
10.5: List service ACLs on Mac OS X 10.5 Server
Mac OS X lacks a good command line tool for following a Services Access Control List (SACL) tree of users and groups. If you don't want to, or just can't, use the GUI to list users in service ACLs of your Mac OS X server (or managed client), you need to parse the groups/nested groups/users tree one group at a time, using dscl. It's really painful. As an alternative, I've created a script to handle this for sys admins.

I won't promise you a killer command line tool with foolproof error and recursion handling, but I still believe I've designed a usable piece of shell script -- even if it looks like it's the worst code I've ever written (which is not true; I've made things way uglier). The source code is too long and messy to be just copy-pasted here; just download the getsacls.sh script (4KB) directly from my machine.

How to install getsacls.sh:
Simply copy it to your Mac OS X 10.5 server (or managed client); anywhere in your $PATH should be fine. Then chmod +x the script, so that it can be executed.

How to configure getsacls.sh:
Default values should be OK, but if you really want to change something, open the script in your favorite editor, and find the FEW USER TUNABLE MISCS section. Edit at your own risk.

How to use getsacls.sh:
It's simple, you just have to launch it. It will then proceed with the parsing of every SACL on your local system. You don't need to be root, or even admin. I've tested the script successfully on a client with the guest account. Do not use the sh command to launch this script; getsacls.sh uses special escape sequences and command options that sh will not recognize. Just type getsacls.sh to run it.

If you want to parse only some SACLs, you can provide each SACL name at the command line:
$ getsacls.sh com.apple.access_ssh com.apple.access_loginwindow
Still, you should only use SACL names that exist on your local system. The default output is "fancy" -- it uses bold, indentation, and a beach-ball cursor. If you want the "no fancy" mode, you can either edit the corresponding "tunable misc variable," or define FANCY=NO at launch time:
$ FANCY=NO getsacls.sh com.apple.access_ssh
This "no fancy" mode allows for later parsing.

Caveats/bugs:
  • The script will not handle circular references. If your SACL uses nested groups in a circular way (group 1 » group 2 » group 1), the script will not stop.
  • When finding two or more similar users or groups (for example, the local admin group and the open directory admin group), it will use only one of them, and that should be the local one.
  • The script uses SQLite3 as a backend, because bash is not good with arrays, and because I'm not good with Perl/Python/Ruby.
You can find more info, sample outputs, and updates in this entry on my site.

[robg adds: I haven't tested this one. I did mirror the script here, in case the original ever vanishes. However, the linked resources will have the current version, so check there first.]
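
The first caveat above (circular nested groups) can be handled by remembering which groups are on the current path. The following is an added example, not part of getsacls.sh: it expands a SACL over a constructed in-memory directory, records the group chain that grants each user access, and reports circular and undefined nested groups. Every name except com.apple.access_ssh is made up, and reading the real directory is assumed to happen elsewhere.

```python
# Constructed sample data: group -> direct users and nested groups.
# All names except com.apple.access_ssh are made up; on a real system this
# would be read from the directory service (assumption, not shown here).
DIRECTORY = {
    "com.apple.access_ssh": {"users": ["alice"], "groups": ["admins", "ops"]},
    "admins": {"users": ["root", "bob"], "groups": ["ops"]},
    # ops nests admins again: the circular case from the caveat list
    "ops": {"users": ["carol"], "groups": ["admins", "contractors"]},
    # "contractors" is referenced but never defined (dangling nested group)
}

def expand_sacl(name, directory):
    """Walk the group tree under `name` without looping on circular nesting.

    Returns (users, cycles, missing):
      users   - user -> list of groups through which access was first found
      cycles  - each circular chain, e.g. ['admins', 'ops', 'admins']
      missing - nested groups that have no record in the directory
    """
    users, cycles, missing = {}, [], set()
    done = set()  # groups whose whole subtree has already been expanded

    def walk(group, path):
        if group in path:  # group is its own ancestor: circular reference
            cycles.append(path[path.index(group):] + [group])
            return
        if group in done:  # reached again via another branch, skip the rework
            return
        record = directory.get(group)
        if record is None:
            missing.add(group)
            return
        path = path + [group]
        for user in record["users"]:
            users.setdefault(user, path)
        for nested in record["groups"]:
            walk(nested, path)
        done.add(group)

    walk(name, [])
    return users, cycles, missing

if __name__ == "__main__":
    users, cycles, missing = expand_sacl("com.apple.access_ssh", DIRECTORY)
    for user in sorted(users):
        print("%-6s via %s" % (user, " > ".join(users[user])))
    for chain in cycles:
        print("circular nesting: " + " > ".join(chain))
    print("undefined groups: " + ", ".join(sorted(missing)))
```

Keeping the chain per user is useful when auditing a service ACL, because it shows which nested group actually grants the access.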

10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: wallybear on Jul 20, '09 02:48:10PM
The stock sleep command does not work with intervals smaller than 1 second. If you try you will see it doesn't matter if you use sleep 0.5 or 0.9 or 0.01.
A quick and dirty solution in Python:
-------- snip ----------------------------
#!/usr/bin/python
# fsleep: accept fractions of a second
import time
import sys
try:
   time.sleep(float(sys.argv[1]))
except (IndexError, ValueError):
   # missing argument, or argument is not a valid number
   print('Error in parameter.')
   sys.exit(1)
-------- snip ----------------------------

Save the above script as fsleep and make it executable (chmod +x fsleep);
this one will also work with fractional seconds (e.g.: fsleep 0.1)

10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: wallybear on Jul 20, '09 03:34:50PM
...or, if you prefer a binary executable, save the following code as "msleep.c":
---- snip -----------------

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* usleep() */

int main(int argc, char *argv[])
{
  unsigned long    sleep_time;

  /* Exactly one argument is expected: the delay in milliseconds */
  if (argc != 2)
  {
     printf("*** ERROR - insufficient parameters \n");
     printf("            usage: 'msleep <milliseconds>'\n");
     exit(1);
  }

// Get sleep_time from command line (unsigned, to match sleep_time's type)
  sleep_time = strtoul(argv[1], NULL, 0);

// Sleep for sleep_time milliseconds
  usleep(sleep_time*1000); //usleep wants microseconds

  return(0);
}
---- snip -----------------
and compile it with the command gcc msleep.c -o msleep; it will create the msleep binary.

The syntax of msleep is: msleep <milliseconds> (e.g.: msleep 500 for a delay of 0.5 seconds)


10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: patpro on Jul 20, '09 10:37:13PM

I'm afraid you are wrong :)
You can try this:

$ time sleep 0.5

real 0m0.520s
user 0m0.001s
sys 0m0.002s

$ time sleep 0.2

real 0m0.205s
user 0m0.001s
sys 0m0.003s

$ time sleep 0.1

real 0m0.105s
user 0m0.001s
sys 0m0.004s


It looks like the 10.5 sleep command allows intervals shorter than 1 second.

---
http://www.patpro.net/



10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: wallybear on Jul 21, '09 11:01:03AM

Interesting. Stats on my Mac (10.5.7) gave this:

$ time sleep 0.5
real 0m0.013s
user 0m0.001s
sys 0m0.003s

$ time sleep 0.1
real 0m0.002s
user 0m0.001s
sys 0m0.002s

$ time sleep 0.2
real 0m0.003s
user 0m0.001s
sys 0m0.002s

$ time sleep 1
real 0m1.003s
user 0m0.001s
sys 0m0.002s

As you can see, no correlation between the command and the timings (except for time sleep 1).
Any clue?



10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: wallybear on Jul 21, '09 11:10:00AM

mmmhmm... It seems I found the answer.

The sleep command follows the locale settings. If I type:

$ time sleep 0,5
real 0m0.503s
user 0m0.001s
sys 0m0.002s

$ time sleep 0,2
real 0m0.203s
user 0m0.001s
sys 0m0.002s

and so on (note the "," instead of "."), I get correct timings (my locale uses "," as decimal point).
But this makes scripts using sleep with fractional timings unreliable: they work correctly only with certain locales.

So I think it's still better to use the other solutions I pointed out above, which do not depend on locales.



10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: patpro on Jul 23, '09 01:35:02PM

Hi,

You might want to test the latest update of the script. I've added a LC_NUMERIC=en_US on the sleep 0.05 line, so that the beachball cursor should run nicely on your system.

---
http://www.patpro.net/



10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: wallybear on Jul 23, '09 04:06:27PM

Yes, it works. That's a workaround, but fixes the problem and makes the script more "international".

BTW, I think that a 0.05 delay is a little too small, the "infamous beachball" spins too fast (it's almost difficult to realize it's spinning); a 0.1 delay (or, better, 0.2) is more visually appealing. Just my opinion.



10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: patpro on Jul 27, '09 08:14:39AM

Well, the 0.05 delay might be too small, you are right. I've made 99% of my tests over an ssh connection, so maybe the latency slowed my beachball :)
I'll change that in the next release (along with a bunch of other details, hopefully).

---
http://www.patpro.net/



10.5: List service ACLs on Mac OS X 10.5 Server
Authored by: wallybear on Jul 23, '09 04:16:05PM

It's fun noting that the Python script I wrote above ignores locales (wants "." as decimal point or it will give an error) while sleep doesn't... no consistent locale behaviour in CLI.


