Sunday, January 17, 2010

Is there a club for people who hate OS X permissions?

I'm looking for a club made up of people who hate Apple's brain-dead OS X permissions/security scheme.

In the latest installment of OS X misery consider a file on a shared 10.5 drive. Whenever I edit the file from a 10.6 machine it's saved in such a way that my wife loses edit permissions -- even though both she and I have read/write permissions on the parent folder.

OS X needs to abandon its broken unix-style permissions and imitate Windows 7/Vista/XP/2000/NT. (The admin/user issues with Vista to NT weren't related to the permissions model - but that's another post.)

Grrrr. I wish the OS X customer base were way more demanding. Insufficiently demanding customers are one of the three banes of modern commerce (Two others: lock-in and fraud/deception).

See also:
Update 1/18/10: No sooner do I write this rant that I have to figure out how to fix a novel permissions hassle related to moving a VMWare Package between users. This stuff is seriously evil.

Update 1/19/09: See comments. Inspired by Andrew W, I dredged up a memory of John Sicracus's famous 10.4 review telling us that Apple was going to fix their broken permissions model years ago! Today in their OS X server marketing you can read (emphases mine) ...
Mac OS X Server supports both traditional UNIX file permissions and access control lists, giving administrators an unprecedented level of control over file and folder permissions. With access control lists, any file object can be assigned multiple users and groups, including groups within groups. Each file object can also be assigned to allow and deny permissions, as well as assign a granular set of permissions for administrative control, read, write, and delete operations. Mac OS X Server supports a file permission inheritance model, ensuring that user permissions are inherited when files are moved to the server and rewritten when files are copied to the server.
ACLs have been used in the Windows world since NT inherited them from OpenVMS. This is one of several areas in which Windows has been far ahead of OS X.

The problem, of course, is that Apple has not provided an equivalent of Tiger's Workgroup Manager GUI in 10.6 standard to work with ACls, and they presumably break a lot of current software. Apple gave up on the 10.6 migration to ACLs, perhaps because of the Intel migration and the introduction of the iPhone OS.

Sandbox provided an ACL control GUI for 10.4 10.5 users, but it's not been updated for 10.6. Apple does allow us to download their Server Admin Tools which can reputedly edit ACLs on non-servers. (It only installs on OS X server.)

See also:
I'll have to continue this one in my tech blog. (BTW, Bing did better than Google at finding these references.)


Update 3/11/2010b: I try to write to a network share. I run into the 10.6 MobileMe cannot log in as other user bug. Then nothing seems to happen. I have to kill the Finder. On the other machine I discover over 45,000 0 byte files have been written. Permissions bug. I despair.

--
My Google Reader Shared items (feed)

5 comments:

Andrew W said...

OS X supports Access Control Lists (just like many Unix distros). With ACLs you can configure shared folders the way you want them: new files "inherit" a specific set of permissions.

John Gordon said...

The Wikipedia entry for Tiger (10.4!) mentions the new feature of Access Control Lists [1]. The current web page for OS X Server (10.6) mentions [2]:

"Mac OS X Server supports both traditional UNIX file permissions and access control lists, giving administrators an unprecedented level of control over file and folder permissions. With access control lists, any file object can be assigned multiple users and groups, including groups within groups. Each file object can also be assigned to allow and deny permissions, as well as assign a granular set of permissions for administrative control, read, write, and delete operations. Mac OS X Server supports a file permission inheritance model, ensuring that user permissions are inherited when files are moved to the server and rewritten when files are copied to the server."

The problem is, this has never been extended into the base OS in a way we can use it. These problems were supposed to have been fixed years ago ...












[1] http://en.wikipedia.org/wiki/Mac_OS_X_Tiger
[2]

Andrew W said...

Your use case of a shared folder for file sharing should work fine w/ the ACL support built into the base OS X.

I wouldn't necessarily go about migrating all of your iPhoto library to the shared folder w/out some more validation, but there shouldn't be any problem with simple file sharing.

I agree OS X is fraught w/limitations that are just taken for granted vis-a-vis Windows - esp. w/rt "enterprise" features.

Anonymous said...

FRUSTRATED!!!!

Set up a share on a Firewire attached drive on OSX Snow Kitty (desktop, not client) - used permissions to grant access to a couple of users and no access to everyone. Guess what?

Anyone can read the share!! This is just so broken.

Anonymous said...

I HATE FILE PERMISSIONS! This new scheme has cost me tons of money and hours, having to go in and change every single file for all of my client websites!!!

HOURS AND HOURS!!!!

HORRIBlE!!!!