Starting with 10.4, Mac OS X has ACLs. The "chown" man page
tells you about their usage, but it leaves a little bit out
and isn't all that helpful.
If you landed here searching for a basic introduction to OS X permissions, I recommend
Brian Tanaka's Take Control of Permissions in Mac OS X, a $10 PDF E-book that will teach you the basics. The article
you are reading here is a bit more advanced.
You need to turn on ACLs before you can use them. To
enable them on the root filesystem, I'd do:
sudo fsaclctl -p / -e
The "-e" enables ACL use, "-d" disables. No reboot required,
the change is instantaneous (the man page says you do need to
reboot or remount).
Note: this command disappeared after 10.5. I assume it is no longer needed; ACLs seem to be enabled by default.
ACLs are listed by adding "-e" to a long "ls" listing:
You'll notice nothing different about the output unless
you had ACLs enabled previously. However, there is a
little oddity there: if a file EVER had an ACL list, and
the ACLs were later deleted (see below), a "+" sign will appear in
the "ls -le" listing:
That pushed our new rule in between 0 and 1, and also shows
why we'd need or want to do that: which rule matters now? We
say in 0 that an admin can delete the file, and in 1 that we
deny that ability. Which takes precedence?
The "deny" takes precedence, but it would even if we reversed
the order. "Allow" rules are cumulative, so their order is
unimportant, but "deny" rules short circuit and take effect the
moment they are encountered: no more rules are read.
Any NEW files or directories we create in foo will inherit
the ACL "admin allow delete". Directories in foo will
also inherit the "inherit" attribute and will pass that
on to their files and directories. We may not want that,
so we can instead say: