Mac OS X 10.4.1: AFP Issues: Not inheriting permissions, can't set file attributes
Several readers have noted an issue where permissions for files and folders created through AFP (Apple filesharing protocol) under Mac OS X 10.4.x are not correct.
Under Mac OS X 10.3.x (Panther), access is given to both the Owner of the file and the Group when a file is created by a client machine on a server. However, under Mac OS X 10.4.x, permissions for AFP-copied/created files are set as read/write for the owner but not for the group, meaning that files cannot be shared between client users.
Essentially, this issue boils down to permissions not automatically being inherited from the original file or enclosing folder to the server-copied file or folder.
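The symptom can be checked on the server by comparing each item's group bits with those of its enclosing folder. This is an added example, not from the article or from Apple; it reads POSIX mode bits only (ACL entries are not evaluated), and the sample tree and the names `find_uninherited` and `build_sample` are constructed for illustration.

```python
import os
import stat
import tempfile

GROUP_RW = stat.S_IRGRP | stat.S_IWGRP


def describe(bits):
    """Render missing group bits as 'r', 'w' or 'rw'."""
    return ("r" if bits & stat.S_IRGRP else "") + ("w" if bits & stat.S_IWGRP else "")


def find_uninherited(share_root):
    """List items whose group r/w bits are narrower than their enclosing folder's.

    Only POSIX mode bits are compared; ACL entries are not evaluated.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(share_root):
        parent_group = stat.S_IMODE(os.lstat(dirpath).st_mode) & GROUP_RW
        if not parent_group:
            continue  # the folder grants the group nothing to pass on
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about access
            missing = parent_group & ~st.st_mode
            if missing:
                findings.append((os.path.relpath(path, share_root), describe(missing)))
    return sorted(findings)


def build_sample(tmp):
    """Constructed tree: one item per case discussed in the article."""
    share = os.path.join(tmp, "share")
    os.makedirs(os.path.join(share, "sub"))
    layout = {
        "ok.txt": 0o660,         # 10.3.x behaviour: owner and group read/write
        "tiger.txt": 0o600,      # 10.4.x behaviour: owner read/write, group nothing
        "sub/inner.txt": 0o640,  # matches its own parent (sub), so not flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(share, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(share, "sub"), 0o750)  # group lost write on the folder
    os.chmod(share, 0o770)
    return share


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, missing in find_uninherited(build_sample(tmp)):
            print(f"{rel}: group lacks {missing}")
```

Point `find_uninherited` at a share point's path to get the list of items other group members cannot edit.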
MacFixIt reader Robert Gruber is one user suffering from this issue:
"I switched a small workgroup (10 people) over the weekend from Mac OS X 10.3.x to Mac OS X 10.4.x Server.
"Today my phone didn't stop ringing, customers were complaining that no files can be edited, saved, moved or deleted if they are not the owners or creators of the original files...
"Went back and installed a fresh Mac OS X 10.3.9 Server on the second startup partition. 3 hours later up and running smoothly, with correct permissions (and handling by Mac OS X 10.3.9 server (and all available security updates))."
Apple confirms this issue in a Knowledge Base document (#301601):
"When offering Apple File Protocol (AFP) service, Workgroup Manager allows you to set the default permission on new files and folders to "Inherit permissions from parent." This option does not work presently with Mac OS X Server 10.4. Specifically, AFP server is not setting the permissions on files created in subfolders of a shared folder when inherit permissions is enabled.
"If the file system being shared is HFS Plus, you can work around this issue by using access control lists (ACLs)."
Apple is purported to be working on a fix for this issue that will be released in a future update to Mac OS X 10.4.x.
In the meantime, you can find instructions for setting up ACLs (access control lists) in this Mac OS X Server 10.4 manual.
As noted by MacFixIt reader Mark Daniel:
"With 10.4.x Server, using Apple's Access Control Lists, newly created files/folders automatically inherit the parent folder's permission settings. If (a user) is having this problem, it's most likely because he didn't correctly configure the ACLs... which can be daunting at times, but provide for almost unlimited flexibility.
"I've moved a few offices over to Server 10.4, and they're loving it... ACLs rock. This includes the DetroitMac office, as well as numerous other testing and odds n' ends servers I've got laying about. Permission problems are FINALLY out the door. One thing to keep in mind, though, is that ACLs ONLY take effect if you have them enabled for the volume (done through Workgroup Manager), and you have at least one ACE (access control entry) specified for a particular sharepoint's permissions. If you have one specified, POSIX-style permissions are ignored."
Can't set file attributes
MacFixIt reader Stephen Suess reports an issue with AFP-generated files -- an inability to set file attributes (including comments accessible via the "Get Info" window, labels, and more).
Stephen writes:
"I believe we are experiencing the AFP permissions share problem you mention over the past 2 days on our new Tiger Server (10.4.1) Dual G5 Xserve, but with a twist. We have set up ACLs and for the most part they seem to work for things like changing the contents of a file, creating and deleting files, etc. However, no matter what we do, no user seems to be able to set other Finder file attributes such as comments or labels. As soon as one user connected to a share sets the label, clicks away from it and then back to the file, the label is gone. The comments seem to stick, but logging into the share as another user and trying to view them shows no comments at all. These worked very well in 10.3.8 and we use them often to indicate file status among our users."

New folders appear to contain the inherited ACLs granting RW access while
the standard permissions restrict group access to just Read. This is expected.
Unfortunately the ACL does NOT appear to take precedence over the standard
permissions leaving us with the same problem. No group write permissions
within folders created by another user.
upgrade until that is resolved.