Folder Permissions 'challenge'

[theeldergeek]

I have created a network "student share" folder that all students can access (read/write).

I want to put a "rules and regs of using this folder README" .pdf in there.

Although I want the student to be able to read this file, I do not want them to be able to delete it.
I can't find an easy way to do this.

So, how do I have a read/write folder but have a read only and delete protected file existing in there too?

The folder in question exists on our Xserve but is set as a login 'map' on their desktop when students log in.

Mac OS X

A virtual pint to the author of the easiest method! (in respect of what I have to do and understand!!)

[Marci]

Terminal...

What account do you log in as that has local admin permissions for updating this file? Substitute that accounts' login for admin in the below example.

Code:

sudo chown admin:system /path/to/filename.meh && chmod 744 /path/to/filename.meh

First part of command sets the owner of the file to the supplied username, and group... second part makes it read/write/executeable to the owner (the 7), read only to group members (4), read only to everyone else (4).

If you're logged in as the local admin user, then you can do what you want with the file... if you're logged in as anyone else, then it's completely read only, despite residing in a read/write enabled folder.

[theeldergeek]

Terminal...

What account do you log in as that has local admin permissions for updating this file? Substitute that accounts' login for [admin] in the below example.

Code:

sudo chown [admin]:nobody /path/to/filename.meh && chmod 744 /path/to/filename.meh

If you're logged in as the local admin user, then you can do what you want with the file... if you're logged in as anyone else, then it's completely read only, despite residing in a read/wrtie enabled folder.

Wow thanks! Will try it tomorrow when I can access the Xserve.

[theeldergeek]

Terminal...

What account do you log in as that has local admin permissions for updating this file? Substitute that accounts' login for admin in the below example.

Code:

sudo chown admin:system /path/to/filename.meh && chmod 744 /path/to/filename.meh

First part of command sets the owner of the file to the supplied username, and group... second part makes it read/write/executeable to the owner (the 7), read only to group members (4), read only to everyone else (4).

If you're logged in as the local admin user, then you can do what you want with the file... if you're logged in as anyone else, then it's completely read only, despite residing in a read/write enabled folder.

OK, didn't work :-(

the file is called readme.pdf residing in a folder called Student Share on a volume called Data

so what I actually typed into terminal was :

sudo chown sadmin:system /volumes/data/'Student Share'/readme.pdf && chmod 744 /volumes/data/'Student Share'/readme.pdf

Press "Enter" and the terminal reports "chown: system: invalid argument"

Clearly I'm doing something wrong.

*update*

I can set the owner OK, done that in terminal and confirmed this with "get info".

What doesn't seem to be working is the chmod part because I can still rename the file as another user, so clearly the read only permission is not being set.

[Marci]

terminal reports "chown: system: invalid argument"

That means that you don't have a group on your server called system.

In terminal...

Code:

sudo touch /tmp/test.fil
cd /tmp
ls -ltra

You should see back something as follows...

-rw-r--r-- 1 user group 0 9 Jun 08:47 test.fil

What's in bold is what you need for the chown... so it'd be...

Code:

chown user:group /path/to/filename.meh && chmod *snip*

If it still lets users do stuff to it, then it's inheriting permissions of the share so you need to remove inheritance on that file...

Code:

chmod -I /path/to/filename.meh && chown user:group /path/to/filename.meh && chmod 744 *snip*

[theeldergeek]

That means that you don't have a group on your server called system.

In terminal...

Code:

sudo touch /tmp/test.fil
cd /tmp
ls -ltra

You should see back something as follows...

-rw-r--r-- 1 user group 0 9 Jun 08:47 test.fil

What's in bold is what you need for the chown... so it'd be...

Code:

chown user:group /path/to/filename.meh && chmod *snip*

If it still lets users do stuff to it, then it's inheriting permissions of the share so you need to remove inheritance on that file...

Code:

chmod -I /path/to/filename.meh && chown user:group /path/to/filename.meh && chmod 744 *snip*

Clearly something I'm doing isn't right.

If I type:

Code:

ls -l readme.pdf

I get:

Code:

-rwxr--r-- 1 sadmin:wheel

so permissions seem to be in order.

however, the file can still be renamed/deleted by anyone.

so, trying the inherited permissions approach, I try:

Code:

sudo chmod -I readme.pdf

I then get the response:

Code:

chmod: No ACL currently associated with the file 'readme.pdf'

?????

[Marci]

Dammit. Wish OSX'd stick to working by the rulebook...

Anyways... only fix I can find for you is to create a folder in there called "Rules and Regs"

Head to ServerAdmin > FileSharing > Sharepoints > Browse...

Browse thru your sharepoint til you hit your new folder. Select it. Hit the cog-button and choose "Make Inherited Entries Explicit", and that should then free up the ACL entries to be edited (they will have been greyed out previously as they were defined by inheritance)... and set whichever user types you want to readonly etc... and then pop your rules files inside that folder.

[rolfea]

Can't you just right click the file, get info and check the settings in there.

Might need to check the file doesn't inherit permissions in Server Admin, so the folder's permissions doesn't apply to all descendants before hand.

edit: sorry to repeat, I hadn't refreshed this page, done a job then come back to it and hadn't realised there was another reply.

But if you log in as the Server Admin, should be able to change all the permissions from the Get Info panel.

Or have I over simplified your problem?

[theeldergeek]

Dammit. Wish OSX'd stick to working by the rulebook...

Anyways... only fix I can find for you is to create a folder in there called "Rules and Regs"

Head to ServerAdmin > FileSharing > Sharepoints > Browse...

Browse thru your sharepoint til you hit your new folder. Select it. Hit the cog-button and choose "Make Inherited Entries Explicit", and that should then free up the ACL entries to be edited (they will have been greyed out previously as they were defined by inheritance)... and set whichever user types you want to readonly etc... and then pop your rules files inside that folder.

I've solved it!

on the server, I've 'got info' on the file, set permissions to read only for everyone (except admin) and then 'locked' the file using the checkbox within the info pane!

Seems to have worked!

Just doing some extended testing now....