Understanding Access Control Lists


Access control lists (ACLs) are a new feature in Mac OS X v10.4. File-system ACLs provide a much more granular set of permissions than the traditional UNIX permissions explained so far. Beyond the finer-grained rights, you can also assign different permissions to different users or groups, whereas traditional UNIX permissions limit you to one owning user, one owning group, and everyone else. By default, file-system ACLs are disabled on volumes in Mac OS X. Before you can use ACLs, you must turn them on for that particular volume:

fsaclctl -p /Volumes/MyACLedDrive -e


To check first whether ACLs are already enabled on a volume, type fsaclctl -p /Volumes/MyACLedDrive without the -e option. If you're using Mac OS X Server, you can also use Workgroup Manager to turn on file-system ACLs, as seen in the following figure.

Once you've enabled ACLs for the volume, you can attach access control entries to a file or folder. As with traditional UNIX permissions, you use the chmod command to do this, but you add the +a argument followed by an entry of the form "principal allow|deny rights".

Some examples include:

chmod +a "admin allow write" file1
chmod +a "guest deny read" file1
chmod +a "admin allow delete" file1


When you need to see what ACLs are attached to a given file, you use ls with the -le options (the + after the mode bits marks a file that carries an ACL, and the entries are listed in the order in which they are evaluated):

ls -le file1
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
 owner: juser
 1: guest deny read
 2: admin allow write,delete


Workgroup Manager also makes the task of assigning and viewing ACLs easier, as shown in the following figure.

As you can imagine, ACLs get very confusing very quickly. Again, Workgroup Manager comes to the rescue with the Effective Permissions Inspector. Just select a file or folder in Workgroup Manager, pull down the gear menu in the lower-right corner, and select Show Effective Permissions Inspector. With this tool, you can type in any user name, and it will parse through all of the ACL entries, many of which may overlap, and quickly show you which permissions that specific user will have on that file or folder.
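The same kind of check can be scripted on any Mac where you can capture ls -le output. The following is an added example, not code from the book or from Apple: it parses a listing like the one shown above and works out a named user's effective rights, using the evaluation model that Mac OS X documents for its ACLs (entries are checked in order, the first entry that mentions a given right and matches the user or one of the user's groups decides that right, and a right no entry mentions falls back to the POSIX mode bits). The sample listing, the user names and group memberships are constructed for the example, and treating the principal "everyone" as matching every user is an assumption.

```python
"""Parse `ls -le` output and compute a user's effective ACL rights.

Added example (not the book's code). Assumes the Mac OS X evaluation
model: ACEs are checked in order, the first entry that mentions a right
and matches the user (or one of the user's groups) decides it, and a
right no ACE mentions falls back to the POSIX mode bits.
"""
import re
from dataclasses import dataclass, field

# "-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1" (file names without spaces)
LONG_LINE = re.compile(r"^([-dl])([rwxstST-]{9})([+@]*)\s+\d+\s+(\S+)\s+(\S+)\s+.*\s(\S+)$")
# " 1: guest deny read"  or, on later releases, " 0: group:admin allow write,delete"
ACE_LINE = re.compile(r"^\s*(\d+):\s+(?:user:|group:)?(\S+)\s+(allow|deny)\s+(\S+)\s*$")
OWNER_LINE = re.compile(r"^\s*owner:\s+(\S+)\s*$")

# Rights that have a direct equivalent in this file's own mode bits.
POSIX_FALLBACK = {"read": "r", "write": "w", "execute": "x"}


@dataclass
class Ace:
    index: int
    principal: str
    kind: str              # "allow" or "deny"
    rights: frozenset


@dataclass
class FileAcl:
    name: str
    mode: str              # nine permission characters, e.g. "rw-r--r--"
    owner: str
    group: str
    aces: list = field(default_factory=list)


def parse_ls_le(text):
    """Parse one file's `ls -le` listing into a FileAcl."""
    acl = None
    for line in text.splitlines():
        m = LONG_LINE.match(line)
        if m:
            _ftype, mode, _flags, owner, group, name = m.groups()
            acl = FileAcl(name=name, mode=mode, owner=owner, group=group)
            continue
        if acl is None:
            continue                      # ignore anything before the listing line
        m = OWNER_LINE.match(line)
        if m:
            acl.owner = m.group(1)        # 10.4 prints an explicit owner line
            continue
        m = ACE_LINE.match(line)
        if m:
            idx, principal, kind, rights = m.groups()
            acl.aces.append(Ace(int(idx), principal, kind, frozenset(rights.split(","))))
    if acl is None:
        raise ValueError("no long-format listing line found")
    return acl


def _posix_allows(acl, user, groups, bit):
    """Classic mode-bit check: exactly one class (owner, group, other) applies."""
    if user == acl.owner:
        triad = acl.mode[0:3]
    elif acl.group in groups:
        triad = acl.mode[3:6]
    else:
        triad = acl.mode[6:9]
    # 's' / 't' in the execute slot also imply execute permission
    return bit in triad or (bit == "x" and any(c in triad for c in "st"))


def effective_rights(acl, user, groups, rights=("read", "write", "execute", "delete")):
    """Return {right: True | False | None} for `user`, a member of `groups`.

    None means no ACE mentions the right and it has no equivalent in this
    file's own mode bits (POSIX derives "delete" from the parent directory).
    """
    identities = {user} | set(groups) | {"everyone"}   # assumption: everyone matches all
    result = {}
    for right in rights:
        decided = None
        for ace in acl.aces:              # ordered: first applicable entry wins
            if ace.principal in identities and right in ace.rights:
                decided = ace.kind == "allow"
                break
        if decided is None and right in POSIX_FALLBACK:
            decided = _posix_allows(acl, user, groups, POSIX_FALLBACK[right])
        result[right] = decided
    return result


# Constructed sample, matching the listing discussed in the text.
SAMPLE_LS_LE = """\
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
 owner: juser
 1: guest deny read
 2: admin allow write,delete
"""

if __name__ == "__main__":
    acl = parse_ls_le(SAMPLE_LS_LE)
    # Hypothetical users: the owner, an admin who is not the owner, and guest.
    for user, groups in (("juser", {"wheel", "admin"}), ("alice", {"admin"}), ("guest", set())):
        print(f"{user:6s} {effective_rights(acl, user, groups)}")
```

Note how the mode bits alone would let guest read file1 (other: r--) while the deny entry at position 1 takes that right away, and how alice, who is neither owner nor in wheel, still gets write and delete through the admin allow entry. When an ACE you expect to match has no effect, check its position: an earlier entry that mentions the same right for the same user or group will have decided it first.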

Warning

File-system ACLs are very complex and you should test them very carefully to ensure that you've set up the correct set of permissions.





Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan
