ACLs and Posix Permissions | Apple 10.5 Leapard guide

ACLs and POSIX Permissions

Every file and folder has POSIX permissions. Unless an administrator assigns ACL permissions, POSIX permissions continue to define user access. If you assign ACL permissions, they take precedence over standard POSIX permissions.

If a file has ACL permissions, but none apply to the user, the POSIX permissions determine user access. If a file has multiple ACEs that apply to a user, the first applicable ACE takes precedence, and subsequent ACEs are ignored.

For more information about ACL and POSIX permissions, see File Services Administration.

SIDs and Windows Interoperability

Mac OS X computers work seamlessly with Windows computers because Mac OS X assigns a security identifier (SID) to a process or file when it assigns a GUID to the process or file. A SID is a Windows identifier that has similar functionality to a GUID on a Mac OS X computer.

When Windows users access share points using Server Message Block (SMB), they transfer SIDs, not GUIDs. When Mac OS X Server receives SIDs, it retrieves the user accounts with the corresponding GUIDs.

Windows servers use Active Directory as their directory domain. If a user account is moved to a different Active Directory domain, it receives a new SID but not a new GUID. The user still has access permissions assigned to old SIDs because Active Directory keeps track of SID history in user accounts.

Chapter 1 User Management Overview

29

Image 29

Apple 10.5 Leapard manual ACLs and Posix Permissions

Contents

Mac OS X Server 019-0938/2007-09-01 Contents Setting Up an Administrator Computer Configuring the Administrator’s Computer and AccountCreating a Domain Administrator Account Using Workgroup Manager Contents Where Group Accounts Are Stored Setting Up Group AccountsAdministering Group Accounts Creating a Preset for Group Accounts 118 Chapter Contents Contents If You Can‘t Change a User’s Password Type to Open Directory 267 257 What’s New in Workgroup Manager About This Guide What’s in This Guide To see the most recent server help topics Using Onscreen HelpTo get help for an advanced configuration of Leopard Server This guide Tells you how to Mac OS X Server Administration Guides User Management Getting Additional Information Getting Documentation Updates Workgroup Manager Tools for User Management See this document Server Admin Server Preferences NetBootNetInstall Accounts Command-Line Tools Server Administration Administrator Accounts Guest Account User Accounts Computer Accounts Group Accounts Computer Groups Authentication and Identity ValidationUser Experience Information Access Control Folder and File Owner Access ACLs and Posix Permissions User Management Overview Getting Started with User Management Setup Overview Set up an administrator computer Create user accounts and home folders Analyzing Your Environment Planning Strategies for User Management Determining Server and Storage Requirements Identifying Directory Services Requirements Users with local accounts typically have local home folders Choosing a Home Folder Structure Devising a Home Folder Distribution Strategy Identifying Groups Determining Administrator Requirements Getting Started with User Management Getting Started with User Management To set up an administrator computer Configuring the Administrator’s Computer and AccountSetting Up an Administrator Computer To create a domain administrator account Using Workgroup ManagerCreating a Domain Administrator Account To connect and authenticate to directory domains Major Workgroup Manager Tasks Preference Description Modifying Workgroup Manager PreferencesTo set Workgroup Manager preferences Listing Accounts in the Local Directory Domain Finding and Listing AccountsWorking with Account Lists in Workgroup Manager To list accounts in a server’s local directory domain Listing Accounts in Search Policy Directory Domains Finding Specific Accounts in a List Listing Accounts in Available Directory DomainsRefreshing Account Lists To do this Do this Using Advanced SearchTo filter items in the list of accounts Sorting Users and Groups Using PresetsShortcuts for Working with Accounts Interface element Mixed-state appearance Editing Multiple Accounts Simultaneously To batch-edit accounts that match specific criteria Importing and Exporting Account Information Getting Started with Workgroup Manager About User Accounts Where User Accounts Are Stored User ID Predefined User Accounts To create a user account Administering User AccountsCreating User Accounts To make changes to a user account Editing User Account Information To work with a read-only user account Working with Read-Only User AccountsWorking with Guest Users Working with Windows User Accounts To delete a user account using Workgroup ManagerDeleting a User Account Disabling a User Account To create a preset for user accounts Working with PresetsCreating a Preset for User Accounts Renaming Presets Using Presets to Create AccountsEditing Presets To create an account using a preset Deleting a Preset Working with Basic SettingsTo edit a preset To delete a preset Modifying Short Names To work with the user name using Workgroup Manager Choosing Stable Short Names To work with a user short name using Workgroup Manager Avoiding Duplicate Names To change a user ID in Workgroup Manager Modifying User IDs Assigning Administrator Privileges for a Server Assigning a Password to a UserTo assign a password To set server administrator privileges in Workgroup Manager To change a user’s login picture Choosing a User’s Login Picture Giving a User Limited Administrative Capabilities Removing Administrative Privileges from a UserTo remove a user’s administrative privileges Working with Privileges Task Description To add limited administrative capabilities Giving a User Full Administrative Capabilities Working with Advanced SettingsTo change a user’s administrative privileges To enable a user’s calendar To choose a default shell Choosing a Default Shell To choose a user password type and set password options Choosing a Password Type and Setting Password Options To edit the master keyword list Creating a Master List of KeywordsApplying Keywords to User Accounts To work with keywords for a user account To work with a comment using Workgroup ManagerEditing Comments Choosing a User’s Primary Group Working with Group SettingsTo set a primary group ID using Workgroup Manager Adding a User to a Group To review group memberships using Workgroup ManagerReviewing a User’s Group Memberships To add a user to a group using Workgroup Manager Working with Home SettingsTo remove a user from a group using Workgroup Manager Removing a User from a Group Enabling Mail Service Account Options Working with Mail Settings Disabling a User’s Mail Service Working with Print Quota SettingsTo disable a user’s mail service using Workgroup Manager To forward a user’s mail using Workgroup Manager Enabling a User’s Access to Specific Print Queues Enabling a User’s Access to All Available Print Queues To delete a user’s print quota using Workgroup Manager Resetting a User’s Print QuotaTo restart a user’s print quota using Workgroup Manager Removing a Print Quota For a Queue To disable a user’s access to print queues enforcing quotas Working with Info Settings To change a user’s info Working with Windows SettingsChanging a Windows User’s Profile Location Changing a Windows User’s Login Script Location Changing a Windows User’s Home Folder Drive Letter Working with GUIDsChanging a Windows User’s Home Folder Location Viewing GUIDs To view a user or group Guid How Group Accounts Track Membership About Group Accounts Predefined Group name Group ID Use Where Group Accounts Are StoredPredefined Group Accounts To create a group account Administering Group AccountsCreating Group Accounts To create a preset for group accounts Creating a Preset for Group AccountsEditing Group Account Information To make changes to a group account To create a hierarchical group Creating Hierarchical Groups Working with Read-Only Groups To convert a legacy group to an upgraded group accountUpgrading Legacy Groups To delete a group using Workgroup Manager Working with Basic Settings for GroupsDeleting a Group Naming a Group Defining a Group ID To work with group names using Workgroup Manager To choose a group’s login picture Choosing a Group’s Login PictureTo work with a group ID using Workgroup Manager To enable a group’s web services Enabling a Group’s Web Services Adding Users or Groups to a Group Working with Member Settings for Groups To remove group members Working with Group Folder SettingsRemoving Group Members To specify no group folder Specifying No Group FolderCreating a Group Folder 102 Designating a Group Folder for Use by Multiple Groups 104 About Computer Accounts Setting Up Computers Computer Groups To create a computer account Creating Computer Accounts Working with Windows Computers To set up the guest computer accountWorking with Guest Computers About Computer Groups Administering Computer GroupsDifferences Between Computer Groups and Computer Lists Creating a Computer Group To set up a computer group Creating a Preset for Computer Groups To use a preset for computer groups Using a Computer Group PresetTo set up a preset for computer groups To add computers or computer groups to a computer group Adding Computers or Computer Groups to a Computer Group Deleting a Computer Group To upgrade computer lists to computer groupsUpgrading Computer Lists to Computer Groups To delete a computer group About Home Folders Setting Up Home Folders Hosting Home Folders for Other Clients Hosting Home Folders for Mac OS X Clients Distributing Home Folders Across Multiple Servers Setting Up a Share Point Administering Share PointsTo set up a share point Unix Class Name Permission To set up an automountable AFP share point for home folders Setting Up an Automountable AFP Share Point for Home Folders To set up an automountable NFS share point for home folders Setting Up an Automountable NFS Share Point for Home Folders Setting Up an SMB Share Point To create an SMB share point and set permissions To define no home folder Administering Home FoldersSpecifying No Home Folder To create a home folder for a local user Creating a Home Folder for a Local User To create a network home folder for AFP or NFS share points Creating a Network Home Folder Creating a Custom Location for Home Folders To create a custom home folder using Workgroup Manager Element Do this To set up a home folder in an existing share point Setting Up a Home Folder for a Windows User \\servername\usershortname Setting Disk Quotas Using Presets to Choose Default Home Folders Setting Disk Quotas for Windows Users to Avoid Data LossMoving Home Folders Deleting Home Folders About Mobile Accounts Managing Portable Computers About Portable Home Directories Logging In to Mobile Accounts Resolving Sync Conflicts About External Accounts Logging In to External Accounts Applications locally cache temporary files Advantages of Using Mobile AccountsConsiderations and Strategies for Deploying Mobile Accounts You can manage individual mobile accounts Considerations for Using Mobile Accounts 138 Mobile accounts can’t restore deleted files through syncing Strategies for Syncing Content To set up portable computers for use on your network Setting Up Mobile Accounts for Use on Portable ComputersConfiguring Portable Computers Unknown Mac OS X Portable Computers Managing Mobile Clients Without Using Mobile Accounts Using Mac OS X Portable Computers with Multiple Users 143 Optimizing the File Server for Mobile Accounts Securing Mobile Clients To optimize the file server for mobile accounts 146 Client Management Overview There are several key network-visible resources Using Network-Visible Resources Limits access Power of PreferencesCustomizing the User Experience Environment Control By letting you manage Environment Desired effect Designing the Login ExperienceKey login settings Choosing a Workgroup Improving Workflow Working with Synced Homes 153 154 Preference pane What you can manage Using Workgroup Manager to Manage Preferences Understanding Managed Preference Interactions 157 158 Understanding Hierarchical Preference Management Setting the Permanence of Management Caching Preferences Preference Management Basics To manage user preferences Managing User Preferences Managing Computer Preferences Managing Group PreferencesTo manage group preferences To manage computer preferences To manage computer group preferences Managing Computer Group PreferencesDisabling Management for Specific Preferences To selectively disable preference management Managing Access to Applications Icon Indicates the application has this type of signature What you can control To allow users to open specific applications and folders To allow specific Dashboard widgets Allowing Specific Dashboard Widgets Disabling Front Row To disable Front Row Managing Classic Preferences To set up a list of accessible applications Classic preference pane What you can control Selecting Classic Startup OptionsTo work with various startup options for Classic To choose a specific Classic System Folder Choosing a Classic System FolderAllowing Special Actions During Restart To hide or show items in the Apple menu Controlling Access to Classic Apple Menu ItemsTo allow special actions during restart To adjust Classic sleep settings Adjusting Classic Sleep Settings Managing Dock Preferences To choose where Classic user preferences are storedMaintaining Consistent User Preferences for Classic Controlling the User’s Dock To add a Dock item for a group folder Providing Easy Access to Group Folders To add items to a user’s Dock Adding Items to a User’s Dock To prevent users from adding items to their Docks Managing Energy Saver PreferencesPreventing Users from Adding or Deleting Dock Items To set sleep and wake settings Using Sleep and Wake Settings for Desktop Computers To manage portable computer settings Setting Energy Saver Settings for Portable Computers Displaying Battery Status to Users To schedule automatic actions To show battery status in the menu barScheduling Automatic Startup, Shutdown, or Sleep Finder preference pane What you can control Setting Up Simple FinderManaging Finder Preferences To turn on Simple Finder Controlling the Behavior of Finder WindowsTo hide disk and server icons on the desktop To set Finder window preferences Making Filename Extensions Visible Hiding the Alert Message When a User Empties the TrashTo hide the Trash warning message To make filename extensions visible Preventing Users from Ejecting Discs Controlling User Access to Remote ServersControlling User Access to an iDisk Controlling User Access to Folders Hiding the Burn Disc Command in the FinderTo hide the Burn Disc command To hide the Go to Folder command To hide the Restart and Shut Down commands Adjusting the Appearance and Arrangement of Desktop ItemsRemoving Restart and Shut Down from the Apple Menu To set preferences for the desktop view Adjusting the Appearance of Finder Window Contents Changing the Appearance of the Login Window Managing Login PreferencesLogin preference pane What you can control List setting Mac OS X version Effect To change the appearance of the Login Window Option What this does when enabled Configuring Miscellaneous Login Options Choosing Who Can Log To configure miscellaneous login options To choose who can log Customizing the Workgroups Displayed at Login To customize the workgroups displayed at login Enabling the Use of Login and Logout Scripts Trust value name Requirements To enable the use of login or logout scripts Click Edit Choosing a Login or Logout Script To set an item to open automatically To choose login or logout scriptsAutomatically Opening Items After a User Logs Providing Access to a User’s Network Home Folder To automatically mount the Network Home Providing Easy Access to the Group Share PointTo add a login item for the group share point To control access to disc media Managing Media Access PreferencesControlling Access to CDs, DVDs, and Recordable Discs Ejecting Removable Media Automatically When a User Logs Out Controlling Access to Hard Drives, Disks, and Disk ImagesTo restrict access to internal and external disks To automatically eject removable media Mobility preference pane What you can control Managing Mobility PreferencesCreating a Mobile Account Preventing the Creation of a Mobile Account To create a mobile account using Workgroup Manager To remove a mobile account Manually Removing Mobile Accounts from ComputersTo prevent the creation of mobile accounts OptionEffect Enabling FileVault for Mobile Accounts To enable FileVault for mobile accounts To select the location of a mobile account Selecting the Location of a Mobile AccountHome folder location Description Type Name Privilege To create an external account Creating External Accounts Setting Expiration Periods for Mobile Accounts To set an expiration period To stop files from syncing Stopping Files from Syncing for a Mobile Account To set the frequency for syncing background folders Setting the Background Sync FrequencyShowing Mobile Account Status in the User’s Menu Bar Managing Network Preferences Configuring Proxy Servers by PortTo show mobile account status in the user’s menu bar Network preference pane What you can control Allowing Users to Bypass Proxy Servers for Specific Domains To configure proxy servers for a user or a groupTo choose the domains that users can access directly To enable passive FTP mode Enabling Passive FTP ModeTo disable Internet Sharing Disabling Internet Sharing To disable AirPort Disabling BluetoothTo disable Bluetooth Disabling AirPort To prevent access to specific websites Preventing Access to Adult WebsitesManaging Parental Controls Preferences Hiding Profanity in Dictionary To allow access only to specific websites Allowing Access Only to Specific Websites Setting Time Limits and Curfews on Computer Usage Printing preference pane What you can control Managing Printing PreferencesTo set time limits and curfews Making Printers Available to Users To restrict access to the printer listPreventing Users from Modifying the Printer List To create a printer list for users To set the default printer Restricting Access to Printers Connected to a ComputerSetting a Default Printer To restrict access to a specific printer Restricting Access to PrintersAdding a Page Footer to All Printouts To add a footer to all printouts To manage access to Software Update servers Managing Software Update PreferencesManaging Access to System Preferences Managing Time Machine Preferences To manage access to System Preferences To manage Time Machine preferences Universal Access Preference pane What you can control Managing Universal Access PreferencesAdjusting the User’s Display Settings Adjusting Keyboard Accessibility Options Setting a Visual AlertTo adjust screen appearance To set a flashing alert Option Effect To set the way the keyboard responds to keystrokes To control mouse and pointer settings Adjusting Mouse and Pointer ResponsivenessEnabling Universal Access Shortcuts To allow Universal Access Shortcuts Using the Preference Editor with Preference ManifestsAllowing Devices for Users with Special Needs To allow assistive devices Adding to the Preference Editor’s List Frequency Description To add to the preference editor’s list To edit application preferences Editing Application Preferences with the Preference Editor To disable management of an application’s preferences Manifest Examples of things you can change Using the Preference Editor to Manage Core Services To add Safari to the preference editor list Using the Preference Editor to Manage Safari 238 Testing Your Network’s Time and Time Zones Diagnosing Common Network Issues To test your network’s DNS service on a single computer Testing Your DNS Service To test your network’s Dhcp service on a single computer Testing Your Dhcp Service If You Can’t Edit an Account Using Workgroup Manager Solving Account ProblemsIf Users Can’t See Their Names in the Login Window If You Want to Use Earlier Versions of Workgroup Manager If Users Can’t Log In or Authenticate If You Can’t Modify a User’s Open Directory PasswordIf You Can’t Assign Server Administrator Privileges If Users Relying on a Password Server Can’t Log If Users Can’t Access Their Home Folders Problems with a Primary or Backup Domain ControllerIf Users Can’t Change Their Passwords If a Windows User Can’t Log in to the Windows Domain If a Windows User Has No Home Folder If a Windows User’s Profile Settings Revert to Defaults Testing Your Managed Client Settings Solving Preference Management ProblemsIf Users Don’t See a List of Workgroups at Login To view managed client settings in System Profiler If Users Can’t Add Printers to a Printer List If Login Items Added by a User Don’t Open If Users See a Question Mark in the Dock If Items Placed in the Dock by a User Are MissingIf a User’s Dock Has Duplicate Items If You Can’t Manage Network Views If Users See a Message About an Unexpected Error Understanding What You Can Import and Export Importing and Exporting Account Information Limitations for Importing and Exporting Passwords Archiving the Open Directory Master Using Workgroup Manager to Import AccountsTo import accounts using Workgroup Manager Using Workgroup Manager to Export Accounts To export accounts using Workgroup Manager Using XML Files Created with AppleShare IP Apple Filing Protocol See AFP Access control list See ACL Directory node See directory domain See also computer list Full name See long name Globally unique identifier See Guid Home directory See home folder Local home directory See local home folder 262 Primary domain controller See PDC Security identifier See SID Search path See search policy Weblog See blog 266 Index 268 269 270 271 272 273 274 275