Write-only access that can see the files present?
In our schools, we have network shares for different classes containing "Hand In, Hand Out" folders. Students put their work in the Hand In folder, and teachers put assignments in the Hand Out folder.
The Hand In folder is one that the students have write-only access to. [Mac OS X calls such a folder a "Drop Box," as you can drag and drop files to it, but not see what is inside it.]
I looked into it, and concluded that the answer was no, but, does any combination of permissions and access control lists allow one to have a folder with write-only access in which you can see the names of the files that reside in it (but not actually open the files)? In an event where a student was unclear on whether they'd turned in an assignement, this would allow them to verify if they had or not.
One step better would be if students could see the filenames of files that they turned in, but not those of anyone else.
Update: One more real nuissance is that students may need to turn in entire folders, and not just single files. Mac OS X uses bundles -- things that look like files to a user, but are actually directories. (Applications are the best example, but Pages, Keynote, and heck, even TextEdit (when you add a graphic to your document), save bundles.) It took some extra work to make it so they could hand in folders (as you can see below).
Here is part of my existing script. Note that this does what I want except for yield any sort of listing of the files inside:
$ADMIN is a system administrator user. $STAFF is a group of teachers. $GRADE is a group represting a grade of students. The funky chmod command is what one does to set ACLs under OS X.
# Create the hand-in folder
mkdir "Hand In"
chown "$ADMIN:$GRADE" "Hand In"
chmod 4730 "Hand In"
chmod +a "$ADMIN allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "Hand In"
chmod +a "$STAFF allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "Hand In"
chmod +a "$GRADE allow add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,file_inherit,directory_inherit" "Hand In"
What this does then is gives the admin user and staff group full access to the files in the Hand In folder (so they can delete them, move them, etc), and it allows students to hand in files or folders (but not see them at all!).
Solution 1:
Giving read permissions on the directory (but not the files) should allow the users to see the filenames but not read the individual files. So your permissions on the directory would be 666, but on the files it would be 600 (assuming you want students to be able to read their own files, otherwise it would be 200). I don't know any way of doing it in OSX so that they can only see the files they submitted. The thing you have to be careful of (and I am a Unix admin, not an OSX admin, so I am not sure how to do it in OSX), is that you need to make sure that the directory permissions don't become the default permissions for the file in the directory.
Solution 2:
You can use ACLs to mostly achieve this:
Hand-InI'm assuming a group is being used here:
For the group student
you want the following flags enabled:
"group:student allow list,add_file,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"
And the following flags explicitly disabled:
"group:student deny list,search,file_inherit,limit_inherit,only_inherit"
The students are not able to actually read any of the files, nor delete any. But unfortunately they can list all the files.
You can set them via the command line using chmod
or use a GUI such as Sandbox.
Usage example:
chmod -a "students allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity" /PATH/TO/HAND/IN/FOLDER
chmod -a "students deny list,search,file_inherit,limit_inherit,only_inherit" /PATH/TO/HAND/IN/FOLDER