10.4: Use Access Control Lists for fine-grained control UNIX
Tiger only hint

Not really so much a hint, but a heads-up about a new feature in HFS+, Access Control Lists (ACLs). One thing that HFS+ has been missing is fine-grained access control to files and folders. It was possible to work around this by making large numbers of groups and assigning people to many different groups.

In 10.4, we now have proper access lists on files and folders, meaning that we can now allow/deny access to multiple, individual users, rather than just the old Unix-style User, Group and Other.

At the moment, there is no GUI for it on OS X Client, but there is in OS X Server, via the Workgroup Manager. The chmod, chown, chgrp, etc. commands, accessed via Terminal, are the only way at the moment to configure ACLs on OS X Client. In the past, these commands have used the User, Group and Other syntax, but now they have been expanded with POSIX.2 support. You can view the ACLs on a file/folder using ls -le. Any files that have an ACL will be listed with the full ACL.

[robg adds: For a reasonably good description of working with ACLs, do man chmod, and then search on ACL a couple of times until you find the ACL MANIPULATION OPTIONS section. It even gives a few examples of how to work with ACLs, and some samples of how the output looks:
# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
  owner: juser
  1: admin allow write
Though I know little about them, the addition of ACLs to OS X seems to offer the ultimate in specific file-level access. Hopefully someone will wrap a nice GUI around these commands so that those of us with less expertise in the Terminal can use them easily.]

10.4: Use Access Control Lists for fine-grained control | 21 comments
10.4: Use Access Control Lists for fine-grained control
Authored by: mike3k on May 06, '05 11:42:17AM

Before you can use ACL commands, you need to enable them on the volume with:

sudo /usr/sbin/fsaclctl -p / -e



Whooops
Authored by: Lectrick on May 06, '05 11:47:16AM

I posted within 3 minutes of you. Took me a bit longer to format it right and pull the references. ;)

---
In /dev/null, no one can hear you scream



Turning on ACLs on a volume in OS X Client
Authored by: Lectrick on May 06, '05 11:45:26AM
This command will enable ACLs on the boot volume.

% sudo /usr/sbin/fsaclctl -p / -e

(Note: This tip was taken directly from John Siracusa's excellent technical review of Tiger. The ACL section is here.)

---
In /dev/null, no one can hear you scream

10.4: Use Access Control Lists for fine-grained control
Authored by: Thom on May 06, '05 11:56:43AM

I was SO GEEKED when I learned about this feature.

You know how, when you go to college and they've got high speed internet access everywhere, it pretty much spoils you for ever using dialup again, if you can help it?

Well, at my school they also used AFS (Andrew File System, sometimes called IFS (Institutional... )) which had ACLs built in. Once I learned how to use these commands, it was a LOT easier to manage group directories in order to effectively share files with other students. In particular, organizations with lots of different subcommittees who all needed different access to files.

Setting up our file server at work with 10.4 Server is going to be so much easier now - I can think of at least ten places off the top of my head where we've had to do these nasty 'directory within a directory' sort of access control, because of the 'only one group per file' limitation that is inherent to most unices.

But man, I'm going to hate relearning the commands. Maybe I can make a set of aliases or shell scripts to map 'fs la' to 'ls -le', translate 'pts mem', etc. (Small price to pay!)



10.4: Use Access Control Lists for fine-grained control
Authored by: brianwells on May 06, '05 02:06:13PM

I tried this with an iTunes library and ran into problems.

The library is owned by my account, but I used this new feature to give my wife's account full access to it. Then I made a symlink from her Music folder so when she launches iTunes it looks to our shared library.

Unfortunately, iTunes reports that the library is read-only and quits.

Examining the permissions from the Terminal reveals that she does have full access, so it seems that iTunes is inspecting the Unix permissions and assuming that the second account does not have rights.

Anyone else have similar problems with ACLs and iTunes or perhaps another application?



10.4: Use Access Control Lists for fine-grained control
Authored by: hughescr on May 06, '05 03:57:19PM

The ACL permissions override the unix ones -- so once you've set ACLs on the files/directories, feel free to chmod o+rwx them -- then iTunes will see that the files are "world readable" if it looks only at the unix bits, but anyone who actually tried to read the file (instead of just stat-ing it) will not be able to if they're not in the ACL.



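As an added example (not from the hint or from any commenter), here is a small Python parser for the ls -le listing format shown in the hint, together with an access check that applies the precedence hughescr describes above: ACL entries are consulted first, in listed order, and the classic Unix mode bits only decide when no entry names the user. The listing is constructed, the user and group names are made up, and the first-matching-entry rule is an assumed simplification of the kernel's evaluation.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the `ls -le` output shown in the hint (not a real listing).
SAMPLE_LS_LE = """\
-rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
  owner: juser
  1: admin allow write
-rwxrwxrwx+ 1 juser  wheel  0 Apr 28 14:07 library
  owner: juser
  1: guest deny read,write
  2: spouse allow read,write
-rw-r--r--  1 juser  wheel  0 Apr 28 14:08 plain
"""

ACE_RE = re.compile(r"^\s*\d+:\s+(\S+)\s+(allow|deny)\s+(\S+)$")

@dataclass
class Entry:
    name: str
    mode: str        # ten-character mode string, e.g. -rw-r--r-- (the trailing + is stripped)
    owner: str
    group: str
    aces: list = field(default_factory=list)  # (who, "allow"|"deny", {rights}) in listed order

def parse_ls_le(text):
    """Parse `ls -le` output into Entry objects, keeping ACL entries in listed order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and entries:
            entries[-1].aces.append((m.group(1), m.group(2), set(m.group(3).split(","))))
        elif line.startswith(("-", "d", "l")):   # main line; the "owner:" line adds nothing new
            parts = line.split()
            entries.append(Entry(parts[-1], parts[0].rstrip("+"), parts[2], parts[3]))
    return entries

def check_access(entry, user, groups, right):
    """Return (allowed, source) for one right ('read', 'write' or 'execute'). ACL entries are
    consulted first, in order: the first entry naming the user (or one of the user's groups)
    that covers the right decides. Only when none matches do the mode bits apply (assumed model)."""
    for who, kind, rights in entry.aces:
        if (who == user or who in groups) and right in rights:
            return kind == "allow", "acl"
    bit = {"read": "r", "write": "w", "execute": "x"}[right]
    start = 1 if user == entry.owner else 4 if entry.group in groups else 7
    return bit in entry.mode[start:start + 3], "mode"
```

Note that guest is refused read on library even though its mode bits are rwxrwxrwx, which is exactly the situation hughescr describes for an application that only inspects the Unix bits.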
10.4: Use Access Control Lists for fine-grained control
Authored by: kaih on May 07, '05 06:14:12AM

This sounds strange to me - iTunes (or any other app for that matter) shouldn't look at Unix permissions as such; it should ask the kernel "do I have access to this file?" and the kernel will consult the ACLs (if there are any) and then the Unix perms and simply reply "yes" or "no".
Have you enabled ACLs on the volume, as detailed in one of the top comments? (I forgot to include this in my hint! d'oh!)

Cheers,
Kai

---
k:.



10.4: Use Access Control Lists for fine-grained control
Authored by: ashill on May 07, '05 02:37:00PM

Have you enabled ACLs on your volume, as noted in the hints below?



I get the same error.
Authored by: trentdavies on Jun 26, '05 12:17:26AM

I can second this problem. I've been experimenting with ACLs and get the read-only error accessing iTunes from a different user.

And yes, I ran sudo fsaclctl -p / -e.

This is odd... it seems to be an iTunes issue (I haven't tried iPhoto yet, though). As if iTunes is checking the unix bits itself. I've been able to "write" to the shared directory in question from the user with ACL-only access from both the CLI and TextEdit (among others), even with the unix bits set off.

(On a side note, the Finder's "Get Info" command displays the ACL settings of the object.)



However, works in iPhoto.
Authored by: trentdavies on Jun 26, '05 01:12:15AM

I just tried using ACLs with iPhoto. It (seems to) work like a charm; I'm able to access, manipulate, and add photos as both users -- and the other sees the same result.

This must be an issue with iTunes...



10.4: Use Access Control Lists for fine-grained control
Authored by: bdog on May 06, '05 02:34:01PM

Can you open Workgroup Manager (from OS X Server) on the client to change ACLs? If nobody responds, I will, once I have the chance to test this.



10.4: Use Access Control Lists for fine-grained control
Authored by: cynikal on May 06, '05 04:06:19PM

I don't see why you couldn't; now if we could just get ahold of that :) I was actually going to post this earlier (before anyone responded to this hint).



10.4: Use Access Control Lists for fine-grained control
Authored by: Dragon76 on May 06, '05 04:41:00PM
Can you open Workgroup Manager (from OS X Server) on the client to change ACLs?

You can use the version of ServerAdmin Tools that corresponds to your client version of Mac OS X to do any of the server tasks that those tools do. Mac OS X Server doesn't really contain many more tools that aren't already included with Mac OS X. For instance, BIND is included with Mac OS X but is not set up.

In my opinion, the only thing you're really getting with Mac OS X Server is Server support.

So the answer is yes. I would suggest downloading the ServerAdmin Tools set to make things MUCH easier.

10.4: Use Access Control Lists for fine-grained control
Authored by: bdog on May 06, '05 04:58:48PM

Thanks for confirming this. No, I'm not going to download that. We have Tiger server, so I will copy it off the server (once we load a server...)



10.4: Use Access Control Lists for fine-grained control
Authored by: kitzkikz on May 06, '05 05:42:56PM

On AIX, using ACLs isn't supported by the standard Unix commands like cpio and tar. Can anyone report what tar does with the ACL in OS X?



10.4: Use Access Control Lists for fine-grained control
Authored by: greybird on May 08, '05 02:38:09AM

If you enable ACLs, the Tiger version of tar will keep the attributes in the tar archive as the traditional ._filename. Also, if you list files with the traditional long format "ls -al", there will be a + sign when extended attributes are in use.

$ ls -al
-rw-r--r-- + 1 guest guest 0 May 8 02:29 sample.txt



10.4: Use Access Control Lists for fine-grained control
Authored by: barrysharp on May 08, '05 01:09:54AM

For ACLs to be truly useful they must be recognized and correctly backed up by utilities such as Retrospect, CCC and SilverLiner. I suspect these utilities don't have this capability yet. Anyone know what backup utilities do? Does .Mac Backup by chance preserve/restore ACLs - I would expect it should as it's authored by Apple. However, I notice that the .Mac Backup application wasn't revised with the release of Tiger.

---
Regards... Barry Sharp



10.4: Use Access Control Lists for fine-grained control
Authored by: Dragon76 on May 09, '05 09:40:55AM
For ACLs to be truly useful they must be recognized and correctly backed up by utilities such as Retrospect, CCC and SilverLiner

The included BSD utilities in Mac OS X correctly preserve and restore ACLs. There's no guarantee that the apps you mentioned will ever support anything more. I fail to see how the usability of an already in-place and working operating system feature is dependent on flaky third-party backup solutions.

Did you just upgrade from Mac OS 9? Then I could understand your way of thinking.

10.4: Use Access Control Lists for fine-grained control
Authored by: sauron1440 on May 10, '05 03:52:53AM

The impression I gathered from the Ars dissemination was that the ACL data would be preserved by most (all?) HFS+ apps, as they use a fairly mature mechanism, the arbitrary metadata forks. I think permissions errors are going to be a little weird for most of the disk utilities, depending on how gracefully the Finder/kernel smacks them around for relying only on UNIX-style permissions. In other words, I would guess your data is safe as far as backup goes, but too much mucking with the ACLs will break most of the current generation of disk utilities.

Then again, this is all conjecture.



10.4: Use Access Control Lists for fine-grained control
Authored by: Elander on Aug 04, '05 03:23:12PM

There's a GUI for doing this now, called "Sandbox", that you can find here:
http://mikey-san.net/damage/archives/2005/07/sandboxing.html

Just click on "Hello world" at the top of the page to download. Proceed with care...

---

/elander



10.4: Use Access Control Lists for fine-grained control
Authored by: krischik on Jun 22, '12 12:26:28AM

Too bad the fsaclctl command disappeared under Lion...


