Cross-Platform Permissions

When file permissions are properly configured, the ACL and unixpermbits security models provide fairly consistent behavior even when the environment contains multiple client platforms. Some differences are still bound to be encountered, especially when ACLs are used. As previously described, this is because Windows systems use only ACLs for file permissions, whereas other platforms use a combination of ACLs and Unix permission bits. Some of these differences are obvious and others are more subtle. One subtle behavior occurs when an environment initially contains no Windows clients and later adds them.

When ACLs are enabled, the first time a Windows client mounts the file system it checks whether there is an ACL on the root of the file system. If not, it applies an inheritable, permissive "Everyone" ACE to the root directory. From that point on, this ACE propagates down to every file and subfolder unless the ACE is removed from a subdirectory or its inheritance is disabled. It is the presence of this ACE that allows Windows users to perform actions on files.

If the environment is initially set up without Windows clients and files are created, those files typically will not have an ACL. If no ACLs are ever explicitly applied to the files and subfolders, adding a Windows client later has no impact: when a file or folder has no ACL of its own, the Windows client uses the ACL of its parent, and if the parent has none either, it searches upward all the way to the root and uses the first ACL it finds, which may be the root "Everyone" ACE.

However, if ACLs are placed on files before any Windows client ever mounts the file system, some unexpected behavior may occur after Windows clients are added. For example, a Mac user named "jane" may add an ACE to a file that allows read access by "joe":

jane@mac$ chmod +a "joe allow read" myfile
jane@mac$ ls -le myfile
-rw-r--r--+ 1 jane managers 0 Sep 30 11:02 myfile
 0: user:joe allow read

This results in a file with a single ACE, since it did not inherit any ACEs from the parent directory. Suppose that a Windows system is then added to the environment. If "jane" attempts to access the file from Windows, she is denied access whether she tries to read the file, write the file, or simply display its security information. The reason is that while the file contains an ACL, that ACL does not specify any ACE that allows her to access the file, and Windows does not fall back to the Unix permission bits (the rw-r--r-- mode that still grants her access from the Mac).

The workaround for this scenario is to apply, from the Mac, ACLs that grant the intended users access to all files before any Windows client is attached. For example, "jane" could apply ACEs that allow full access to herself and read access to the group "managers":

jane@mac$ chmod -R +a "jane allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" /Volumes/snfs1/homes/jane
jane@mac$ chmod -R +a "managers allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit" /Volumes/snfs1/homes/jane
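Before attaching the first Windows client, it is worth auditing the tree for files that already carry an ACL but grant nothing to their owner, since those are exactly the files the owner will be locked out of from Windows. The following shell helper is an added example, not part of this documentation or of the file system product: it parses the output of the Mac's ls -le (the same layout shown above) and prints every entry whose ACL contains no "allow" ACE for the file's owner or for everyone. It assumes that the Everyone principal is printed as group:everyone; the sample listing used in the test is constructed.

```shell
#!/bin/sh
# find_owner_locked_acls - added audit helper (not from the product docs).
# Reads `ls -le` (or `ls -leR`) output on stdin and prints the names of
# entries that have an ACL ("+" in the mode string) but no "allow" ACE for
# the owning user or for everyone. Such entries are readable on the Mac via
# the Unix permission bits, but a Windows client, which consults only the
# ACL, will deny the owner access to them.
#
# Typical use on a Mac:
#   ls -leR /Volumes/snfs1/homes/jane | find_owner_locked_acls
#
# Limitations (deliberate, to stay conservative): group ACEs are ignored
# because group membership is not visible in the listing, so a file whose
# owner is only reachable through a group ACE is still reported. Names in
# -R output are printed as ls prints them, relative to their "dir:" header.
# Assumption: the Everyone principal appears as "group:everyone".
find_owner_locked_acls() {
  awk '
    # Emit the previous entry if it had an ACL that never named its owner.
    function flush() {
      if (file != "" && has_acl && !owner_ok) print file
    }

    # Directory-entry line: mode, links, owner, group, size, Mon, day, time, name...
    $1 ~ /^[-dlbcps][-rwxsStT]+[+@]*$/ && length($1) >= 10 && NF >= 9 {
      flush()
      has_acl  = ($1 ~ /\+/)   # trailing "+" means an ACL is present
      owner    = $3
      owner_ok = 0
      # The name is everything from field 9 onward (names may contain spaces).
      file = $9
      for (i = 10; i <= NF; i++) file = file " " $i
      next
    }

    # ACE line printed by ls -le: "N: user:joe allow read", "N: group:g allow ..."
    $1 ~ /^[0-9]+:$/ {
      if ($3 == "allow" && ($2 == ("user:" owner) || $2 == "group:everyone"))
        owner_ok = 1
      next
    }

    END { flush() }
  '
}
```

Run it against the whole home tree before the first Windows mount; any name it prints needs an ACE for its owner (for example via the chmod -R +a commands above) or the ACL removed entirely so that the Windows client falls back to the inherited root ACE.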