> Can anyone help me with a pointer to a document or a short desciption of
> - the exact mapping of access privileges on a Mac vs those on Unix (Linux)
> and vice versa?
> - the inheritance of access privileges when copying files and folders to a
> shared disk.
> - the inheritance of ownership of those files.
I was hoping someone else would answer authoritatively, but here's what
I've
surmised from behavior:
- afpd processes run as the user who logged into the Mac, so the Mac has
access to everything the user would ordinarily. This is the only thing
you need to decide if a user can *read* a file.
- Afpd gives newly-created directories the same permissions bits as those
of the parent directory, including the setgid bit.
- Newly created files will get the same permissions bits as the parent
directory, with the x bits stripped.
- Newly created files and directories will be owned by the creating user.
If the parent directory has the setgid bit set, new files and directories
will be in the same group as the parent; otherwise they will be in the
creating user's primary group. (This is normal Unix behavior.)
- Files and directories can only be created in directories to which the
user has rwx access (as opposed to Unix, where only wx access is needed.)
- These rules apply to the .AppleDouble directories as well, but not to
Network Trash Folder.
> One of the things I'd like to have is a 'drop box' where a file can be
> copied to, and where the owner of the drop box can pick it up.
> But a complete overview would be great to set up the right privileges for a
> shared network disk.
I don't believe you can do this in general without letting all users
overwrite and delete files created in the dropbox by other users; you
can't have files created in the dropbox that can only be modified by the
creator and drop-box owner.
Now, if you're willing to create a subfolder for each user within the
dropbox, so that users can only drop files into their own folder, then you
can do it.
- Create a group "dropbox", whose only member is the owner of the dropbox
mkdir DropBox
chown owner DropBox
chmod 755 DropBox
- then for each user:
mkdir DropBox/user1
chown user1 DropBox/user1
chgrp dropbox DropBox/user1
chmod 775 DropBox/user1 (or maybe 770 to omit world readability)
chmod g+s DropBox/user1
... and repeat for all other users. In each subfolder, only two users
will be able to create or delete files, the owner of the dropbox subfolder
and the owner of the drop box itself.
Users should *not* cut/paste files into the dropbox or the permissions
will get screwed up. Copy/pasting works okay, though.
