How to Set User Group Permissions in macOS Server

The use of macOS Server is an extremely convenient way to share files with multiple macOS devices. Once shared, folders can be accessed by group members. To increase the security of the server, it is recommended to control who has access to file-sharing services. For this reason, folder permissions should be used to either allow or restrict access to files for three categories of users: Owner, Group, and Others.

The permissions are metadata attributes that let the system know who is allowed to create, modify, and delete files and folders. Although permission attributes have been designed to improve the file sharing process and to keep certain users away from administrative functions by compartmentalizing access, they do not allow a great degree of access control. Specifically, a file created or modified in a shared folder doesn't inherit the permissions of the parent folder. In other words, even users who have Read & Write permissions on the folder can only read that file. The lack of fine-tuned controls for folder access substantially complicates the use of the file sharing function of macOS Server.

This article explains how to obtain a greater degree of access control for the three categories of users.

Workaround

To make new files accessible to everyone who has Read & Write permissions for the shared folder, it is necessary to apply a somewhat involved workaround. Launch the Terminal app from the Utilities folder. Then make the contents of /Users/Shared/reallyshared reachable to everyone having Read & Write access to the shared folder by using this command:

sudo chmod -R +a "staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Users/Shared/reallyshared

The file_inherit and directory_inherit flags in the command make the permissions apply automatically to items newly created in the folder, and -R extends the permissions to already existing items. It should be kept in mind, however, that the workaround has a substantial downside. Namely, the permissions won't be inherited by files transferred to the folder from other directories. Therefore, it is recommended to try another approach to solving the issue.

ACLs

macOS Server offers its users two types of permissions for shared folders, files, and share points: Portable Operating System Interface for Unix (POSIX) permissions and Access Control Lists (ACLs). The latter type is more complicated than the former because it allows assigning four forms of inheritance, which is convenient for organizations that need to set different levels of access to a shared folder. The problem with inheritance is grounded in the use of POSIX permissions, which do not propagate inheritance automatically. To check the listing of ACL permissions, do the following:

  1. Launch macOS Server;
  2. Launch the Terminal on the server;
  3. Enter this command verbatim: ls -ale
  4. Then, hit the Space button and enter the path to the shared folder (alternatively, drag and drop the folder into the Terminal);
  5. Press the Enter button;
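
As an added example (not part of the original article), the following shell script wraps the chmod workaround above in a function and audits the output of ls -ale for a shared folder, reporting any group:staff entry that lacks the file_inherit and directory_inherit flags. It assumes the macOS ls -le output format (" N: group:NAME allow perm,perm,..."); the sample listing embedded below is constructed for illustration, not captured from a real server.

```bash
#!/bin/sh
# Added example, not the article's own code. Assumes macOS `chmod +a` and the
# `ls -le` ACE line format; the sample listing below is constructed.

# The ACL entry from the workaround: staff may list, add, traverse, and read/write
# attributes, and the entry is inherited by new files and subdirectories.
ACL_ENTRY="staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"

# Apply the workaround ACL recursively to a folder. chmod +a exists only on
# macOS, so refuse to run elsewhere instead of failing half-way.
apply_shared_acl() {
  dir=$1
  [ "$(uname)" = "Darwin" ] || { echo "chmod +a is macOS-only" >&2; return 2; }
  sudo chmod -R +a "$ACL_ENTRY" "$dir"
}

# Read `ls -ale` output on stdin and check every group:staff ACE for both
# inheritance flags. Prints each deficient ACE; returns 0 only if all are fine
# and at least one staff ACE was present (files moved in from elsewhere, as
# the article notes, will show up here with no ACE at all).
audit_staff_aces() {
  status=0
  found=0
  while IFS= read -r line; do
    case $line in
      *" group:staff allow "*) ;;
      *) continue ;;
    esac
    found=1
    perms=${line##* allow }          # the comma-separated permission list
    case ",$perms," in
      *,file_inherit,*) ;;
      *) echo "missing file_inherit: $line"; status=1 ;;
    esac
    case ",$perms," in
      *,directory_inherit,*) ;;
      *) echo "missing directory_inherit: $line"; status=1 ;;
    esac
  done
  [ "$found" -eq 1 ] || { echo "no group:staff ACE found"; status=1; }
  return "$status"
}

# Constructed sample of `ls -ale` output for a folder after the workaround.
SAMPLE_LISTING="drwxrwxr-x+ 3 admin  staff  96 Jan  1 12:00 /Users/Shared/reallyshared
 0: group:staff allow $ACL_ENTRY"

printf '%s\n' "$SAMPLE_LISTING" | audit_staff_aces && echo "staff ACE inherits correctly"
```

Run the audit against the real folder with `ls -ale /Users/Shared/reallyshared | audit_staff_aces` after applying the ACL; a file that was moved into the folder will be listed without a staff ACE and flagged.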

To manage ACL permissions in macOS Server, follow the steps below:

  1. Launch the Server app;
  2. Click on the Server tab;
  3. Click on the Storage button;
  4. Change the settings of POSIX Owner and Group to Read & Write;
  5. Change the settings of Other to None;
  6. Click the gear button and select the Edit Permissions option to set ACL permissions.
  7. Click on the triangles next to users to configure ACL permissions.

It is essential to avoid POSIX-ACL collisions. Also, it is not recommended to change drive permissions because it can substantially disrupt the system.
