Change the umask and ACL (Access Control List) Directory and File Settings

How to stop OS X 10.9 Mavericks from changing your directory and file permissions by changing the umask and ACL settings

By Todd Duell

Todd Duell is the Vice President & CIO of Formulations Pro, Inc and has been creating powerful commercial and custom solutions using FileMaker Pro since 1989. He holds an MBA in Technology Management, is a Certified FileMaker Pro Developer, and has been a member of the FileMaker Business Alliance since 1998. He is the author of FileMaker API for PHP, A Practical Guide for Creating Database Driven Web Sites with FileMaker Pro 12 and FileMaker Server 12. Todd may be reached at [email protected]

© 2014 Formulations Pro, Inc. All rights reserved. www.formulationspro.com

Background: You have FileMaker Server hosting your database and web site on a Mac running Mavericks 10.9. On that server you have shared the htdocs web folder through System Preferences so that you can transfer files to it for your web site. When you transfer files to the htdocs folder, FileMaker Server gives you a nasty error in your browser saying the page can't be found, and you can't figure out why. You check your path... sure enough, the path is correct and the file is there in the folder. You check the Privileges and you see that the everyone account is set to No Access. You're thinking, what the hell, how did that happen? I already set the sharing preferences and authenticated to the server as the Admin account when I opened the shared folder and transferred the file.

The short answer is that Mavericks now enforces the ACL (Access Control List) differently. The real problem with transferring files to the htdocs web server folder is that the everyone account ends up set to No Access, which renders the file unreadable on the web site. Obviously that's not going to work on a web server, because the everyone account needs to be set to at least Read Only, and you certainly don't want to manually change the permissions of each file every time you transfer it from your development computer.

Here's the rub: you go to the htdocs folder, choose Get Info, manually set all the accounts to the Privileges you need on the web server (i.e. everyone Read), then click the cog and choose Apply to enclosed items. Great! Everything is where you want it. But wait... you transfer another file and the everyone Privilege is back to No Access. What the hell? I just changed that setting! Why isn't it propagating to the new files I transfer and retaining my settings?

In older versions of the OS the ACL inheritance flags, "file_inherit" and "directory_inherit", were retained, so any file or folder added later picked up the parent folder's Privileges. That's perfect... it's exactly what I want. So what do I have to do to make that work again?

Technically, there are two ways to do it. The easiest way to make that happen on the web server is to set the user default umask. umask? What's that? There's no System Preference setting for umask. When you create a file or a folder in OS X, the system initially doesn't know what permissions it should set, so it starts from full Read, Write, and Execute for the user, group, and everyone: 777 for a folder, and 666 for a plain file, since most programs don't ask for Execute on a new file. The system then applies the default umask as a filter: every permission bit that is set in the umask is cleared from that starting value, reducing it to a more "desired" value for security (see the value list below). That's not what I desire! I just want it to work and not hassle me for account names and privileges or render my web pages and content inaccessible until I change the permissions for the nth time.
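The following shell script is an added example and is not code from the article. It shows what the umask filter really does, computing the resulting mode as a bit mask (which is why 755 under a 022 umask stays 755) and reading back the mode of a freshly created file and folder, and it gives you a way to confirm the effective umask after the launchd-user.conf change described below, since a new umask does not always take effect on a plain log out and in. It runs on both macOS and Linux; the function names (apply_umask, mode_of, demo_umask) are my own.

```shell
#!/bin/sh
# Added example, not code from the article: what the umask filter really does,
# and a way to confirm the effective umask after editing launchd-user.conf.
# Function names here (apply_umask, mode_of, demo_umask) are mine.

# apply_umask MODE UMASK -> the mode the kernel leaves, all in octal.
# umask is a bit mask: each bit set in UMASK is cleared from MODE. It is not
# a subtraction, which is why 755 under 022 stays 755 rather than becoming 733.
apply_umask() {
    req=$((0$1)); mask=$((0$2))       # leading 0 makes the shell read octal
    printf '%o\n' $(( req & ~mask & 0777 ))
}

# symbolic_to_octal rwxr-xr-x -> 755 (the nine mode characters from ls -l).
symbolic_to_octal() {
    i=1; out=""; digit=0
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$1" | cut -c"$i")
        case $c in
            r)     digit=$((digit + 4)) ;;
            w)     digit=$((digit + 2)) ;;
            x|s|t) digit=$((digit + 1)) ;;   # s/t: setuid, setgid, sticky plus execute
        esac
        if [ $((i % 3)) -eq 0 ]; then out="$out$digit"; digit=0; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# mode_of PATH -> its permission bits as octal, read back from ls -ld so the
# same code works on macOS (BSD ls) and Linux (GNU ls), whose stat flags differ.
mode_of() {
    symbolic_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# demo_umask UMASK -> "file=644 dir=755"-style result of actually creating a
# file and a folder under UMASK in a throwaway directory. Run it after the
# launchd-user.conf change to see whether the new umask really took effect.
demo_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/newfile"      # programs ask for 666 on a new plain file
        mkdir "$tmp/newdir"     # and 777 on a new folder
    )
    printf 'file=%s dir=%s\n' "$(mode_of "$tmp/newfile")" "$(mode_of "$tmp/newdir")"
    rm -rf "$tmp"
}

# The article's cases: the default Mavericks umask 022, then the proposed 000.
echo "current umask: $(umask)"
for m in 022 000; do
    echo "umask $m: folder 777 -> $(apply_umask 777 "$m"), file 666 -> $(apply_umask 666 "$m"), folder 755 -> $(apply_umask 755 "$m"); on disk: $(demo_umask "$m")"
done
```

Save it as umask_demo.sh and run `sh umask_demo.sh` in Terminal on the server: the "current umask" line is the setting launchd actually gave your session, and the "on disk" values are what new files and folders really get, which is the check to make after a log out or a restart.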
Well... I hate to rain on your parade, but Mavericks applies a default umask of 022 to transferred files and folders through a global setting in the OS. For example, if the htdocs folder started out with Read, Write, and Execute for all the groups (777), a folder you transfer into it is reduced to 755, or Read, Write, Execute for the user, Read and Execute for the group, and Read and Execute for everyone else, and a plain file goes from 666 to 644. Keep in mind that umask is a bit mask, not a subtraction: 022 clears only the Write bit for the group and for everyone else, so a 5 (Read and Execute) stays a 5, a 7 becomes a 5, and nothing in that mask takes Read away on its own. FileMaker Server installs the htdocs folder with everyone set to Read and Execute (5), so the folder itself is fine; the problem is that the files you transfer into it over the network arrive with everyone set to No Access (0), which renders them unreadable on the web site. That's great for network security, but it still leaves you with a headache having to constantly change the permissions of the files you transfer to the htdocs folder. Follow the instructions below to change the default user umask to 000, which clears no bits at all, so the folder and file permissions don't change when you transfer a file to the htdocs folder.

Bear in mind what umask 000 means: every file and folder that user creates, not just files in htdocs, is created with whatever mode the program asked for, typically 666 or 777, so any other account on the machine can write to them. If that bothers you, use the ACL method in the second half of this article instead, which is scoped to the one folder.

0 - No Access
1 - Execute Only
2 - Write Only
3 - Write and Execute
4 - Read Only
5 - Read and Execute
6 - Read and Write
7 - Read, Write, and Execute

1. Open Terminal.
2. Change to the root directory: cd /
3. Change to the etc directory: cd etc
4. Create a file named launchd-user.conf with nano: sudo nano launchd-user.conf
5. Enter the line: umask 000
6. Write out the file with control-O. Make sure to save it under the name launchd-user.conf.
7. Exit nano with control-X.
8. Check that the file was created: ls -al
9. Technically you're supposed to be able to log out of the account and then log back in for the new umask setting to take effect. However, I've found that this doesn't always apply the new user umask rules. Therefore, you may have to restart the computer for this to take effect.

The second method to change the permissions of the htdocs folder is geared toward a more granular approach to security: modifying the inheritance value of the folder for a specific user or group. In other words, if you want to control exactly which account can log into the htdocs folder, transfer files to it, and retain all the sharing and permission settings of the parent folder so they actually work as expected, you'll need to change the ACL of the htdocs folder using Terminal and the chmod command. For more information about the chmod command, open Terminal and type man chmod.

1. Open Terminal.
2. Change to the HTTPServer directory that contains htdocs: cd /Library/FileMaker\ Server/HTTPServer/

Find out what ACLs are assigned to a folder (if any):

ls -el

In this case you can see that ACL entry 0 is assigned to user:fmserver for the htdocs folder.

Deleting an ACL from the htdocs folder

Specify the number (0) of the ACL entry you want to remove from the htdocs folder:

sudo chmod -R -a# 0 htdocs

Adding a new ACL

You have to spell out everything exactly the way you need the settings. If you make a mistake you have to delete the ACL entry (as described above) and try again, or use =a#, which rewrites a specific entry with the values you specify. Be sure to specify the number of the ACL entry (1), the user or group account name (tduell), and all the Privileges you want that account to have. Since the intent of this section is to force the folder to provide file and directory inheritance, be sure to add those settings (file_inherit and directory_inherit) as well. Finally, apply the setting to the htdocs folder:

sudo chmod +a# 1 "tduell allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" htdocs

If for some reason you absolutely obliterate the owner and the group of the htdocs folder, you can always get them back.

To change the owner of the htdocs folder back to fmserver, navigate to the HTTPServer folder and type the following command:

sudo chown -R fmserver htdocs

To change the group of the htdocs folder back to fmsadmin, navigate to the HTTPServer folder and type the following command:

sudo chgrp -R fmsadmin htdocs

The sad truth about the problem with Mavericks is that for the average user who has taken the time to set up file sharing in System Preferences and assign an account and its privileges to the shared folder, Mavericks is completely disregarding those settings and making it incredibly difficult to simply transfer and share a file between computers. The information about how to change the umask and the inheritance settings is so buried at Apple that it's near impossible to figure out what to do. What happened to the days at Apple when things "just worked" and you didn't have to be an expert IT administrator to do a seemingly simple task?
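Returning to the ACL method above, the following shell script is an added example and is not code from the article. Because chmod +a# takes the entry as one string that has to be spelled exactly right, the script checks every right against the keyword list documented in chmod(1) on macOS before building the entry, so a typo or a stray space fails here instead of leaving a half-correct entry you then have to remove with -a# and redo. It also reads ls -le output and reports which entries carry both file_inherit and directory_inherit, the flags the whole method depends on. The tduell account and the sample ls -le output are constructed for the example, and since chmod +a# exists only on macOS, the script only prints the command on any other system.

```shell
#!/bin/sh
# Added example, not code from the article. Build the ACE for `chmod +a#`,
# refuse typos before chmod sees them, and check `ls -le` output for the
# inheritance flags. The tduell account and SAMPLE_LS_LE are constructed.

# Rights chmod(1) on macOS accepts in an ACE: generic, directory, file, inheritance.
ACL_RIGHTS="delete readattr writeattr readextattr writeextattr readsecurity writesecurity chown
list search add_file add_subdirectory delete_child
read write append execute
file_inherit directory_inherit limit_inherit only_inherit"

# valid_right NAME -> 0 if chmod understands NAME, 1 otherwise.
valid_right() {
    for r in $ACL_RIGHTS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# has_right RIGHTS NAME -> 0 if NAME appears in the comma-separated RIGHTS.
has_right() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# inherits RIGHTS -> 0 if the entry carries both inheritance flags, so files
# and subfolders added later pick it up (the point of the article's entry).
inherits() {
    has_right "$1" file_inherit && has_right "$1" directory_inherit
}

# build_ace WHO allow|deny RIGHTS -> "WHO allow RIGHTS", RIGHTS comma-separated.
# A misspelt right or a space inside one ("rea dextattr") is rejected here.
build_ace() {
    who=$1; kind=$2; rights=$3
    case $kind in
        allow|deny) ;;
        *) echo "build_ace: ACE type must be allow or deny, got '$kind'" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $rights          # split on commas only; a space inside a right survives
    IFS=$old_ifs
    [ $# -gt 0 ] || { echo "build_ace: no rights given" >&2; return 1; }
    for r in "$@"; do
        valid_right "$r" || { echo "build_ace: unknown right '$r'" >&2; return 1; }
    done
    printf '%s %s %s\n' "$who" "$kind" "$rights"
}

# inherit_report reads `ls -le` output on stdin and prints, for each ACE line,
# "INDEX PRINCIPAL ok|no-inherit". The plain ls -l lines are skipped.
inherit_report() {
    while IFS= read -r line; do
        case $line in
            ' '*': '*' allow '*|' '*': '*' deny '*) ;;
            *) continue ;;
        esac
        idx=${line%%:*}; idx=${idx# }
        rest=${line#*: }
        who=${rest%% *}
        rights=${rest##* }
        if inherits "$rights"; then st=ok; else st=no-inherit; fi
        printf '%s %s %s\n' "$idx" "$who" "$st"
    done
}

# Constructed sample of `ls -le` output in HTTPServer after the article's chmod.
SAMPLE_LS_LE='drwxr-xr-x+  5 fmserver  fmsadmin  170 Feb 10 09:12 htdocs
 0: user:fmserver allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: user:tduell allow read,write'

# report_sample -> the inheritance report for the constructed sample above.
report_sample() {
    printf '%s\n' "$SAMPLE_LS_LE" | inherit_report
}

# apply_ace DIR INDEX ACE -> inserts ACE at INDEX on DIR, then shows the result.
# chmod +a# is macOS-only, so anywhere else this just prints the command.
apply_ace() {
    if [ "$(uname -s)" = Darwin ]; then
        chmod +a# "$2" "$3" "$1" && ls -led "$1"
    else
        printf 'would run: chmod +a# %s "%s" %s\n' "$2" "$3" "$1"
    fi
}

# Demo: the article's entry, validated, and applied if ./htdocs exists.
ACE=$(build_ace tduell allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit) || exit 1
inherits "${ACE##* }" && echo "entry will be inherited by new files and folders"
report_sample
[ -d htdocs ] && apply_ace htdocs 1 "$ACE"
```

On the server, run it from /Library/FileMaker Server/HTTPServer with sudo so the chmod line can modify htdocs; to audit an existing folder, pipe `ls -le` into inherit_report and look for any entry reported as no-inherit, since that entry will not follow the files you transfer.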