missing inherited permissions on SMB share on save

jephthai

Group:

We are having a strange problem that has affected multiple users. We
manage our SMB network file systems with a groups-based permissions
scheme. We rely on inheritance of these permissions. When a user
opens a document on an SMB share with Word on a Mac OS X machine
(using Office 2004), all inherited permissions are removed when the
file is saved in place.

If a new file is created, the new object inherits ACEs from parent
objects just fine. Excel and PowerPoint do not exhibit this
behavior.

I have been able to reproduce this problem with several Mac OS X
clients accessing SMB shares from multiple Windows servers (some
running Win2k3 and others WinXP).

Suppose that directory A is configured with "Full Access" permissions
to groups G1 and G2, and these ACEs are configured to propagate to all
files and subfolders. A new file is created by user U1 in this
directory. Examining the ACL shows proper inherited permissions for
G1 and G2. But, if user U2 mounts the share from his Mac OS X
machine, modifies the document, and saves it in place (same filename),
the ACLs are changed. After saving, they no longer list inherited
permissions for G1 and G2, and instead show ACEs for "Administrators"
and U2. This blocks other users who *should* be able to read/write
the file from using it.

Has anyone else encountered this problem? I will be happy to fill in
details, if there are any missing, so you can understand the problem
more fully.

-Jephthai-
 
William Smith

Hi Jephthai!

The last thing you want is to set the permissions with Full Access for
anyone. That allows anyone who creates or modifies a file to then become
the owner.

I suggest doing the following:

1. On the server select the folder that will be shared.

2. Break inheritance so that its permissions become explicit and are not
inherited from any enclosing folder or disk.

3. Only one user account (I recommend the server's Administrator
account) should be set with Full Access.

4. Assign any other groups with at most "Modify" permissions. This
allows them to change the file but not overwrite permissions or
ownership. All sub-folders and files should correctly inherit the same
owner and users as the shared folder. (Be sure to check for this on the
server and not from a Mac.)

Hope this helps!

--

bill

William M. Smith, Microsoft Interop MVP - Mac/Windows
Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
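The four steps above, carried out on the file server with PowerShell. This is an added example written for this page, not a script from the thread or from Microsoft; the share path, the server name FILESRV, the Administrator account and the group names CORP\G1 and CORP\G2 are placeholders. It assumes you run it elevated as the account that is to own the share (setting the owner to some other account needs SeRestorePrivilege, which Set-Acl does not enable for you).

```powershell
# Added example, not from the thread: configure a shared folder the way the
# reply above describes. Break inheritance at the share root, give exactly
# one non-user account Full Control, give the working groups Modify, and
# propagate those ACEs to every subfolder and file.
# Placeholders: $Share, $Owner, $Groups.

$Share  = 'D:\Shares\Projects'          # hypothetical share root
$Owner  = 'FILESRV\Administrator'       # hypothetical local admin account
$Groups = @('CORP\G1', 'CORP\G2')       # hypothetical security groups

# Flags that make an ACE apply to "this folder, subfolders and files".
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-FolderAce {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $inherit, $propagate, $allow
}

$acl = Get-Acl -LiteralPath $Share

# Step 2: break inheritance. First $true = stop inheriting from the parent,
# second $false = discard the old inherited ACEs instead of copying them.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that were already on the folder so the result is
# exactly the set built below.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRuleSpecific($ace)
}

# Step 3: one account owns the folder and is the only one with Full Control.
$acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
$acl.AddAccessRule((New-FolderAce -Identity $Owner -Rights 'FullControl'))

# Step 4: groups get Modify only. FileSystemRights.Modify does not include
# ChangePermissions or TakeOwnership, so members cannot rewrite the DACL.
foreach ($g in $Groups) {
    $acl.AddAccessRule((New-FolderAce -Identity $g -Rights 'Modify'))
}

Set-Acl -LiteralPath $Share -AclObject $acl

# Propagate: switch inheritance back on for every existing child so it picks
# up the ACEs just written to the share root. New children inherit anyway.
Get-ChildItem -LiteralPath $Share -Recurse -Force | ForEach-Object {
    $child = Get-Acl -LiteralPath $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $_.FullName -AclObject $child
}

# The check from step 4, done on the server rather than from a Mac: every
# group ACE should show Modify with ContainerInherit, ObjectInherit.
(Get-Acl -LiteralPath $Share).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```

Re-enabling inheritance on a child keeps any explicit ACEs that child already carries; the loop only adds the inherited entries back. Run the same check on one file a level or two down to confirm the group ACEs arrive there with IsInherited set to True.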
 
jephthai

Hi Jephthai!
The last thing you want is to set the permissions with Full Access for
anyone. That allows anyone who creates or modifies a file to then become
the owner.

I'm aware of the issues there (and I would like to fix it as much as
anyone), but some of these things were determined on a political level
that I cannot change. It seems like there must be a way to save files
without blowing away inherited permissions. (it's *not* a security
feature, since it's also a denial of service attack)

2. Break inheritance so that its permissions become explicit and are not
inherited from any enclosing folder or disk.

If I break inheritance, then that reduces the simplicity of our access
control. I could do this if we were a small environment. Instead, we
are thousands of users, and these are not small filesystems. To
maintain a filesystem where there are numerous points at which
inheritance is blocked, it will become an administration nightmare.
Is there no way to get Word to work in such an environment?

3. Only one user account (I recommend the server's Administrator
account) should be set with Full Access.

4. Assign any other groups with at most "Modify" permissions. This
allows them to change the file but not overwrite permissions or
ownership. All sub-folders and files should correctly inherit the same
owner and users as the shared folder. (Be sure to check for this on the
server and not from a Mac.)

As I said before, I don't think I can change these things for
political and historical reasons. For testing, though, I will try as
you suggest. I assume that if someone has "Modify" permissions they
will not have the permissions to blow away the permissions ;-).

Unfortunately, I know of places where this could not be
enforced... but perhaps if I can demonstrate this not to cause the
problem, then we may be able to effect incremental improvement.

Ya' gotta' admit that this is a hack anyway -- i.e., chopping the
user's permissions off at the knees so Word can't screw it up. Word
shouldn't be screwing it up in the first place (and Excel and
PowerPoint don't do it, so it must be possible).

-Jephthai-
 
jephthai

3. Only one user account (I recommend the server's Administrator
account) should be set with Full Access.

4. Assign any other groups with at most "Modify" permissions. This
allows them to change the file but not overwrite permissions or
ownership. All sub-folders and files should correctly inherit the same
owner and users as the shared folder. (Be sure to check for this on the
server and not from a Mac.)

Ok, so removing "Full Control" doesn't do it. Word creates a new file
and copies it over the old one on a "save" operation. So even if I
remove "Change Permissions" and "Take Ownership", the user becomes the
owner of the new file anyway, and can do those things without ACEs for
them.

It looks like the bottom line is that if I can't get Word to honor the
inherited permissions, then I can't get it to work, since I can't
remove the "Modify" permissions for people who need to use the files!
If no one seems to recognize this problem, I guess it's time to call
Microsoft about it and pay up...

-Jephthai-
 
William Smith

Hi Jephthai!

This isn't a Word problem. It does not set nor control permissions.
That's all at the file serving level and controlled by the server OS. If
the server allows full access then that gives the Mac OS carte blanche
to set permissions as it wants. By default, Mac OS X thinks that any
file a user creates ought to belong to that user, which makes sense. If
two or more users are members of a group with full access then each save
will change the permissions to those of the last saving user.

I can't comment on your company policies or politics. I can only tell
you what will work. Keep in mind that breaking inheritance can be done
at any folder level, not just the top level folder. Done correctly, this
does work. We do this where I work specifically to avoid the problem
you're facing. (Remember to propagate permissions after breaking
inheritance.)

This is going completely by memory but I believe the extended
permissions that you want to disable for a group are:

Full control
Change permissions
Take ownership

Write attributes and Write extended attributes may also need to be
included but I don't think so.

Be sure that a non-user such as the local server Administrator (not
group) account is the only owner with Full control.

Hope this helps!

--

bill

William M. Smith, Microsoft Interop MVP - Mac/Windows
Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
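A server-side audit for the symptom the thread describes (a file whose ACL no longer lists the inherited group ACEs and instead carries explicit entries for Administrators and the saving user), plus a repair that hands the file back to its parent's inheritance. This is an added example for this page, not code from the thread; $Share and $ExpectedGroups are placeholders, and it assumes it runs on the file server with the right to read and write DACLs under the share.

```powershell
# Added example, not from the thread: find files under a share whose
# inherited ACEs have been stripped and, optionally, put inheritance back.
# Placeholders: $Share, $ExpectedGroups.

$Share          = 'D:\Shares\Projects'     # hypothetical share root
$ExpectedGroups = @('CORP\G1', 'CORP\G2')  # groups that should arrive by inheritance

function Test-LostInheritance {
    # Report for one file: owner, whether its DACL is protected (inheritance
    # switched off, which is what an explicit client-side permission set does),
    # and which expected groups no longer appear as inherited ACEs.
    param([string]$Path, [string[]]$Groups)
    $acl = Get-Acl -LiteralPath $Path
    $inheritedIds = @($acl.Access |
        Where-Object { $_.IsInherited } |
        ForEach-Object { $_.IdentityReference.Value })
    $missing = @($Groups | Where-Object { $inheritedIds -notcontains $_ })
    [pscustomobject]@{
        Path        = $Path
        Owner       = $acl.Owner
        Protected   = $acl.AreAccessRulesProtected
        MissingAces = $missing
        Broken      = ($acl.AreAccessRulesProtected -or $missing.Count -gt 0)
    }
}

function Repair-Inheritance {
    # Re-enable inheritance (first $false) without keeping copies of the old
    # inherited entries (second $false), then drop the explicit ACEs the
    # client wrote, so the parent's ACEs govern the file again.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($false, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Walk the share and keep only the files that lost their inherited ACEs.
$report = Get-ChildItem -LiteralPath $Share -Recurse -File -Force |
    ForEach-Object { Test-LostInheritance -Path $_.FullName -Groups $ExpectedGroups } |
    Where-Object { $_.Broken }

$report | Format-Table Path, Owner, Protected,
    @{ n = 'MissingAces'; e = { $_.MissingAces -join ', ' } } -AutoSize

# Uncomment to fix what was found. Safe to re-run from a scheduled task.
# $report | ForEach-Object { Repair-Inheritance -Path $_.Path }
```

The repair leaves the owner as it is, and as the earlier post notes, the owner of the new file can change its permissions without any explicit ACE for that right, so a later save from the same client can strip the ACL again; that is why the audit is written to be re-run rather than as a one-off. Per file, `icacls <file> /reset` has the same effect as Repair-Inheritance.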
 
