6

In our schools, we have network shares for different classes containing "Hand In, Hand Out" folders. Students put their work in the Hand In folder, and teachers put assignments in the Hand Out folder.

The Hand In folder is one that the students have write-only access to. [Mac OS X calls such a folder a "Drop Box," as you can drag and drop files to it, but not see what is inside it.]

I looked into it, and concluded that the answer was no, but, does any combination of permissions and access control lists allow one to have a folder with write-only access in which you can see the names of the files that reside in it (but not actually open the files)? In an event where a student was unclear on whether they'd turned in an assignement, this would allow them to verify if they had or not.

One step better would be if students could see the filenames of files that they turned in, but not those of anyone else.

Update: One more real nuissance is that students may need to turn in entire folders, and not just single files. Mac OS X uses bundles -- things that look like files to a user, but are actually directories. (Applications are the best example, but Pages, Keynote, and heck, even TextEdit (when you add a graphic to your document), save bundles.) It took some extra work to make it so they could hand in folders (as you can see below).

Here is part of my existing script. Note that this does what I want except for yield any sort of listing of the files inside:

$ADMIN is a system administrator user. $STAFF is a group of teachers. $GRADE is a group represting a grade of students. The funky chmod command is what one does to set ACLs under OS X.

# Create the hand-in folder
mkdir "Hand In"
chown "$ADMIN:$GRADE" "Hand In"
chmod 4730 "Hand In"
chmod +a "$ADMIN allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "Hand In"
chmod +a "$STAFF allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "Hand In"
chmod +a "$GRADE allow add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,file_inherit,directory_inherit" "Hand In"

What this does then is gives the admin user and staff group full access to the files in the Hand In folder (so they can delete them, move them, etc), and it allows students to hand in files or folders (but not see them at all!).

Clinton Blackmore
  • 3,510
  • 6
  • 35
  • 61
  • To clarify, this is using Mac OS X? – Richard Slater Jun 15 '09 at 15:10
  • Yes, the specific question involves permissions on OS X Server 10.5. I have edited the question to add a 'macosx' tag to it. I'd forgotten that permissions now applied to windows, and thought that there is an outside chance that posix permissions can get me what I want. – Clinton Blackmore Jun 15 '09 at 16:00

5 Answers5

4

Giving read permissions on the directory (but not the files) should allow the users to see the filenames but not read the individual files. So your permissions on the directory would be 666, but on the files it would be 600 (assuming you want students to be able to read their own files, otherwise it would be 200). I don't know any way of doing it in OSX so that they can only see the files they submitted. The thing you have to be careful of (and I am a Unix admin, not an OSX admin, so I am not sure how to do it in OSX), is that you need to make sure that the directory permissions don't become the default permissions for the file in the directory.

Catherine MacInnes
  • 1,958
  • 11
  • 15
  • Thank you. I'll have to do some testing. Mac OS X 10.5 is unix, and standard posix permissions work. I think the ACL setup is unique to the Mac, but probably not dissimilar to that used on other systems. – Clinton Blackmore Jun 15 '09 at 16:02
  • 1
    FWIW, ACLs are not unique to Mac OS X - but their specific implementation is. It's very similar to that seen on other *NIX systems but you use different tools. – Chealion Jun 15 '09 at 17:08
  • I know that you can apply the Posix permissions to OSX, what I don't know what Apple has added on top of those Posix permissions, and how messing around with the permissions using chmod affects those add-ons. – Catherine MacInnes Jun 15 '09 at 17:22
1

You can use ACLs to mostly achieve this:

Hand-In

I'm assuming a group is being used here:

For the group student you want the following flags enabled:

"group:student allow list,add_file,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"

And the following flags explicitly disabled:

"group:student deny list,search,file_inherit,limit_inherit,only_inherit"

The students are not able to actually read any of the files, nor delete any. But unfortunately they can list all the files.

You can set them via the command line using chmod or use a GUI such as Sandbox.

Usage example:

chmod -a "students allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity" /PATH/TO/HAND/IN/FOLDER
chmod -a "students deny list,search,file_inherit,limit_inherit,only_inherit" /PATH/TO/HAND/IN/FOLDER
Chealion
  • 5,713
  • 27
  • 29
  • That is very much in line with what I'd had in mind. It would be a plus if they could only list their files. Thanks for the link to Sandbox; I'd never heard of it. – Clinton Blackmore Jun 15 '09 at 18:13
0

I'm assuming this is windows, right?

We had a lot of problems doing something like this where users would be working on the word/excel doc in the "drop off" folder and they had write (but not delete) access. The temp files would build up from Word and Excel and cause lots of headaches. This will happen every time a user goes to doubleclick one of their files to look at it (like the aforementioned, checking to see if they turned it in) and also every time they don't name it correctly and want to rename.

We eventually gave the users standard "read/write/edit/delete" access and had the folks monitoring the folders move files out when they received them. The users did lose the ability to see what they'd already turned in, but, hey, no plan is perfect.

hellimat
  • 129
  • 2
0

Second time I've come across this question, and didn't see what I assumed might be a good answer for you, so lemme toss this out:

How about an ftp site, (benefit of being OS independent, can be internal, etc.) Then you could lock down each student's folders/files in exactly that method?

EDIT:

Should you consider that solution, here's two links that might help you out:

FTP mini how-to
How to limit access to a ftp site in Windows Server 2003

SECOND EDIT, (I think this might be what you're looking for)

How to set up a `blind-drop' ftp site

Greg Meehan
  • 1,166
  • 1
  • 9
  • 16
  • If I used FTP, they could have write-only access and see the file names? If so, am I still using the permissions on the underlying filesystem, or is it something I set up within the FTP server's configuration? – Clinton Blackmore Jun 15 '09 at 17:30
  • Clinton; I'm not exactly sure if you could set it up like that, because I've not ever set it up like that myself, however you CAN do a lot of interesting stuff with file/directory permissions on an FTP server. I believe that if you have WRITE access, you will by default be able to SEE the files, but I could be wrong. Re: your question about filesystem perms; via filesystem.. – Greg Meehan Jun 15 '09 at 17:34
  • If I'm reading it correctly, the blind-drop appears to be what I have now -- you can put files on the server but not list what is there. – Clinton Blackmore Jun 15 '09 at 18:11
  • Ahhhh... re-reading, ok. Well, I think that your answer does lay within setting up an ftp site, but again, never done it exactly like you're describing. – Greg Meehan Jun 15 '09 at 18:23
  • If I'm relying on the underlying OS/filesystem for permissions, I don't see an advantage to using FTP [internally, on homogeneous systems]. Is there something FTP will do for me that AFP (Apple Filing Protocol, the default Mac system to accessing files over the network) wont, or do more easily? – Clinton Blackmore Jun 15 '09 at 18:44
  • Well, surely. FTP offers you a configurable, (i.e. `more options') front-end, along with it being OS independent, (just in case you should happen to see Win32 on your network.) – Greg Meehan Jun 15 '09 at 19:16
0

IMO FTP is the easiest way to accomplish what you're after but I have a few other ideas. Keep in mind this is from a nix standpoint so I'm not sure how well it will apply to OSX.

If OSX sharing allows you to set the umask for your users then you just need to give them read/write access on the folder and set the users umask so that the new files they make will only have read permissions (0770 will make it so the user and group permissions on the file are set to 0).

One way that I did it for a client is I used incron to immediately move any files places in their "Hand In" folder to another folder where the "teacher" could do what they want to with it.

Hope that helps

  • I just looked up incron -- it triggers a script based on filesystem events. The Mac equivalent would be to use a launchd script or Folder Actions. – Clinton Blackmore Jun 15 '09 at 17:41