10.5 Server: Permissions on new files no longer inherited properly?

[Makosuke]

I recently upgraded a 10.4 Server install to 10.5. This is mainly a fileserver for about 20 people, including a few Windows XP boxes and the rest on 10.4 or 10.5. The upgrade went quite smoothly, and I like the new Admin tools, but I've been fighting with permissions issues since doing the upgrade.

Specifically, I always had the option under previous versions of OSXServer set to create new files with permissions inherited from the parent. The file structure is one large shared volume with a couple of folders with permissions restricted to a specific Group, and the rest R/W-able for the main staff group. I have no need nor desire for users to be able to override their own permissions granularly--I just want to inherit appropriately from the parent folder. Under 10.3 and 10.4, files/folders created or copied by users always had the correct permissions, and I had no complaints from anybody.

Now, however, Apple seems to have removed that override for AFP from the admin tools (I still have the SMB "inherit" box checked, and it seems to work correctly).

The documentation I found searching indicated that I should be using ACLs to deal with this, but despite creating top-level ACLs with the appropriate settings and set to apply to all decedents, then stripping ACLs off of all sub-folders and setting the POSIX permissions to what I want, some of the time newly created files/folders will end up with the wrong POSIX permissions and the parent ACL will not override this.

So basically some one will create a folder that is, for whatever reason, set as R/W for their POSIX user, and R-only (or no-access) for POSIX group and everyone. Since the parent ACL isn't overriding this, nobody else can modify this file until I go in via the admin tools and fix the permissions.

Am I doing something wrong here? What settings should I be using to replicate the (simpler) functionality I had under 10.3/10.4?

 

[Les Kern]

Do you have the group ACL set to "full control" instead of "read/write"? If not, do that and it will work. As long as the users are in that group of course. (Don't forget to send those permissions down through the directory)

 

[Makosuke]

I do have it set to Full Control, but maybe what you said about propagation is my issue; I currently have not propagated the ACL down to everything, only the POSIX permissions. What I got off the Apple forums implied that I should only have the ACL set for the group at the top level and nothing underneath should have an ACL, but it sounds like that's wrong, and I should be propagating the appropriate ACL to everything?

Will this still handle situations where somebody drags a file/folder with inappropriate permissions from their local machine to the share?

The picture is my top-level permissions for the share; everything under that isn't overridden has no ACL.

 

[Les Kern]

I propagate ONLY when the initial settings were wrong and folks in the group cannot modify a shared file from another user, so no, the ACL is set to the top as described. As for posix, I take out that group altogether. At that point all users in that group, no matter what's shared, has the group as owner with full control. So I'd suggest propagate once, remove the posix for the group, should be good to go.

 

[Makosuke]

Ok, I think I figured out my misunderstanding; I was under the impression that propagating ACLs via the Server Admin tool would *explicitly* set the ACL on everything below, when from the looks of it what it actually does is set the inherit flags.

So basically, by leaving the ACL off all the sub-folders, I had left them all falling back to POSIX permissions rather than looking up the hierarchy for what they should be doing; I wasn't understanding that the inherit properties of an ACL only apply if the sub-folder actually has the inherit flag set.

At least, I hope this is the case. After propagating ACLs, I now have everything showing (in grey) the permissions I expect, which appears to correctly set the flags on any files/folders copied over, and overrides incorrect POSIX permissions if they exist.

I do still wish you could set the POSIX defaults like before, though; it was a more obvious system from a setup standpoint, and it keeps the POSIX settings cleaner when migrating or whatever. That said, the new 10.5 permissions browser in Server Admin is great, partly because of the simple fact that it actually works (is Apple EVER going to fix the damned Finder permissions sub-tab?).

Thank you for the help, Les Kern!