chgrp -R requiredgroup '/Volumes/route to sharepoint/'
    chmod -R ug=rwX '/Volumes/route to sharepoint/'
    I set this to run every 10 minutes (guesswork) and haven't had the problem again. Now we have a 10.5.6 server and I want to ensure the same solution, but I understand that cron is no longer available in 10.5.6 or is due for the chop soon? In any case I'd like to move the 10.4 and 10.5 servers to launchd in case cron completely disappears, and to have the same solution for both.
    This is not my area of expertise, and the various 'quick' solutions of Launchd Editor and Lingon I find completely baffling. I simply (it's getting to be my middle name round here) want to move the script that I know works to another way of launching it with sudo capability, then forget about it until Apple come up with a fix or I have to find another way.
    Is there a way to do this, or can someone recommend a tutorial that is literally step by step and assumes very little expertise?

    Hi John
    Although you should move to launchd and try to understand it you can still use Cron in 10.5.
    I'm struggling to see why you should have a problem? What you want should be achievable using ACLs in 10.5 or even 10.4. There are lots of threads discussing permissions on these boards:
    http://discussions.apple.com/message.jspa?messageID=8788751#8788751
    http://discussions.apple.com/message.jspa?messageID=8788860#8788860
    http://discussions.apple.com/message.jspa?messageID=8788898#8788898
    You can search for more yourself. If the command line is not to your taste you can still use the interface to achieve what you want. Once you realise you have to move away from standard POSIX permissions and stick with ACLs things should become simpler? Create users in WGM, assign passwords. A single user will do if you want? Keep passwords simple if you want? Use the spacebar or even a single letter. Create a group. If it's a single user don't bother with a group. Add users to the group and drop the Group into the ACL Window in the Sharing part of Server Admin for the Share you're interested in. If it's a single user drop that in instead. Select Read/Write. Don't touch the POSIX permissions. Leave them alone. They should be reset to their default: Owner: Root or Admin (you choose) R/W; Group: admin Read Only; Everyone: Read Only. Now click Save. At the bottom of the window is a small gear wheel. Select this and select Propagate Permissions. Another window will appear with ACL already selected. Click OK and let it do its thing. If you've reset standard POSIX tick the appropriate boxes. Educate your users to create files/folders on the Server directly. If they forget and copy over a file/folder created locally it should still inherit permissions set at the parent folder. However this can be hit and miss sometimes. In which case select the gear wheel again and propagate ACL permissions again.
    ACLs offer a far greater level and degree of control than POSIX permissions.
    Hope this helps?
    Tony

  • Photo folder changes permissions

    I manage a Snow Leopard server. Mainly it's used just for file sharing. It contains many shared folders, including one called zPhotos. zPhotos is where our reporters drop their photos. These photos are placed in a folder on a G4 PowerMac, and then that folder is dragged into zPhotos.
    I then drag these folders out of zPhotos and onto my desktop and eventually upload them to an e-commerce Web site. But when I go to delete the folders in zPhotos, I'm told I don't have access privileges. I then go into Server Admin, propagate ACL and Owner Name, Group Name, Owner Permissions, Group Permissions and Other Permissions to zPhotos. After I do that I can delete the folders within zPhotos. This process is done on almost a daily basis.
    What I don't understand is why the ACL and other permissions on zPhotos change? Is it something to do with the G4 PowerMac? I readily admit I'm no IT guy and have only a very rudimentary understanding of permissions.
    Thanks.

  • Wacky login behavior, lots of beach balls

    So get this. My browser and then my machine crashed after going to wikipedia.org. I repaired disk permissions, and the main thing that happened was that all my flash plugins had bad permissions that were fixed. But wikipedia kept crashing Safari. I thought it was a font cache problem. I used Font Finagler to clean the font cache (this is something I run into because I do a lot of graphic design and am running Suitcase X1). Font Finagler uses Font Book to track certain font things, but Font Book was crashing too, so I let Font Finagler run without needing to launch Font Book.
    This is where it gets interesting.
    Now my MBP is very slow starting up. It takes four or five minutes to get to where you choose the user and enter password.
    Even more strange, I choose the user, enter the first character of the password, and I get a spinning beach ball for about 30 to 45 seconds, then screen turns blue, and I get sent back to where I have to choose the user again. The second I select my user, I can enter the password without problem.
    Still, all sorts of applications and standard operations cause a spinning beach ball....that....lasts....a....long....time. Ouch.
    Also, this began with 10.5.3 installed. Frustrated with the problem, I thought that upgrading to 10.5.4 might magically fix it, but no dice. Same issues as before. At least nothing got worse...
    Thoughts about what I should do?
    Message was edited by: eric1321

    There is a possibility that your user accounts and possibly your applications in the /applications directory might have some corrupt ACL entries assigned to them. It was more of a problem under 10.5.0 - 10.5.1 than 10.5.2 and later. Disk utility will not detect them either as the permissions database does not include entries for user and application folders, so DU ignores them.
    You can use the new free tool SandBox to manage the new ACL permissions in Leo.
    http://www.mikey-san.net/sandbox/
    The only ACL entry Leo assigns to user folders by default is "everyone deny delete".
    If you find other ACL entries that look something like this:
    "group:admin,allow,list,addfile,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directoryinherit"
    then you have ACL permission problems.
    Check folders in your user directories for them and in the application directory.
    Most of the time I have found what starts the problems are incorrect permissions assigned to applications, such as some user owning an application that everyone uses. I always set my applications posix permissions as owner:root, group:admin, chmod (read,write,execute) 755 or 775.
    This will allow everyone to use the applications without problems. Not logging in as administrator when installing applications that others will be using is generally the culprit. Also the get info box will propagate ACL entries without telling you if you click the "apply to enclosed" button.
    Itunes and quicktime directories seem to be the most common place most corrupt ACL permissions appear first.
    A decent posix permission GUI application is FileXaminer.
    Kj

  • Photoshop files & ACLs?

    I am going out of my mind here trying to figure this out. First my needs. I have two users on a 10.4 machine that need to be able to create, save and edit Photoshop files (their own and each others) in the same folder. Until now, the only way I could figure it out was to create a second volume and "ignore" ownership on that volume. I know that I could go into the "file info" permissions every time one of us creates a new file and modify the permissions to allow the other to edit the file but what a pain that is.
    I thought my answer would lie in enabling and using Access Control Lists (ACLs) so I used Tinkertool system to enable ACL support on my main volume and then grant full access with inheritance enabled to both users. This works great for any file (MS Word, Excel, etc.) but not photoshop files. The Word, Excel and any other file created by one user correctly inherits the permissions from its parent folder's ACL settings but not the Photoshop files. They don't seem to inherit them at all.
    I can go into Tinkertool System and propagate the settings and the files seem to pick up the settings but when one users tries to edit another's photoshop files, it shows up as a locked file. I can use the "get info" dialog to confirm that the file does possess the ACL settings but it is almost as though Photoshop CS & CS2 don't recognize the ACL properties of the file.
    In summary, my two issues are:
    1. Photoshop files are not automatically inheriting the ACL permissions.
    2. Even after manually propagating the ACL permissions to a photoshop file, it shows up as being locked (from within photoshop, not the finder) when the non-owner user tries to edit it.
    Does anyone have any ideas as to what is going on here.
    Thanks,
    Troy

    Troy,
    I'm suspecting that we are using ACL differently. On tiger, you have to enable them specifically. The e flag on ls will show ACL's and from your post - you don't seem to have ACL installed.
    Please have a look at the first page of this article. It describes ACL's and shows you how to manipulate them:
    http://arstechnica.com/reviews/os/macosx-10.4.ars/8
    You can accomplish what you need with traditional groups - if you want that - simply post the id for each user and I'll send back steps to make a group for this folder. (Or someone else here might just guess and propose something)
    Also - have you contacted Adobe to see if the version of Photoshop you are using even supports ACL? I honestly don't know what layer of command they use to access the disks - it's not unlikely that their application might not support reading the meta data if it accesses the files directly. It's unlikely (but not impossible) that they used high level API from Apple that would enable them to simply work with ACL out of the box.

  • Not able to move/rename folders despite ACL settings

    I'm having a maddening issue with a Mini server running 10.6.8 (all updates installed, configuration imported from a 10.5 XServe, recently did a full reinstall of the OS due to some odd behavior and Server Admin errors/slowness).
    It is sharing a few volumes on an external drive via AFP and SMB, with relatively simple permissions configured via ACLs.  For practical purposes, users are in two groups:  Staff and Bookkeepers (I'm simplifying names, but they're not the stock system groups).  All employees are in the Staff group, a few are also in the Bookkeepers one.
    A couple of folders on one share have "deny : full control" set for the Staff group, and "allow : full control" set for the Bookkeepers group above that.  The intent is to allow bookkeepers access to the folder, and not general staff.
    This has worked as expected for years.
    Then, for no readily apparent reason, a few days ago some users lost the ability to delete folders they created within the restricted folders (other folders on the share were fine).  I spent a while going around as to why this was, eventually deciding that something was wrong with either the ACLs or the groups themselves.
    My final solution was to completely remove the ACL from the restricted folder via the command line, then delete both groups, create two new groups, NewStaff and NewBookkeepers (with new GIDs and shortnames), then re-add the correct ACL to the restricted folder, and propagate permissions down (done with Server Admin and Workgroup Manager, latest versions, running on a 10.6.8 workstation).  I also rebooted the server and cycled AFP.
    Now the problem is only slightly different:
    Within those restricted folders, users can create new folders, but cannot rename or move any existing or newly-created folders, although now they CAN delete either. The "Effective Permissions" browser in Server Admin shows my user as having full permissions for the folder in question to do everything, I've logged out and back on to make sure it's not a cache issue, and I've run out of ideas short of an OS reinstall.
    The command line says the Bookkeepers group has the following permissions for one of the folders within a restricted directory, which I cannot rename or move:
    inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
    versus this for a folder I CAN edit, outside one of the restricted folders:
    inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
    ...the notable difference in there being lack of "delete" permissions on the problem directories. Which is bizarre, because that group is set to "full control", and I CAN delete it--just not move or rename. (Perhaps that's the "delete_child" of the parent directory allowing me to do that?)
    (Unix permission is: rwxrwx---   admin admin Others)
    Notably, when directly accessing the server, the Finder also suffers from this problem--if I try to move a folder, I'm prompted to enter an admin password before I'm allowed to, so the issue isn't restricted to just AFP.  I just can't figure out where the weird permission is propagating from, or how to get rid of it.
    What the heck is going on here?  Any suggestions on how I might try to fix it?  I'm about to upgrade to 10.8 Server, and if that doesn't work reformat the external RAID array, which will be a huge pain.

    This is really an OS problem as it sets permission levels for operations.   What OS?
    If using Win OS and an external drive, you can start Bridge by right clicking and choosing "run as administrator".

  • ACL - how to (easily) deny access to everything but home directory

    I was trying to set up a very restrictive drop box for users to leave and take files from. I set up a special USER and then thought I could use the ACL's to deny access to the system except for the home directory. From reading the documentation I tried the following
    1) at the root level I denied read/write access for USER
    2) at the home directory I allowed read/write access for USER
    and then I tried to 'remove inherited' ACLs. I can't seem to get this to work. USER is always denied. Any help appreciated

    Never mind. I figured out how to do this from the command line using chmod +a to do multiple directories at once. I still don't know why the top level ACL wouldn't propagate to the lower directories but once I did this on the /* directories everything was fine.

  • Need help with ACLs and propagating permissions

    I'm currently setting up our new server, for which we're moving away from Windows entirely (both on the server and user workstation ends), and I'm currently having some questions about permissions. I've been scouring the OS X Server Advanced Admin pdf, but there are numerous holes in the exposition of permissions from the ACLs down to the proper way to propagate permissions when a manual touch is required. What I'm trying to do is allow one group to have read access only until they get to a certain subdirectory, at which point they can then write to that level; then for the second group, they only need read access for a specific folder down the line from the starting directory. I'll include some example images with a test folder I've created so that it may be a little easier to understand what my goals are with the Server app's permissions. Thank you in advance for all your help.

    You need the advanced permissions editor.  You are trying to convert inherited permissions to explicit.  If I understand what you want, you would go about it like this.
    You have two groups; GroupA and GroupB.  GroupA is the limited group.  You want them to be able to read everything and write to limited locations.  GroupB can read and write everywhere.  So based on your example, you would do this to start:
    At the parent folder level, you are defining GroupA to be able to read and GroupB to read and write.
    Now to drill down.  In Server.app select your server.  This is the first item in the side bar.  On the right, choose Storage.  Drill down to where your shared folder is located and select it.  From the Gear menu, choose Edit Permissions as shown here:
    You will note that GroupA and GroupB are both gray.  This denotes that they are inherited entries at this level.  You must break the inheritance and start over.  To do this, press the small gear icon on the edit permissions sheet and choose "Make Inherited Entries Explicit."  GroupA and GroupB will turn black, allowing you to edit them.  Change GroupA from Read to Read Write.  Press OK to close the sheet.
    Now, if you already have data inside the folder, you can use the large gear menu and choose Propagate Permissions.  This will ensure that your data will reset with the new ACL.
    Reid
    Apple Consultants Network
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
    Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

  • ACL group permissions not propagating

    I have a group of designers that are connected to X Server running Snow Leopard.
    I have placed them in a group, "MarComm"
    I have granted everyone full read/write access. ( I can trust them all)
    I have tried to propagate these permissions..I saved the changes and restarted server.
    For some reason there are 2 sets of permissions.
    1) full access (desired configuration)
    2) "custom" access
    This "custom" access does erratic things..for ex:
    Allows the designer to pull off a job folder containing 12 items. He has permission to use 8 items, but not the remaining 4.
    Perhaps I need a step by step tutorial on how to create a proper "group" and to propagate permissions. I understand that the ACL should take precedence over the POSIX. I am not well-versed in using the terminal, but I am a careful person, and willing to try it.
    Thank you in advance

    Setting up groups in WGM is pretty fool proof.  What I would try first is to remove all of the ACL's for the folder in question first.
    Ensure that all of the files and folders within your folder have ACL's that can be removed.  If not, then you'll have to clear the ACL's on each, one at a time.
    The command to clear the ACL's from a folder and its subfiles and folders looks like this:
    sudo chmod -R -N /path/to/folder
    If you want to just remove an ACL from one file or folder, remove the -R from the command.
    To write an ACL and have it apply to all folders within looks like this: (two commands, one to add read and one to add write permissions)
    sudo chmod -R +a "groupname allow read" /path/to/file/
    sudo chmod -R +a "groupname allow write" /path/to/file/
    HTH!
    -Graham

  • Propagating ACLs to child objects via command line

    Hello,
    I have ACLs enabled on a volume and am applying various ACL rules on already existing directories. I use a script to do that.
    Some of these directories have sub dirs and files. The child objects do not pick that they need to inherit the rules unless I click on the "Propagate permissions" button in WGM. I have set the options 'file_inherit' and 'directory_inherit' in the parent objects.
    Does anyone know how can I propagate these ACLs down to all child objects/descendants from the command line without using WGM?
    I would prefer not to do it recursively if there is some other way of doing it. Thank you

    Nevermind, just use -R option, duh

  • Problems with ACLs

    I performed a fresh install of OS X Server 10.5 this morning. I have the server configured as an OD Master and have several sharepoints configured. All users are members of a specific group (in addition to their primary group being OD Users). I have added an ACL on the share points that should allow read & write privs to this group. However, the users are not receiving these permissions. The effective permissions viewer shows that the individual users have no permissions to the share point.
    Here's an example of what it looks like on my side in the permissions tab for this particular sharepoint:
    SpecificGroup Read & Write Inherited by all child folders and files
    Owner: diradmin Read & Write This folder only
    Group: admin Read & Write This folder only
    Others Read only This folder only
    Anybody have a suggestion what might be causing this?

    Please see my post here: http://discussions.apple.com/message.jspa?messageID=8456140#8456140.
    I've got an example that shows how to set read/write access with inheritance for a group of users. I also explain what inheritance can and cannot do. In short: if files are already in the share point, then newly-assigned inheritable ACLs do not propagate permissions to existing items. That's the way it's supposed to work, and propagating is fairly simple.
    Also, in your example, I don't see any ACL entries listed. Use *ls -el /path* to show the ACLs with POSIX information.
    --Gerrit
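
The `ls -el` check suggested above can be scripted to show where propagation stopped and which items carry an entry that lacks a right, such as the missing `delete` in the 10.6.8 thread earlier on this page. This is an added example, not code from any poster: the listing is constructed (its rights strings are the two quoted in that thread), and `parse_listing` and `audit` are hypothetical names.

```python
"""Audit `ls -leR` output for items an ACL entry did not reach."""
import re

# ACE line, e.g. " 0: group:Bookkeepers inherited allow list,add_file,..."
ACE_RE = re.compile(
    r"^\s*\d+:\s+(user|group):(.+?)\s+(inherited\s+)?(allow|deny)\s+(\S+)\s*$")
# Entry line, e.g. "drwxrwx---+ 3 admin  admin  102 Jan  1 12:00 some name"
ENTRY_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}[+@]?\s")

FULL = ("list,add_file,search,delete,add_subdirectory,delete_child,readattr,"
        "writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,"
        "file_inherit,directory_inherit")
NO_DELETE = FULL.replace(",delete,", ",")  # same entry without "delete"

# Constructed sample of `ls -leR .` output for a share point.
SAMPLE = f"""\
total 0
drwxrwx---+ 4 admin  admin  136 Jan  5 10:00 Invoices
 0: group:Bookkeepers inherited allow {FULL}
drwxrwx---+ 2 admin  admin   68 Jan  5 10:00 Payroll 2012
 0: group:Bookkeepers inherited allow {NO_DELETE}
drwxrwx---  2 admin  admin   68 Jan  5 10:00 Old Jobs

./Invoices:
total 8
-rw-rw----  1 admin  admin  512 Jan  5 10:00 march.pdf
"""


def parse_listing(text):
    """Return {path: [ACE dict, ...]} parsed from `ls -leR` output.

    Assumes owner and group names contain no spaces (a limit of parsing ls).
    """
    items, current_dir, last = {}, ".", None
    for line in text.splitlines():
        ace = ACE_RE.match(line)
        if ENTRY_RE.match(line):
            # Ninth field onward is the file name, which may contain spaces.
            last = current_dir.rstrip("/") + "/" + line.split(None, 8)[8]
            items[last] = []
        elif ace and last is not None:
            kind, who, inherited, verdict, rights = ace.groups()
            items[last].append({"kind": kind, "who": who,
                                "inherited": bool(inherited),
                                "verdict": verdict,
                                "rights": set(rights.split(","))})
        elif line.endswith(":") and not line.startswith(" "):
            current_dir, last = line[:-1], None  # "./subdir:" header from -R
    return items


def audit(items, kind, who, required):
    """Map each non-compliant path to the reason it fails.

    `required` should name rights shown identically for files and folders
    (delete, readattr, ...), since ls prints read/list, write/add_file etc.
    differently depending on the item type.
    """
    required, findings = set(required), {}
    for path, aces in items.items():
        allows = [a for a in aces if a["kind"] == kind and a["who"] == who
                  and a["verdict"] == "allow"]
        granted = set().union(*(a["rights"] for a in allows))
        if not allows:
            findings[path] = "no allow entry"
        elif required - granted:
            findings[path] = "missing: " + ",".join(sorted(required - granted))
    return findings


if __name__ == "__main__":
    report = audit(parse_listing(SAMPLE), "group", "Bookkeepers", {"delete"})
    for path, reason in sorted(report.items()):
        print(f"{path}: {reason}")
```

On a server, the input would be the saved output of `ls -leR` run against the share point instead of `SAMPLE`.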

  • Propagate permissions with Server Admin?

    Can someone help me change permissions using Server Admin under Mac OS X 10.5.7?
    I am able to set permissions to a single file or folder, but when I go to propagate the permissions to sub folders and files server admin just hangs. The status bar pops down and spins until I force quit. The permissions never propagate.... This is driving me nuts! ( I could do it by file by file, folder by folder but I have thousands to change.)
    Am I doing something wrong? This seemed to work fine in past versions of the OS....
    Thanks,
    Robert

    A better way to propagate permissions is to use chmod to set your ACL. See the following post for a basic example that resets ACLs and adds a new one granting read/write access for a group:
    http://discussions.apple.com/thread.jspa?messageID=9488313&#9488313
    As mentioned, you could simply change the POSIX permissions to 0777 (which grants read and write for the POSIX owner, POSIX group, and POSIX everyone fields). This solution will not apply the same permissions to newly-created files or folders and copied items, however.
    This means that you'll have to continue propagating permissions (chmod -R 0777 /example) each time a new file or folder is created or copied. Not fun.
    Using an ACL entry that has file_inherit and directory_inherit controls will ensure that the particular ACL entry is inherited to a newly-created or copied file or folder.
    See my other posts for a detailed explanation of how new, copied, or moved items get their permissions:
    http://discussions.apple.com/message.jspa?messageID=9209840#9209840
    and
    http://discussions.apple.com/message.jspa?messageID=9134807
    Hope this helps!
    --Gerrit
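
Added example (not from the posts above or from Apple): both replies by Gerrit turn on which existing items actually carry the group's ACE, so this audit reads `ls -leR` output and lists every item with no allow entry for a given group. The listing, the path /Shares/Dept and the function names `sample_listing` and `missing_ace` are constructed for illustration, and the parser assumes `ls` was given an absolute path.

```shell
#!/bin/sh
# Constructed sample of `ls -leR /Shares/Dept` output (not from a real server).
# Items with a "+" after the mode carry an ACL; their ACEs follow, indented.
sample_listing() {
cat <<'EOF'
/Shares/Dept:
total 0
drwxrwxr-x+ 4 diradmin  admin  136 Jun  1 10:00 Design
 0: group:SpecificGroup inherited allow list,add_file,search,add_subdirectory,file_inherit,directory_inherit
-rw-r--r--  1 diradmin  admin    0 May 30 09:12 old-budget.xls
drwxr-xr-x  2 diradmin  admin   68 May 30 09:12 Archive

/Shares/Dept/Design:
total 0
-rw-r--r--+ 1 alice  admin  0 Jun  2 11:30 logo.psd
 0: group:SpecificGroup inherited allow read,write,append
-rw-r--r--+ 1 bob  admin  0 Jun  2 11:31 draft.txt
 0: user:bob allow read

/Shares/Dept/Archive:
total 0
EOF
}

# missing_ace GROUP: read `ls -leR` text on stdin and print the path of every
# item that has no "group:GROUP ... allow" entry (deny entries do not count).
missing_ace() {
  awk -v want="group:$1" '
    function emit() { if (path != "" && !ok) print path; path = "" }
    /^\/.*:$/        { emit(); dir = substr($0, 1, length($0) - 1); next }
    /^total [0-9]+$/ { next }
    /^ *[0-9]+: /    { if ($2 == want && $0 ~ / allow /) ok = 1; next }
    /^[-dlbcps]/     {
      emit()
      name = $0                      # drop the 8 fields before the file name
      for (i = 1; i <= 8; i++) sub(/^ *[^ ]+ +/, "", name)
      path = dir "/" name; ok = 0
    }
    END              { emit() }
  '
}

# On the server itself: ls -leR /Shares/Dept | missing_ace SpecificGroup
sample_listing | missing_ace SpecificGroup
```

The items it prints are the ones that predate the inheritable ACE or were skipped by an interrupted propagation.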

  • ACLs to allow read/write to folders but prevent name changes folders

    Merger of two sites - need common file structure for storage - both differ at present
    I want to set up an initial number of departmental folders for clients to store files.
    Clients should not be able to rename any of these top level folders.
    They should not be able to add additional folders at the top level.
    But they should be able to write to the folders, and be allowed to create sub-folders within the toplevel folders.
    How do I set up ACLs to allow this...

    Create an ACL with a group containing all of your clients.
    At the top level of that folder, set the ACL and the Everyone group in POSIX permissions to Read Only.
    You can then change permissions on all the sub-folders as you wish. One easy example: let's say that this client has read/write access to all the subfolders, but you don't want them to have anything other than read access for the top folder. You can then set the ACL for the share point that the client group has read/write access, and propagate permissions for the ACL set.
    THEN, once you have done this, change the top folder to Read only. Do NOT propagate permissions again. Then the top folder will have read-only access, clients can't change or create folders at this level, but have full access to all subfolders.

  • IWork09 + Mac Os X Server Snow Leopard 10.6 - ACL problem

    I have a client with 6 users who are having issues saving iWork files in our MacMiniServer running 10.6.6.
    Users, in Mac OS X Server, are set inside a group, i.e. "GROUP". GROUP, in the ACL field, has Full Control of the folder, child folders, child files, and all descendants, and I propagate permissions.
    One client, member of GROUP, can save pages/numbers/preview files into server, but every time other client, member of same GROUP, try to modify that document in mainly, Numbers or Pages (and also Preview) it is giving errors, "I don't have the specific ones at this time". So we have to drag the documents to our Local Desktop, save and then drag drop back into the Server folder, we all have read and write access to these documents.
    I have seen in Server Admin File Sharing that iWork and Preview files lose their ACL information, while Office files, Archicad files and other don't have any problem.
    Anyone have any ideas?
    Thanks

    Hi Yvan!
    A few minutes ago I resolved my problem and now I'll tell you how.
    The problem isn't that several users may work simultaneously on a given document (iWork files), but my typical situation was:
    A user (X) saves a new Pages file into the server shared folder. He closes the file and Pages.
    After some time, another user (Y) goes to open that file, but for him resaving the file is impossible. Not simultaneously, but at a different time. iWork files lost their ACL.
    In my server user X and user Y are inside the same group (AAA) and, in the share folder, ACL permissions are Full Control for the AAA group.
    This morning I generated a new share point, I propagated permissions (Group AAA Full Control) to This Folder, Child Folders & Files, and then I transferred all my files from the older share point to the newest share folder. All iWork files are now working without permission problems.
