OSX 10.5: How to create a public share folder…..


This problem has been around (I think) ever since the introduction of POSIX permissions. In pre-10.5 versions you could sorta do something like this by changing the default umask on the system, but that was system-wide and applied to all folders/files a user created on the entire filesystem... not nice. The real question is how do you create a directory that is totally public without mucking around with system/user-wide settings: a folder where anyone on the system in question can read/write/modify/delete anything anyone else has put in there. A true shared directory with share permission inheritance. We call it the “pub” directory at my place of work.

The old trick in OSX (in case someone is interested) was to write a small script that you ran via cron every 5-10 minutes that would “chmod” all the entries in a folder to be open to a specific POSIX group, something like the script below:

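    # Find everything under the share that is not a symlink and not yet group-writable
    find /path/to/shared/directory ! -type l ! -perm -g=w -print0 | while IFS= read -rd $'\0' filename
    do
        echo "*+*+*Permission changing program caught something"
        if [ -d "$filename" ]
        then
            # Directories also need group execute (search) permission
            chmod g+rwx "$filename"
            # echo Directory changed
            stat -l "$filename"
        fi
        if [ -f "$filename" ]
        then
            # Regular files only get group read/write
            chmod g+rw "$filename"
            # echo File changed
            stat -l "$filename"
        fi
    done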

Well those were the old days and now with the help of ACL’s we can do this a lot nicer/cleaner. The procedure below is for OSX 10.5+ (it should also work on 10.4, although I haven’t tried it).

  1. Enable ACL’s on your computer. Type the following command in a Terminal window: sudo /usr/sbin/fsaclctl -p / -e and verify that ACL’s are now enabled by typing: sudo fsaclctl -p /
  2. Create a new group. The easiest way to do this is through the Accounts pane in System Preferences. Just click on the Plus sign to add a new account and then select Group from the New Account drop-down menu. Call this group anything you want; I called mine public. Add all the users who you want to participate in the file sharing to your newly-created group.
  3. Do the following steps in Terminal, in Applications -> Utilities:
  4. Change directory to /Users/Shared: cd /Users/Shared
  5. Create a new folder where the users will be able to share their files. I created a folder named Pub by typing mkdir Pub
  6. Change the group of the new folder to your newly-created group: sudo chown admin:public Pub
  7. Change the default permissions, if you wish: sudo chmod 770 Pub (this is optional if you’re happy with the default permissions).
  8. Create the ACL entry for the new folder: sudo chmod +a "group:public allow file_inherit,directory_inherit,readattr,readextattr,readsecurity,read,execute,list,search,writeattr,writeextattr,delete,append,write,delete_child,add_file,add_subdirectory" Pub

You now have a true public folder where all members of the group public can read, write and delete files, as well as read, write to and create new sub folders. The ACL rule takes precedence over standard UNIX file permissions and is automatically inherited. It’s this automatic inheritance that is really important.

IMPORTANT: You must copy (hold down Option in Finder prior to dragging), and not merely move, items. This is particularly important with bundles, such as the Aperture library bundle for example. Moving items doesn’t inherit/change the permissions/ACL’s. Copying ensures that the files are actually created in the shared folder, thereby forcing the ACL rules to be inherited. If you have moved files into this directory and the permissions are a bit messed up you can quickly fix that by issuing the following recursive command which will set the ACL’s and POSIX permissions to the “right” ones so that everyone can do anything in that directory:
sudo chmod -R +a "group:public allow file_inherit,directory_inherit,readattr,readextattr,readsecurity,read,execute,list,search,writeattr,writeextattr,delete,append,write,delete_child,add_file,add_subdirectory" /Users/Shared/Pub
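
To find items that were moved rather than copied into the shared folder, and so never inherited the group ACE from step 8, you can scan the output of `ls -le`, which prints each entry's ACL beneath it. The script below is an added example, not part of the original post; the function names `missing_group_ace` and `sample_listing` are hypothetical and the listing is constructed sample data.

```shell
#!/bin/sh
# Added example: report entries in `ls -le` output that have no allow ACE
# for a given group (for instance items moved, not copied, into Pub).

# Constructed sample of `ls -le /Users/Shared/Pub` output (not from a real system).
sample_listing() {
cat <<'EOF'
total 16
drwxr-xr-x+ 3 alice  public  102 Jan  5 10:12 Photos
 0: group:public inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
-rw-r--r--  1 bob    staff  2048 Jan  5 10:15 moved report.txt
-rw-r--r--+ 1 alice  public  512 Jan  5 10:20 notes.txt
 0: group:public inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity
-rw-r--r--+ 1 carol  staff   900 Jan  5 10:31 budget.xls
 0: user:carol allow read
EOF
}

# missing_group_ace GROUP: reads `ls -le` output on stdin and prints the name
# of every entry that carries no "group:GROUP [inherited] allow ..." ACE.
missing_group_ace() {
    awk -v want="group:$1" '
        function report() { if (name != "" && !ok) print name }
        /^total / { next }
        # ACE lines look like " 0: group:public inherited allow read,..."
        /^ *[0-9]+: / {
            if ($2 == want && ($3 == "allow" || $4 == "allow")) ok = 1
            next
        }
        # Any other line starts a new entry: report the previous one first.
        {
            report()
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            ok = 0
        }
        END { report() }
    '
}

# Run against the constructed sample; prints the two entries lacking the ACE.
sample_listing | missing_group_ace public
```

On a Mac, run `ls -le /Users/Shared/Pub | missing_group_ace public` instead of the sample; names containing runs of spaces are printed with single spaces.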


2 responses to “OSX 10.5: How to create a public share folder…..”

  1. Great tip!

    I have a standard user on my Macbook for sharing a folder in my admin user account with SMB. This is so I don't have to type in my admin password when accessing this share from a Windows machine.

    Was actually looking for something like a "create mask" in smb.conf.

    Only problem I have with the ACL method is that the permissions aren't immediately apparent when I do a ls -la

  2. I just set up two MacMini's with Leopard Client 10.5.8 as web servers and ftp servers and followed your example so that multiple developers could update the common web pages in the website folder. I was still having problems getting the permissions to inherit correctly so did some more digging on Google. I found a similar post which added an additional ACL to the pub folder. Here is my final configuration that worked:
    Shared Folder = Websites
    Folder Location = Users/Shared/
    Owner:Group of Websites = labadmin:admin
    chmod permissions = sudo chmod -R 755 Websites

    sudo chmod -R +a "group:webeditors allow file_inherit,directory_inherit,readattr,readextattr,readsecurity,read,execute,list,search,writeattr,writeextattr,delete,append,write,delete_child,add_file,add_subdirectory" Websites

    sudo chmod -R +a "everyone allow file_inherit,directory_inherit,readattr,readextattr,readsecurity,read,execute,list,search,writeattr,writeextattr,delete,append,write,delete_child,add_file,add_subdirectory" websites

    Once I added the "everyone" ACL the permissions were properly inherited. Without it they would not pass on the Execute bit and I would receive a permissions error message when I attempted to view the web page on the site. This may have been particular to my situation but others may find this useful.
