
10.4: Make a better Shared folder using ACLs
The /Users/Shared folder is set up by default with permissions such that anyone may add items to it for others to look at (only the person who added an item, or an admin, may remove it). However, the default permissions on items created by users are 'Read & Write' for the owner but 'Read Only' for 'Group' and 'Everyone'. Because standard permissions apply only to the item itself and are not inherited, added items will not be writable by others unless their permissions are changed manually first. This often goes against the expectations of prospective users of the Shared folder.

Access control lists (ACLs) can also be used to control access to files and folders based on who is trying to access them and what groups they belong to. ACL rules apparently take precedence over standard permissions, and unlike standard permissions, ACL rules can be set to be inherited, even on local volumes. These previous hints (1, 2) describe how to set up ACLs in 10.4.

The only thing this hint adds to the above is the use of the 'Everyone' group (gid=12), for which "Group membership [is] calculated by [the] system." This makes it unnecessary to create a common group, such as 'Staff', and add users to it.

So by creating a folder with an ACL that allows the group 'Everyone' full access (access privileges for 'Everyone' seem to work for ACLs but not for standard permissions) and that includes the ACL inherit attributes, any item created in that folder should be fully accessible and editable by everyone else. The caveat is that items will have to be created in the folder (including by copying them there), since existing items moved to the folder from elsewhere will not inherit the rules. The basic commands are:
  1. Enable ACLs for the boot volume:
    sudo fsaclctl -p / -e
  2. Create a folder. It would probably be best not to apply the ACL to the Shared folder itself, because the existing setup probably has its uses as well:
    mkdir /Users/Shared/EveryoneWelcome
  3. Create an ACL (no sudo needed, since you own the folder you just created):
    chmod +a "everyone allow list,search,add_file,\
      add_subdirectory,delete_child,file_inherit,directory_inherit" \
      /Users/Shared/EveryoneWelcome
[robg adds: I haven't tested this one.]
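Because 'everyone' covers every account on the machine, it is worth being able to check which ACL entries actually hand write rights to that principal. The following is an added example, not part of the original hint: a shell function that reads the ` N: who allow|deny rights` lines printed by `ls -le` and reports any allow entry granting write-type rights to the principal named as its argument. The listing it runs over is a constructed sample, and the path parsing assumes paths without spaces.

```shell
#!/bin/sh
# Audit macOS ACL entries as printed by `ls -le` (" N: who allow|deny rights,...")
# and report any "allow" entry that hands write-type rights to a broad
# principal such as everyone. The sample listing below is constructed,
# not captured from a real machine; paths are assumed to contain no spaces.
SAMPLE_LS_OUTPUT='drwxrwxr-x+ 2 alice staff 68 Jun 14 11:00 /Users/Shared/EveryoneWelcome
 0: everyone allow list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit
drwxr-xr-x+ 2 alice staff 68 Jun 14 11:00 /Users/Shared/Private
 0: www deny read,list,search
 1: bob allow list,search,add_file,file_inherit'

# acl_audit [principal]: reads ls -le text on stdin and prints one line
# "path: who allow rights" per offending entry. Exit status is 1 when at
# least one was found, 0 otherwise, so it can gate a periodic check.
acl_audit() {
    awk -v broad="${1:-everyone}" '
    # any line that is not an ACL entry is the file line; its last
    # field is the path (the usual ls -l columns precede it)
    !/^ *[0-9]+: / { path = $NF; next }
    {
        who = $2; kind = $3; rights = $4
        if (kind != "allow" || who != broad) next
        n = split(rights, r, ",")
        for (i = 1; i <= n; i++) {
            # rights that let the principal add, change or remove content
            if (r[i] ~ /^(add_file|add_subdirectory|delete|delete_child|write|append|writeattr|writeextattr|writesecurity|chown)$/) {
                print path ": " who " allow " rights
                found = 1
                break
            }
        }
    }
    END { if (found) exit 1; exit 0 }'
}

# stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LS_OUTPUT" | acl_audit everyone || echo "write rights granted to everyone"
```

On a real system, feed it `ls -led /Users/Shared/* | acl_audit everyone`.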
6 comments
What does Everyone include?
Authored by: germ on Jun 14, '06 11:35:09AM

I am worried that remote users, www, and others may be given access to the Shared folder. I do NOT want that.

Where is some documentation on which users, exactly, are included in "everyone"?

Thanks.



What does Everyone include?
Authored by: kamath on Jun 14, '06 01:26:30PM

'everyone' means "all accounts".

ACLs are pretty cool, however, and they let you do things like "allow everyone to do this, but don't allow 'www' to do this".

I'd post specifics on how to do this, but I'm not at my mac. I do it on Solaris machines, however, so I assume it can be done. I just don't know the details...



10.4: Make a better Shared folder using ACLs
Authored by: mtbgtr on Jun 17, '06 09:38:50AM

Thanks, but I followed the script exactly and still can't get this ACL method to work. I was really hoping this would work. I personally think Apple is wrong that items in a shared folder can't be shared without manually changing the permissions each time you add an item or subfolder.



10.4: Make a better Shared folder using ACLs
Authored by: dmcheng on May 15, '07 09:03:28AM

Doesn't work for me either - newly created subfolders or files do not inherit the everyone group permissions.



10.4: Make a better Shared folder using ACLs
Authored by: Derekasaurus Rex on Feb 03, '08 10:08:46PM
I used this hint as a template and got it to work in 10.4.11. First I created a new folder, /Users/Shared/Everyone, that I want to be truly shared — i.e., everyone can add, edit, and delete regardless of owner or underlying file permissions.

mkdir /Users/Shared/Everyone

Then I enabled ACLs for just that folder:

sudo fsaclctl -p /Users/Shared/Everyone -e

And finally I gave each user the permissions I wanted (basically all of them):

chmod +a "SomeUser allow list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Users/Shared/Everyone

That is, instead of using "everyone" as the original poster did, which is a group that doesn't exist on my system, I simply replaced SomeUser in the line above with a real user. I then repeated the command for all the users I wanted to grant access to /Users/Shared/Everyone. Mind you I only had a handful of users and I don't add new ones often, so I recognize that a group might make more sense for some.

The final thing to remember is that files have to be created in (or copied to) /Users/Shared/Everyone in order to be sharable. If you simply move a file there, the file will not inherit the ACLs and will not be sharable according to the rule that was added.

I also hope that I have kept security holes to a minimum by only enabling ACLs for one folder and only giving individual users access by name.

10.4: Make a better Shared folder using ACLs
Authored by: Derekasaurus Rex on Feb 03, '08 10:50:21PM
It seems that ACLs are enabled on a per-volume, not per-folder basis. So even though I ran the fsaclctl -e command specifically on /Users/Shared/Everyone, it seems to have enabled ACLs for the entire volume:

$ fsaclctl -p /
Access control lists are supported on /.


This doesn't really change anything, but I thought I'd mention it nonetheless.
