macOS High Sierra and Later: File Sharing Setup
Originally posted Jan 22, 2021
Updated July 7, 2024
Since macOS High Sierra (10.13), Apple has significantly degraded basic file-sharing behavior. When you create a shared folder, inheritance permissions are not propagated to child folders. As a result, users frequently lose access to subfolders created by other users.
To work around this, you must manually create the primary Access Control Entries (ACEs) and explicitly propagate ACLs across your shares.
Step 1: Define the Shares
I previously placed everything into a single shared folder and restricted access using ACEs. While workable, this approach became increasingly difficult to manage when clients requested unusual or granular permission setups.
The better practice is to create separate shares for each major section of the file structure (for example: Accounting, Clients, HR, Freelancers). Although this results in more shares appearing on users’ desktops, it is far easier to manage when access requirements change.
For this example, we’ll create two shares:
- Executive
- Clients
Step 2: Create the Shared Folders
All shared folders should live inside a single parent directory. This simplifies backups to local or cloud storage.
Share
├── Clients
└── Executive
Step 3: Create Users and Groups
Create a user account for each person who needs access to the file server. These should be Sharing Only Users; there is no need to create home folders.
Next, create groups to manage access efficiently. Groups are created in:
System Preferences → Users & Groups
Add all users first, as group membership is managed via checkboxes.
For this example, create two groups:
- Clients
- Executives
Step 4: Create the Shares in System Preferences
- Open System Preferences → Sharing
- Remove any default shares
- Drag the Clients and Executive folders into the Shared Folders list
For each share:
- Select the folder
- Add a custom ACE
- Choose the group associated with the share
- Set permissions to Read & Write
- Do not propagate permissions yet
Step 5: Fix the Broken ACLs
The ACEs created by macOS are incomplete. They lack the file_inherit and directory_inherit flags required for permissions to propagate to newly created subfolders.
Shell Note
In macOS Big Sur (11.0), the default shell (zsh) did not reliably handle chmod ACL syntax. Switching back to /bin/bash resolved this issue.
Inspect Current ACLs
ls -le
Example output:
drwxr-xr-x+ 4 server staff 128 Jan 21 18:53 Executive
0: group:Executives allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxr-xr-x+ 4 server staff 128 Jan 21 18:53 Clients
0: group:Clients allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
The problem is that ACE 0 does not include inheritance attributes.
Replace the ACE with a Correct One
chmod =a# 0 "group:Clients allow readsecurity,readattr,readextattr,list,search,read,execute,writeattr,writeextattr,delete,add_file,add_subdirectory,delete_child,write,append,file_inherit,directory_inherit" Path_to_the_Share
Tip: You can drag the shared folder directly into the Terminal window to auto-fill Path_to_the_Share.
Step 6: Add Deny Permissions
Users who are not members of a share's group may still be able to see that share. To prevent this, add explicit deny ACEs.
In this example, members of the Clients group should not see the Executive share.
chmod +a# 1 "group:Clients deny list,search" Path_to_the_Share
Step 7: Propagate Permissions
After changes, ls -le should look similar to this:
drwxr-xr-x+ 4 server staff 128 Jan 21 18:53 Clients
0: group:Clients allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+ 4 server staff 128 Jan 21 18:53 Executive
0: group:Executives allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
1: group:Clients deny list,search
Return to System Preferences → Sharing, control-click each shared folder, and select Apply permissions to enclosed items.
Addendum — July 7, 2024 (macOS Sonoma 14)
In macOS Sonoma 14, denying access via groups does not appear to work reliably. I found that I had to:
- Apply deny ACEs to individual users, not groups
- Ensure the deny ACE appears at the top of the ACL list
Further testing is required, but so far this behavior is inconsistent and frustrating.
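As an added audit helper (not from the original post), the script below reads ls -le output and reports the two problems this page describes: allow ACEs that lack the file_inherit and directory_inherit flags (Step 5), and deny ACEs that sit below an allow ACE instead of at the top of the list (the ordering the addendum found necessary). It also prints, without running it, the chmod command from Step 5 for a given group and share path. The ls -le sample embedded in it is constructed, and the parser assumes directory names without spaces.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumes the ls -le
# layout shown above and directory names without spaces.

# The full ACE this page applies to each share's group (group name as $1).
share_ace() {
    printf 'group:%s allow readsecurity,readattr,readextattr,list,search,read,execute,writeattr,writeextattr,delete,add_file,add_subdirectory,delete_child,write,append,file_inherit,directory_inherit' "$1"
}

# Print (do not run) the chmod that replaces ACE 0 on share $2 with share_ace $1.
fix_command() {
    printf 'chmod =a# 0 "%s" "%s"\n' "$(share_ace "$1")" "$2"
}

# Read ls -le output on stdin and report lines of the form "<dir> <ace#> <problem>":
#   missing-inherit  : an allow ACE without both file_inherit and directory_inherit
#   deny-after-allow : a deny ACE listed below an allow ACE (the addendum found
#                      denies must come first)
audit_acls() {
    awk '
        # Directory line: entries carrying an ACL are marked with "+"; remember the name.
        /^[d-][rwx-]+[+] / { dir = $NF; seen_allow = 0; next }
        # ACE line: "N: <who> allow|deny <rights>", with or without a leading space.
        /^ *[0-9]+: / {
            sub(/:$/, "", $1)
            if ($0 ~ / allow / && ($0 !~ /file_inherit/ || $0 !~ /directory_inherit/))
                print dir, $1, "missing-inherit"
            if ($0 ~ / deny / && seen_allow)
                print dir, $1, "deny-after-allow"
            if ($0 ~ / allow /) seen_allow = 1
        }'
}

# Constructed sample: Clients is correct, Executive shows both problems.
SAMPLE='drwxr-xr-x+ 4 server staff 128 Jan 21 18:53 Clients
 0: group:Clients allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+ 4 server staff 128 Jan 21 18:53 Executive
 0: group:Executives allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
 1: group:Clients deny list,search'

audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_acls
}

# Real use on the server: ls -le /Share | audit_acls ; fix_command Clients /Share/Clients
audit_sample
fix_command Executives /Share/Executive
```

Paste the printed chmod line into Terminal only after checking the group and path; the script never modifies an ACL itself.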