10.4: Use Access Control Lists for fine-grained control

May 06, '05 10:49:00AM

Contributed by: kaih

Not really so much a hint as a heads-up about a new feature in HFS+: Access Control Lists (ACLs). One thing that HFS+ has been missing is fine-grained access control to files and folders. It was possible to work around this by making large numbers of groups and assigning people to many different groups.

In 10.4, we now have proper access lists on files and folders, meaning that we can now allow/deny access to multiple, individual users, rather than just the old Unix-style User, Group and Other.

At the moment, there is no GUI for it on OS X Client, but there is in OS X Server, via the Workgroup Manager. For now, the chmod, chown, chgrp, etc. commands, accessed via Terminal, are the only way to configure ACLs on OS X Client. In the past, these commands have used the User, Group and Other syntax, but now they have been expanded with POSIX.2 support. You can view the ACLs on a file/folder using ls -le. Any files that have an ACL will be listed with the full ACL.

[robg adds: For a reasonably good description of working with ACLs, do man chmod, and then search on ACL a couple times until you find the ACL MANIPULATION OPTIONS section. It even gives a few examples of how to work with ACLs, and some samples of how the output looks:

# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
  owner: juser
  1: admin allow write

Though I know little about them, the addition of ACLs to OS X seems to offer the ultimate in specific file-level access. Hopefully someone will wrap a nice GUI around these commands so that those of us with less expertise in the Terminal can use them easily.]
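
Added example (not part of the original hint or of the chmod man page): a small Python parser for the ls -le layout shown above, for auditing which principals an ACL explicitly allows or denies a given permission. The sample listing, the function names parse_ls_le and entries_for, and the assumption of comma-separated permissions are constructed for illustration.

```python
import re

# Constructed sample in the `ls -le` layout shown above (not from a real system).
SAMPLE = """\
total 16
-rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
  owner: juser
  1: admin allow write
-rw-r-----+ 1 juser  staff  120 Apr 28 14:09 budget.txt
  owner: juser
  1: guest deny read,write
  2: alice allow read
-rw-r--r--  1 juser  staff  42 Apr 28 14:10 notes.txt
"""

OWNER = re.compile(r"^\s+owner:\s+(\S+)\s*$")
# index, principal, allow|deny, permissions (assumed comma-separated)
ENTRY = re.compile(r"^\s+(\d+):\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")

def parse_ls_le(text):
    """Map each listed file to its mode string, ACL owner line and ACL entries."""
    files, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Listing line: mode links owner group size month day time name
            fields = line.split(None, 8)
            if len(fields) < 9:          # e.g. the "total N" header
                current = None
                continue
            current = {"mode": fields[0], "owner": None, "acl": []}
            files[fields[8]] = current   # field 8 keeps names with spaces
        elif current is not None:        # indented line: belongs to the file above
            m = OWNER.match(line)
            if m:
                current["owner"] = m.group(1)
                continue
            m = ENTRY.match(line)
            if m:
                idx, who, kind, perms = m.groups()
                current["acl"].append((int(idx), who, kind, perms.split(",")))
    return files

def entries_for(files, permission, kind="allow"):
    """Return (file, principal) pairs whose ACL entry allows/denies `permission`."""
    return [(name, who)
            for name, info in files.items()
            for _, who, k, perms in info["acl"]
            if k == kind and permission in perms]
```

Running entries_for(parse_ls_le(SAMPLE), "write") on the sample lists only file1/admin; a deny entry is evaluated separately, so review both lists when checking who can actually modify a file.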
