Mac (10.6.4) AFP Share (Network Applications) permissions issue

afp, file-permissions, mac-osx, permissions

I have a share point for the shared applications folder. This auto-mounts on clients correctly, but when a file is created the permissions are such that the owner can't write to it (locally: root:wheel rw-r--r--; on the server: nobody:everyone rw-r--r--, group:group1 inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown). The user is still able to delete the empty file.

I don't know what more info to provide, any help is appreciated! Thanks!

Best Answer

When /Network/Applications is mounted on the clients, it will be mounted before a user has logged in, so it will be mounted as a guest. It will stay mounted as a guest even when a user logs in. No matter what permissions you have on the client, the AFP server is mapping it to nobody. Please have a look at my answer to this question:

AFP uses a permission model that is quite different from NFS. Clients connect using their credentials, and then file access is controlled by the server. In some cases, Privilege Mapping occurs, which is the phenomenon you're describing.

In short, your clients will not reliably be able to create or modify anything in /Network/Applications because they will be doing so with no real credentials. You could possibly use NFS instead of AFP, because NFS uses a (less secure) model of trusting the client computer to control file access. However, you would be far better off using Mac OS X Server's concept of Group Folders to allow users to read and write using their own credentials.
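The one part of the symptom the answer does not spell out is why the user can still delete a file they cannot write. That is ordinary Unix semantics, which the AFP server applies on the client's behalf using whatever identity it mapped the connection to: writing is checked against the file's own permission bits, while removing a directory entry (unlink) is checked against write permission on the containing directory. The following script is an added example, not code from the question or the answer; it reproduces the asker's observation on a local scratch directory and assumes nothing about the share itself (the /Network/Applications path in the usage comment is only illustrative).

```shell
#!/bin/sh
# Added example; not code from the original question or answer.
# Reproduces the "owner can't write, but can delete" symptom locally:
# writing needs the file's permission bits, while unlinking needs write
# permission on the containing directory. An AFP server applies the same
# rule, but evaluates it against the identity it mapped the connection to
# (nobody for a guest mount), not the user logged in on the client.

# probe_write_vs_delete DIR
# Creates DIR/probe.txt with mode 0444 (no owner write bit, mimicking the
# unwritable file the asker saw), then prints two words: whether the caller
# can write it and whether the caller can delete it.
probe_write_vs_delete() {
    dir=$1
    f="$dir/probe.txt"
    : > "$f" || return 1
    chmod 0444 "$f"
    if [ -w "$f" ]; then can_write=yes; else can_write=no; fi
    # rm -f suppresses the "override r--r--r--?" prompt; the unlink itself
    # succeeds because the directory, not the file, is what must be writable.
    if rm -f "$f" 2>/dev/null && [ ! -e "$f" ]; then can_delete=yes; else can_delete=no; fi
    echo "$can_write $can_delete"
}

# Hypothetical usage against a directory on the mounted share:
#   probe_write_vs_delete /Network/Applications
# Here a scratch directory is used so the script runs anywhere. Running as
# root (or being mapped by the server to an owner with write access) yields
# "write=yes delete=yes"; an unprivileged user sees "write=no delete=yes".
scratch=$(mktemp -d)
printf 'write=%s delete=%s\n' $(probe_write_vs_delete "$scratch")
rmdir "$scratch"
```

Run it as the affected user against the mounted share to confirm which of the two checks is actually failing there; if delete succeeds while write fails, the directory ACL is granting the mapped identity (nobody, on a guest mount) write access on the folder, while the newly created file's mode does not grant it to the identity the client is using.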
