Starting with 10.4, Mac OS X has ACLs. The "chown" man page tells you about their usage, but it leaves a little bit out and isn't all that helpful.
You need to turn on ACLs before you can use them. To enable them on the root filesystem, I'd do:
sudo fsaclctl -p / -e
The "-e" enables ACL use and "-d" disables it. No reboot is required; the change is instantaneous (the man page says you need to reboot or remount).
ACLs are listed by adding "-e" to a long "ls" listing:
ls -le
You'll notice nothing different about the output unless you had ACLs enabled previously. However, there is a little oddity: if a file EVER had an ACL, and its entries were later deleted (see below), a "+" sign will appear in the "ls -le" listing:
$ ls -le
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
Turning ACLs off with fsaclctl does not delete them; it just makes them temporarily invisible and ineffective:
$ sudo fsaclctl -p / -d
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- 1 apl apl 900 Feb 28 07:34 s
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
$ sudo fsaclctl -p / -e
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
0: group:admin allow write
1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
In the above listing, "s" has two ACL entries, and "foo" has none (but "foo" had one or more entries sometime in the past).
You apply ACLs using extended chmod commands:
$ chmod +a "tony allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
0: user:tony allow delete
The format is always a user or group, allow or deny, and an attribute. By default, new rules stack on top of the existing ones as you apply them:
$ chmod +a "admin allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
0: group:admin allow delete
1: user:tony allow delete
Notice that the new rule became rule #0? You can control the position:
$ chmod +a# 1 "admin deny delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
0: group:admin allow delete
1: group:admin deny delete
2: user:tony allow delete
That pushed our new rule in between 0 and 1, and it also shows why we'd need or want to do that: which rule matters now? Rule 0 says an admin can delete the file, and rule 1 denies that ability. Which takes precedence?
The "deny" takes precedence, and would even if we reversed the order. "Allow" rules are cumulative, so their order is unimportant, but "deny" rules short-circuit and take effect the moment they are encountered: no further rules are read.
Deleting ACL entries is easy:
$ chmod -a# 2 foo
$ chmod -a# 1 foo
$ chmod -a# 0 foo
Because the rules would "move up" as they are deleted, you could accomplish the same thing with:
$ chmod -a# 0 foo
$ chmod -a# 0 foo
$ chmod -a# 0 foo
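As an added example (not part of the original post), the following Python script parses the "ls -le" listing format shown above, reports files that still carry the "+" mark but list no entries, evaluates entries in listed order using the allow/deny rule just described, and models repeated "chmod -a# N" removals to show why the order of the indices matters. The listing it reads is constructed here in that format rather than captured from a system, and the evaluator models only the ACL entries, not the classic mode bits that the system also consults.

```python
import re
from dataclasses import dataclass

# One ACL entry line as `ls -le` prints it, e.g. " 1: user:tony inherited allow write"
ACE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<kind>user|group):(?P<name>\S+)\s+"
    r"(?P<inh>inherited\s+)?(?P<action>allow|deny)\s+(?P<rights>\S+)\s*$"
)
# A long-listing line; the '+' after the mode may be glued on or separated by a space
FILE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s*(?P<mark>[+@]?)\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+?)\s*$"
)


@dataclass
class Ace:
    kind: str           # "user" or "group"
    name: str
    action: str         # "allow" or "deny"
    rights: frozenset   # permissions (and any inheritance flags), e.g. {"delete"}
    inherited: bool = False


def parse_ls_le(text):
    """Map each file name to (has_plus_mark, [Ace, ...]) from `ls -le` output."""
    files, current = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group("name")
            files[current] = (m.group("mark") == "+", [])
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            files[current][1].append(Ace(
                m.group("kind"), m.group("name"), m.group("action"),
                frozenset(m.group("rights").split(",")),
                m.group("inh") is not None))
    return files


def is_granted(acl, user, groups, wanted):
    """Evaluate entries top to bottom using the rule the post states: matching
    allows accumulate, and the first matching deny on a wanted right ends the
    evaluation with a refusal. Classic mode bits are not modelled here."""
    wanted, granted = set(wanted), set()
    for ace in acl:
        applies = (ace.kind == "user" and ace.name == user) or \
                  (ace.kind == "group" and ace.name in groups)
        hit = (ace.rights & wanted) if applies else set()
        if not hit:
            continue
        if ace.action == "deny":
            return False
        granted |= hit
    return wanted <= granted


def delete_entries(acl, indices):
    """Model `chmod -a# N` applied repeatedly: later entries move up after each
    removal, so the same indices in a different order remove different entries."""
    acl = list(acl)
    for i in indices:
        del acl[i]
    return acl


def files_with_stale_mark(listing):
    """Names that carry the '+' mark but list no entries: an ACL existed once."""
    return sorted(n for n, (mark, acl) in parse_ls_le(listing).items() if mark and not acl)


# Constructed sample listing in the format shown above (not captured from a system).
SAMPLE_LISTING = """\
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
 0: group:admin allow delete
 1: group:admin deny delete
 2: user:tony allow delete
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 old
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
 0: group:admin allow write
 1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
"""

if __name__ == "__main__":
    files = parse_ls_le(SAMPLE_LISTING)
    for name, (mark, acl) in files.items():
        print(name, "+" if mark else " ", len(acl), "entries")
    foo = files["foo"][1]
    print("tony (in admin) may delete foo:", is_granted(foo, "tony", {"admin"}, {"delete"}))
    print("tony (not in admin) may delete foo:", is_granted(foo, "tony", set(), {"delete"}))
    print("stale '+' marks:", files_with_stale_mark(SAMPLE_LISTING))
    print("removing 2,1,0 leaves", delete_entries(foo, [2, 1, 0]),
          "and 0,0,0 leaves", delete_entries(foo, [0, 0, 0]))
```

Feed it the output of "ls -le" on a directory you want to audit and the stale-mark list tells you which files once carried entries; a deny on a group you belong to refuses the request even though an earlier allow matched, which is the ordering rule described above.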
Inheritable ACL entries can be added to directories:
$ chmod +a "admin allow delete,file_inherit,directory_inherit" foo
Any NEW files or directories we create in foo will inherit the entry "admin allow delete". Directories in foo will also inherit the "inherit" attributes and will pass the entry on to their own files and directories. We may not want that, so we can instead say:
$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit" foo
That applies "admin allow delete" to files and directories created in "foo", but doesn't keep passing it on further down. There's one more inheritance flag that is useful:
$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit" foo
The "only_inherit" flag avoids applying the ACL entry to "foo" itself.
Read the "chown" man page for the list of attributes that can be allowed or denied with ACLs.
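As an added example (not part of the original post), this Python script models the four inheritance flags as the post describes them. It takes the same "who allow rights,flags" strings that "chmod +a" takes, works out which entries govern the directory itself and which ones a newly created file or subdirectory receives, and follows the chain down several levels so the effect of "limit_inherit" and "only_inherit" is visible. The KNOWN_GROUPS set stands in for the system's user and group lookup and is constructed for this example.

```python
from dataclasses import dataclass

INHERIT_FLAGS = {"file_inherit", "directory_inherit", "limit_inherit", "only_inherit"}
# Names chmod would resolve to a group rather than a user: constructed for this
# example instead of being looked up in the system's directory service.
KNOWN_GROUPS = {"admin", "staff"}


@dataclass(frozen=True)
class Ace:
    who: str            # "group:admin" or "user:tony", as ls -le shows it
    action: str         # "allow" or "deny"
    rights: frozenset   # permissions such as {"delete"}
    flags: frozenset    # subset of INHERIT_FLAGS
    inherited: bool = False


def parse_entry(spec):
    """Parse one `chmod +a` argument, e.g. "admin allow delete,file_inherit"."""
    name, action, attrs = spec.split(None, 2)
    attrs = set(attrs.split(","))
    kind = "group" if name in KNOWN_GROUPS else "user"
    return Ace(f"{kind}:{name}", action,
               frozenset(attrs - INHERIT_FLAGS), frozenset(attrs & INHERIT_FLAGS))


def effective_entries(acl):
    """Entries that govern the directory itself: only_inherit entries do not."""
    return [a for a in acl if "only_inherit" not in a.flags]


def entries_for_new_child(acl, is_dir):
    """Entries a newly created file (is_dir=False) or directory receives from
    its parent's ACL, following the flags as the post describes them."""
    out = []
    for a in acl:
        if ("directory_inherit" if is_dir else "file_inherit") not in a.flags:
            continue
        if not is_dir or "limit_inherit" in a.flags:
            flags = frozenset()                  # a file, or a limited entry: propagation stops
        else:
            flags = a.flags - {"only_inherit"}   # child dir applies it and keeps propagating
        out.append(Ace(a.who, a.action, a.rights, flags, inherited=True))
    return out


def acl_at_depth(acl, depth):
    """ACL of a directory created `depth` levels below one carrying `acl`."""
    for _ in range(depth):
        acl = entries_for_new_child(acl, is_dir=True)
    return acl


if __name__ == "__main__":
    for spec in ("admin allow delete,file_inherit,directory_inherit",
                 "admin allow delete,file_inherit,directory_inherit,limit_inherit",
                 "admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit"):
        top = [parse_entry(spec)]
        print(spec)
        print("  applies to foo itself:", bool(effective_entries(top)))
        for d in (1, 2, 3):
            print(f"  entries on a directory {d} level(s) down:", len(acl_at_depth(top, d)))
```

Entries the children receive are marked inherited, which is what the "inherited" word in an "ls -le" entry line signals. The model follows the post's description; the chmod man page on the system is the authoritative reference for the exact propagation rules.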
Tue Apr 1 15:14:05 2008: Subject: Mike
Ah! Thank you; I've been tearing my hair out as to why a collection of NFS mount points were mounting and showing correct disk usage info, but couldn't be seen by the users who were supposed to see it. I wasn't aware of having to enable ACLs on the client root FS, and now I am.
Thanks again.
Fri Apr 18 10:41:21 2008: Subject: ACLs "@" pmstar
Hello,
I am having trouble with ACLs... I had issues when I was no longer able to rename or move some of my files (in the Documents folder)... I did solve this, but now I have another problem. A file on my desktop, for some reason, cannot be copied to an external disk. When I perform an "ls -ale" on the desktop, the file has the same permissions (and no ACLs) as the other files on the desktop (which I can copy), with the only difference that it lacks a "@" at the end of the permissions string.
"-rw-r--r--@" instead of "-rw-r--r-- "
What does the @ stand for and how do I add it?
Many thanks!
Fri Apr 18 11:01:21 2008: Subject: TonyLawrence
The "@" at the end means it has extended attributes. See "man ls"
See "chflags" and "SetFile" (setfile is in Developer tools) also.
But I'm not sure what's stopping you from copying..
Fri Apr 18 11:22:48 2008: Subject: TonyLawrence
Actually, after looking at the man pages and playing a bit, I think the "ls" man page is wrong..
I don't know what the "@" means. I have some files that show that, but I don't know why they are different than ones that do not..
ls -@l
(you have to put the l after the @)
shows stuff like this:
drwxrwxrwx 16 apl apl 544 May 17 2007 Adsense
-rw-r--r-- 1 apl apl 8634 Oct 14 2007 Brewster Line.pdf.zip
drwx------+ 39 apl apl 1326 Apr 17 10:58 Desktop
drwx------+ 15 apl apl 510 Apr 7 17:19 Documents
drwx------@ 57 apl apl 1938 Apr 14 13:58 Downloads
com.apple.FinderInfo 32
-rwxr-xr-x@ 1 apl apl 275 Apr 18 07:15 F
com.apple.quarantine 42
-rw-r--r-- 1 apl apl 1067520 Jan 24 10:53 Fprice.xls
drwx------+ 49 apl apl 1666 Mar 21 09:00 Library
drwx------+ 4 apl apl 136 Mar 21 10:19 Movies
drwx------+ 6 apl apl 204 Dec 14 2006 Music
-rwxr-xr-x@ 1 apl apl 275 Jan 2 2007 PageRank
com.apple.quarantine 42
I'm not sure what that means.. has to do with "xattr" but I haven't investigated that..
Fri Apr 18 11:27:23 2008: Subject: TonyLawrence
Ahh: see this for xattr.
http://arstechnica.com/reviews/os/macosx-10-4.ars/7
I knew you could do that but didn't realize Apple was actually using it for anything - apparently they are.
Fri Apr 18 11:35:08 2008: Subject: TonyLawrence
So..
Obviously com.apple.quarantine is for downloaded files - the thing that makes the message pop up when you first try to execute something downloaded.
I don't yet know what com.apple.FinderInfo means.. arstechnica says
"(Interestingly, type and creator codes are already (redundantly?) stored this way in Tiger. Assigning them to a file results in a new extended attribute key, com.apple.FinderInfo, with a value that is the concatenation of the type and creator codes. This is done transparently whenever a type or creator code is assigned to a file.)"
but I'm still unclear WHY some of my files have this.
But your un-copyable file has NO "@", right? So it's nothing to do with this..
Fri Apr 18 12:46:00 2008: Subject: TonyLawrence
Actually, we should start with basics:
Exactly what message do you get when you try to copy?