{"id":1040,"date":"2011-06-04T23:55:37","date_gmt":"2011-06-04T22:55:37","guid":{"rendered":"http:\/\/www.thomaskeller.biz\/blog\/?p=1040"},"modified":"2011-06-05T00:12:04","modified_gmt":"2011-06-04T23:12:04","slug":"acls-on-mac-os-x","status":"publish","type":"post","link":"https:\/\/www.thomaskeller.biz\/blog\/2011\/06\/04\/acls-on-mac-os-x\/","title":{"rendered":"ACLs on Mac OS X"},"content":{"rendered":"<p>This is a short follow-up of <a title=\"ACLs on a jailed ZFS volume with FreeBSD\" href=\"http:\/\/www.thomaskeller.biz\/blog\/2010\/08\/30\/acls-on-a-jailed-zfs-volume-with-freebsd\/\">an earlier post<\/a> where I explained how one can set ACLs on FreeBSD. Today now I&#8217;ll do the same on another BSD variant, namely Mac OS X, and guess what, the guys from Cupertino implemented ACL management in a completely different manner.<\/p>\n<p>The first thing to notice is that starting with Mac OS X 10.6 (Snow Leopard) ACLs are always enabled and cannot be disabled as in earlier versions. All ACL commands are baked into the `chmod` command and parsed from a string you give it with the &#8216;+a&#8217; option. The basic syntax here is<\/p>\n<p>    $ chmod (+|-|=)a#? &#8216;<user> (allow|deny) <list-of-permissions>&#8216;<\/p>\n<p>Since there is no `setfacl` on Mac OS X, there is no `getfacl` either, so ACLs are instead queried by the special option `-e` of `ls`:<\/p>\n<p>    $ ls -le .<br \/>\n    [&#8230;]<br \/>\n    -rw-r&#8211;r&#8211;+ 1 john users  175  5 Jun 00:23 foo<br \/>\n    0: user:dave allow write<\/p>\n<p>Permissions include the usual `read`, `write`, `delete`, `add_file`, and `add_subdirectory` as well as more exotic ones like `{read,write}extattr`, `{read,write}writesecurity` and `chown`. (Read up `chmod`&#8217;s man page what these are for.)<\/p>\n<p>There are, however, two more important ones to notice, namely `file_inherit` and `directory_inherit`. These two let you spread your permissions nicely to sub objects and thus let you for example set up a directory, in which a pool of users is allowed to access, modify and delete each other&#8217;s files:<\/p>\n<p>    $ chmod +a &#8216;john allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit&#8217; \/data<br \/>\n    $ chmod +a &#8216;dave allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit&#8217; \/data<\/p>\n<p>The above example gives `john` and `dave` inherited read, write and delete permissions to all file objects underneath `\/data`.<\/p>\n<p>Since ACLs are executed in order, they can also be set in an ordered manner. `chmod` has the `+a#` option for that, where `#` is the position into which the ACL should be added. Similarily, existing ACLs can be edited with `=a#`, where again `#` marks the position of the ACL to edit, and deleted with `-a#`.<\/p>\n<p>Finally, if one wants to get rid of all ACLs of a specific node,  `chmod -N <path>` will do the job.<\/p>\n<p>Thats it, have fun playing with ACLs on Mac OS X!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a short follow-up of an earlier post where I explained how one can set ACLs on FreeBSD. Today now I&#8217;ll do the same on another BSD variant, namely Mac OS X, and guess what, the guys from Cupertino implemented ACL management in a completely different manner. The first thing to notice is that &hellip; <a href=\"https:\/\/www.thomaskeller.biz\/blog\/2011\/06\/04\/acls-on-mac-os-x\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">ACLs on Mac OS X<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-1040","post","type-post","status-publish","format-standard","hentry","category-tips"],"_links":{"self":[{"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/posts\/1040","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/comments?post=1040"}],"version-history":[{"count":9,"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/posts\/1040\/revisions"}],"predecessor-version":[{"id":1050,"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/posts\/1040\/revisions\/1050"}],"wp:attachment":[{"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/media?parent=1040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/categories?post=1040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thomaskeller.biz\/blog\/wp-json\/wp\/v2\/tags?post=1040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}