How to chmod ACLs to groups with spaces in the name on Mac OS X

access-control-listchmodmac-osx

I'm trying to add an ACL for the group "Domain Users", but since it has spaces in the group name it isn't parsed correctly by chmod:

$ chmod -R +a 'DOMAIN\Domain Users allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit' shared
Unable to translate 'DOMAIN\Domain' to a UID/GID

How do I escape the space? I've tried all the obvious approaches with single quotes, double quotes, and backslash.

Best Answer

Since Apple's source for chmod is available, there's a hint in the parser:

if (strchr(pebuf, ':')) /* User/Group names can have spaces */

And indeed, if you read the man page it says:

If the user or group name contains spaces you can use ':' as the delimiter between name and permission.

Thus the solution is:

$ chmod +a 'DOMAIN\Domain Users:allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit' shared

Related Solutions

Numeric UIDs/GIDs in ACLs on OS X server (10.6)

The documentation states that "the computer generates" these UID's so I suppose there's no documented algorithm to translate between the two. You can, however, list user ids and generated uids and create a look-up-table to facilitate this translation.

To find the hex-string (among other things)for a user use this command: dscl /Search -read /Users/oliver GeneratedUID UniqueID 'dsAttrTypeNative:givenName'

To list all generated UID's:

  dscl  /Search -list  /Users GeneratedUID

To list all unique id's ("normal" uids)

  dscl  /Search -list  /Users UniqueID

Hope these help (maybe not you anymore, but this comes up in Google so someone else might still find this usefull).

How to copy ACLs on Mac OS X

ls -e Print the Access Control List (ACL) associated with the file, if present, in long (-l) output.

this gives a result such as...

drwxr-xr-x@ 19 localadmin   646B Aug  4 00:21  APPBUNDLE
0: user:localadmin allow add_file,add_subdirectory,writeattr,writeextattr,writesecurity
                   ⬆    ⇧                      ⇶                                     ⬆

Personally, I have "exports" in my ~/.bash_profile

export FILE_ALL="read,write,append,execute,delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
export DIR_ALL="list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"

that make such a chmod possible...

sudo chmod +a "allow localadmin $DIR_ALL" /APPBUNDLE

From the chmod man page, there is this bit of info... that hints that it may indeed be possible to do something like you describe..

"ACLs are manipulated using extensions to the symbolic mode grammar. Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions. In cases where a user and a group exist with the same name, the user/group name can be prefixed with "user:" or "group:" in order to specqify the type of name."

chmod -E Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If the information parses correctly, the existing information is replaced.

Also, I'll give a shout out to BatchMod, an oldie, but a goodie for ACL's, as well as TinkerToolSystem.

Best Answer

Related Solutions

Numeric UIDs/GIDs in ACLs on OS X server (10.6)

How to copy ACLs on Mac OS X

Related Topic