How to properly setup group file permissions in MacOSX

I have a couple of users: one was created via the OS X GUI, the other is nobody for nginx and php-fpm.

All commands below are executed as root.

I created a new group for my project:

dscl . -create /groups/mygroup gid 404 # used some random id here, is it ok?

added the users to the group:

dseditgroup -o edit -a myuser -t user mygroup
dseditgroup -o edit -a nobody -t user mygroup

id says that the users are indeed in that group now.

ls -la returns, among other things:

drwxr-xr-x  27 myuser   mygroup      918 Dec  4 00:00 myproject

but

sudo -u nobody stat /Users/myuser/Documents/www/myproject

returns

stat: Permission denied

What is wrong?

coviex

Posted 2014-12-10T16:13:11.743

Reputation: 103

Answers

In order to stat /Users/myuser/Documents/www/myproject, the nobody user needs to be able to traverse each of the directories on the way to it, which means that it needs "search" (a.k.a. "execute", for historical reasons) access to each of those directories. Normally, only myuser has any permissions at all to /Users/myuser/Documents, so unless you changed this, only myuser can do anything within that folder.

If you need the nobody account to be able to reach this folder, I'd recommend using access control lists to add the required permissions:

chmod +a "group:mygroup allow search" /Users/myuser/Documents /Users/myuser/Documents/www

BTW, OS X already has a "nobody" user account as part of the standard collection of system users and groups; I'd recommend against modifying it, to avoid breaking any system functions (or security systems) that depend on it having certain properties. If you need an account with nonstandard permissions/group membership/etc., create a different account and use that.

Gordon Davisson

Posted 2014-12-10T16:13:11.743

Reputation: 28 538
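The answer's point is that "Permission denied" on the final component is usually caused by a directory higher up the path lacking the search (x) bit for the class the user falls into, not by the mode on the target itself. The script below is an added example, not code from the question or the answer: it walks every directory on the way to a path, reads the mode string from ls -ld, and reports the outermost directory that blocks a given permission class (or a named user, by matching the user against each directory's owner and group). The paths, user and group names are placeholders taken from the question; only the mode bits are consulted, so root's override and any ACL entries are ignored.

```shell
#!/bin/sh
# Added example (not from the original post): check whether every directory on the
# way to a path can be searched (the "x" bit) by a permission class or by a user.
# Paths, user names and group names are placeholders from the question.

# Print each directory on the way to "$1", outermost first, excluding "/" and "$1" itself.
path_ancestors() {
    nl='
'
    p=$(dirname "$1")
    out=""
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        out="$p$nl$out"
        p=$(dirname "$p")
    done
    printf '%s' "$out"
}

# Mode string as printed by ls -ld, e.g. "drwxr-xr-x". macOS appends "+" (ACL present)
# or "@" (extended attributes); cutting to 10 characters drops that suffix.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Does mode string "$1" grant search to class "$2" (owner, group or other)?
# Lowercase s/t mean the x bit is set together with setuid/setgid/sticky.
class_has_search() {
    case $2 in
        owner) c=$(printf '%s' "$1" | cut -c4) ;;
        group) c=$(printf '%s' "$1" | cut -c7) ;;
        other) c=$(printf '%s' "$1" | cut -c10) ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
    case $c in
        x|s|t) return 0 ;;
        *)     return 1 ;;
    esac
}

# Which class the mode bits apply to user "$1" for file "$2": owner, group or other.
class_for_user() {
    owner=$(ls -ld "$2" | awk '{print $3}')
    grp=$(ls -ld "$2" | awk '{print $4}')
    [ "$1" = "$owner" ] && { echo owner; return 0; }
    member_of=$(id -Gn "$1" 2>/dev/null) || { echo "unknown user: $1" >&2; return 2; }
    for g in $member_of; do
        [ "$g" = "$grp" ] && { echo group; return 0; }
    done
    echo other
}

# Return 0 if class "$2" (owner/group/other) can traverse every directory leading to "$1";
# otherwise print the outermost directory that blocks it and return 1.
traversal_check() {
    path_ancestors "$1" | while IFS= read -r d; do
        if ! class_has_search "$(mode_string "$d")" "$2"; then
            printf '%s\n' "$d"
            exit 1
        fi
    done
}

# Same check for user "$1" reaching "$2", picking the class per directory from its
# owner and group. Only mode bits are consulted: root's override and ACLs are ignored.
user_can_reach() {
    path_ancestors "$2" | while IFS= read -r d; do
        if ! class_has_search "$(mode_string "$d")" "$(class_for_user "$1" "$d")"; then
            printf '%s\n' "$d"
            exit 1
        fi
    done
}

# The fix from the answer, macOS only: an ACL entry granting search to group "$1" on
# directory "$2", leaving the mode bits and everyone else's access untouched.
grant_group_search_macos() {
    [ "$(uname)" = Darwin ] || { echo "chmod +a is macOS-specific" >&2; return 2; }
    chmod +a "group:$1 allow search" "$2"
}

# Usage with the question's placeholders:
#   user_can_reach nobody /Users/myuser/Documents/www/myproject \
#       || echo "blocked at the directory printed above; grant_group_search_macos mygroup <dir>"
```

On macOS, `ls -le` lists the ACL entries that `chmod +a` adds (the trailing `+` in `ls -ld` output only tells you that some ACL exists), so after applying the answer's fix rerun the check with that in mind: the mode bits will still show `rwx------` on Documents, and the ACL is what lets the group through.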