What I learned about file sharing and permissions on Mac OS X Snow Leopard when I set it up as a file server for multiple users

For years I used an old laptop running Ubuntu as a combination web server and file server. It died a few weeks ago, and rather than find another old laptop and building another Linux server I decided to just set up my existing Mac Mini with (non-Server) Snow Leopard as a file server that my wife and I could access. Because it didn't "just work" I thought I would write down what I learned in the process. I have no idea how much of this is true for later versions of Mac OS X, so your mileage may vary on later versions.

My first thought was to see if I could get it to "just work." I plugged an external drive with the family files into the Mac Mini, turned on file sharing in System Preferences - Sharing while logged in as me, and then designated the top level folder on the external drive as a shared folder, and then in the Users box in System Preferences - Sharing I gave read and write permissions to my wife and I, and no access to Everyone.  I went and tested accessing the shared folder over the network as both myself and my wife, and everything seemed to work. Great! But then, just out of paranoia, I tried accessing the folder over the network without entering a username and password, and discovered that anyone on the network could not only see the folder and its files without entering a username and password, anyone on the network could modify any of the files. WTF? After a lot of research and poking around I finally figured out the following.

1. In Mac OS X Snow Leopard external drives have the property "Ignore ownership on this volume" turned on by default on the drive's Get Info screen, and when that is checked any and all users, including guest or nobody, are treated as the owner of every file and folder on that drive.

I guess this is so that if someone plugs a USB drive into a Mac with multiple user accounts then all the users on that computer can access it. Which seems reasonable enough, until you bring file sharing into the picture:

2. If you share a folder on an external drive that has "Ignore ownership on this volume" turned on then anyone on the local network can mount that folder, and read and write to every file in that folder, without entering any credentials and regardless of what permissions you set on the folder or its files.

My theory is that Mac OS X file sharing relies entirely on the basic Mac OS X permissions system to control access to folders shared using file sharing, so if the "Ignore ownership on this volume" box is checked for an external drive, and you designate a folder on that drive as a shared folder, then Mac OS X concludes that since ownership is ignored on that drive no credentials are required to read and write to files in the shared folder.

The obvious next step was to uncheck "Ignore ownership on this volume" for the external drive and try sharing the folder again, with permissions on the "Get Info" dialog for that folder set to Read & Write for myself and my wife, and No Access for everyone.  The group "staff" appeared on the list, but there was no "No Access" option for staff, so I left it at "Read only." After I did this the shared folder was no longer visible to people who connected to the machine without entering credentials, so one issue was solved.

Now that I had the shared folder on the external drive locked down so only my wife and I could access it I proceeded to test reading and writing files as myself and my wife. Here is what I observed when the "Get Info" permissions for the shared folder were set to Read & Write for both my wife and myself, the staff group was set to "Read only" and the everybody group was "No access":

  • I could open and modify existing files, and save new files.
  • My wife could open existing files I had created, but couldn't modify them.
  • My wife could save new files, but I couldn't modify any new files she created.
  • Looking at Get Info for a file created by one user showed that that user had Read & Write privileges, staff had Read only, and everyone had Read only.
Some more reading and poking around revealed that:

3. In Mac OS X permissions set for a folder using "Get Info" or the System Preferences - Sharing screen are not inherited by either files or sub-folders in that folder.  In other words, if Joe and Jane both have Read & Write permissions to a shared folder, and Joe saves a file on the shared folder, then Jane will be able to read the file (as part of the group everyone) but she will not be able to modify it because Joe is the owner of the file.

This situation was obviously undesirable for a shared folder where you want multiple users to be able to work on documents created by other users, so I went back to researching and poking around. What I discovered is:

4. In the non-Server version of Snow Leopard the only way to set inheritable permissions for a shared folder is by setting ACL permissions using the chmod command in Terminal.

Turns out Mac OS X has two different permissions systems, POSIX (the traditional *nix permissions system) and ACL (Access Control Lists).  There is no way to set inheritable permissions for a folder using POSIX, but it can be done with ACL.  Here is a article about the basics of ACL:

Introduction to OS X Access Control Lists (ACLs)

I won't try to explain the ins and outs of setting ACLs in Mac OS X in this post, but after a lot of research I discovered that the way to give multiple users inheritable read and write permissions to a folder is set up a new group, make your users members of this group, and then run the following command in terminal:

sudo chmod -R +a "group:my_new_group allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Volumes/my_external_drive/the_folder_I_want_to_share

See the chmod man page for the details on the syntax for this command.  If you don't run this as sudo then ACL permissions will *not* be set on files and folder you don't own, which can lead to confusing problems for users.  The -R option means recursive, so the ACL will be set on all sub-folders and files.

A file or folder can have multiple ACLs piled one on top of another, which the operating sifts through using some order of precedence.  This can lead to confusing problems for users.  One easy way to start fresh with ACLs on a folder is to run this command which recursively removes all ACLs in and under the folder:

sudo chmod -RN /Volumes/my_external_drive/the_folder_I_want_to_share/

Then run your chmod command to set fresh ACLs for the folder.

After I set up inheritable ACLs for my wife and I's group on the shared folder we were both able to read and write to files created by one another, like you would want in an environment where people are working on things together.

No comments: