Mac OS X: Resolving permissions (umask) issues in a server-based group folder environment
Note: This article assumes that you know how to read permissions values such as "775." If you don't, please review this article first to learn how.
Each operating system has a default permission value (such as 755 in Mac OS X 10.4) that it assigns to files and folders. Default permissions exist to ensure that the appropriate users have correct levels of access to a file in the most common situations and thus represent a balance of security and access.
In Mac OS X and other POSIX-based systems, a value known as a umask is subtracted from the system's maximum permissions value (typically 777) to determine the default permission value of a newly-created file. For example, a umask of 022 will typically result in a default permission of 755. The umask can play a role in a group working environment, such as sharing files in a group folder on a server.
By enabling or disabling a scheme generally known as inherited permissions (the exact name varies from one operating system to another), the server administrator decides whether the permissions of files written to the server will be determined by the permissions scheme of the client writing the file or by the server itself.
In a cross-platform environment, it's important to note that Windows-based systems don't employ a umask. Rather, Windows clients set the permissions of a file to match those of the target directory, regardless of whether or not the server is enforcing inherited permissions. Here's a common scenario:
- The administrator sets up an SMB server with inherited permissions disabled and a group folder with a permission value of 775.
- A Windows XP client saves a JPEG file to the group folder on the server, adopting the 775 permission from the server.
- A Mac OS X 10.4 client with a umask value of 022 opens the file and saves it, resulting in a permission of 755.
- The Windows XP client subsequently cannot save the file.
This happens because the Mac OS X client's umask of 022 wrote the file back to the group folder without group write permission (775 includes group write; 755 does not). Because inherited permissions were disabled on the server, the server did nothing to control the situation.
Using inherited permissions
To resolve this issue, make sure that you enable inherited permissions on the server (it's generally recommended that you not manipulate umasks, as unintended and possibly severe consequences may occur). Inherited permissions simply means that the files within a group folder will take on the permissions of the group folder itself, so that everyone in the group will be able to open and save the group files.
Had inherited permissions been enabled in the example above, the SMB server would have overridden the permissions written by the Mac OS X client, so that the Windows XP client would be able to save the file.
Depending on the server, you can enable inherited permissions for individual folders or entire shares. Consult your server documentation for instructions on how to enable inherited permissions.
Note: Inherited permissions is not a feature of Personal File Sharing in Mac OS X. If you're using Personal File Sharing in a workgroup environment, you should consider purchasing Mac OS X Server to enjoy a full server feature set.