Script to list all filesystem objects with ACLs
Authored by: guns on Aug 19, '08 10:40:12AM
The hint category is 10.5. Won't this also work on (and be good for) 10.4.x?

I think I remember that ACLs were turned off on the main volume by default.

So… if this is an issue, what exactly is the "Repair Permissions" function of the Disk Utility doing? Also, is there another tool that we can use to look at the ACLs?

"Repair permissions" is just trying to restore POSIX permissions on Apple System and Application files. Like the OP mentioned, it doesn't work all that well. For instance, /var/log/secure.log should have permissions of 0600, but on my machine they are set to 0640 for some reason, a security risk. I ran Disk Utility, which caught this error, exited with success, and never actually fixed this mistake. Furthermore, I don't think it corrects ACL errors. As far as ACL tools, Apple's ls comes with the '-e' option, which will print all ACLs on files, and Apple's chmod lets you set, edit, and delete ACLs.

--

Great post. I know that lots of vendors are lax about POSIX permissions, but I didn't know of any that added ACLs. You didn't imply that they did necessarily, but do you know of any that do? That's pretty worrying, because clearly it's possible.

Also, you may want to set the output directory to /tmp or something else that's sure to exist, or else include a 'mkdir ~/acls'.



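Added example, not part of the comment above or of the original hint's script: a small filter that turns the `ls -le` output mentioned in that comment into a list of ACL-bearing paths and their entries. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list objects that carry ACL entries, from `ls -le` output.
# sample_listing, acl_report and acl_objects are hypothetical names.

# Constructed sample of `ls -le` output (not captured from a real system).
sample_listing() {
cat <<'EOF'
total 24
-rw-r-----  1 root   admin  5120 Aug 19 10:40 secure.log
drwx------+ 5 alice  staff   170 Aug 19 10:41 Documents
 0: group:everyone deny delete
-rw-r--r--@ 1 alice  staff    12 Aug 19 10:42 my notes.txt
 0: user:bob allow read,write
 1: group:everyone deny delete
-rw-r--r--  1 alice  staff     3 Aug 19 10:43 plain.txt
EOF
}

# Read `ls -le` (or `ls -leR`) output on stdin and print one line per ACL
# entry as "path<TAB>entry". Matching is keyed on the numbered entry lines,
# not on the flag character after the mode string.
acl_report() {
    awk '
        /^ +[0-9]+: / {                      # " 0: group:everyone deny delete"
            if (name != "") { sub(/^ +[0-9]+: /, ""); print name "\t" $0 }
            next
        }
        $1 ~ /^[-bcdlps][-rwxsStT]+[@+]?$/ && NF >= 9 {   # a file entry line
            name = $9                        # names may contain spaces
            for (i = 10; i <= NF; i++) name = name " " $i
            if (dir != "") name = dir "/" name
            next
        }
        /:$/ { dir = substr($0, 1, length($0) - 1); name = ""; next }  # -R header
        { name = "" }                        # "total N", blank lines
    '
}

# Unique paths that have at least one ACL entry.
acl_objects() {
    acl_report | cut -f1 | sort -u
}

sample_listing | acl_report
```

On a Mac, piping `ls -leR` for a directory into `acl_objects` gives the set of paths to review; saving that list and diffing it after running a third-party installer shows which ACLs were added or changed.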
Script to list all filesystem objects with ACLs
Authored by: xr4ti on Aug 19, '08 11:31:08AM
A great suggestion (I must have been a little too sleepy when I finished the script).

Immediately after the "else", you can add the following line:

mkdir -p ~/acls

That will create the directory, if necessary, and be silent if it's already there.


Script to list all filesystem objects with ACLs
Authored by: xr4ti on Aug 19, '08 11:37:45AM

And, on the question about vendors:

No, I don't know of a vendor that has intentionally or mistakenly set ACLs improperly. Since I've just started tracking ACLs closely, I can't be sure that the few third-party installers I've already run have altered or added ACLs to my system. I use Tripwire religiously, and it's what caught past POSIX tampering by some major vendors.

I can only say that the current crop of 800+ ACLs on my system look like they were either done by Apple, or done by Get Info before I realized how much damage Get Info can do.


