{"id":1206,"date":"2025-03-03T15:05:30","date_gmt":"2025-03-03T20:05:30","guid":{"rendered":"https:\/\/dillernet.com\/apple\/?p=1206"},"modified":"2025-03-03T22:19:11","modified_gmt":"2025-03-04T03:19:11","slug":"getting-serious-about-permissions","status":"publish","type":"post","link":"https:\/\/dillernet.com\/apple\/2025\/03\/03\/getting-serious-about-permissions\/","title":{"rendered":"Getting Serious about Permissions"},"content":{"rendered":"

I had lots of fun last year for MARCHintosh and made available a basic AFP share via my raspberry pi and just pretty much dumped all my stuff there. I was never really happy with it that way and so I am in the process of organizing it and cleaning it up for better sharing – but I also realized it’s just not the best idea to expose all that on a open, Guest enabled share. Putting some basic permissions on the folders and files to ensure no funny business made more sense the more time I’ve invested in them.<\/p>\n

With that in mind, I decided to Get Serious about Permissions.<\/p>\n

This guide will take you thru some steps to do the same. My assumptions here are: using Netatalk 2.x (the OG, with afp compiled into the kernel) on a linux-based system – in my case a Pi. This however will work with any Netatalk version I’m pretty sure- the point is using linux based file permissions, nothing inside netatalk save from basic options for the Volumes. I also hope you have another Classic Mac (physical or emulation) locally on your network to test the mounting of the volumes via the Chooser, as well as a modern Macintosh you will mount via TCP\/IP. The system I’m lucky enough to work with are:<\/p>\n

    \n
  1. Quadra 800 acting as the AIR<\/li>\n
  2. RasperryPi 4 as the AFP server (it’s a RASCSI not doing any scsi work)<\/li>\n
  3. Quadra 605 – my classic Mac, for running and playing with things<\/li>\n
  4. Mini – my modern Mac, for getting it done.<\/li>\n<\/ol>\n

    The kernel info for my afp server<\/em><\/p>\n


    \npi@rascsi1:\/etc\/netatalk $ uname -a
    \nLinux rascsi1 5.15.56-v7l-netatalk+ #2 SMP Sun Aug 21 19:46:43 BST 2022 armv7l GNU\/Linux
    \n<\/code><\/p>\n

    Securing MARCHintosh Shares with Proper UNIX Permissions<\/h2>\n

    When setting up file shares on an AFP (Apple Filing Protocol) server, securing permissions properly is crucial to maintaining data integrity and preventing accidental or malicious file modifications. In this guide, we\u2019ll walk through configuring read-only, write-only, and immutable permissions to ensure users can safely interact with shared folders while preventing unintended deletions or unauthorized modifications.<\/p>\n

    We\u2019ll focus on two common scenarios:<\/p>\n

    A Public Share<\/h3>\n
      \n
    • Drop Folder \u2013 where users can upload files, see other uploaded files but cannot delete or modify existing ones.<\/li>\n
    • Read-Only Folder \u2013 where users can view and copy files and archives but cannot edit, delete, or add new files.<\/li>\n<\/ul>\n

      A Private Share<\/h3>\n
        \n
      • Normal files, but only accessible via the Chooser as a specific user on the pi.<\/li>\n
      • Guest access will never even see this share in the Chooser.<\/li>\n<\/ul>\n

        By leveraging chmod, chown, and special attributes like the sticky bit (1777) and immutable flag (chattr +i), we can enforce strict access control while keeping the AFP share functional and easy to use. This approach ensures a secure and controlled file-sharing environment, protecting valuable data from accidental loss while allowing the intended level of access for users.<\/p>\n

        Using Netatalk on Linux and Managing File Ownership<\/h2>\n

        Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing macOS clients to connect seamlessly to Linux-based file shares. When running Netatalk on Linux, the AFP daemon (afpd) typically runs as root, but the actual files and folders are owned by a designated user\u2014often a standard system user like pi in a Raspberry Pi setup. This distinction is crucial because while afpd needs elevated permissions to manage network shares, file access should be strictly controlled at the filesystem level to prevent unwanted modifications.<\/p>\n

        By properly setting ownership (chown) and permissions (chmod), we ensure that users can interact with shared directories without risking file deletions or unauthorized modifications. In a well-secured AFP setup, files are owned by a specific user (pi in our case), and folder permissions are configured to allow writing, reading, or restricted access as needed. Combining these settings with Netatalk\u2019s built-in options ensures a balance between usability and security, preventing accidental data loss.<\/p>\n

        Controlling and Configuring afpd<\/h3>\n

        First we should make sure we can stop and start the service, and watch what is going on with logs. Raspian on the Pi uses systemd and so we need some basic commands to control the service as well as output logs to see any issues.<\/p>\n

        $ sudo systemctl stop afpd.service<\/code>
        \n$ sudo systemctl start afpd.service<\/code>
        \n$ sudo systemctl restart afpd.service<\/code><\/p>\n

        $ sudo journalctl -fu afpd --no-pager<\/code><\/p>\n

        \n

        Some typical output of afp
        \n<\/em>
        \n
        \nMar 03 18:04:20 rascsi1 afpd[26205]: session from 548.50:237 on 918.122:156
        \nMar 03 18:04:20 rascsi1 afpd[26205]: login noauth
        \nMar 03 18:04:20 rascsi1 afpd[26205]: AFPVersion 2.0 Login by nobody
        \nMar 03 18:04:21 rascsi1 afpd[26205]: 0.03KB read, 0.02KB written
        \nMar 03 18:04:21 rascsi1 afpd[26205]: done
        \n<\/code><\/p>\n<\/p>\n

        Now that we can control the service and see what is going on- we need to define the volumes. I’m going to assume that you know how to install and setup netatalk 2.x and have a afp server startup on your EtherTalk network and you can see it with your Macs (via Chooser). I will focus on the volumes presented once a user has connected to your server – and setting the permissions for them in Linux so that your visitors can properly use the resources you are sharing on GlobalTalk for MARCHintosh or beyond.<\/p>\n

        Volume Setup and Lockdown<\/h2>\n

        The config file that controls this is usually in \/etc\/netatalk and it’s called AppleVolumes.default.<\/p>\n


        \n$ cd \/etc\/netatalk
        \n$ cat AppleVolumes.default
        \n<\/code><\/p>\n

        At the bottom of the file we want to define two Volumes (shares) one for GlobalTalk Guest access and one to hold our other files where we want to be able to manipulate them for local projects.<\/p>\n

        \/home\/pi\/afpshare\/Privates "Private" options:authonly,upriv,usedots allow:dillera<\/code><\/p>\n

        \/home\/pi\/afpshare\/Publics "Public" options:nofileid<\/code><\/p>\n

        dillera<\/strong> above is a linux user called ‘dillera’ that I created on the pi using adduser command. I use this user to ssh and become the pi user if I need to manage the server. I want to be able to authenticate to the afp server, via the Chooser, using this user – and the password I set for it. Beware that the Chooser sends this password in the clear, so either do this locally or if you are working with others and auth’ing across GlobalTalk make sure you have credentials that are not used for anything else in your projects.\n<\/p>\n

        Once you have edited this file make sure you restart afpd using systemd commands and watch the logs to ensure it has started up correctly.<\/p>\n

        $ sudo systemctl restart afpd.service<\/code><\/p>\n

        Lockdown Public Dropbox<\/h4>\n

        Now we have our two shares defined, lets lock them down.<\/p>\n

        sudo chown -R pi:pi \/home\/pi\/afpshare\/Publics\/Dropbox<\/code>
        \nsudo chmod 1777 \/home\/pi\/afpshare\/Publics\/Dropbox<\/code><\/p>\n

        Explanation of chmod 1777:
        \n \u2022 1- Sticky bit (1XXX): Prevents users from deleting files they don\u2019t own.
        \n \u2022 7- Owner (pi): Full control (rwx).
        \n \u2022 7- Group (pi): Full control (rwx).
        \n \u2022 7- Others (anyone): Read and write, but not delete (rwt).<\/p>\n

        Lockdown Public Folder for Shared Files<\/h4>\n

        For the Shared folder on the public volume we will restrict it the pi user account. <\/p>\n

        sudo chown -R pi:pi \/home\/pi\/afpshare\/Publics\/MARCHintosh<\/code><\/p>\n

        Then find all the directories (folders) changing their permissions properly. Find the files and do the same for them. The permissions are different in order to allow people to open the directories while browsing. <\/p>\n

        \nsudo find \/home\/pi\/afpshare\/Publics\/MARCHintosh -type d -exec chmod 755 {} +<\/code>
        \nsudo find \/home\/pi\/afpshare\/Publics\/MARCHintosh -type f -exec chmod 644 {} +<\/code>\n<\/p>\n

          \n
        • Directories = 755 (Read, Execute for everyone; Write only for owner)<\/li>\n
        • Files = 644 (Read for everyone; Write only for owner)<\/li>\n<\/ul>\n

          Lockdown Private Volume<\/h4>\n

          We won’t lock this down beyond ensuring all the files and folders are properly owned by the pi user. Since these files are for our use and we’ve connected as a registered user they should all be set read and writable. I’ll be moving a bunch more from here over to the public share as I finish organizing them.<\/p>\n

          Putting it into Action<\/h2>\n

          Let’s look at this in action….<\/p>\n

          One thing you can do is set your username and password on your client Macintosh, this will save you time when you mount your Private share as your user.<\/p>\n

          \"01<\/p>\n

          Selecting the Appleshare Server<\/h4>\n<\/p>\n

          \"02<\/p>\n

          Connecting as Guest<\/h4>\n<\/p>\n

          \"03<\/p>\n

          Only the Public Share is Visible<\/h4>\n<\/p>\n

          \"04<\/p>\n

          No deletion of other files<\/h4>\n<\/p>\n

          \"05<\/p>\n

          Your files can be deleted<\/h4>\n<\/p>\n

          \"06<\/p>\n

          Read Only Folders<\/h4>\n<\/p>\n

          \"07<\/p>\n

          Connecting as a Registered User<\/h4>\n<\/p>\n

          \"08<\/p>\n

          Both shares are Visible as Registered User<\/h4>\n<\/p>\n

          \"10<\/p>\n

          Normal File access to the shares as Registered User<\/h4>\n<\/p>\n

          \"11<\/p>\n

          With this information you should be able to safely share data on GlobalTalk without worrying that you will wake up with it all gone due to bad actors.<\/p>\n","protected":false},"excerpt":{"rendered":"

          I had lots of fun last year for MARCHintosh and made available a basic AFP share via my raspberry pi and just pretty much dumped all my stuff there. I was never really happy with it that way and so I am in the process of organizing it and cleaning it up for better sharing […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[35,134],"tags":[],"class_list":["post-1206","post","type-post","status-publish","format-standard","hentry","category-apple","category-marchintosh"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p3PE01-js","jetpack-related-posts":[{"id":939,"url":"https:\/\/dillernet.com\/apple\/2024\/03\/04\/appletalk-2024-marchintosh-project\/","url_meta":{"origin":1206,"position":0},"title":"AppleTalk 2024 MARCHintosh Project","author":"dillera","date":"March 4, 2024","format":false,"excerpt":"Update 3 (March 8): The Quadra800 as AIR is totally stable, I'm enjoying all the fun things on other sites (using a SE\/30 as workstation) and playing with getting screenshots converted back and forth. My ImageWriter Network card should be arriving to day and so I will have print sharing\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/dillernet.com\/apple\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/03\/air_setup_2024_v2b.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":1219,"url":"https:\/\/dillernet.com\/apple\/2025\/03\/03\/my-image-workflow\/","url_meta":{"origin":1206,"position":1},"title":"My Mac Image Workflow","author":"dillera","date":"March 3, 2025","format":false,"excerpt":"Ever since last MARCHintosh I wanted to figure out an easy way to get quality images of the things I was seeing on my classic Macs- a SE\/30 and Quadra605 and the Quadra800 server than ran the BBS and AppleInternetRouting software. Taking the screen shots was easy- every Mac since\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/dillernet.com\/apple\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2025\/03\/screenshot-107.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2025\/03\/screenshot-107.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2025\/03\/screenshot-107.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":1055,"url":"https:\/\/dillernet.com\/apple\/2024\/11\/14\/mactcp-done-right\/","url_meta":{"origin":1206,"position":2},"title":"MacTCP Done Right","author":"dillera","date":"November 14, 2024","format":false,"excerpt":"After many months of dancing with MacTCP again (first round was decades ago of course) I decided to do it Right and get to the latest most patchiest version to see if it would help with some issues I\u2019m having. What issues do I have with MacTCP in 2024? And\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/dillernet.com\/apple\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/11\/macPlus-tcpip.jpeg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/11\/macPlus-tcpip.jpeg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/11\/macPlus-tcpip.jpeg?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":982,"url":"https:\/\/dillernet.com\/apple\/2024\/03\/15\/apple-ip-gatekeeping-in-2024\/","url_meta":{"origin":1206,"position":3},"title":"Apple IP Gatekeeping in 2024","author":"dillera","date":"March 15, 2024","format":false,"excerpt":"Feb 2025 - it's a year later and i'll update things here with any new information that comes out. There is a big new Guide from Steve to also help. Original Post To continue on from the last post, which discussed AppleTalk, Ethertalk, and how routing between different Apple Internet\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/dillernet.com\/apple\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/03\/MARCHintoshLogo-1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/03\/MARCHintoshLogo-1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/03\/MARCHintoshLogo-1.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":963,"url":"https:\/\/dillernet.com\/apple\/2024\/03\/13\/apple-internet-routing-in-2024\/","url_meta":{"origin":1206,"position":4},"title":"Apple Internet Routing in 2024","author":"dillera","date":"March 13, 2024","format":false,"excerpt":"Being an AppleTalk Network Admin is hard work in 2024. This hopefully helps level some of the rough edges that are out there. I'll be updating it with more info and corrections as time permits. The guide that started it is here: https:\/\/biosrhythm.com\/?p=2767 My download with all the software, tested\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/dillernet.com\/apple\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/03\/MARCHintoshLogo.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/03\/MARCHintoshLogo.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/dillernet.com\/apple\/wp-content\/uploads\/2024\/03\/MARCHintoshLogo.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":96,"url":"https:\/\/dillernet.com\/apple\/2006\/01\/11\/770-previous-post-redux\/","url_meta":{"origin":1206,"position":5},"title":"770 Previous Post Redux","author":"admin","date":"January 11, 2006","format":false,"excerpt":"Some important updates on my past 770 posts. Swap If you are using .51 firmware and want to use swap, use 24 megs or less. I had problems using 128, then 64, then 32 megs. Finally Andy Flegg was able to tip me off that there is an issue with\u2026","rel":"","context":"In "Nokia 770"","block_context":{"text":"Nokia 770","link":"https:\/\/dillernet.com\/apple\/category\/nokia-770\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/posts\/1206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/comments?post=1206"}],"version-history":[{"count":10,"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/posts\/1206\/revisions"}],"predecessor-version":[{"id":1216,"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/posts\/1206\/revisions\/1216"}],"wp:attachment":[{"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/media?parent=1206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/categories?post=1206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dillernet.com\/apple\/wp-json\/wp\/v2\/tags?post=1206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}