Catch-all ACL attributes via CLI for Mac OS X

access-control-listmac-osxpermissionsterminaluser-management

It's nice and all that one can "go crazy" adding and subtracting ACL's from files/folders till the cows come home… but when doing it from the command line, say for example..

$ chmod +a# 1 "admin deny delete" foo 
$ ls -lde foo 
 drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo 
 0: group:admin allow delete 
 1: group:admin deny delete 
 2: user:tony allow delete

Is there an "easier" syntax that allows for "ALL" type scenarios? Since there are a total of 2^13 * 12 = 98,304 different access rights you can define it would be great if you could for example state…

$ chmod +a "staff allow all" foo

But as far as I can tell, it ain't possible. Any extended-attribute gurus out there know of any tricks?

Best Answer

I'm not sure if this helps, but since you can have more than one permission per ACL, you could use a couple of environment variables (e.g. in your .profile) to make it easier. Assuming your default shell is bash:

export FILE_ALL="read,write,append,execute,delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
export DIR_ALL="list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"

Then when you need to grant permissions:

$ chmod +a "group:admin allow $FILE_ALL" foo

Related Solutions

Bash – propagate removal of an ACL entry for just one user in Mac OS

It's a bit long, but you can do something like this:

find . -exec chmod -a "johndoe allow delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,read,write,append,execute,list,search,add_file,add_subdirectory,delete_child" {} \;

You'd also have to run the same command with "deny" to remove any prohibitive rules for the user.

Many thanks to Jesse Rusak on StackOverflow - this was cribbed from his answer.

Linux – Special OS X like ACL Permission for Linux

The corresponding linux commands are :

ls : Any line with a + after permissions has ACLs on it ( rwxrwxrwx+ ).
setfacl : Add / Modify ACLs on the file
getfacl : Read ACLs on the file

Now, I don't know OSx all that well, but when I read those ACLs I see something different. To me, "group: everyone deny delete" would be a rule that states that members of the "everyone" group are denied the ability to delete files.

On linux, however, there is no such thing as "deny delete". The ability to delete is granted by the ability to write. Therefore, if you want to deny delete you also have to deny write which may not be exactly what you're looking for. Then again, you have to figure that it makes sense ... If I can write to a file, technically there is nothing preventing me from zeroing out the file's contents.

But with such a broad rule that seems to act as a catch all you don't really need ACLs at all. Just set the "other" permissions to r-- ( 0600 ) and users that are neither the owner, nor part of the owning group will be unable to write or execute the file. In your example that would mean anyone that is neither the user cb0 nor part of the group staff.

That being said, if you are interested in more indept information on ACLs and their respective commands, I would suggest you take a moment to carefully read through the POSIX Access Controls document : http://www.suse.de/~agruen/acl/linux-acls/online/

Best Answer

Related Solutions

Bash – propagate removal of an ACL entry for just one user in Mac OS

Linux – Special OS X like ACL Permission for Linux

Related Topic