General Error, Permissions Denied, No Access: these are a few of the many permission-related error messages you’ll see when dealing with data and storage. On Unix-based filesystems in particular, permission issues tend to be a nightmare and can easily ruin your project schedule. To troubleshoot permission-related issues, it is important to understand filesystem and operating system behavior.
Permissions are based on the type of filesystem the files are stored on. Windows filesystems and the Windows operating system tend to handle permissions more lightly. Unix-based filesystems and Unix-like operating systems such as OSX, however, are trickier and stricter in implementation. Unix-based filesystems use a POSIX-compliant permission method, often called POSIX or “Traditional Unix Permissions”. This method manages permissions within 3 distinct classes: Owner, Group and Others.
The default POSIX umask is 022, which means Owner has Read and Write access, Group has Read only, and Others have Read only. A Unix filesystem carries this access by default instead of a “free for all” permission. The reason behind umask 022 is that a Unix filesystem can easily be wiped out with a single command by anyone who has write privileges. So, to prevent “OTHERS” from executing a delete script on someone else’s data, read-only access is set by default.
In a shared environment running OSX and Xsan (StorNext Filesystem) with multiple user accounts, getting write access to another user’s files can be very hard. Below are some tips to get around your permission issues with OSX:
- Use 501 accounts: the very first account OSX creates has user ID 501. If all machines on the network use the same 501 user ID, every user is the owner. The problem with this method is that some applications hate this, and it can open up another level of issues.
- Change the default umask to 000 (RW for owner, group, everyone). This method should be the last resort, and before implementing it, make sure users are made aware of the risks involved.
- Implement Access Control Lists: on OSX, this is a more sophisticated way to manage permissions on shared storage such as an Xsan. However, this requires additional services (Active Directory or Open Directory), a server attached to the shared storage and a lot of tuning.
Another thing that can cause permission issues is the source of the file. Files coming from a different filesystem (Windows or a camera) do not have the POSIX permission scheme and, when brought into a Unix filesystem, will automatically have Everyone set to NO ACCESS. Fixing a file’s permissions as part of your workflow, before bringing it into your shared storage, is a more logical way to avoid further permission issues.
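The umask behavior and the pre-ingest fix described above can be checked from a shell. This is an added example, not part of the original article. The first function shows what umask 022 and umask 000 actually produce; the second reports and resets permissions on a staging folder before it is copied to shared storage. Both function names are hypothetical, and the sketch assumes the staged material is data (media files), not executables.

```shell
#!/bin/sh
# Added example; function names and the "staging folder" workflow are assumptions.

# mode_with_umask MASK
# Create a file and a directory under MASK and print their symbolic modes.
mode_with_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"              # only affects this subshell
        : > "$tmp/file"
        mkdir "$tmp/dir"
    )
    # cut drops the ACL/xattr marker ("+" or "@") that ls may append.
    f=$(ls -ld "$tmp/file" | cut -c1-10)
    d=$(ls -ld "$tmp/dir" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

# normalize_staging DIR
# Report entries that are world-writable or unreadable by Others, then reset
# the tree to what umask 022 would have produced: 755 dirs, 644 files.
normalize_staging() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
    find "$dir" -type f ! -perm -0004 -print | sed 's/^/no read access for others: /'
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

mode_with_umask 022   # -rw-r--r-- drwxr-xr-x
mode_with_umask 000   # -rw-rw-rw- drwxrwxrwx
```

Run `normalize_staging` as the owner of the staged files; the report lines show what would otherwise have landed on the shared volume.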