Question about file/folder permissions

Discussion in 'macOS' started by Phoenix, May 8, 2016.

  1. Phoenix

    Phoenix MDL Expert

  2. Phoenix

    Phoenix MDL Expert

    Additionally, if I set the owner of the entire D: drive to EVERYONE, is that OK? Or will that cause issues for shared folders, as they would all have write access if the local owner is set to everyone?
  3. T-S

    T-S MDL Guru

    They are two independent security levels, just like a gate then a door to enter your home.

    If you want free access you need to open both doors.
  4. 100

    100 MDL Expert

    Looks more like a workaround than a fix to me. You should only grant full access permissions to users/groups that specifically need it, definitely not to "everyone". If syncing is failing due to ACLs my guess would be that iTunes uses a service running under a different account than your own for syncing. If that is the case (procmon will help), granting the user account that the service is running under full access (instead of "everyone") should suffice.

    The default settings are that truly anonymous share access (i.e. a session without any credentials at all) is restricted to specific shares, and that "everyone" does not apply to this sort of anonymous access. So, unless you messed with those settings, accessing the share will still require credentials that are authenticated only based on your local user database (unless you're domain-joined).
    Therefore, anyone who is able to authenticate and access the share would be granted "full access" if you have the "everyone" ACE. You can use the "effective access" tab in the advanced security options for a file system object to determine which permissions apply to a specific user or group.

    It would not be okay, because the owner of an object is always able to change its permissions. Pretty sure you're not going to want "everyone" to be able to do that.
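
An added example, not part of any post in this thread: a PowerShell audit that reports where the Everyone group (well-known SID S-1-1-0) owns a folder or holds an explicit Allow ACE, and which SMB shares grant it access, covering both of the independent permission levels discussed above. It assumes a Windows system with the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt; `$Root` and the two function names are placeholders chosen for this example.

```powershell
# Added example: audit NTFS and share permissions for the Everyone group.
# $Root is a placeholder; point it at the folder tree you want to review.
param([string]$Root = 'D:\')

$everyoneSid = 'S-1-1-0'   # well-known SID, independent of the OS display language
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Get-EveryoneNtfsFinding {
    param([string]$Path)
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        # The owner can always rewrite the permissions, so report Everyone as owner.
        if ($acl.GetOwner($sidType).Value -eq $everyoneSid) {
            [pscustomobject]@{ Level = 'NTFS'; Target = $folder.FullName
                               Finding = 'Owner is Everyone'; Rights = 'n/a' }
        }
        # Explicit ACEs only; inherited ones show up at the parent that defines them.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            if ($ace.IdentityReference.Value -eq $everyoneSid -and
                $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{ Level = 'NTFS'; Target = $folder.FullName
                                   Finding = 'Allow ACE for Everyone'
                                   Rights = $ace.FileSystemRights }
            }
        }
    }
}

function Get-EveryoneShareFinding {
    # Skip administrative shares (C$, ADMIN$, IPC$).
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            # Resolve the account name to a SID so localized names still match.
            try   { $sid = ([System.Security.Principal.NTAccount]$entry.AccountName).Translate($sidType).Value }
            catch { continue }
            if ($sid -eq $everyoneSid -and "$($entry.AccessControlType)" -eq 'Allow') {
                [pscustomobject]@{ Level = 'Share'; Target = "$($share.Name) -> $($share.Path)"
                                   Finding = 'Share access for Everyone'
                                   Rights = $entry.AccessRight }
            }
        }
    }
}

@(Get-EveryoneNtfsFinding -Path $Root) + @(Get-EveryoneShareFinding) | Format-Table -AutoSize -Wrap
```

A folder that appears at both the Share and NTFS level with Full rights is one where any authenticated account gets full access over the network.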