
ACLs "Allow" Only take precedence over POSIX permissions for Files BUT Not Folders - ACLs "Deny" DO take precedence over POSIX permissions

Open Hyperblue opened this issue 2 years ago • 2 comments

According to the Netatalk documentation, when LDAP is set up and a directory user has his permissions read by the netatalk server, the folder's or file's ACLs take precedence over POSIX/Unix permissions.

Running Netatalk under macOS Big Sur, if a directory group or directory user encounters a file or a folder on the AFP share with an ACL with a "deny" set against that group or user, but a POSIX/Unix permission of 777, the file will be invisible to the user or group, which is the expected behavior. In this instance ACLs DO take precedence over POSIX permissions.

However, if a directory group or directory user encounters a folder on the AFP share with an ACL with an "Allow" Read/Write set for that group or user, but a POSIX/Unix permission of 770, the folder will be invisible to the user or group, which is not the expected behavior. ACLs don't take precedence over POSIX permissions.

ACL precedence fails for folders, but works partially for files: Additionally, if a directory group or directory user encounters a FOLDER on the AFP share with an ACL with an "Allow" Read/Write set for that group or user, but a POSIX/Unix permission of 774, the folder will not allow any new files to be created inside the folder; however, existing files can be deleted and renamed AND new folders can be created, which is not the expected behavior. In regard to files with the ACL set for "Allow" Read/Write for that group or user and a POSIX/Unix permission of 770, the ACL takes precedence and the file is readable and changeable by the network user, yet the preview for the file fails in macOS Finder.


afpd 3.1.14 - Apple Filing Protocol (AFP) daemon of Netatalk

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Please see the file COPYING for further information and details.

afpd has been compiled with support for these features:

         AFP versions:	2.2 3.0 3.1 3.2 3.3 3.4
        CNID backends:	dbd last tdb mysql
     Zeroconf support:	mDNSResponder
  Admin group support:	Yes
   Valid shell checks:	Yes
           EA support:	ad | sys
          ACL support:	Yes
         LDAP support:	Yes
        D-Bus support:	Yes
    Spotlight support:	Yes

             afp.conf:	/usr/local/etc/afp.conf
          extmap.conf:	/usr/local/etc/extmap.conf
      state directory:	/usr/local/var/netatalk/
  afp_signature.conf:	/usr/local/var/netatalk/afp_signature.conf
     afp_voluuid.conf:	/usr/local/var/netatalk/afp_voluuid.conf
      UAM search path:	/usr/local/lib/netatalk/
 Server messages path:	/usr/local/var/netatalk/msg/

Hyperblue, Mar 20 '23 22:03
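As an added example (not code from the netatalk project or from this report), the following Python models the documented precedence rule (a matching "deny" wins, "allow" entries add rights) and audits a share inventory for objects where a directory user's access exists only through an ACL "allow" entry; those are exactly the folders the report above says end up invisible or only partly writable. The user, group, path and mode values are constructed, and the ACL model is an assumption based on the documented behaviour, not on netatalk's source.

```python
from dataclasses import dataclass
@dataclass
class Ace:
    kind: str        # "user" or "group"
    name: str
    access: str      # "allow" or "deny"
    perms: frozenset # subset of {"r", "w", "x"}

@dataclass
class Obj:
    path: str
    is_dir: bool
    mode: int        # POSIX permission bits, e.g. 0o770
    owner: str
    group: str
    acl: list

def posix_perms(obj, user, groups):
    """Rights the POSIX mode alone grants `user` (a member of `groups`)."""
    shift = 6 if user == obj.owner else 3 if obj.group in groups else 0
    bits = (obj.mode >> shift) & 0o7
    return frozenset(p for p, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b)

def acl_perms(obj, user, groups):
    """Documented AFP result for `user`: a matching deny wins, allows add up."""
    allowed, denied = set(), set()
    for ace in obj.acl:
        if (ace.kind == "user" and ace.name == user) or \
           (ace.kind == "group" and ace.name in groups):
            (denied if ace.access == "deny" else allowed).update(ace.perms)
    return frozenset(allowed - denied)

def audit(objs, user, groups):
    """(path, is_dir, rights the ACL grants but the POSIX mode does not)."""
    findings = []
    for obj in objs:
        acl_only = acl_perms(obj, user, groups) - posix_perms(obj, user, groups)
        if acl_only:  # access exists only via ACL precedence: affected by the report
            findings.append((obj.path, obj.is_dir, acl_only))
    return findings

# Constructed sample from the report's cases: user "alice" (group "staff"), not owner or in "wheel".
RW = frozenset("rw")
SAMPLE = [
    Obj("share/denied.txt", False, 0o777, "root", "wheel", [Ace("group", "staff", "deny", RW)]),
    Obj("share/folder770", True, 0o770, "root", "wheel", [Ace("group", "staff", "allow", RW)]),
    Obj("share/folder774", True, 0o774, "root", "wheel", [Ace("group", "staff", "allow", RW)]),
    Obj("share/file770.txt", False, 0o770, "root", "wheel", [Ace("user", "alice", "allow", RW)]),
]
```

Running `audit(SAMPLE, "alice", {"staff"})` flags both folders and the 770 file; the 777 file with a deny entry is not flagged because its POSIX bits are not what restricts alice.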

@Hyperblue Thank you for the detailed bug report! Do you have an idea how to solve this cleanly in netatalk code? We very much welcome PRs.

rdmark, Apr 08 '23 21:04

@rdmark Sorry, but I do not. I wish I did.

Hyperblue, Apr 08 '23 21:04