ACL: Access Control Lists

From OS X Scientific Computing

Jump to: navigation, search

Contents

Access Control Lists

OS X 10.4 and above enables ACLs, or Access Control Lists.

What is ACL?

It allows complete fine-tuning of file permissions.

Let's say you want to share an iPhoto library with your spouse, so that either of you can load in photos, edit them, and do as you please as if it were your own private iPhoto library, while keeping the rest of the family out. ACL makes this very simple and straightforward.

The other nice part is that new files inherit the ACL permissions from the parent directory. So if my wife loads in new photos, I can distort or delete those that accentuate how fat I look.

Of course, the applications for several people working on a common data set should be obvious too.

Where can I learn more?

Ars Technica has a nice write-up on ACL

How do I activate ACL?

For 10.6, it is on by default.

You don't need to do anything, and /usr/sbin/fsaclctl does not exist.

For 10.4 and 10.5, just issue the command

sudo /usr/sbin/fsaclctl -p / -e

to activate ACL for the root volume, /.

Here is what the rest of the command means:

usage:  fsaclctl -p path | -a  [-e enable] [-d disable] [-v]
                -p              path to filesystem mount point
                -a              operate on all relevant volumes
                -e              enable access control lists on this filesystem
                -d              disable access control lists on this filesystem
                -v              print version 

How do I set ACL permissions with chmod?

Using our iPhoto example, I copied (crucially, did not move) mine to /Users/Shared/iPhoto_Shared_Library and then issued the commands

sudo chmod -R +a \
"my_username allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit" \
/Users/Shared/iPhoto_Shared_Library
sudo chmod -R +a \
"spouse_username allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit"   \
/Users/Shared/iPhoto_Shared_Library

These are one-line commands. I escaped the returns to fit it within the wiki page. It is better not to in real life.


For more general examples,

RTFM

Here is the relevant skinny from the chmod man page:

ACL MANIPULATION OPTIONS
     ACLs are manipulated using extensions to the symbolic mode grammar.  Each
     file has one ACL, containing an ordered list of entries.  Each entry
     refers to a user or group, and grants or denies a set of permissions.  In
     cases where a user and a group exist with the same name, the user/group
     name can be prefixed with "user:" or "group:" in order to specify the
     type of name.

     The following permissions are applicable to all filesystem objects:
           delete  Delete the item.  Deletion may be granted by either this
                   permission on an object or the delete_child right on the
                   containing directory.
           readattr
                   Read an objects basic attributes.  This is implicitly
                   granted if the object can be looked up and not explicitly
                   denied.
           writeattr
                   Write an object's basic attributes.
           readextattr
                   Read extended attributes.
           writeextattr
                   Write extended attributes.
           readsecurity
                   Read an object's extended security information (ACL).
           writesecurity
                   Write an object's security information (ownership, mode,
                   ACL).
           chown   Change an object's ownership.

     The following permissions are applicable to directories:
           list    List entries.
           search  Look up files by name.
           add_file
                   Add a file.
           add_subdirectory
                   Add a subdirectory.
           delete_child
                   Delete a contained object.  See the file delete permission
                   above.

     The following permissions are applicable to non-directory filesystem
     objects:
           read    Open for reading.
           write   Open for writing.
           append  Open for writing, but in a fashion that only allows writes
                   into areas of the file not previously written.
           execute
                   Execute the file as a script or program.

     ACL inheritance is controlled with the following permissions words, which
     may only be applied to directories:
           file_inherit
                   Inherit to files.
           directory_inherit
                   Inherit to directories.
           limit_inherit
                   This flag is only relevant to entries inherited by subdi-
                   rectories; it causes the directory_inherit flag to be
                   cleared in the entry that is inherited, preventing further
                   nested subdirectories from also inheriting the entry.
           only_inherit
                   The entry is inherited by created items but not considered
                   when processing the ACL.

     The ACL manipulation options are as follows:

     +a      The +a mode parses a new ACL entry from the next argument on the
             commandline and inserts it into the canonical location in the
             ACL. If the supplied entry refers to an identity already listed,
             the two entries are combined.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
              # chmod +a "admin allow write" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write
              # chmod +a "guest deny read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write
              # chmod +a "admin allow delete" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete

             The +a mode strives to maintain correct canonical form for the
             ACL.
                              local deny
                              local allow
                              inherited deny
                              inherited allow

             By default, chmod adds entries to the top of the local deny and
             local allow lists. Inherited entries are added by using the +ai
             mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
                3: juser inherited deny delete
                4: admin inherited allow delete
                5: backup inherited deny read
                6: admin inherited allow write-security
              # chmod +ai "others allow read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
                3: juser inherited deny delete
                4: others inherited allow read
                5: admin inherited allow delete
                6: backup inherited deny read
                7: admin inherited allow write-security

     +a#     When a specific ordering is required, the exact location at which
             an entry will be inserted is specified with the +a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write
              # chmod +a# 2 "others deny read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: others deny read
                3: admin allow write

             The +ai# mode may be used to insert inherited entries at a spe-
             cific location. Note that these modes allow non-canonical ACL
             ordering to be constructed.

     -a      The -a mode is used to delete ACL entries. All entries exactly
             matching the supplied entry will be deleted. If the entry lists a
             subset of rights granted by an entry, only the rights listed are
             removed. Entries may also be deleted by index using the -a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
              # chmod -a# 1 file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write,delete
              # chmod -a "admin allow write" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow delete

             Inheritance is not considered when processing the -a mode; rights
             and entries will be removed regardless of their inherited state.

     =a#     Individual entries are rewritten using the =a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow delete
              # chmod =a# 1 "admin allow write,chown"
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write,chown

             This mode may not be used to add new entries.

     -E      Reads the ACL information from stdin, as a sequential list of
             ACEs, separated by newlines.  If the information parses cor-
             rectly, the existing information is replaced.

     -C      Returns false if any of the named files have ACLs in non-canoni-
             cal order.

     -i      Removes the 'inherited' bit from all entries in the named file(s)
             ACLs.

     -I      Removes all inherited entries from the named file(s) ACL(s).

     -N      Removes the ACL from the named file(s).




Personal tools