Mac OS X Server: About Inherit Permissions

  • Last Modified: September 09, 2008
  • Article: HT3090
  • Old Article: 107623

Summary

Apple File Service (AFP) offers Inherit Permissions as an alternative for share points in Mac OS X Server 10.2.4 or later. This document discusses the differences between this model and the earlier, standard UNIX-style model.

Products Affected

Mac OS X Server

Background

Mac OS X applies a default set of permissions to newly created files and folders. For a local file, the owner has full read and write access and everyone else has read-only access. This is also known as a umask of 0022. This was also the standard for files and folders created on or copied to an AFP share point in Mac OS X Server versions prior to 10.2.4.

In certain collaborative workspaces this model is not effective, because the default value for group users does not allow changes. As a result, Mac OS X Server 10.2.4 or later includes an extension to the AFP protocol to allow for a different permissions model. The alternative permissions model is called Inherit Permissions.

Requirements

Inherit Permissions requires that both the Mac OS X client and server be version 10.2.4 or later. Earlier versions of Mac OS X will always use the standard UNIX-style permissions model.

When to use Inherit Permissions

Generally, a share point should use the standard permissions model, since it will make new files in the same manner as those created locally on a client volume. Some programs may depend on this, even when storing data files on a network volume.

However, if your use of the server includes the need to share and communally edit data files such as word processing documents, graphics, or other application program data, use Inherit Permissions on the share point that stores the shared data.

Warning: Inherit Permissions should never be used on a share point that hosts users' home directories.

What it changes

When a registered user creates a file or folder on a share point with Inherit Permissions enabled, the group of the file is changed to be the group of the enclosing folder, and the privileges of the file are changed to those of the enclosing folder. Note that this does not change a file to use the group or privileges of the share point, but those of the enclosing folder.

If a guest creates a file on a share point with Inherit Permissions enabled, the file gains all permissions of the share point, since there is no real user that corresponds to a guest user.
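The following audit is an added example, not part of Apple's article: it walks a share point and reports items whose group or read/write bits differ from their enclosing folder, which is how files written under the standard umask 0022 model (for example by clients earlier than 10.2.4) show up on a share that otherwise uses Inherit Permissions. The function names, the constructed sample tree, and the choice to compare only read/write bits are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: compare read/write bits only; the article does not say how a
# folder's search (execute) bits map onto the files created inside it.
RW_MASK = 0o666

def audit_share(root):
    """List items whose group or rw bits differ from their enclosing folder.

    Returns sorted tuples: (relative path, actual rw, expected rw, group matches).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.lstat(dirpath)
        expected_rw = stat.S_IMODE(parent.st_mode) & RW_MASK
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about access
            actual_rw = stat.S_IMODE(st.st_mode) & RW_MASK
            group_ok = st.st_gid == parent.st_gid
            if actual_rw != expected_rw or not group_ok:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(actual_rw), oct(expected_rw), group_ok))
    return sorted(findings)

def build_demo_share():
    """Constructed sample tree: one folder holding two files."""
    root = tempfile.mkdtemp(prefix="share_")
    os.chmod(root, 0o775)
    team = os.path.join(root, "team")
    os.mkdir(team)
    os.chmod(team, 0o775)
    # standard.txt: what umask 0022 yields; inherited.txt: matches the folder
    for name, mode in (("standard.txt", 0o644), ("inherited.txt", 0o664)):
        path = os.path.join(team, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for finding in audit_share(build_demo_share()):
        print(finding)
```

On the sample tree only `team/standard.txt` is reported: its group-write bit is missing relative to the enclosing folder, so group members could not edit it.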
