Propagating permissions

I just upgraded from OS X 10.4 server to 10.6 server. I am now having a small problem with permissions. In 10.4 I had a central drive that everyone in our office could drop files to, and anybody in the work group could open and edit those files as needed.
Since the update to 10.6, only the Owner (client that is dropping the file) has permission to read and write. Group members and all others can read only. I have to keep going to the server to propagate permissions. Once I propagate the permissions, all works great, but anytime a new folder or file is added, I have to propagate permissions for the new files.
What am I missing?

You may be running into a few different problems. So I will answer you with more questions.
Did you configure ACLs on the new volume? (In Server Admin > File Sharing > Share Points > select the share point and click the Permissions tab. You have two sections: POSIX and ACL.) Is there anything in the ACL?
What applications are causing this behavior? I assume you are on 10.6.x on the clients. I assume you are using some version of Adobe CS. I assume you are using some version of Office. What versions and do you get the behavior from all apps, including a Finder drag copy?
To provide a bit more information, 10.4 was the last version of OS X that supported inherited POSIX permissions. Since 10.5, inherited POSIX no longer works, instead making way for ACLs. Problem is that many applications do not interpret ACLs properly and will fall back to POSIX group for write access.
Hope this helps

Similar Messages

  • ACL Not Propagating Permissions to All Descendants

    I am curious why new files and folders added by users do not retain the permissions allocated to the parent folder by an ACL.
    The ACL description says that the permissions are propagated to the child files and folders as well as all descendants. But when a user logs in and creates a new item to share in a group folder, the ACL does not apply. Instead the new item takes on the individual user's permissions (Owner is the User, instead of the Group.)
    Is the new folder too far down in the directory to be considered a descendant? (3 layers deep.) Is there a known issue with Leopard users logging into a Tiger server?
    Any light shed on this issue is greatly appreciated. Thank you.

    I should add that I can remedy this problem by manually going in to Server Admin and propagating permissions on the troubled share-point, but I would rather not have to do this every time a user creates a new item.

  • Sharing a Raid and Propagating Permissions

    I have an Xserve running 10.4.11. I just recently upgraded my storage to a 24-bay Infortrend drive from my old XRaid. Everything works great except permissions at times. A shared folder will at any moment not let anyone read or write to it. So I have to go into my Workgroup Manager and propagate the permissions. Seems like the folder times out or something. What do I need to do to make this a permanent fix? Thanks in advance!
    -Ryan

    Agreed.
    But, it gets more complex on servers if you've got ACL's with different groups, etc.
    I'm trying to get up to speed using the terminal when the GUI fails on propagating big directories.
    Such an odd thing really - you'd think this would be pretty easy to fix, but even on the latest tools, it still happens.
    Scott

  • Need help with ACLs and propagating permissions

    I'm currently setting up our new server, for which we're moving away from Windows entirely (both on the server and user workstation ends), and I'm currently having some questions about permissions. I've been scouring the OS X Server Advanced Admin pdf, but there are numerous holes in the exposition of permissions from the ACLs down to the proper way to propagate permissions when a manual touch is required. What I'm trying to do is allow one group to have read access only until they get to a certain subdirectory, at which point they can then write to that level; then for the second group, they only need read access for a specific folder down the line from the starting directory. I'll include some example images with a test folder I've created so that it may be a little easier to understand what my goals are with the Server app's permissions. Thank you in advance for all your help.

    You need the advanced permissions editor.  You are trying to convert inherited permissions to explicit.  If I understand what you want, you would go about it like this.
    You have two groups; GroupA and GroupB.  GroupA is the limited group.  You want them to be able to read everything and write to limited locations.  GroupB can read and write everywhere.  So based on your example, you would do this to start:
    At the parent folder level, you are defining GroupA to be able to read and GroupB to read and write.
    Now to drill down.  In Server.app select your server.  This is the first item in the side bar.  On the right, choose Storage.  Drill down to where your shared folder is located and select it.  From the Gear menu, choose Edit Permissions as shown here:
    You will note that GroupA and GroupB are both gray.  This denotes that they are inherited entries at this level.  You must break the inheritance and start over.  To do this, press the small gear icon on the edit permissions sheet and choose "Make Inherited Entries Explicit."  GroupA and GroupB will turn black, allowing you to edit them.  Change GroupA from Read to Read Write.  Press OK to close the sheet.
    Now, if you already have data inside the folder, you can use the large gear menu and choose Propagate Permissions.  This will ensure that your data will reset with the new ACL.
    Reid
    Apple Consultants Network
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
    Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

  • AD permissions/Leopard 10.5.2/New Xserve

    Hi all.
    I have a win2k AD which appears to be running normally, I have three DC and they all sync with each other so all is good. I have put in an Xserve running 10.5.2 and have successfully added it to the AD using Directory Utility.
    I have AFP and SMB service running. Due to the ongoing problem with 10.5.2 and ACLs and SMB in general I’m using POSIX permissions on my test shares (new server, still at the testing stage). I was told the best thing to do was set up a new user group in AD, populate it with desired users then on the Xserve, using Server Admin drag this new group from the User and Groups window onto the default group in the POSIX permissions list thus providing access to all members of this “dedicated” group to the test shares on the Xserve. Great.
    The problem is that the Xserve does not seem to recognise when members have been removed or added to this group in the AD. Users who have been removed can still access the shares points even after they’ve been removed from the AD group created just for this purpose.
    I have propagated permissions (Group name and Group permissions only, ACL box unchecked), restarted AFP and SMB services, removed the Xserve from AD then rebound it, ditched “ActiveDirectory.plist”. Rebooted. I’ve run out of ideas!
    I know the AD is working because I’ve tested the group/member access using Win2sever and XP clients.
    I need help!
    Any ideas?
    Paul.

    sacha prins wrote:
    How can you say that? Have you actually read all the problems people are having on this discussion board and on the 'net with Leopard?
    People that don't have problems rarely post to the forums that are devoted to solving them. Millions of people are using Leopard. Do you think it would be the most successful Mac OS release ever if the problems were so widespread?
    There are bugs in it but most of the problems end up being traced to issues that don't have anything to do with the OS itself: incompatible or out-of-date software running with it, file corruption, bad preference files, mis-set permissions, even user errors.
    Before deciding you are suffering from a bug in the OS, consider the normal troubleshooting techniques that apply to every version of OS X: run Disk Utility's First Aid tests, create a new user account for testing, check your apps & utilities for updates or information about Leopard compatibility, etc.
    When you post about a problem here, be sure to include relevant details, like your make & model of Mac, what software you are running when problems occur, any patterns you notice in when or how it occurs, anything unusual you have installed, etc. Don't assume somebody else's problem is caused by the same thing as yours, even if the symptoms are the same. It may be, but until we can spot commonalities, it isn't a safe assumption.
    And don't forget, every OS Apple has ever released has been condemned by some as the worst ever.

  • Allow other users to create subfolders in Public w/ correct permissions?

    Hi,
    I have a Public sub-folder called "Shared" which is set with permissions Everyone: Read & Write. Everyone in my workgroup should be able to have full access control to content in this folder.
    This works great, except when someone else creates a subfolder, so that there is a structure like:
    Public > Shared > Widgets
    If I create the Widgets folder and save a document into it, it has the correctly propagated permissions (Everyone: Read & Write). However, if someone else in my workgroup creates the Widgets folder and saves a document into it, it has incorrectly propagated permissions (Everyone: Read Only).
    Is there a way to adjust my settings so that Read & Write applies not only to documents within "Shared", but to any subfolders that "everyone" creates?

    More like:
    $ chmod +a "everyone allow add_file,add_subdirectory,file_inherit,directory_inherit" /Users/Shared
    See http://www.afp548.com/article.php?story=20050506085817850&mode=print for more details.

  • Permissions issues?  !!sabotage!!

    Colleague phoned at end of day - "was I working on server?" - she had been connected all day, but now could not create a new folder on a share...
    she could access all folders and read but not write...
    she is member of group with read/write privileges.
    I logged in as her and confirmed this, logged in as her co-worker, he retained full access.
    Permission inspector revealed that about half of 36 employees had somehow lost read/write permission and downgraded to read only.
    I created another version of the staff group (renamed it), added to the ACL, this too had read only for certain staff members.
    Propagating permissions did not help...
    Adding the 36 staff as individuals rather than as a group allowed me to give them read/write access, but clearly 36 was slow - if one had a larger workforce this would be totally unacceptable... I would rather work with groups or department teams than individual accounts.
    This is third time in six weeks that permissions have been lost.
    I'm in a transitional role looking after a system set up by a late colleague - I cannot believe that this situation is down to my stewardship.
    Is it possible that an employee is somehow tweaking permissions to make me look bad? !!just my PARANOIA!!
    I did change existing passwords after last incident...
    Any guidance, please?

    GWD2008,
    I too am having permissions issues with Front Row, iTunes, and iLife; it happened just after the update. However, researching the problem, they are just shortcuts to original files. On the original files the permissions are correct, and the reason the permissions are wrong on the shortcuts is because of the little l. I was unable to fix the permission error myself in Terminal and in Finder. And in my opinion, as long as the programs are running with no problems, it's nothing to be too concerned over. As for ACL or SUID files, you can just ignore them according to Apple. See this link: http://support.apple.com/kb/TS1448
    Resolution
    You can safely ignore any "SUID file" or "ACL found but not expected..." message. These messages are accurate but are not a cause for concern.

  • Clients can't save to the server, access denied no permissions, how to give permission?

    I set up my school lab with an Xserve 10.6.8. Everything was fine in terms of the users logging in to their respective groups. However, they weren't able to save anything to the server; they had access denied errors or "you don't have permissions", and even the keychain app was giving the users an error that said it couldn't save to reset to default values. Anyhow, I tried using the Server Admin application to propagate permissions, selected the hard drives and propagated permissions by clicking all the selections in the dialog. Now the server won't start and only shows the grey Apple and the spinning gear. Please help, I am so frustrated, I was so close to having this server running. All I want is to be able to have the students in my school log in to the server from the computer lab and save their work on the server. Simple service; I have AFP, OD, DNS and SMB running. I don't know if SMB is necessary either.

    Yes, I created the users using the WGM home tab and then clicking on "create home now" and then save. No, I didn't use Terminal with the command; maybe that's one of the things I needed to do so that the problems with permissions wouldn't show. I used the secondary HD to create the sharepoint folder "Users" and that's the folder I used when creating the home directory for that specific part of the setup. My setup is pretty simple: I just want a Groups folder (sharepoint) where I can store the different grades or classes that come to my lab, and I have a "Users" folder (sharepoint) that the kids can use to log in and save their work. Later, I may add another folder to place videos so that the folder can mount when they log in and all they have to do is go to the folder and double-click on the video. Can you elaborate more on how to use the command with Terminal? Would the "a" be the name of the sharepoint? I created the folders using Server Admin; I believe that after clicking on the sharepoint button, there is another button that says "new". Would that be the correct way to do it? When I get back to school tomorrow I will post more specifics on the way that I set up the server and maybe it will give you a better picture of how I did it.
    I really appreciate your assistance, I am trying to use the limited knowledge I have to setup this lab which will enable me to do a lot of things with the kids and make their lives easier, so they don't have to bring flash drives to save their work. Thanks again for your time!

  • How do you properly propagate permissions on an Xserve 10.6.8?

    I finished setting up my school computer lab with an Xserve 10.6.8. The client Macs were logging in to the servers into their groups, and all sharepoints were fine except that the users weren't able to save anything to the server, getting an error saying that the client didn't have permissions to see administrator. So I used Server Admin, selected both hard drives and propagated permissions to all the items in each drive. I checked every box on the dialog I got when I selected propagate. I don't know if I shouldn't have done that, probably not; in any case, after I did that the clients were able to save their files to the server. Now the server will not boot, and stays on the grey Apple logo with the spinning gear. I was so happy and excited I was able to set it up until this happened. I booted from an external drive and ran DiskWarrior but it didn't do much. I also ran Disk First Aid and it said it repaired the disk, then I ran the repair permissions on both drives. I hope it works when I go back to school Monday. This mess was a result of clients not being able to save anything to the server, so I thought it was a permissions issue. Any help or assistance on this matter will be deeply appreciated.

    What OS are you running? If 10.7 or later, Rosetta isn't an option.
    Look on the Snow Leopard DVD, Rosetta was an optional install.

  • NFS does not have permissions

    I have been running 10.4.7 on an Xserve. I just upgraded to 10.4.8 and all of my SGI workstations cannot write to the disk. The permissions are restricted. I have propagated permissions and still no luck. I'm in serious trouble with this; we have no workaround. NFS was working until this upgrade. HELP. I checked the permissions and it says that they all have read and write permissions. On my remote Mac that I access the server from, it can read and write to the files (AFP), but on the NFS side, no luck.
    When I go to the Server Admin and list the computer & services, I try to stop the NFS and the button never allows you to stop the NFS service. This used to work. I am at a loss how to correct this.
    G4   Mac OS X (10.4.8)  

    Max:
    Have you checked the filesystem integrity of the volume that houses the troublesome share point? You can use Disk Utility (select volume, First Aid tab, click Repair Disk) or diskutil repairVolume /Volumes/<name> to do so. This will require that you stop any file services that use the volume, so it will be disruptive to your users.
    If you're using ACLs, you may want to try unmounting and remounting the affected volume or simply restarting the server. This will force Mac OS X Server to reload the permissions model on that volume.
    --Gerrit

  • "Inherit Permissions From Parent" doesn't work

    In OS X 10.5 server, selecting the option for an AFP share to inherit permissions from its parent does not work for users on OS X 10.3. All files created by users running 10.3 have 755 permissions, regardless of the parent folder's permissions.
    Clearly, this rather dramatically reduces the utility of AFP in 10.5 Server for anyone with users running OS X 10.3.
    OS X 10.3 server did not have this problem.
    Manually propagating permissions is futile for two reasons. First, the needed set of nested permissions is complex enough that propagating them manually would take hours, and secondly there would be intervals between the propagations when documents would not be accessible to the right people.
    Consider a drastically simplified example:
    Imagine a share named "Share" with a folder inside it named Admin. Inside the Admin folder might be two additional folders named Accounting and Personnel. Inside Personnel there are folders named Performance Review and Forms. It would look like this:
    Share
    -- Admin
    ----- Accounting
    ----- Personnel
    -------- Performance Review
    -------- Forms
    Now consider several groups: Employees, Accounting, HumanResources
    Employees should have read write access to Share, and everything under it unless more restrictive permissions are explicitly created. Only the Accounting group has access to Accounting, and everything in Accounting should only be accessible to Accounting. Performance Reviews should only be accessible to the HumanResources group, but Forms should be accessible to all Employees.
    Now a member of the employees group saves a new file in the Forms folder, but the group doesn't have, and needs, read/write privileges. To fix this the permissions from Share can't be propagated to all the files and folders inside it because that would nuke the special privileges for Performance Reviews and Accounting.
    It might be conceivable that every n minutes a script could run that would recurse, depth first postorder, through the hierarchy assigning all files in each folder the permissions of the enclosing folder, but there are at least two problems with that. First, it would be slow and between runs the files wouldn't have the right permissions. Second, sometimes we might want a file to have special explicitly specified permissions that differ from the parent, but it would be terribly cumbersome to specify the exceptions for this sort of script.
    POSIX behavior also doesn't solve the problem because it will set the same permissions as we're seeing already, there's no obvious way to change the default permissions, and doing so would have security implications elsewhere on the server if that "umask"ish setting couldn't be specified exclusively for the share.
    Inherited permissions would solve the problem, and have solved the problem under past versions of OS X server, but they don't work on 10.5 with 10.3 clients.
    Does anyone know of a workaround or have any additional details?

    glad someone else is experiencing this, I'm having the same problem with inherit from parent.
    I was going to start using inherit because Leopard has ruined ACL's, Leopard clients don't honour the deny delete subfolders and files ACE, basically the leopard permissions systems seem to be flawed

  • Schedule permissions propagations

    Hi guys, hoping someone can help me here.
    We have a Mac Server running OS X 10.6.8. We use it as a file server and have it set up using an 8TB RAID volume. Within this volume we have an archive folder that only certain people within the organization have write access to; everyone else has read only. This is set up using an ACL. From time to time someone who has write access will move a file/folder to the archive and it will copy its previous permissions with it (full access for everyone). This is easily sorted by propagating permissions using Server Admin.
    What I want to do is set up an automatic task that does this daily. I have been researching:
    1. a terminal command that will do this and
    2. how to run it as a scheduled task.
    If anyone could point me in the right direction I would be very grateful!
    Thanks
    Adam

    Some search hints, per request...
    You could use launchd to schedule the task — with the launchd entry generated via the Lingon tool, or by editing and entering the plist data manually — there are examples of launchd and launchctl commands around — and then a shell script (running as root) that does something akin to the following shell script:
    #!/bin/bash
    chmod -R u=rwx,g=rwx,o= /path/to/files
    chown -R user:group /path/to/files
    The launchd stuff is a cryptically-formatted wad of data for which Apple still provides no tool to generate, but it's pretty easy to generate the stuff manually after some research into the format, or use the Lingon or similar tool to generate the plist for you.
    You could also have a script (bash or AppleScript) trigger when the directory is modified, as an alternative approach.
    You could also use the periodic stuff — at the command line, issue man periodic with a very general overview of periodic here — to invoke the script nightly without needing the plist.
    Somebody has probably already written this tool, too.
    Alternatively, you could provide the users with a tool which migrates the files, and sets things up appropriately to start with.  That might be a droplet, some Python or such, or an AppleScript.  Related discussions here and here.  (The droplet means the users drag the file onto the script icon, and the script then moves the file to the archive file and prepares and protects it appropriately.)
    Hopefully you now have a few more search targets for your research...
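
The scheduled approach from the reply above, as an added example that is not part of the original thread: rather than a blanket `chmod -R`, it strips world-write only from items that still carry it, prints each path it changed, and writes the launchd plist by hand. The label `org.example.archive-perms`, the script location and `/Volumes/RAID/Archive` are placeholder assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Label, paths and hour are placeholders.

# Remove world-write from anything under the archive that still carries it
# (items moved in with "full access for everyone"). Prints each path it
# changed, so the output doubles as a record of what arrived too open.
tighten_archive() (
    dir=$1
    case "$dir" in
        /)  echo "refusing to run on /" >&2; exit 2 ;;
        /*) ;;
        *)  echo "archive path must be absolute" >&2; exit 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    # Skip symlinks: chmod would follow them and change the link target.
    find "$dir" ! -type l -perm -002 -exec chmod o-w {} \; -print
)

# Write a LaunchDaemon plist that runs SCRIPT against ARCHIVE once a day at
# HOUR:00. OUTDIR is /Library/LaunchDaemons on a real server.
write_launchd_plist() (
    label=$1 script=$2 archive=$3 hour=$4 outdir=$5
    # Values are pasted into XML, so accept only plain names and paths.
    case "$label" in
        ''|*[!A-Za-z0-9._-]*) echo "bad label" >&2; exit 2 ;;
    esac
    case "$script$archive" in
        *'<'*|*'>'*|*'&'*) echo "bad path" >&2; exit 2 ;;
    esac
    case "$hour" in
        ''|*[!0-9]*) echo "bad hour" >&2; exit 2 ;;
    esac
    [ "$hour" -le 23 ] || { echo "bad hour" >&2; exit 2; }
    cat > "$outdir/$label.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$script</string>
        <string>$archive</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>$hour</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
</dict>
</plist>
EOF
)

# Entry point. With no arguments the file only defines the functions.
#   sh archive-perms.sh /Volumes/RAID/Archive
#   sh archive-perms.sh --write-plist org.example.archive-perms \
#       /usr/local/sbin/archive-perms.sh /Volumes/RAID/Archive 2 /Library/LaunchDaemons
# then: launchctl load -w /Library/LaunchDaemons/org.example.archive-perms.plist
case "${1:-}" in
    "") ;;
    --write-plist) write_launchd_plist "$2" "$3" "$4" "$5" "$6" ;;
    *) tighten_archive "$1" | logger -t archive-perms ;;
esac
```

Because launchd runs the job as root, both the plist and the script it names should be owned by root and not writable by group or others.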

  • Propagate permissions with Server Admin?

    Can someone help me change permissions using Server Admin under Mac OS X10.5.7?
    I am able to set permissions to a single file or folder, but when I go to propagate the permissions to sub folders and files server admin just hangs. The status bar pops down and spins until I force quit. The permissions never propagate.... This is driving me nuts! ( I could do it by file by file, folder by folder but I have thousands to change.)
    Am I doing something wrong? This seemed to work fine in past versions of the OS....
    Thanks,
    Robert
    Message was edited by: Robert LaRocca

    A better way to propagate permissions is to use chmod to set your ACL. See the following post for a basic example that resets ACLs and adds a new one granting read/write access for a group:
    http://discussions.apple.com/thread.jspa?messageID=9488313&#9488313
    As mentioned, you could simply change the POSIX permissions to 0777 (which grants read and write for the POSIX owner, POSIX group, and POSIX everyone fields). This solution will not apply the same permissions to newly-created files or folders and copied items, however.
    This means that you'll have to continue propagating permissions (chmod -R 0777 /example) each time a new file or folder is created or copied. Not fun.
    Using an ACL entry that has file_inherit and directory_inherit controls will ensure that the particular ACL entry is inherited to a newly-created or copied file or folder.
    See my other posts for a detailed explanation of how new, copied, or moved items get their permissions:
    http://discussions.apple.com/message.jspa?messageID=9209840#9209840
    and
    http://discussions.apple.com/message.jspa?messageID=9134807
    Hope this helps!
    --Gerrit

  • Propagate Permissions...

    Workgroup Manager has stopped giving me the option to propagate permissions. It's just grayed out. What have I done?

    Hi
    As the other post has already advised. However there is another possibility. Propagating permissions may be grayed out because (a) you have disabled ACLs or somehow ACLs have been disabled (b) there is a problem with the drive/directory structure. If you are only using standard POSIX permissions then look under the Protocols tab and re-define them from there. If ACLs are enabled, disable them, Save, unshare any sharepoints and restart the server. Re-enable them, Save, re-share share points and restart the server.
    If there is a problem with the drive/directory structure, boot from the installer disk and run DU's repair disk on all volumes as well as repairing privs/permissions for the boot drive. Consider using something more robust in addition to DU, something like DiskWarrior, Drive Genius, TechTool Pro etc. You may be ultimately looking at backing up, reformatting and reinstalling. If all of your drive bays are not full you could purchase a similar or larger sized drive, install that, clone the existing server drive over and boot from that to see if the problem goes away. If you are going to clone a server boot drive make sure it is not active. Target disk mode is a good method of doing this.
    Hope this helps, Tony

  • Hard Drive Died - After Rebuilding Wiki & Blog Not Working

    My Snow Leopard Server hard drive died.
    I did a clean install of Snow Leopard on a new drive.
    I then created fresh accounts and settings similar to my old server manually.
    I then copied over content from a backup.
    I copied over the following folders:
    /Library/Web Server/Documents
    /Library/Collaboration
    I made sure the settings looked correct (although I noticed that the collaboration GUI has changed from when I originally created the site back on 10.5, so maybe I missed something) and restarted the server.
    Static pages of website works fine, mail works fine, etc.
    But when I attempt to go to a blog or wiki page I get an animated gif showing the startup spinning gears with a message that says "Server starting up..."
    Even the root web page "/groups" page just displays the Server starting up... message
    Logs don't seem to be helpful.
    I am thinking there is probably a folder or domain reference in one of the wiki plists that uses an index value instead of a folder path or something like that, so the server can't find the wiki content.
    Ideas?

    Figured it out.
    Luckily I had the foresight to make a backup copy of the clean install collaboration folders before I copied my collaboration folders from my older server over.
    I noticed one key difference:
    My files were owned by root (as that is how I copied them from backup)
    And the clean install collaboration folders were all owned by _teamsserver
    I changed the owner on my folders to _teamsserver, verified the appropriate r/w settings for the different sub-folders and propagated permissions down.
    restarted the server, and all was well.
