Permissions on root home
Creating a new home folder for as-yet-to-be-decided users, and the permissions are:
Technical_group ..... full control (this is me and my boss)
SADMIN ..... read/write
ADMIN ..... read
OTHERS ..... read
If I were to change 'OTHERS' to 'NONE' at root, would this cause me any problems when creating home folders within?
It will be a student year group who are in the folder, and I don't want anyone else to see their folders except those who I specify in the ACLs, i.e. the technicians and maybe READ ONLY for teachers. Everyone else needs to be denied (we don't use public folders or drop boxes).
Or do I need to leave the permissions as they are and specify "EVERYONE" as 'DENY' in the ACL? In fact, should I be making changes to POSIX at all? My own feeling is that I shouldn't, but I'm taking advice here!
It should be noted that this is a completely separate Mac network from our Windows environment; we are not bound to Windows AD, and the server is an Xserve running 10.5.
When creating any folder (either at the Finder level or using the option within Server Admin) that is to be used for 'housing' users' home directories/profiles, the System 'sets' the default POSIX permissions at the moment of creation. Generally, at the Finder level and depending on which OS version it is, these would be:
Owner : root/admin : R/W
Group : admin/staff : R
Everyone/Others : R
Don't be tempted to change these. You may find network users won't be able to log in, as you've denied them access to their home folders at a level higher up than their homes. Setting the POSIX value for Everyone/Others to None is useful for denying a 'view' in certain circumstances, depending on what you want to achieve. But denying a 'view' in POSIX is not the same as adding the $ symbol in Windows. It really does mean "No Access". With 10.5, and even more so with 10.6, you should not 'mix' the permissions models to control access. Whatever the system sets as the default POSIX permissions, leave well alone and concentrate solely on ACLs. Once you drill down to users' individual home folders you should see the System has added an overriding 'deny' ACL anyway. There really should not be anything else you need to do with regards to permissions, unless you want to add an access ACL for desired staff.
A 'Deny' takes precedence over an 'Allow'. If a 'Deny' is set at a level higher up than an 'Allow' the 'Deny' will be 'read' first. The 'Allow' won't ever happen. You can alter this behaviour with a custom ACL that will allow folder traversal. This can get complicated very quickly so use with caution. A 'Deny' in both permission models can cause major problems although this does depend on what you want to achieve.
Antonio Rocco (ACSA)
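The access check Antonio describes, as an added model that is not part of the thread and not Apple's code: a user needs traversal on every directory above their home, a deny ACE beats an allow, and the POSIX bits only apply where no ACE matches. Names (year9, alice, bob, tech, teachers) are constructed; Technical_group comes from the question.

```python
# Model of the check described above: reaching a home folder needs traversal (x) on every
# directory above it, a deny ACE beats an allow, and POSIX bits apply only where no ACE
# matches. Added example with constructed names; not the poster's server, not Apple's code.
from dataclasses import dataclass, field

@dataclass
class Dir:
    name: str
    owner: str
    group: str
    mode: str                                  # POSIX bits as "rwxr-xr-x"
    aces: list = field(default_factory=list)   # ("allow"|"deny", principal, perms)

def permits(d, user, groups, perm):
    """Any matching deny refuses, then a matching allow grants, else POSIX decides."""
    hits = {kind for kind, who, perms in d.aces
            if who in ("everyone", user, *groups) and perm in perms}
    if hits:
        return "deny" not in hits
    idx = 0 if user == d.owner else 3 if d.group in groups else 6
    return perm in d.mode[idx:idx + 3]

def home_access(path, user, groups, need="rwx"):
    """(True, None) when the user can traverse to the last directory and has every bit
    in `need` on it, else (False, name of the first directory that blocks them)."""
    for d in path[:-1]:
        if not permits(d, user, groups, "x"):
            return False, d.name
    ok = all(permits(path[-1], user, groups, p) for p in need)
    return (True, None) if ok else (False, path[-1].name)

# Constructed tree /Users -> year9 -> alice: POSIX defaults left alone, allow ACEs
# added only for the staff who need them (full for technicians, read for teachers).
staff = [("allow", "Technical_group", "rwx"), ("allow", "teachers", "rx")]
users = Dir("Users", "root", "admin", "rwxr-xr-x")
year9 = Dir("year9", "root", "admin", "rwxr-xr-x", staff)
alice = Dir("alice", "alice", "staff", "rwx------", staff)
# The two changes the question considers: Others set to none at the top level, and an
# "everyone deny" placed above the technicians' allow.
users_none = Dir("Users", "root", "admin", "rwxr-x---")
year9_deny = Dir("year9", "root", "admin", "rwxr-xr-x", [("deny", "everyone", "rwx")] + staff)

def scenarios():
    return {
        "student_default": home_access([users, year9, alice], "alice", ["students"]),
        "teacher_read": home_access([users, year9, alice], "bob", ["teachers"], need="r"),
        "student_others_none": home_access([users_none, year9, alice], "alice", ["students"]),
        "tech_everyone_deny": home_access([users, year9_deny, alice], "tech", ["Technical_group"]),
    }
```

With the defaults the student reaches her home and the teacher can read it; Others=None at the top blocks the student at "Users" (the failed login Antonio warns about), and the everyone-deny blocks even the technicians at "year9" because the allow beneath it is never reached.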
Brilliant, that's what I needed to know.
I'm getting there :D
Thanks for your help