WebDAV and ACLs

I'm writing some software that uses WebDAV to access data on iFS. I would like to be able to retrieve ACL data with WebDAV calls, but I can't see how to do this. Although I can retrieve file properties (with the PROPFIND method), they don't seem to include any ACL data.
There is a proposed extension to WebDAV that covers ACLs (see http://www.webdav.org/acl/). It outlines an additional ACL method (a WebDAV HTTP extension) for retrieving ACL data. However, when I've tried this, I get a response 500 Internal Server Error, subsequent WebDAV requests get a 503 Service Unavailable, and I have to re-start server-side processes!
Is there any way to retrieve ACLs from iFS with WebDAV?

Thanks, Matt.
It would be nice if sending an unsupported request didn't crash anything. Try opening a telnet connection to the relevant port and sending this:
ACL /some/file/that/exists HTTP/1.1
Host: whatever
<-- blank line
I would expect the response 501 Not Implemented, but I get 500 Internal Server Error, further requests give 503 Service Unavailable, and I have to re-start things.

Similar Messages

WebDav and ACL's problem

Hello,
i've the folders:
..\test\a
\b
The subfolder "a" has other ACL's than "b". User
"A" has an ACL to access "a" but not "b" and user
"B" has one to access "b" but not "a".
With WebUI and SAMBA, user "A" can only see subfolder
"a" and "B" can only see subfolder "b", witch
is ok.
With WebDAV user "A" and "B" can see subfolder "a"
and "b" and the have read/write access to both
subfolders, witch is not ok.
Please had someone an idea what could be wrong ?
Sincerly
Robert Brandl

I have applied an acl that allows access to one server as well as ICMP. When I apply it to the guest VLAN, I have connectivity issues. As in I cannot access the servers to which I gave explicit permission to access.
When I remove the ACL, I can connect to the remote servers.
I finally decided that a ACL on the WLC was not the way to go as I could not find supporting docos on the WLC 4.X software. So, I applied VACLs to the VLAN for the Guest WLAN and it works.

Authentication to XML DB via WebDAV and SSO

Hi,
Is there any way to be authentified by XML DB via WebDAV and SSO ?
If the access to our infrastructure of database servers is controled by SSO, once I'm authentified by OID (SSO), is it possible to pass that authentification to XML DB through standard port 8080 ?
Thank you for your help

This is planned for a future (not 10g) release

Errors found when using tar and ACL's

Having difficulties with TAR and ACLs, and wondering if anyone had seen this before.
Here's the scenario: create a few directories and a few files. Tar it up and extract the files. Now assign some ACL's to them (some default for directories), tar it up, and extract the files. Permissions should remain the same. Under most circumstances they are.
Now repeat the procedure, but put a default directory ACL on the parent directory where the TAR is created. What happens is that the group permissions for anything un-tared gets trashed.
Here's a script to test it out.
Create a dummy user (I called mine foobar) -- required for setting ACL's. Run the script with the "-d" option at first. Things appear good. You can compare the permissions on the bottom for each file/directory.
Run the script with the "-s" option setting default ACL's on the parent.
#!/usr/bin/sh
ROOTDIR=/export/home/christian/config
TESTDIR=/export/home/christian
USER_X="oam"
# Run the script once with normal permissions (no ACL's) in the test directory (where tar is located)
# --> ./test.sh -d
# look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
# They should be relatively the same:
# --> rwxrwxrwx permissions on directories
# --> rw-rw-rw- on files
# Now run the script but set the parent directory of the script (where the TAR's are located) to have default ACL's
# --> /opt/MMSsyscnf/sub2dir/test/test.sh -s
# Now look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
# They are COMPLETELY skewed. Both times we tried to untar the files, ACL's wound up
# all over the place and permissions were not set correctly.
# --> rwxrwxrwx permissions ONLY on original directory (not the product of an UNTAR)
# --> rwxr--rwx permissions on directories created by untar
# --> rw-rw-rw- on files ONLY on original directory (not the product of an UNTAR)
# --> rw-r--rw- on files created by untar
# ****** Why is group affected by this, but "other" is not?! It's gotta be a bug!
# MAIN
ACTION="NOPREP"
while [ -n "$1" ]
do
if [ "ABC$1" = "ABC-d" ]; then
#flag set to try and remove default directory ACL's
setfacl -d u:$USER_X $TESTDIR
setfacl -d d:u:$USER_X $TESTDIR
setfacl -d d:u::,d:g::,d:m:,d:o: $TESTDIR
elif [ "ABC$1" = "ABC-s" ]; then
setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $TESTDIR
setfacl -r -m d:u:$USER_X:rw- $TESTDIR
setfacl -r -m u:$USER_X:r-x $TESTDIR
fi
shift;
done
# clean up previous run of the test
rm -r $ROOTDIR
# create files/directories
mkdir $ROOTDIR
mkdir $ROOTDIR/sub1dir
mkdir $ROOTDIR/sub1dir/sub2dir
mkdir $ROOTDIR/sub1dir/sub2dir/sub3dir
#set permissions
chmod 777 $ROOTDIR
chmod 777 $ROOTDIR/sub1dir
chmod 777 $ROOTDIR/sub1dir/sub2dir
chmod 777 $ROOTDIR/sub1dir/sub2dir/sub3dir
# create files
echo "" > $ROOTDIR/sub1dir/sub2dir/file1.txt
echo "" > $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
chmod 666 $ROOTDIR/sub1dir/sub2dir/file1.txt
chmod 666 $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
# tar/zip the files:
/usr/bin/tar -cvf $ROOTDIR/tarBeforeACLs.tar $ROOTDIR/sub1dir
/usr/bin/gzip $ROOTDIR/tarBeforeACLs.tar
# move the directory (so we keep the original as a template of what things should look like)
mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_orig
# untar/zip the files:
/usr/bin/gunzip $ROOTDIR/tarBeforeACLs.tar
/usr/bin/tar -xvf $ROOTDIR/tarBeforeACLs.tar
ls -lR $ROOTDIR
# Ok. These have been tested to be the exact same.
echo "********************************************************************************"
echo "********************************************************************************"
echo "********************************************************************************"
# Let's try using ACL's now
# --> directories (owned by root) must be acessible to OAM user.
# --> files (owned by root) must be read/writable by user OAM when created in the directories
setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir
setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir
setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir/sub3dir
setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/file1.txt
setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir
setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir
setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir
setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir
setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir/sub3dir
setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir
# here are things as they stand
ls -lR $ROOTDIR
echo "********************************************************************************"
echo "********************************************************************************"
echo "********************************************************************************"
# tar/zip the files:
/usr/bin/tar -cvfp $ROOTDIR/tarAfterACLs.tar $ROOTDIR/sub1dir
/usr/bin/gzip $ROOTDIR/tarAfterACLs.tar
# move the directory (so we keep the directory that was applied ACL's)
mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_acl
# untar/zip the files:
/usr/bin/gunzip $ROOTDIR/tarAfterACLs.tar
/usr/bin/tar -xvfp $ROOTDIR/tarAfterACLs.tar
# here are things after we've untared them
ls -lR $ROOTDIR
echo "********************************************************************************"
echo "********************************************************************************"
echo "********************************************************************************"
getfacl $ROOTDIR/sub1dir_orig $ROOTDIR/sub1dir_acl $ROOTDIR/sub1dir
echo "********************************************************************************"
getfacl $ROOTDIR/sub1dir_orig/sub2dir $ROOTDIR/sub1dir_acl/sub2dir $ROOTDIR/sub1dir/sub2dir
echo "********************************************************************************"
getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir $ROOTDIR/sub1dir_acl/sub2dir/sub3dir $ROOTDIR/sub1dir/sub2dir/sub3dir
echo "********************************************************************************"
getfacl $ROOTDIR/sub1dir_orig/sub2dir/file1.txt $ROOTDIR/sub1dir_acl/sub2dir/file1.txt $ROOTDIR/sub1dir/sub2dir/file1.txt
echo "********************************************************************************"
getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir_acl/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
echo "********************************************************************************"
Any ideas?

UFSDUMP has some limitations, including being on a file system that is read-only. Yes, I could force it on a read-write FS, but I normally stay away from big sticker labels found in man pages when I encounter them. :-(
What I was originally after was a script that makes a backup of application configuration files before I modify them. Thus, I tar/zip the directory.
These config files/directores have ACL's attached to them to allow various roles to access them (group permissions are not fine-grain enough). However, when I ran through a couple of tests, I came across a scenario that overwrote the original permissions. Tested it on Solaris 10 and Solaris 9, and both fail.
So now (very late into the feature design) I'm VERY concerned about using ACL's on Solaris, and wonder what other side-effects there are that I'm not aware of. Can't seem to find a bug report on it, so I thought I'd ask around to see if it was just the behaviour of the TAR/ACL that I'm not quite getting, or if it really is a bug.
/chris

Role based security and ACLs

Hello,
I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
So:
1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
Your response is appreciated.

Hello,
I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
So:
1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
Your response is appreciated.

Document browser and ACL Authorization

Dear friends,
We are working on ECC 6.0 and required to implement SAP DMS. As of with every ERP 2005 default two features are coming, document browser and ACL Authroization. These features are not required by users, so we need to de-activate these. We have a note for these wherein it is mentioned that one of the component is required to upgrade. We dont want to go with this. If any note is there by applying which we can de-activate those features will be well and good, instead of upgrading component.
Regards,

Dear Tushar,
This t-code will be enable only after support pack SAPKGPAD11 or greater version is implemented. Our client is not in the position to upgrade, by implementing support packs. Alternate solution if any, pls suggest. By applying any notes if we can de-activate these features, let us know.
Regards,
Punam

Activate Document Browser and ACLs

Hi all,
I want to activate the Document Browser and ACLs tab in the DIR.
I have followed CAC--> Document Management --> Control Data --> Activate Document Browser and ACLs and then I've maintained "X" for each tab, but in the DIR nothing appear.
Have you any suggestions?
Thanks,
Marco.

Hi,
In this activity, you can activate the document browser and ACLs independently of one another.
When you select the indicators, the tab pages Document Browser and Authorizations are available in document editing.
The document browser contains the folder structure of SAP Easy Document Management, which you can use to edit documents. For more information about the document browser, see SAP Library under SAP ERP Central Component -> Cross-Application Components -> Document Management -> Document Browser.
You use ACLs to pass on access rights that you created for a particular folder to other folders in the same structure. For more information about ACLs, see SAP Library under SAP ERP Central Component -> Cross-Application Components -> SAP Easy Document Management -> Work with SAP Easy Document Management -> Authorizations in SAP Easy Document Management
Also check ,
As of SAP ERP 2005, all ACLs are automatically available in SAP Easy Document Management and the back-end system. As of SAP R/3 4.7, it is possible to implement ACLs and you have to implement ACLs up to SAP ERP 2005 (see SAP Note 798504).
http://help.sap.com/saphelp_erp60_sp/helpdata/en/7c/4ca9429888b111e10000000a155106/frameset.htm
https://www.sdn.sap.com/irj/scn/wiki?path=/display/plm/newFunctionalitiesinERP2005
Benakaraja ES
Edited by: benaka rajes on Jun 11, 2009 10:48 AM

Webdav and Win7

Dear Experts,
I am trying to configure webdav on windows 7 and followed suggestions at here, here and other administration guides and still facing connection issues.
Can someone give me some tested pointers on how to configure webdav on win7.
Thanks,
Srikanth.

Hi Srikanth ,
DIS also behaves the same way as WebDAV and it provides far more functionalities compared to native WebDAV .
If you have UCM 11g server then go to Administration - Component Manager and enable Desktop Integration Suite component , restart the server .
Then from UCM - My Content Server - My Downloads - select DIS client and install it .
From DIS client create the server connection (exactly same as WebDAV)
With this you can bulk upload as many contents as your requirement is just like the way is done with native .
Hope this helps .
Thanks
Srinath

Reset Pasword - do I need to reset Directory Permissions and ACLs?

I reset the password as described below on my mom's computer, as she forgot it.
http://support.apple.com/kb/HT1274
I did not reset Directory Permissions and ACLs.
Do i need to do this?
Thanks!

JulieK23 wrote:
I reset the password as described below on my mom's computer, as she forgot it.
http://support.apple.com/kb/HT1274
I did not reset Directory Permissions and ACLs.
Do i need to do this?
only if there was something wrong with them. otherwise this is quite independent of resetting the password and is not necessary if all you need is to reset the password.
Thanks!

Reset Home Folder Permissions and ACLs spinning forever

Hi, all.
The performance of my Intel iMac (circa 2008 or so) had degraded quite a bit, so I decided it was time to reinstall Snow Leopard. Did so, then restored my apps and documents via Time Machine. Suddenly, it was impossible to launch most applications (Chrome, the App Store, etc.) Repairing permissions using Disk Utility did not help.
Upon reading an article on this, I booted from the Snow Leopard disk, entered the Reset Password utility, and attempted to Reset Home Folder Permissions and ACLs. The process has been running for several hours with no end in sight and no error message. Is this normal? And if not, what should my next step be?
Thanks so much!

Do a force shutdown holding the power button and reboto to get into the machine (might have to hold Shift Key) and get a copy of your users files off and onto a external storage drive (not TimeMachine)
Then start all over using this method select the entire drive to zero erase and install, that should clear the bad sector issue it appears your having.
How to erase and install Snow Leopard 10.6
Do not restore anything from TimeMachine, it's corrupted data, reinstall all apps fresh from original sources and only files (you know are good) from the storage drive.
This is known as a "fresh install method" later you can update TM to backup this newer and cleaner configuration.
Why is my computer slow?
For Snow Leopard Speed Freaks
once you get all tweaked, clone it.
Most commonly used backup methods
https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

Webdav and InCopy compatible?

My company has had continual problems with file sharing externally.
We tried Dropbox and Xythos. Dropbox lets you save multiple versions of the same problem which causes obvious problems when 5 people are working simultaneously. Xythos was giving our off-site mac user download problems.
It's now been proposed that we use WebDav as our file sharing place. Does anyone know if this will mesh with InDesign and InCopy? I'm worried that the fact that you have to download a file will prevent the InDesign user from working while the editors are in InCopy. Or if there are multiple InCopy files in one InDesign file, only one person will be able to work on any of those at once, right?
Has anyone used this software?
Thanks!!
Kate

hi BWer,
check sap help ?
http://help.sap.com/saphelp_bw33/helpdata/en/9e/9f653ade969f4de10000000a114084/frameset.htm
You can access pre-calculated HTML pages in different ways:
· Using the BEx Download Scheduler
SAP recommends that you use the BEx Download Scheduler as an assistant when you download pre-calculated Web templates as HTML pages from the BW server. More information is available under Offline Scenario.
· Using a Web folder
As an alternative to the BEx Download Scheduler, you can also use the WebDAV Service of the document storage facility in the content management framework, to store pre-calculated HTML pages locally and easily. (Restricted) offline reporting options are available using this method. You can find further information about the WebDAV service under Implementing External Tools . See also: WebDAV (World Wide Web Distributed Authoring and Versioning). You can find additional information about this procedure under Downloading Web Templates Using WebDAVs and Web Folders
WebDAV (BW-BEX)
http://help.sap.com/saphelp_bw33/helpdata/en/e9/440042fe7cd511b1250008c784efb1/content.htm

Webdav and xdb, xml-files are automatically deleted (or hidden)

Hi All.
In our project we have mounted webdav from a Linux box against an IBM database server running AIX and Oracle 11g.
The file system on the Linux box is mounted to the xdb-schema on the dbserver.
When placing xml-files into the database through the webdav-catalogue on the Linux-box the files are copied over, but almost immediatly removed (or hidden) from the target directory in the database.
I´m thinking there might be a trigger that tries to validate the xml-file against an xsd that isn´t registered in XDB. The reason for this is that when suffixing these files with something other than .xml the files are kept visible to all users.
What I´d like to know is how to disable this check/trigger, and which trigger does this.
Can anybody tell me if my assumtion is correct, and if yes, how to disable this checking?
Our users in the project will also be given access to folders through this webdav mount, and they will use this as a storage space for other xml-files as well. Files we do not have xsd´s for. Another function for this webdav directory is to serve as a source directory for ODI, and ODI validates the files against the xsd when transferring data to the database, so we don´t need this extra validation in the database.
Thanks,
Bob

Hi,
What's the database version? (select * from v$version)
When placing xml-files into the database through the webdav-catalogue on the Linux-box the files are copied over, but almost immediatly removed (or hidden) Does that mean you see them for a short period of time, and then they disappear, or you never see them at all?
Are you using XML DB events?
You can check if there's any resource configuration defined, and that may explain this behaviour :
select x.*
from xdb.xdb$resconfig rc
   , xmltable(
       xmlnamespaces(default 'http://xmlns.oracle.com/xdb/XDBResConfig.xsd')
     , '/ResConfig/event-listeners/listener'
       passing rc.object_value
       columns description varchar2(300) path 'description'
             , schema      varchar2(30) path 'schema'
             , source      varchar2(30) path 'source'
             , events      varchar2(300) path '(#ora:xq_proc#){string-join(for $i in events/child::* return name($i), ", ")}'
             , condition   varchar2(300) path 'pre-condition/existsNode/XPath'
     ) x
DESCRIPTION                                                    SCHEMA    SOURCE                         EVENTS                                             CONDITION
Register event handlers for users.                             SYS       DBMS_XS_PRINCIPAL_EVENTS_INT   Pre-Create, Post-Create, Pre-Update, Pre-Delete    /r:Resource[r:SchemaElement="http://xmlns.oracle.com/xs/principal.xsd#user"]
Register event handlers for role sets.                         SYS       DBMS_XS_ROLESET_EVENTS_INT     Pre-Create, Post-Create, Pre-Update, Pre-Delete    /r:Resource[r:SchemaElement="http://xmlns.oracle.com/xs/roleset.xsd#roleSet"]
Register event handlers for roles.                             SYS       DBMS_XS_PRINCIPAL_EVENTS_INT   Pre-Create, Post-Create, Pre-Update, Pre-Delete    /r:Resource[r:SchemaElement="http://xmlns.oracle.com/xs/principal.xsd#dynamicRol
Register event handlers for dynamic roles.                     SYS       DBMS_XS_PRINCIPAL_EVENTS_INT   Pre-Create, Post-Create, Pre-Update, Pre-Delete    /r:Resource[r:SchemaElement="http://xmlns.oracle.com/xs/principal.xsd#role"]
Register event handlers for function roles.                    SYS       DBMS_XS_PRINCIPAL_EVENTS_INT   Pre-Create, Post-Create, Pre-Update, Pre-Delete    /r:Resource[r:SchemaElement="http://xmlns.oracle.com/xs/principal.xsd#functionRo
Register event handlers for Data Security.                     SYS       DBMS_XS_DATA_SECURITY_EVENTS   Post-Update, Post-Delete                           /r:Resource[r:SchemaElement="http://xmlns.oracle.com/xs/dataSecurity.xsd#DataSec
Register event handlers for Security Classes.                  SYS       DBMS_XS_SECCLASS_EVENTS        Pre-Update, Pre-Delete                             /r:Resource[r:SchemaElement="http://xmlns.oracle.com/xs/securityclass.xsd#securi
                                                               SYS       DBMS_NETWORK_ACL_ADMIN         Pre-Delete
               PL/SQL Network ACL Resource Configuration
Handling of Office Open XML spreadsheets                       OOX       OOX_SML_STORE                  Pre-Create, Pre-Delete                             /Resource[ContentType="application/vnd.openxmlformats-officedocument.spreadsheet
9 rows selected
{code}
And if your target folder has any config file associated, for example :
{code}
SQL> select *
2 from table(dbms_resconfig.getResConfigPaths('/office/excel/docs'));
COLUMN_VALUE
/office/excel/conf/sml_rescfg.xml
{code}

Anyconnect ssl vpn and acl

Hi Everyone,
I was testing few things at my home lab.
PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)
anyconnect ssl is working fine and i am also able to access internet.
I am using full tunnel
i have acl on outside interface of ASA
1
True
any
any
ip
Deny
0
Default
i know that ACL is used for traffic passing via ASA.
I need to understand the traffic flow for access to internet via ssl vpn.?
Regards
MAhesh

As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.
You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

Problem with cp and ACL default entry for mask

I am having a problem with the cp command, copying to a directory with default ACL entries.
I don't think it is creating the ACL's of the resultant files correctly.
I have two users (let's call them mark and john).
As john I create a directory and give it ACL privledges to mark, as well as setting defaults to give john writes to anything mark creates.
john> mkdir for-mark
john> setfacl -rm 'user:mark:rwx,default:user::rwx,default:user:john:rwx,default:group::r-x,default:mask
:rwx,default:other:r-x' for-mark
john> getfacl for-mark
# file: for-mark
# owner: john
# group: john
user::rwx
user:mark:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:r-x
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask:rwx
default:other:r-x
As mark I copy files to that directory:
mark> cp myfile /home/john/for-mark
mark> getfacl /home/john/for-mark/myfile
# file: /home/john/for-mark/myfile
# owner: mark
# group: staff
user::rw-
user:john:rwx #effective:r--
group::r-- #effective:r--
mask:r--
other:r--
The mask is incorrectly set to r-- instead of rwx.
This leaves john unable to write to myfile (although, strangely he can delete it).
I am NOT using the -p option on cp. I would expect this behavior if I did.
Mark can create a file with touch or vi and the mask is incorrectly set to rw-, which is a little better. Compiles are definitely created correctly with rwx.
Is this a bug? Or am I doing something wrong.

You are having issues in client 000 rite ?
I dont think login/no_automatic_user_sapstar = 0 will help you , This parameter will help you to login newly created client ( other than 000/001) with sap* and passowrd PASS.
login/failed_user_auto_unlock = 1 , will enable automatic unlock off locked user at <b>midnight</b>
Did you use the correct Maxdb sql command ?
Thanks
Prince Jose

10.4.8 Server, AFP and ACLs

Hello all!
Before escalating I would like to have others take a look a this and confirm.
Setup:
- 10.4.8 Server, OD-master
- AFP Share: "Test"
- Usergroup: standard
AFP-Share "Test":
- Posix: ralph:standard, 644
- ACE: 0: group:standard allow list,addfile,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr, writeextattr,readsecurity,writesecurity,chown,file_inherit,directoryinherit (ie allow all)
- create Testfile in share:
anotheruser@server:/Volumes/Storage/Test$ touch testfile
anotheruser@server:/Volumes/Storage/Test$ ls -ale testfile
-rw-r--r-- + 1 anotheruser standard 0 31 Okt 11:20 testfile
0: group:standard inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,re adsecurity,writesecurity,chown
Ok, here we go:
a) chown testfile for a user of the group standard will succeed when ssh'ed to the server
b) chown testfile fails when working on a client computer that is bound to OD and mounts the share via afp.
a)
testuser@client-comp$ ssh server
testuser@server$ chown testuser:standard /Volumes/Storage/Test/testfile
testuser@server$ ls -al /Volumes/Storage/Test/testfile
-rw-r--r-- + 1 testuser standard 0 31 Okt 11:20 testfile
b)
Computer bound to OD:
- 10.4.8
- testuser is a true OD user, not a local user
- log into client computer as testuser
- mount share via afp with testusers credentials
testuser@client-comp:~$ cd /Volumes/Test
testuser@client-comp:/Volumes/Test$ ls -ale testfile
-rw-r--r-- + 1 anotheruser standard 0 31 Okt 11:20 testfile
0: group:standard inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,re adsecurity,writesecurity,chown
testuser@client-comp:/Volumes/Test$ chown testuser:standard testfile
Permission denied
testuser@client-comp:/Volumes/Test$
Ooops!!!!!
This breaks saving in Freehand MX of opened and edited documents that you want to save and replace (Command-S).
Awaiting thoughts/confirmation before filing bug report.
-Ralph

I've experienced the same problem. My users can chown by ssh'ing to AFP server of file in question but can't in Terminal perform chown on same file logged in to localhost by default.
This subverts ACLs' usefulness in at least the respect that allowing group members to change ownership of files served in accordance with AFP is rendered unduly complex. One might as well not try that setting--for most clients, anyway.
Moreover, my take is that this is no small matter. I've posted more here. http://discussions.apple.com/thread.jspa?threadID=831517
In this thread, though, can anyone comment on this or suggest how my users can invoke their ACL permission as members of a certain group to chown files on AFP shares in a local shell or--imagine this--in the "Get Info" interface?
PS In my search for a workaround, I posted under the topic "Command Line & Terminal":
http://discussions.apple.com/thread.jspa?threadID=830698&tstart=0
PPS Maybe this is an old problem. See this 2004 posting about "a bug lingering somewhere in the afp client code".
http://discussions.apple.com/thread.jspa?messageID=3855261&#3855261
PowerMac Mac OS X (10.4.8)

WebDAV and ACLs

Similar Messages

Maybe you are looking for