I believe the way to resolve this is to set up ACL inheritance permissions on the parent folder. More about this here.
Firstly enable ACL permissions for SMB shares with the following command.
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES
Then set up inheritance permissions on the parent holder with the following command. This should recursively go through your share and apply the relevant permissions.
sudo chmod -R +a "group:REPLACE_WITH_YOURGROUP_NAME:allow readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" REPLACE_WITH_PATH_TO_PARENT_SHARED_FOLDER
To be safe I'd recommend creating a test share to try the chmod command before applying it to your company's share. Then once you are sure you get the right results apply it to the live/production share.
Answer from Alistair McMillan on Stack Exchangemacos - How to automatically apply permissions to files added to a shared folder - Ask Different
Issues with File Sharing permissions. Looking for clues.
macos - OSX - File Sharing - Permission problems - Ask Different
How to force specific permissions on a shared folder on macOS | MacRumors Forums
Videos
Hi all,
Not exactly sure if this is the right place to ask this question so if it's incorrect, please point me in the right direction.
At work, we use a Mac mini, connected to a Pegasus raid array to store files for regular use. We're a design agency with multiple users and everyone needs to be able to create, edit and move files around the server share freely. Previously, this hasn't been an issue. We recently lost our Mac mini through hardware failure and have had to replace it. Setup seemed to go well, our users were able to access everything easily.
After 2 days of operation, we discovered that the user-level permissions were a little out of whack. If a user created a file or folder on the server share, like normal, the permissions would be Read & Write for them, and Read-Only for all other users. Manually changing the folder settings was easy enough, but cumbersome and time consuming. Network devices, such as scanners which were previously able to save documents to the server, were creating files that has no permissions at all. Administrator level accounts had to open and resave the file, the manually change the permissions. This creates a huge amount of unnecessary file handling and work should a user forget to manually change the permissions of a file or folder.
The previous system administrator must have figured a work around or changed some settings, but did not leave notes and no solutions have been recorded. We've attempted changing individual umask settings, but that appears to have no effect. Today we attempted to edit the launchd-user.conf and change the default permission settings of new files and folders, again it didn't appear to have any effect. In the end, we completely reinstalled MacOS to see if it was an installation or system error. It wasn't, the issue remains.
Any ideas? I'm really pulling my hair out over this one.
You can't do this with traditional POSIX-style permissions, but you can with inheritable access control entries. To allow read+write access for the entire "staff" group to everything in /Users/Shared/reallyshared, you'd use:
sudo chmod -R +a "staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Users/Shared/reallyshared
The file_inherit,directory_inherit part means that this access control entry will automatically be added to new files & folders created inside this folder, but it doesn't automatically apply to items already there (that's why I added the -R flag to chmod -- that applies it to everything currently within the folder), and it won't be applied to items created somewhere else and then moved into this folder (I don't know of a way around this, sorry).
Another approach is to use Terminal (a.k.a shell or command prompt) to create/edit (must be performed as super-user, see sudo) the file:
/etc/launchd-user.conf
adding the line:
umask 000
save and reboot. New files/folders (including files changed by save as) will allow everyone read/write.
This works by changing the default file creation permissions for programs, whereas the ACL approach works in terms of access rules bound to particular files and folders.
Without this tweak, files are created allowing user: read-write, group & other: read-only.
If you are sharing between multiple computers, you need to do this for all computers that will use the share.
If you have existing files and folder in the shared area, you need to make them all readable/writable by everyone using:
sudo chmod -R og+w <shared-folder-name>
The command reads in English as change mode, recursive through all sub folders and files, other & group permissions add write access, starting at folder with .
This approach is mentioned in forums to work with at least as early as 10.6 and still works on 10.7.
Other factors still affect access to content. For example, permissions set in the Sharing control panel, home folder permissions/ACLs, and when using Terminal any umask in effect for the shell.
Look up umask and Posix file permissions for details on these Unix concepts. In the write ups, the word directory is Unix parlance synonymous with folder. You will also encounter the terms UID and GID: user and group IDs, which define the Posix ownership of running programs (processes). Note that UIDs and GIDs are numbers which may be the same or different for a given user name across different computers. These numbers are assigned to names in the order accounts are created on a given computer, typically starting with ID 501. Home networks lack a mechanism to harmonize these assignments across computers. Therefore on network shares a file may appear to belong to different users because the user ID to user name binding is determined from the perspective of computer is accessing the file. So shares really always allows everyone to access files to various degrees of everyone. In other words, the Posix "other" permission is an indefinite limit on access ranging from allowing a quite predictable but apparently uncertain degree of access depending on the user IDs assigned on different computers. This leads to apparently absurd variations in experiences, where on some networks, for example a setup with only one user account ever created on each Mac, will be able to share without any permissions tweaks because all accounts will have the same UID (501, no matter what the accounts are named) whereas another network using multiple user accounts per Mac will see problems right away. So some groups will never struggle with this, whereas some others may see problems that develop over time, or problems which appear/disappear spontaneously, depending on when/how additional user accounts are created/used with the shared folder.
It's a mystery why Apple has left such a festering usability defect in the configuration of such an otherwise easy to enable file sharing capability.
On external disks, this problem is addressed with the "Ignore permissions on this volume" option. There may be a similar feature for apple file sharing, but where is it.
If you roll you own Samba service config there are other mechanisms for handling these problems, but Samba is not at all easy to use.