Solved

Mac Homes in Snow Leopard server Permission problem

Posted on 2010-11-24
9
1,235 Views
Last Modified: 2013-11-24
I think I have broken some permissions on the Mac homes folders in Snow Leopard Server:

Whilst trying to fix a save issue with an end user, I propagated permissions through the machomes folder. Does anybody know what the default permissions should be for these files?
0
Comment
Question by:lloydforth1
9 Comments
 
LVL 4

Expert Comment

by:GWNet-working
ID: 34205059
CNet has some solutions to this: (http://reviews.cnet.com/8301-13727_7-10329971-263.html)



"Use Disk Utility to Fix System Permissions: Disk Utility can access the global permissions database which stores all the default permissions for Apple-provided system files. If users have manually copied files within their System folder (such as kernel extensions), Disk Utility's "Permissions Repair" routine can easily restore the proper permissions on these files. It is recommended to first try the permissions repair when booted into Safe Mode, but alternatively users can boot from their installation DVD and run it from there."
0
 
LVL 12

Expert Comment

by:nxnw
ID: 34255360
Disk Utility's Permissions Repair will not fix home folder permissions.

However:
Mac OS X v10.5 or later: While started from the Leopard Install DVD, a user's home directory permissions can be reset using the "Reset Password" utility.
http://support.apple.com/kb/ht1452

If that does not work on network home folders (probably doesn't), the permissions and ACLs are the same as local home folders:
drwx------+  3 username  staff  102  2 Dec 03:06 Desktop/
 0: group:everyone deny delete
drwx------+  4 username  staff  136  2 Dec 03:06 Documents/
 0: group:everyone deny delete
drwx------+  4 username  staff  136  2 Dec 03:06 Downloads/
 0: group:everyone deny delete
drwx------+ 22 username  staff  748  2 Dec 03:06 Library/
 0: group:everyone deny delete
drwx------+  3 username  staff  102  2 Dec 03:06 Movies/
 0: group:everyone deny delete
drwx------+  3 username  staff  102  2 Dec 03:06 Music/
 0: group:everyone deny delete
drwx------+  4 username  staff  136  2 Dec 03:06 Pictures/
 0: group:everyone deny delete
drwxr-xr-x+  5 username  staff  170  2 Dec 03:06 Public/
 0: group:everyone deny delete
drwxr-xr-x+  5 username  staff  170  2 Dec 03:06 Sites/
 0: group:everyone deny delete


The subfolders in Sites and Public are a bit different, too.
0
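An added example (not part of nxnw's post or of the original thread): a shell function that compares the top-level folders of one home directory against the modes in the listing above and, on Mac OS X, checks each for the "group:everyone deny delete" ACL entry. The function name audit_home, its optional owner argument and the CHECK_ACL variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit_home, its arguments and CHECK_ACL are illustrative names.
# Expected modes are taken from the listing in the answer above.
EXPECTED="Desktop:drwx------ Documents:drwx------ Downloads:drwx------
Library:drwx------ Movies:drwx------ Music:drwx------ Pictures:drwx------
Public:drwxr-xr-x Sites:drwxr-xr-x"

# audit_home HOME_DIR [OWNER]
# Prints one line per deviation; returns 0 if clean, 1 otherwise.
audit_home() {
    home=$1
    owner=${2:-}
    bad=0
    # ACL entries only exist on Mac OS X; CHECK_ACL=0/1 overrides detection.
    if [ "$(uname)" = Darwin ]; then acl=${CHECK_ACL:-1}; else acl=${CHECK_ACL:-0}; fi
    for entry in $EXPECTED; do
        name=${entry%%:*}
        want=${entry#*:}
        dir=$home/$name
        if [ ! -d "$dir" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        # The first 10 characters of ls -ld are the file type and rwx bits.
        have=$(ls -ld "$dir" | cut -c1-10)
        if [ "$have" != "$want" ]; then
            echo "MODE $name have=$have want=$want"; bad=1
        fi
        # Optional ownership check (third field of ls -ld is the owner).
        if [ -n "$owner" ]; then
            who=$(ls -ld "$dir" | awk '{print $3}')
            if [ "$who" != "$owner" ]; then
                echo "OWNER $name have=$who want=$owner"; bad=1
            fi
        fi
        if [ "$acl" = 1 ] && ! ls -lde "$dir" | grep -q 'group:everyone deny delete'; then
            echo "ACL $name missing group:everyone deny delete"; bad=1
        fi
    done
    return $bad
}

# Usage: audit_home /path/to/machomes/username username
```

It only reports on the nine top-level folders shown in the listing; the thread does not give default modes for the home folder itself or for nested files, so those are not checked.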
 

Expert Comment

by:ukprotect
ID: 34292232
It is almost impossible to reconstruct the permissions again. I have had similar problems with the propagate button. The easiest thing you can do is copy the user's home folder to the desktop. Delete that user using Workgroup Manager, and recreate it again. Copy back the contents of the Documents, Movies, Picture and Music.
0
 
LVL 12

Expert Comment

by:nxnw
ID: 34294666
"The easiest thing you can do is copy the user's home folder to the desktop. Delete that user using Workgroup Manager, and recreate it again. Copy back the contents of the Documents, Movies, Picture and Music."

This does not seem like a good idea. It will blow away all of the important things contained in the user's library, like preferences and email. Indeed, lots of people have nothing of consequence in the Documents, Movies, Picture and Music folders, but have critically important data in the directories that would be lost.

Propagating permissions works fine from the command line.
0

 

Expert Comment

by:ukprotect
ID: 34296176
If you follow the procedure I have shown you, it would be easy to copy back the user's documents, including their preferences and email. The alternative would be to go to each and every folder and change the permissions, which is hundreds of files. The result still wouldn't be the same as the original.
0
 
LVL 12

Expert Comment

by:nxnw
ID: 34296686
As I understand it, your advice is:
1. copy a user's home folder to the desktop of the logged in user ( i.e., a different user);
2. create a new user with a new network home folder;
3. copy back the contents of the various folders into the newly created folder set - for example, the contents of the original library folder, into the newly created library folder;

Re: #1. You can't do this without changing the privileges for most of the contents of the home folder. Otherwise, you are interrupted by "you don't have permission to copy that file", which you ignore at your peril;
Re: #3. Copying a file with incorrect privileges back to the new folder will only change the owner. Any other incorrect privileges (rwx) will remain incorrect.

Without any copying (or potentially imperfect attempts to copy), ownership can be corrected on the full home directory with this command:

sudo chown -R username /path/to/home/directory
0
 

Expert Comment

by:ukprotect
ID: 34298293
Let me try to explain it better.
'User A's' permissions are all wrong. I will log in to the server as an administrator.
Locate the location of the home folders. Mine is located on Drive 2 of my Mac mini.
Copy 'User A's' home folder to the desktop.
This home folder will contain the user's Documents, Music, Pictures, Preferences etc.
I then open Workgroup Manager and delete 'User A'. You may also need to manually delete 'User A's' home folder from the network location. (Mine is on drive 2; you now still have a copy of 'User A's' home folder on the desktop.)
In Workgroup Manager, create a new user called 'User A'.
By default the Administrator cannot view the contents of home folders, so suppose the old home folder (located on the desktop) contains pictures, documents, preferences. Click on the new home folder and press command-i and add the current Administrator to have read and write permissions to User A's new home folder. To access the Music, Pictures, Library folders, repeat the command-i to add the Administrator with read/write privileges to these folders.
Copy the contents of the Picture folder from the home folder on the desktop to the home folder on the network drive. Do the same for the other folders.
0
 
LVL 12

Accepted Solution

by:
nxnw earned 500 total points
ID: 34298434
I understood it fine. The problems with it are outlined above.
0
 
LVL 3

Author Comment

by:lloydforth1
ID: 34299113
nxnw is right: that will only change the owner; nested files will still have the incorrect permissions. The problem is I have propagated incorrect permissions through the whole structure.

I managed to find a compromise that seems to be working; it's just I have no idea if the current permissions are the correct "default" ones.

My big problem was that other users could AFP to the Mac homes and see the contents of other users' homes (not exactly ideal). This was fixed immediately by removing everyone read/write access from the top-level folder.


0
