Friday, May 17, 2019

Mac OS X ACL file sharing permissions nightmare and how to fix it

If you've ever had to set up a file share from within Mac OS X, you may have wanted to pull out your hair, especially if you're trying to use accounts from somewhere like Windows Active Directory to grant access to the shares. I've struggled with share permissions on Macs for years, especially with permission inheritance or lack of it, but think I may have finally come across the solution.

One big reason that this is such a pain is because trying to juggle POSIX and ACL permissions on a Mac is not exactly straightforward. Which one is getting used? How do they interact? I'm not going to teach you about permissions and hope that if you're reading this you at least know the difference between the two and are familiar with how each works on its own.

Another reason is that ACL permissions aren't managed very well through the GUI tools in OS X, but it's made to look like you can do it that way. However, the "Read & Write" option that's available is not the same as full access, and doesn't include any inheritance features, which is one of the biggest pieces of ACLs that people want to use. Unless you know that, which I found out the hard way, you can be left wondering why someone can't access something.

First, if you're trying to set ACLs on the Mac from anywhere but Terminal, stop. I know command line tools aren't always user-friendly, but you'll regret it if you don't set your ACLs with Terminal.

Actually, that's the biggest secret to getting this working: use Terminal to set the permissions.

For full access, use the command

chmod -R +a "group:groupName allow list,search,add_file,add_subdirectory,delete,delete_child,read,readattr,readextattr,readsecurity,write,writeattr,writeextattr,writesecurity,file_inherit,directory_inherit,execute" pathToDirectoryToSetACLsOn

Just change out groupName with the group, and pathToDirectoryToSetACLsOn with exactly that: the path to update permissions on.

If you're working with a domain and want to assign permissions from a domain-based security group, you have to tweak the command slightly. Instead of group:groupName allow, you can instead use DOMAIN\groupName:allow. You don't need the word group at the beginning, you do need to include the domain, and you should separate the group from the word allow with a colon. This also allows you to use domain-based security groups that have spaces in their name.

For read-only access, use the command

chmod -R +a "group:groupName allow list,search,read,readattr,readextattr,readsecurity,file_inherit,directory_inherit,execute" pathToDirectoryToSetACLsOn

Same rules from above apply to the syntax here if you want to use a domain-based group instead of a group local to the Mac.
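Because entries set through the GUI lack file_inherit and directory_inherit, it helps to check a share for ACEs that are missing them. The following is an added example, not part of the original post: a bash function that reads `ls -led` output for a directory and lists each entry missing either flag. The sample listing, its group names, and the /Shares/Projects path are constructed for illustration.

```shell
#!/bin/bash
# Added example: find ACEs on a shared directory that will not propagate
# to new files and folders because they lack the inheritance flags.

# Reads `ls -led <dir>` output on stdin and prints
# "principal<TAB>missing flags" for each ACE lacking file_inherit
# and/or directory_inherit. Intended for directories only.
acl_missing_inherit() {
  awk '
    /^ *[0-9]+: / {
      line = $0
      sub(/^ *[0-9]+: /, "", line)      # drop the "N: " index
      perms = $NF                       # rights list contains no spaces
      who = line                        # principal may contain spaces
      sub(/( inherited)? (allow|deny) [^ ]*$/, "", who)
      missing = ""
      if (index("," perms ",", ",file_inherit,") == 0)
        missing = "file_inherit"
      if (index("," perms ",", ",directory_inherit,") == 0)
        missing = (missing == "" ? "" : missing ",") "directory_inherit"
      if (missing != "") printf "%s\t%s\n", who, missing
    }'
}

# Constructed sample of `ls -led` output (not captured from a real system).
sample_ls_output() {
  cat <<'EOF'
drwxrwx---+ 5 admin  staff  160 May 17 10:00 /Shares/Projects
 0: group:EXAMPLE\Project Team allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,file_inherit,directory_inherit
 1: group:designers allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
 2: group:admin allow list,search,readattr,readextattr,readsecurity,file_inherit
EOF
}

# On a Mac, pass one or more directories to audit them directly.
if [ "$#" -gt 0 ]; then
  ls -led "$@" | acl_missing_inherit
fi
```

Any group it reports can be corrected by removing that entry and re-adding it with the full chmod +a command above.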

For your POSIX permissions on the share, you should not have a group assigned for POSIX that also has an ACL defined. That will help you avoid conflicts. For me I had a local admin as the owner (with RWX), the built-in staff group as the group (with RWX), and everyone/global set with no access. Then I used Active Directory security groups with the ACLs. I also gave the local admin group the same access via ACLs because otherwise the local admin has no access to files created by the users that were logging in from Windows devices since it was setting those users as the file owners.

If you want more info on the ACL options, you can check the man page for chmod on the Mac, or this site looks to have the details too. Once you read up on them you can decide if you need to tweak the commands at all to avoid including certain options. I also need to give this page credit because that's where I landed before being able to get this working.

Good luck