OSX User Directory – how did some get an ACE of group:everyone deny delete

Tags: access-control-list, mac-osx, permissions

I know a little about ACLs from long-ago experience, but have never checked them out in OSX (currently I have 10.6.7, standard non-server, on a stand-alone iMac). I just noticed that some non-admin user accounts I created a while ago (changer and Test) have an ACE of everyone:deny delete.

My own admin account doesn't have an ACL nor does a non-admin account that I created today.

I'm confused.

A) Doesn't that mean that no files can be deleted by anyone from those directories (changer & Test)?
B) Any idea about how they got there?

This is my /Users directory:

mimac:~ frank$ ls -le /Users
total 0
drwxrwxrwt   4 root     wheel   374 Sep 25  2010 Shared
drwxr-xr-x+ 15 Test     staff   612 Dec  2 13:11 Test
 0: group:everyone deny delete
drwxr-xr-x+ 11 changer  staff   510 Apr  1 00:07 changer
 0: group:everyone deny delete
drwxr-xr-x@ 67 frank    admin  3536 Apr  4 16:06 frank
drwxr-xr-x  11 newone   staff   408 Apr  6 02:07 newone

Best Answer

As churnd notes, it's a default entity, though it's not on /Users, but on the home directories themselves, populated under /Users, intended to prevent accidental deletion.

It's there by default during creation of home dirs, because new home directories are created based on a template found in /System/Library/User Template. It's these files that have their ACLs specified in a property list.

On 10.6, in /var/db/receipts directory, the default ACLs are specified in property lists. Below is an example, where I'm using the defaults command to read the PathACLs key in one of the primary .plist files created when the OS was initially installed.

[root@lithium5 19:13:43 /var/db/receipts]# defaults read /var/db/receipts/com.apple.pkg.Essentials PathACLs
{
    Applications = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n";
    "Applications/Utilities" = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n";
    Library = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n";
    "System/Library/User Template/English.lproj/Desktop" = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n";
    "System/Library/User Template/English.lproj/Documents" = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n";
    "System/Library/User Template/English.lproj/Downloads" = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n";
    "System/Library/User Template/English.lproj/Library" = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n";

This example snippet shows group:deny everyone delete for things like the /Applications directory, but also folders in /System/Library/User Template/English — it's that folder that is the source for how new home directories appear when created using the PrefPane or the createhomedir command.
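An added audit script (not from the answer, and not Apple's code) that parses the `ls -le` listing from the question and the `PathACLs` string format from the receipt, then reports which entries under /Users lack the deny-delete ACE a template-created home directory carries; the sample listing and receipt value below are constructed from the output quoted on this page.

```python
import re
# Constructed sample: the `ls -le /Users` listing from the question, embedded inline.
LS_LE_OUTPUT = """total 0
drwxrwxrwt   4 root     wheel   374 Sep 25  2010 Shared
drwxr-xr-x+ 15 Test     staff   612 Dec  2 13:11 Test
 0: group:everyone deny delete
drwxr-xr-x+ 11 changer  staff   510 Apr  1 00:07 changer
 0: group:everyone deny delete
drwxr-xr-x@ 67 frank    admin  3536 Apr  4 16:06 frank
drwxr-xr-x  11 newone   staff   408 Apr  6 02:07 newone
"""
# Constructed sample: one PathACLs value as printed by `defaults read` in the answer.
RECEIPT_ACL = "!#acl 1\\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:delete\\n"

# ACE line in `ls -le` output: " N: principal allow|deny perm[,perm...]"
ACE_RE = re.compile(r"^\s*\d+:\s+(\S+)\s+(allow|deny)\s+(\S+)$")

def parse_ls_le(text):
    """Map each name in an `ls -le` listing to its list of (principal, effect, perms) ACEs."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            principal, effect, perms = m.groups()
            entries[current].append((principal, effect, tuple(perms.split(","))))
            continue
        # Long-format line: mode links owner group size month day time|year name
        current = line.split(None, 8)[8]
        entries[current] = []
    return entries

def parse_receipt_acl(value):
    """Parse a PathACLs value: '!#acl 1\\n<type>:<uuid>:<name>:<numeric id>:<effect>:<perms>\\n'."""
    aces = []
    for line in value.replace("\\n", "\n").splitlines():
        if line and not line.startswith("!#acl"):
            kind, _uuid, name, _gid, effect, perms = line.split(":")
            aces.append((f"{kind}:{name}", effect, tuple(perms.split(","))))
    return aces

def has_deny_delete(aces):
    """True if some ACE denies 'delete' to group:everyone, the guard the template installs."""
    return any(p == "group:everyone" and e == "deny" and "delete" in perms for p, e, perms in aces)

def homes_missing_guard(listing, skip=("Shared",)):
    """Names under /Users whose ACL lacks the deny-delete ACE a template-created home carries."""
    return sorted(n for n, aces in parse_ls_le(listing).items()
                  if n not in skip and not has_deny_delete(aces))
```

On the listing above this reports frank and newone. Note that the ACE denies `delete` on the home directory object itself; removing files inside it is governed by `delete_child` on the directory and by the ordinary mode bits, so the guard does not make the contents undeletable.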
