In our schools, we have network shares for different classes containing "Hand In, Hand Out" folders. Students put their work in the Hand In folder, and teachers put assignments in the Hand Out folder.
The Hand In folder is one that the students have write-only access to. [Mac OS X calls such a folder a "Drop Box," as you can drag and drop files to it, but not see what is inside it.]
I looked into it, and concluded that the answer was no, but, does any combination of permissions and access control lists allow one to have a folder with write-only access in which you can see the names of the files that reside in it (but not actually open the files)? In an event where a student was unclear on whether they'd turned in an assignment, this would allow them to verify if they had or not.
One step better would be if students could see the filenames of files that they turned in, but not those of anyone else.
Update: One more real nuisance is that students may need to turn in entire folders, and not just single files. Mac OS X uses bundles -- things that look like files to a user, but are actually directories. (Applications are the best example, but Pages, Keynote, and heck, even TextEdit (when you add a graphic to your document), save bundles.) It took some extra work to make it so they could hand in folders (as you can see below).
Here is part of my existing script. Note that this does what I want except yield any sort of listing of the files inside:
$ADMIN is a system administrator user. $STAFF is a group of teachers. $GRADE is a group representing a grade of students. The funky chmod command is what one does to set ACLs under OS X.
# Create the hand-in folder
mkdir "Hand In"
chown "$ADMIN:$GRADE" "Hand In"
chmod 4730 "Hand In"
chmod +a "$ADMIN allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "Hand In"
chmod +a "$STAFF allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" "Hand In"
chmod +a "$GRADE allow add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,file_inherit,directory_inherit" "Hand In"
What this does then is give the admin user and staff group full access to the files in the Hand In folder (so they can delete them, move them, etc), and it allows students to hand in files or folders (but not see them at all!).
Giving read permissions on the directory (but not the files) should allow the users to see the filenames but not read the individual files. So your permissions on the directory would be 666, but on the files it would be 600 (assuming you want students to be able to read their own files, otherwise it would be 200). I don't know any way of doing it in OSX so that they can only see the files they submitted. The thing you have to be careful of (and I am a Unix admin, not an OSX admin, so I am not sure how to do it in OSX), is that you need to make sure that the directory permissions don't become the default permissions for the file in the directory.
You can use ACLs to mostly achieve this:
Hand-In
I'm assuming a group is being used here:
For the group student you want the following flags enabled:
"group:student allow list,add_file,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"
And the following flags explicitly disabled:
"group:student deny list,search,file_inherit,limit_inherit,only_inherit"
The students are not able to actually read any of the files, nor delete any. But unfortunately they can list all the files.
You can set them via the command line using chmod or use a GUI such as Sandbox.
Usage example:
I'm assuming this is Windows, right?
We had a lot of problems doing something like this where users would be working on the Word/Excel doc in the "drop off" folder and they had write (but not delete) access. The temp files would build up from Word and Excel and cause lots of headaches. This will happen every time a user goes to double-click one of their files to look at it (like the aforementioned, checking to see if they turned it in) and also every time they don't name it correctly and want to rename.
We eventually gave the users standard "read/write/edit/delete" access and had the folks monitoring the folders move files out when they received them. The users did lose the ability to see what they'd already turned in, but, hey, no plan is perfect.
Second time I've come across this question, and didn't see what I assumed might be a good answer for you, so lemme toss this out:
How about an FTP site (benefit of being OS independent, can be internal, etc.)? Then you could lock down each student's folders/files in exactly that method?
EDIT:
Should you consider that solution, here are two links that might help you out:
FTP mini how-to
How to limit access to a ftp site in Windows Server 2003
SECOND EDIT, (I think this might be what you're looking for)
How to set up a `blind-drop' ftp site
IMO FTP is the easiest way to accomplish what you're after but I have a few other ideas. Keep in mind this is from a nix standpoint so I'm not sure how well it will apply to OSX.
If OSX sharing allows you to set the umask for your users then you just need to give them read/write access on the folder and set the user's umask so that the new files they make will only have read permissions (0770 will make it so the user and group permissions on the file are set to 0).
One way that I did it for a client is I used incron to immediately move any files placed in their "Hand In" folder to another folder where the "teacher" could do what they want to with it.
Hope that helps
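An added example (not part of the original answer, and not the poster's script) of the move-on-arrival approach described above, extended to write a per-student receipt so each student can confirm what they handed in. The directory arguments, receipt layout and function names are assumptions; it handles bundle directories and refuses items containing symlinks.

```shell
#!/bin/sh
# Added example, not from the original thread. The directory arguments,
# receipt layout and function names are assumptions. Intended to be run
# by incron/cron as the account that owns the staff-only folder.

# Print the owning user of a path (portable across GNU and BSD ls).
owner_of() {
    ls -ld -- "$1" | awk 'NR==1 {print $3}'
}

# collect_handin HANDIN COLLECTED RECEIPTS
# Moves each top-level item (file or bundle directory) out of HANDIN into
# COLLECTED/<owner>/ and appends its name to RECEIPTS/<owner>.txt.
# Prints the number of items collected.
collect_handin() {
    handin=$1; collected=$2; receipts=$3; count=0
    for item in "$handin"/* "$handin"/.[!.]* "$handin"/..?*; do
        # Unmatched globs stay literal; -L also catches dangling symlinks.
        [ -e "$item" ] || [ -L "$item" ] || continue
        name=$(basename "$item")
        # Refuse anything that is, or contains, a symlink: a link planted
        # in the drop folder would otherwise be opened later with staff
        # privileges. find does not follow links by default.
        if [ -n "$(find "$item" -type l | head -n 1)" ]; then
            echo "skipped (contains symlink): $name" >&2
            continue
        fi
        owner=$(owner_of "$item")
        stamp=$(date +%Y%m%dT%H%M%S)
        dest="$collected/$owner/$stamp-$name"
        mkdir -p "$collected/$owner" "$receipts"
        # Never overwrite an earlier submission; retry on the next sweep.
        [ -e "$dest" ] && continue
        mv -- "$item" "$dest" || continue
        # Create the receipt as 0600 first, then hand it to the student.
        # If chown fails (not root) it stays private to the collector.
        rec="$receipts/$owner.txt"
        ( umask 077; printf '%s\t%s\n' "$stamp" "$name" >> "$rec" )
        chown "$owner" "$rec" 2>/dev/null || echo "warn: chown $rec failed" >&2
        count=$((count + 1))
    done
    echo "$count"
}
```

Giving students search-only access (no list) on the receipts folder lets each one open their own receipt by name without seeing anyone else's.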