Making “Read & Write” mean Read & Write in Leopard

Posted on Tuesday, March 04, 2008

I have a love/hate relationship with Leopard. I’ve really gotten used to parts of it (the new Finder, Spaces), but it absolutely drives me crazy in other ways. My MacBook has crashed more with Leopard than during the entire 1.5 years it had Tiger on it.

But anyway, today I needed to set up a shared area on my iMac which multiple people can connect to via Samba and read/write any file. Now if you go into Leopard File Sharing prefs, enable File Sharing, set your shared folder and add the users you want and set their perms to “Read & Write,” you would think that’d work, right?

Wrong. People can read/write anything they create, but anyone else can only read. And you thought “Read & Write” meant read and write.

Ok, so much for the GUI. What if you’ve got some general *nix experience and think you can just set up a group, do a simple chgrp and chmod g+sw on the folder and then set the mask value for the share in /etc/smb.conf? Nope, neither of those works. New in Leopard is a magic smb.conf that you apparently can’t just edit like any other smb.conf on the planet.

After much googling, I did finally get it all to work. There are two steps:

  1. Set some ACLs from the command line (because, you guessed it, setting them to “Read & Write” in the Finder isn’t really setting them to read and write). So after enabling Samba sharing in the File Sharing Prefs and adding the folder you want to share to the list, go to the Terminal, cd into the directory you’re trying to share and run this command for each user (here “username”) you want to give access to:

    chmod -R +a "username allow read,write,\
    append,delete,list,search,add_file,add_subdirectory,\
    delete_child,file_inherit,directory_inherit,chown,readattr,writeattr,\
    readextattr,writeextattr,readsecurity,writesecurity" .

(Ignore the backslashes and line breaks, run it all together on one big line.)

That’s really not as crazy as it looks, it’s just very verbose. Basically you’re using the “+a” flag of chmod to grant username permission to do everything in that big long list that makes up most of the command. To be honest, I don’t know what each and every one of those does (I just found them here), though they’re all listed in the man pages for chmod if you feel like a little light reading. It’s actually pretty legible for a man page, and it’ll also tell you how to add, delete and replace ACLs with nice examples.

Note: this actually has nothing to do with sharing over samba. If you’re on a Mac with multiple users who need to really share an area (that “/Users/Shared” folder? Same dumb read-only behavior…), you can use this approach there, too.

  2. Ok, now to get Samba to play along you just need to add one line to the [global] section of your /etc/smb.conf file:

    acl check permissions = no

I found that here. Because this file is owned by root, you’ll have to edit it in Terminal, but if you followed the ACL step above already, you won’t let that stop you, will you? Ok, assuming you’re an admin, do this:

    $ cd /etc
    $ sudo cp smb.conf smb.conf.original
    $ sudo vi smb.conf

This will make a backup and then open the file in vim. Yes, you can use pico instead, but you should feel a little bit like a wuss for doing so. :) It’s really just a few keystrokes anyway. Type exactly what I’ve written:

  1. type /global and press return
  2. hit the "o" key (the letter, not a zero)
  3. type acl check permissions = no
  4. hit the "esc" key
  5. type :wq and press return

While you’re at it, if you like to use symbolic links in your shared folder, you have to add one more line to make them work in Leopard, too: unix extensions = no. (found that here) It goes in the [global] section too, so just follow the same instructions above and change the addition in the 3rd step.
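
The same two smb.conf edits can be scripted so they are safe to repeat. This is an added example, not part of the original post: set_global_option is a hypothetical helper name, and the demo runs on a constructed sample file (to change the real file you would pass /etc/smb.conf and run it under sudo).

```shell
#!/bin/sh
# Added example: set "key = value" in the [global] section of an smb.conf-style
# file without duplicating it. set_global_option is a hypothetical helper name.
set_global_option() {
    conf=$1 key=$2 value=$3
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Keep one pristine backup, like the cp step in the post.
    [ -e "$conf.original" ] || cp -p "$conf" "$conf.original" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk -v key="$key" -v value="$value" '
        # Samba ignores case and whitespace in parameter names.
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        /^[ \t]*\[/ {
            # Leaving [global] without having seen the key: add it here.
            if (in_global && !done) { print "\t" key " = " value; done = 1 }
            in_global = (tolower($0) ~ /^[ \t]*\[global\]/)
            print; next
        }
        in_global && !/^[ \t]*[#;]/ && index($0, "=") {
            if (norm(substr($0, 1, index($0, "=") - 1)) == norm(key)) {
                # Replace the first existing setting, drop later duplicates.
                if (!done) { print "\t" key " = " value; done = 1 }
                next
            }
        }
        { print }
        END {
            if (!done) {
                if (!in_global) print "[global]"   # file had no [global] section
                print "\t" key " = " value
            }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample file, not the real /etc/smb.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf '[global]\n\tworkgroup = WORKGROUP\n\n[Shared]\n\tpath = /Users/Shared\n' > "$d/smb.conf"
    set_global_option "$d/smb.conf" "acl check permissions" no &&
        set_global_option "$d/smb.conf" "unix extensions" no &&
        cat "$d/smb.conf"
    rm -rf "$d"
}
demo
```

Comparing smb.conf against smb.conf.original with diff afterwards shows exactly which lines were changed.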

Yeah, that was a ridiculous amount of work for a very simple problem in a “user-friendly” OS. I think I know what Apple’s official response would be: just buy Mac OS X Server!