10.4: Make a better Shared folder using ACLs

Jun 14, '06 07:30:00AM

Contributed by: Anonymous

The /Users/Shared folder is set up by default with permissions such that anyone may add items to it for the perusal of others (and only the person who added the item, or an Admin, may remove it). However, the default permissions of items created by users are 'Read & Write' for the owner, but 'Read Only' for 'Group' and 'Everyone.' This means that added items will not be writable by others unless their permissions are manually changed first, because standard permissions normally apply only to the item itself and are not inherited. This often goes against the expectations of prospective users of the Shared folder.

Access control lists (ACLs) can also be used to control access to files and folders, based on who is trying to access them and what groups they belong to. ACL rules apparently trump standard permissions, and unlike standard permissions, ACL rules can be set to be inherited, even on local volumes. These previous hints (1, 2) describe how to set up ACLs in 10.4.

The only thing this hint adds to the above is making use of the 'Everyone' group (gid=12), for which "Group membership [is] calculated by [the] system." This makes it unnecessary to create and add users to a common group, like 'Staff,' for example.

So by creating a folder, with an ACL allowing group 'Everyone' full access (access privileges for 'Everyone' seem to work for ACLs, but not for standard permissions), and including the ACL inherit attributes, any item created in that folder should be fully accessible and editable by everyone else. The caveat is that items will have to be created in the folder (including by copying them there), since existing items moved to the folder from elsewhere will not inherit the rules. The basic commands are:

  1. Enable ACLs for the boot volume:
    sudo fsaclctl -p / -e
  2. Create a folder. It would probably be best not to apply the ACL to the Shared folder itself, because the existing setup probably has its uses as well:
    mkdir /Users/Shared/EveryoneWelcome
  3. Create an ACL:
    chmod +a "everyone allow list,search,add_file,\
      add_subdirectory,delete_child,file_inherit,directory_inherit" \
      /Users/Shared/EveryoneWelcome
[robg adds: I haven't tested this one.]
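As an added example (not part of the original hint), a small Python audit that parses `ls -lea` output for the EveryoneWelcome folder and flags any item that lacks the inherited 'everyone' ACE, which is exactly the caveat above: items moved in from elsewhere rather than created in place. The sample listing is constructed, and the ACE wording ("inherited allow ...") is assumed from the `ls -le` format rather than captured from a real 10.4 system.

```python
import re

# Constructed sample `ls -lea` listing of /Users/Shared/EveryoneWelcome ('..'
# line trimmed). Layout assumed from the ls -le format, not a real capture.
SAMPLE_LS_LE = """\
total 16
drwxrwxr-x+ 4 alice  wheel  136 Jun 14 07:30 .
 0: group:everyone allow list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit
-rw-r--r--+ 1 alice  wheel   12 Jun 14 07:31 created here.txt
 0: group:everyone inherited allow read,write,append
-rw-r--r--  1 bob    wheel   40 Jun 14 07:32 moved-in.txt
drwxr-xr-x+ 2 bob    wheel   68 Jun 14 07:33 subdir
 0: group:everyone inherited allow list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit
"""

INHERIT_FLAGS = {"file_inherit", "directory_inherit"}
ACE_LINE = re.compile(r"^\s+\d+:\s")      # " 0: group:everyone allow ..."

def parse_ls_le(text):
    """Map each listed name to the ACL entries printed beneath it."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line or line.startswith("total "):
            continue
        if ACE_LINE.match(line):
            if current is not None:        # drop the leading "N:" index
                entries[current].append(line.split(":", 1)[1].strip())
            continue
        # mode links owner group size month day time name (name may contain spaces)
        fields = line.split(None, 8)
        if len(fields) == 9:
            current = fields[8]
            entries[current] = []
    return entries

def audit_shared_folder(text):
    """'.' must carry the inheriting everyone ACE; children must carry its inherited copy."""
    findings = {}
    for name, aces in parse_ls_le(text).items():
        ok = False
        for ace in aces:
            who, rest = ace.split(None, 1)  # "group:everyone", "[inherited] allow perms"
            words = rest.split()
            if who != "group:everyone" or "allow" not in words:
                continue
            perms = set(words[-1].split(","))
            ok = INHERIT_FLAGS <= perms if name == "." else "inherited" in words
        findings[name] = ("ok" if ok else "folder ACE lacks inherit flags"
                          if name == "." else "no inherited everyone ACE (moved in)")
    return findings
```

Items reported as "moved in" are the ones other users will be unable to edit until they are re-created in the folder or given an ACE by hand.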



Mac OS X Hints
http://hints.macworld.com/article.php?story=2006061222075876