This is a short follow-up to an earlier post where I explained how to set ACLs on FreeBSD. Today I'll do the same on another BSD variant, namely Mac OS X, and guess what: the guys from Cupertino implemented ACL management in a completely different manner.
The first thing to notice is that starting with Mac OS X 10.6 (Snow Leopard) ACLs are always enabled and can no longer be disabled as in earlier versions. All ACL commands are baked into the chmod command and parsed from a string you pass it with the '+a' option. The basic syntax is
$ chmod (+|-|=)a#? '<user> (allow|deny) <list-of-permissions>'
Since there is no setfacl on Mac OS X, there is no getfacl either, so ACLs are instead queried with the -e option of ls:
$ ls -le .
[...]
-rw-r--r--+ 1 john users 175 5 Jun 00:23 foo
 0: user:dave allow write
Permissions include the usual ones such as read and write as well as more exotic ones like add_subdirectory and chown. (Read up in chmod's man page what these are for.)
There are, however, two more important ones to notice, namely file_inherit and directory_inherit. These two let you spread your permissions nicely to sub-objects and thus let you, for example, set up a directory in which a pool of users is allowed to access, modify and delete each other's files:
$ chmod +a 'john allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' /data
$ chmod +a 'dave allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' /data
The above example gives john and dave inherited read, write and delete permissions on all file objects underneath /data.
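To make the ls -le listing format and the shared-directory setup above easier to audit, here is an added example (not code from the original post): it parses ls -le output into ordered ACL entries, lists the entries that inherit to sub-objects, and builds the chmod +a strings for a pool of users. The sample listing is constructed, as are the AclEntry type and the function names.

```python
import re
from dataclasses import dataclass

# Matches one ACL entry line printed by `ls -le`, e.g. " 0: user:dave allow write"
ACL_LINE = re.compile(r"^\s*(\d+):\s+(user|group):(\S+)\s+(allow|deny)\s+(\S+)\s*$")
INHERIT_FLAGS = {"file_inherit", "directory_inherit"}
POOL_PERMS = ("read", "write", "delete", "add_file", "add_subdirectory",
              "file_inherit", "directory_inherit")


@dataclass(frozen=True)
class AclEntry:
    index: int      # position in the ACL, as printed by ls -le
    kind: str       # "user" or "group"
    name: str
    effect: str     # "allow" or "deny"
    perms: frozenset


def parse_ls_le(listing):
    """Map each file in `ls -le` output to its ACL entries, in listed order."""
    acls, current = {}, None
    for line in listing.splitlines():
        m = ACL_LINE.match(line)
        if m and current is not None:
            idx, kind, name, effect, perms = m.groups()
            acls[current].append(AclEntry(int(idx), kind, name, effect,
                                          frozenset(perms.split(","))))
        elif line.strip() and not line.startswith(("total", "[")):
            # A plain `ls -l` line: the name is the last field. The '+' in the
            # mode column only says an ACL exists; its entries follow below.
            current = line.split(None, 8)[-1]
            acls[current] = []
    return acls


def inheriting_entries(acls):
    """Entries that propagate to sub-objects: the ones to review on shared dirs."""
    return [(path, e) for path, entries in acls.items()
            for e in entries if e.perms & INHERIT_FLAGS]


def pool_commands(users, path, perms=POOL_PERMS):
    """Build the chmod +a invocations from the post for a pool of users."""
    return ["chmod +a '%s allow %s' %s" % (u, ",".join(perms), path) for u in users]


# Constructed sample output in the format of `ls -le` (not a real listing).
SAMPLE = """\
-rw-r--r--+ 1 john users 175 5 Jun 00:23 foo
 0: user:dave allow write
drwxr-xr-x+ 2 john users 68 5 Jun 00:30 data
 0: user:john allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit
 1: user:dave deny delete
"""
```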
Since ACL entries are evaluated in order, they can also be set at a specific position. chmod has the +a# option for that, where # is the position at which the entry should be added. Similarly, existing entries can be edited with =a#, where again # marks the position of the entry to edit, and deleted with -a#. Finally, if one wants to get rid of all ACL entries on a specific node, chmod -N <path> will do the job.
That's it, have fun playing with ACLs on Mac OS X!