Read-only permission not respected in shared volume?

Joined
Sep 14, 2009
I have an external drive, attached via firewire, formatted in HFS+ Journaled.
This drive was first formatted with Tiger (10.4); I have now upgraded the OS to 10.6.
I specify, in sharing this volume, that there are two users (including me) who should be able to access this volume read-write, and one user that should be able to access it read-only (this is a photo archive, and I want to prevent my kids from inadvertently deleting some photos).

All seems perfect: when I select that volume, or any sub-directory, in Finder, and click on Get Info, it shows clearly that I and my wife have read-write permission, and our child read-only. Yet, from my child's laptop, I have no trouble making copies of files, moving them to trash, renaming them, etc etc.
In essence, it looks like the read-only permission is not respected.

How come? Are there known "gotchas"? I am not a Mac OS X expert sysadmin (I thought the beauty of Mac OS X is that one did not need to be an expert sysadmin to use it :), but neither am I a fully clueless user... any suggestions of things to watch for?

Note: I don't know anything about how ACLs are implemented on Macs, except for the information I can read in the "Info" tab I obtain when I click on "Get Info", or the setting I select in the Settings / Sharing setup menu.

Many thanks! Luca.
 
Joined
Sep 12, 2009
Location
Upstate NY
Your Mac's Specs
15" unibody MBP, Core Duo 2.66, NVIDIA 9400 graphics, 4GB DDR3
If I read this post correctly, you have your own Mac that you and your wife use primarily and a second one that your kids use?
If so, try hooking the drive to your kid's lappy and change the permissions there so that they only have read privileges, and don't change yours at all. You should be able to do this with the Sharing menu if I am not mistaken, though as a Linux vet I always dive right into the command line with the "chmod" command and haven't used "Sharing" yet...
 
OP
L
Joined
Sep 14, 2009
> If I read this post correctly, you have your own Mac that you and your wife use primarily and a second one that your kids use?
> If so, try hooking the drive to your kid's lappy and change the permissions there so that they only have read privileges, and don't change yours at all. You should be able to do this with the Sharing menu if I am not mistaken, though as a Linux vet I always dive right into the command line with the "chmod" command and haven't used "Sharing" yet...

Not quite... We have 4 Macs: one for me, one for my wife, one for the kid, and one, this Mac Mini, which I would like to use as a file server (and I use it for some long-lasting computation, as it is the only non-laptop). To this Mac Mini are attached a bunch of firewire-chained drives. I was hoping to be able to define the sharing permissions of those volumes from the Mac Mini: there is a menu in "File Sharing" that seems to be trying to do just that. So in that menu, I carefully chose the permissions, giving the kid only read-only permission, and me and my wife read-write, but as I said, it does not seem to work.

Precisely, I gave me and my wife read-write permission. The kid has an account also on the Mac Mini that acts as file server, and on that Mac Mini, I have BOTH set up the file sharing permission for the kid to read-only, AND the permission of every file (at all levels of the hierarchy) to read-only. Yet, the kid is able to attach the volume, rename files, delete them, etc etc, as if the permissions were completely disregarded.

I have to say that the volume was originally formatted with 10.4 (Tiger); I am not sure if this makes any difference.

Luca
 
Joined
Sep 12, 2009
Maybe try a check and repair of the permissions on the tyke's machine and the Mini after verifying/resetting the permissions on their machine. Also: are the accounts on their machine and the Mini the same? It may be that you only limited the access of the account on the Mini.
 
Joined
Sep 12, 2009
Also, HFS has been the Mac file format for a while now, so the fact that you originally formatted using Tiger shouldn't be an issue.
 
OP
L
Joined
Sep 14, 2009
Messages
3
Reaction score
0
Points
1
> Maybe try a check and repair of the permissions on the tyke's machine and the Mini after verifying/resetting the permissions on their machine. Also: are the accounts on their machine and the Mini the same? It may be that you only limited the access of the account on the Mini.

I am not sure I understand... I checked and repaired the permissions from the Mac Mini, and on the Mac Mini, when I define sharing, I clearly put the kid's permissions for that share as read only. From the kid's laptop, however, when I do "Get Info" for that volume, I get that the kid has write and read permission, and there is nowhere where I can go and modify permissions for that.

Interestingly, when I do ls -l on the volume from the Mac Mini, it tells me that I am the owner of all files, and no-one else has write access.

I am a linux expert, and I really don't understand the Mac OS X ACL model, which seems to overlap the good-ol' unix-style permissions.

Luca
 
Joined
Sep 12, 2009
> I am not sure I understand... I checked and repaired the permissions from the Mac Mini, and on the Mac Mini, when I define sharing, I clearly put the kid's permissions for that share as read only. From the kid's laptop, however, when I do "Get Info" for that volume, I get that the kid has write and read permission, and there is nowhere where I can go and modify permissions for that.
>
> Interestingly, when I do ls -l on the volume from the Mac Mini, it tells me that I am the owner of all files, and no-one else has write access.
>
> I am a linux expert, and I really don't understand the Mac OS X ACL model, which seems to overlap the good-ol' unix-style permissions.
>
> Luca

I hear ya'; the permissions model is juuuuust different enough to cause a bit of head scratching.

Aside from trying it on the command line, I don't know what else to recommend.
 

MKS


Joined
Jan 28, 2013
The problem is with the difference between an external drive and an internal drive. External drives are treated differently, in terms of permissions. In my opinion, this should not matter, and the AFP server (the bit of software that allows remote access to this folder) should handle the read/write permissions according to what you have set in the Sharing control panel. Unfortunately, it doesn't work this way.

You will need to do something like the following:

In Finder, select the drive and Get Info (apple-I or File->Get Info).

In the Info window, if there is a lock icon near the bottom, click it and enter your password. You should see a tick box called "Ignore ownership on this volume" -- uncheck it.

At this point, I recommend that you "Get Info" on your internal hard drive as well, for comparison.

Expand the "Sharing and Permissions" area. You will see your username, with Read&Write privilege. You will also likely see "everyone" and "staff."

In the Info window for your internal drive, you will not see "staff," but instead "admin." This is a key difference. The "admin" group contains only those users who have administrative accounts on the machine. The "staff" group includes everyone with login accounts.

If you are sharing the entire drive, you would make changes here at the drive level. However, if you are making only a folder of the drive shared, then you are done with this part, and may close the Info window now.

Next, you need to change the group ownership of the shared folder. In a terminal window, do the following according to my example. On my machine, I share a folder called "Video" on a drive called "RAID 00." So at the command prompt, I type:

sudo chgrp -R admin "/Volumes/RAID 00/Video"

This will change group ownership of everything in this directory to the "admin" group.

The problem with external drives is the combination of "Ignore ownership on this volume" coupled with the fact that all users who can log into your computer have "group" write permissions to the external drive. It is meant to make things easier when moving drives from one machine to another, but makes it more difficult to do sensible things with permanently-attached external drives. Though, as I said, if the file server were designed sensibly, it wouldn't matter. Unfortunately, SMB has never been brilliant, and NFS is a pain in the posterior even for those who know how to configure it. Mac-to-Mac, I've had the best luck, stability-wise, with Apple's AFP. Unfortunately, it appears to be brain-dead in terms of security.

Anyhow, this should resolve the issue.

But beware: if you move or copy files or folders into this location from elsewhere on your computer, the group permissions will be copied as well.

This means that if a file was owned by the group "staff" it will be writable (and deletable). I would recommend that, any time you add files to the shared folder, you either re-run the aforementioned command line, or use "Get Info" on the folder, expand "Sharing & Permissions," select the "gear" icon, and select "Apply to enclosed items..." -- this will copy the group ownership and ensure all files and sub-folders are not shared "writable."
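A way to check the result of the chgrp step above, and to catch files copied in later with their old group, added here as an example that is not part of the original post. The function names are hypothetical; the path and the "admin" group in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example: audit a shared folder for entries that accounts outside
# the intended group can still modify.
#
# audit_share DIR GROUP
#   Prints every entry under DIR that is either
#     - world-writable, or
#     - group-writable while its group is NOT GROUP (for example still "staff").
#   Directories are included on purpose: renaming and deleting a file is
#   governed by the write bit of the directory that contains it.
#   Symbolic links are skipped because their own mode bits are not enforced.
audit_share() {
    dir=$1
    group=$2
    find "$dir" ! -type l \
        \( -perm -002 -o \( -perm -020 ! -group "$group" \) \) -print
}

# count_findings DIR GROUP
#   Number of entries audit_share reports; 0 means nothing was flagged.
count_findings() {
    audit_share "$1" "$2" | wc -l | tr -d ' '
}

# Usage on the file server, with the folder from the post:
#   audit_share "/Volumes/RAID 00/Video" admin
# Re-run it after copying new files into the share.
```

This only inspects POSIX mode bits and group ownership; it does not read ACL entries or the volume's "Ignore ownership on this volume" setting.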
 
