ACLs on Mac OS X

This is a short follow-up of an earlier post where I explained how one can set ACLs on FreeBSD. Today now I’ll do the same on another BSD variant, namely Mac OS X, and guess what, the guys from Cupertino implemented ACL management in a completely different manner.

The first thing to notice is that starting with Mac OS X 10.6 (Snow Leopard) ACLs are always enabled and cannot be disabled as in earlier versions. All ACL commands are baked into the `chmod` command and parsed from a string you give it with the ‘+a’ option. The basic syntax here is

$ chmod (+|-|=)a#? ‘ (allow|deny)

Since there is no `setfacl` on Mac OS X, there is no `getfacl` either, so ACLs are instead queried by the special option `-e` of `ls`:

$ ls -le .
-rw-r–r–+ 1 john users 175 5 Jun 00:23 foo
0: user:dave allow write

Permissions include the usual `read`, `write`, `delete`, `add_file`, and `add_subdirectory` as well as more exotic ones like `{read,write}extattr`, `{read,write}writesecurity` and `chown`. (Read up `chmod`’s man page what these are for.)

There are, however, two more important ones to notice, namely `file_inherit` and `directory_inherit`. These two let you spread your permissions nicely to sub objects and thus let you for example set up a directory, in which a pool of users is allowed to access, modify and delete each other’s files:

$ chmod +a ‘john allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit’ /data
$ chmod +a ‘dave allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit’ /data

The above example gives `john` and `dave` inherited read, write and delete permissions to all file objects underneath `/data`.

Since ACLs are executed in order, they can also be set in an ordered manner. `chmod` has the `+a#` option for that, where `#` is the position into which the ACL should be added. Similarily, existing ACLs can be edited with `=a#`, where again `#` marks the position of the ACL to edit, and deleted with `-a#`.

Finally, if one wants to get rid of all ACLs of a specific node, `chmod -N ` will do the job.

Thats it, have fun playing with ACLs on Mac OS X!

4 thoughts on “ACLs on Mac OS X”

  1. This is great, except for part where it uses a format which is incompatible with BSD/ZFS (the only other thing in the world that uses NFSv4 ACL’s, as the above).

    In BSD, you can assign eg. owner@:permissions as an ACL entry, but MacOSX will interpret this as group:”owner”, and not “the owner of the file”, and so grant no permissions and everything will fail.

    Likewise if you add user:jim:permissions as an ACL entry in BSD, in MacOSX it doesn’t know who user:jim is – because Mac uses UUIDs (DF07-9BCD00F-FFFF—blah blah blah) instead of UID’s (‘501’) in the ACL. And so, in BSD, when it sees a MacOSX ACL entry for users jim, it will see an entry for UID “DF07-9BCD00F-FFFF–” etc, which it interprets as an integer UID, and so will put ‘32768’ (max integer value), and everything will fail.


Comments are closed.