APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed
RSS Feeds RSS Feeds











(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
->
-> OS X ACL usage


OS X ACL usage



Starting with 10.4, Mac OS X has ACL's. The "chown" man page tells you about their usage, but it leaves a little bit out and isn't all that helpful.

If you landed here searching for a basic introduction to OS X permissions, I recommend Brian Tanaka's Take Control of Permissions in Mac OS X, a $10 PDF E-book that will teach you the basics. The article you are reading here is a bit more advanced.

You need to turn on ACL's before you can use them. To enable the root filesystem, I'd do:

sudo fsaclctl -p / -e

The "-e" enables ACL use, "-d" disables. No reboot required, the change is instantaneous (the man page says you do need to reboot or remount).

Note: this command disappeared after 10.5. I assume it is no longer needed; ACL's seem to be enabled by default.

ACL's are listed by adding "-e" to a long "ls" listing:

ls -le

(Article continues after the break)




You'll notice nothing different about the output unless you had acl's enabled previously. However, there is a little oddity there: if a file EVER had an ACL list, and the ACL's were later deleted (see blow), a "+" sign will appear in the "ls -le" listing:

$ ls -le
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo

Turning off with fsaclctl does not delete ACL's; it just makes them temporarily invisible and ineffective:


$ sudo fsaclctl -p / -d
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- 1 apl apl 900 Feb 28 07:34 s
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
$ sudo fsaclctl -p / -e
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
  0: group:admin allow write
  1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat

In the above listing, "s" has two ACL's, and "foo" has none (but "foo" had one or more ACL's sometime in the past).

You apply ACL's using extended chmod commands:

$ chmod +a "tony allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: user:tony allow delete

The format is always user or group, allow or deny, attribute. By default, rules stack as you apply them:

$ chmod +a "admin allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: group:admin allow delete
  1: user:tony allow delete

Notice that the new rule became rule #0? You can control the positioning:


$ chmod +a# 1 "admin deny delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: group:admin allow delete
  1: group:admin deny delete
  2: user:tony allow delete

That pushed are new rule in between 0 and 1, and also shows why we'd need or want to do that: which rule matters now? We say in 0 that an admin can delete the file, and in 1 that we deny that ability. Which takes precedence?

The "deny" takes precedence, but would even if we reversed the order. "Allow" rules are cumulative, so order is unimportant, but "Deny's" short circuit and take effect the moment they are encountered: no more rules are read.

Deleting ACL's is easy:

$ chmod -a# 2 foo
$ chmod -a# 1 foo
$ chmod -a# 0 foo

Because the rules would "move up" as they are deleted, you could accomplish the same thing with:

$ chmod -a# 0 foo
$ chmod -a# 0 foo
$ chmod -a# 0 foo

Inheritance ACL's can be added to directories:

$ chmod +a "admin allow delete,file_inherit,directory_inherit" foo

Any NEW files or directories we create in foo will inherit the ACL "admin allow delete". Directories in foo will also inherit the "inherit" attribute and will pass that on to their files and directories. We may not want that, so we can instead say :

$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit" foo

That applies the "admin allow delete" to files and directories created in "foo", but doesn't keep passing that on down. There's one more inheritance that is useful:

$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit" foo

The "only_inherit" avoids applying the ACL to "foo" itself.

Read the "chown" man page for the list of attributes that can be allowed or denied with ACL's.




If this page was useful to you, please help others find it:  





28 comments




More Articles by - Find me on Google+



Click here to add your comments
- no registration needed!




Tue Apr 1 15:14:05 2008: 3929   Mike


Ah! Thank you; I've been tearing my hair out as to why a collection of NFS mount points were mounting and showing correct disk usage info, but couldn't be seen by the users who were supposed to see it. I wasn't aware of having to enable ACLs on the client root FS, and now I am.

Thanks again.



Fri Apr 18 10:41:21 2008: 4060   pmstar


Hello,

I am having trouble with ACLs...I had issues when I was no longer able to rename or move some of my files (in the Documents Folder)...I did solve this, but now I have another problem. A file of my desktop, for some reason, cannot be copied to an external disk. when a perform a ls -ale o the desktop, the file has the same permissions (and no ACLs) of the other files on the desktop (which I can copy), with the only difference that it lacks a "@" at the end of the permissions string.

"-rw-r--r--@" instead of "-rw-r--r-- "

What does the @ stand for and how do I add it?

Many thanks!








Fri Apr 18 11:01:21 2008: 4061   TonyLawrence

gravatar
The "@" at the end means it has extended attributes. See "man ls"

See "chflags" and "SetFile" (setfile is in Developer tools) also.

But I'm not sure what's stopping you from copying..



Fri Apr 18 11:22:47 2008: 4062   TonyLawrence

gravatar
Actually, after looking at the man pages and playing a bit, I think the "ls" man page is wrong..

I don't know what the "@" means. I have some files that show that, but I don't know why they are different than ones that do not..

ls -@l

(you have to put the l after the @)

shows stuff like this:

drwxrwxrwx 16 apl apl 544 May 17 2007 Adsense
-rw-r--r-- 1 apl apl 8634 Oct 14 2007 Brewster Line.pdf.zip
drwx------+ 39 apl apl 1326 Apr 17 10:58 Desktop
drwx------+ 15 apl apl 510 Apr 7 17:19 Documents
drwx------@ 57 apl apl 1938 Apr 14 13:58 Downloads
com.apple.FinderInfo 32
-rwxr-xr-x@ 1 apl apl 275 Apr 18 07:15 F
com.apple.quarantine 42
-rw-r--r-- 1 apl apl 1067520 Jan 24 10:53 Fprice.xls
drwx------+ 49 apl apl 1666 Mar 21 09:00 Library
drwx------+ 4 apl apl 136 Mar 21 10:19 Movies
drwx------+ 6 apl apl 204 Dec 14 2006 Music
-rwxr-xr-x@ 1 apl apl 275 Jan 2 2007 PageRank
com.apple.quarantine 42

I'm not sure what that means.. has to do with "xattr" but I haven't investigated that..






Fri Apr 18 11:27:23 2008: 4063   TonyLawrence

gravatar
Ahh: see this for xattr.

http://arstechnica.com/reviews/os/macosx-10-4.ars/7

I knew you could do that but didn't realize Apple was actually using it for anything - apparently they are.



Fri Apr 18 11:35:08 2008: 4064   TonyLawrence

gravatar
So..

Obviously com.apple.quarantine is for downloaded files - the thing that makes the message pop up when you first try to execute something downloaded.

I don't yet know what com.apple.FinderInfo means.. arstechnica says

"(Interestingly, type and creator codes are already (redundantly?) stored this way in Tiger. Assigning them to a file results in a new extended attribute key, com.apple.FinderInfo, with a value that is the concatenation of the type and creator codes. This is done transparently whenever a type or creator code is assigned to a file.)"

but I'm still unclear WHY some of my files have this.

But your un-copyable file has NO "@", right? So it's nothing to do with this..



Fri Apr 18 12:46:00 2008: 4065   TonyLawrence

gravatar
Actually, we should start with basics:

Exactly what message do you get when you try to copy?



Tue Jan 27 20:14:08 2009: 5251   SamiGuirguis

gravatar
chmod -N filename

removes all access lists with one shot.



Tue Jan 27 20:19:10 2009: 5252   TonyLawrence

gravatar
If I ever knew that, I had forgotten it - thanks!



Mon Mar 16 18:49:59 2009: 5719   billyverde

gravatar
I get the following error when I try to add an ACL:

"chmod: Unable to translate group:<group_name> to a UID/GID: Invalid argument"

Happens with all groups I've tried - not a matter of a simple typo in the <group_name>. I've verified that they're all valid group names, ACL is enabled, and I have root access. Anybody know what's up with that?



Mon Mar 16 19:11:14 2009: 5720   TonyLawrence

gravatar
You did "sudo fsaclctl -p / -e ", right?

You are doing something like

chmod +a "admin allow delete" foo ??



I can only get that error if I use a non-existent group or user.. $ chmod +a "nosuchgroup allow delete" foo chmod: Unable to translate 'nosuchgroup' to a UID/GID







Mon Mar 16 21:14:44 2009: 5721   billyverde

gravatar
Gah... never mind. Syntax error on my part. I'll go sit in a corner now.



Mon Mar 16 21:18:45 2009: 5722   billyverde

gravatar
PS. Thanks for the help!



Mon Mar 16 21:29:48 2009: 5723   TonyLawrence

gravatar
Just curious - what were you typing?



Thu Sep 3 21:02:21 2009: 6846   Roy

gravatar
in the second sentence you mention that the "chown" man page discusses acl usage - I believe that it is actually in the "chmod" man page...

also looking forward to reading this page carefully, as I've a similar issue to Mike in the first comment, which is that ACLs from my server over NFS mounts are not propagated. Hopefully will learn enough here to remedy.

cheers - Roy



Thu Sep 3 21:05:33 2009: 6847   TonyLawrence

gravatar
Yes, chmod not chown.







Sun Mar 14 14:50:35 2010: 8215   Bryan

gravatar


I have two questions.

I need to be able to take ownership of files and directories on my Mac OS X 10.6. I had copied files from an NTFS A.D. domain ACL controled CIFS\SMB share. Inside OS X I can not take onwership of these CIFS directories, nor add users to it using the GUI/right click/get info/permissions/change them /then apply doe not work. I also tried running

>sudo chown -R Bryan /Users/bryan/Documents/

which gives me a operation not permitted error even in bash$

1. I need to strip all CIFS based ACL's
2. Then remove all NFS ACL's, turn them all off or reset them to everyone read write which is perfable.

Is there a single command to do this locally? Also I need to run this command on an NFS mount point on a NAS qtree directory within a volume top down, doing the same thing, removing all CIFS ACL's from the top most directory down to the last file.

Any help would be appreciated!

Bryan



Sun Mar 14 15:00:53 2010: 8216   TonyLawrence

gravatar


An NFS mount is its own file system - it has its own semantics and you can't change the underlying system semantics there (nor do you necessarily even have the same access).

On the local files, I'm not sure how you got them over here with ACL's - I suspect there is something more basic here. What does "ls -le" show you?









Sun Mar 14 19:47:59 2010: 8217   Bryan

gravatar


This is one dir I just created locally:
drwxr-xr-x    2 bryan  staff      68 Mar 14 10:25 logos-test

Here is the a dir I do not have change access to (even though it shows I do).
drwx------   11 bryan  staff     374 Mar 17  2008 Logos


Last login: Sun Mar 14 10:29:15 on ttys000
Bryans-MacBook-Pro:~ bryan$ cd /Users/bryan/Documents
Bryans-MacBook-Pro:NetApp bryan$ ls -le
total 736
drwx------    7 bryan  staff     238 Jul  7  2008 401k
drwxr-xr-x    4 bryan  staff     136 Mar 14  2009 Benifits
drwx------    4 bryan  staff     136 Mar 17  2008 Beta programs
drwxr-xr-x    4 bryan  staff     136 Feb 23 11:04 Blogs
drwx------    5 bryan  staff     170 Mar 17  2008 ClearSpace
drwx------    8 bryan  staff     272 Apr 16  2008 Clients
drwx------    6 bryan  staff     204 Nov  6 15:37 Connected Backups
drwxr-xr-x    4 bryan  staff     136 Nov 25  2008 Design Guidelines
drwx------    5 bryan  staff     170 Mar 17  2008 Discounts
drwx------  127 bryan  staff    4318 Nov  5 10:43 Documentation
drwx------    3 bryan  staff     102 Mar 17  2008 Education
drwx------   28 bryan  staff     952 Mar  4 13:26 Expense Reports
drwx------   11 bryan  staff     374 Mar 17  2008 GoodLink
drwx------    3 bryan  staff     102 Mar 17  2008 HR - Compensation
drwx------    9 bryan  staff     306 Jun  4  2008 HR - Health Insurance
drwx------    9 bryan  staff     306 Mar 17  2008 HR - Insurance & Investment
drwx------    8 bryan  staff     272 Mar 17  2008 HR - New Hire
drwx------    3 bryan  staff     102 Jun 26  2008 Hardware Universe
drwx------    3 bryan  staff     102 Mar 17  2008 HelpDesk
drwx------    9 bryan  staff     306 Aug  2  2008 IM Lists PS SE
-rw-r--r--@   1 bryan  staff       0 Jun  8  2009 Icon?
drwxr-xr-x    4 bryan  staff     136 Dec 23 10:47 Ideas Patent
drwx------    9 bryan  staff     306 Mar 17  2008 Information
drwx------    4 bryan  staff     136 May 27  2008 Interviews
drwx------   10 bryan  staff     340 Apr 22  2008 Licenses
drwx------   11 bryan  staff     374 Mar 17  2008 Logos
drwx------    7 bryan  staff     238 Mar 17  2008 MAN Pages
drwx------   21 bryan  staff     714 Mar 17  2008 Meetings
drwx------    4 bryan  staff     136 May 30  2008 Microsoft Hotfix
drwx------    7 bryan  staff     238 Mar 17  2008 My Drawings
drwx------    7 bryan  staff     238 Mar 17  2008 My Pictures
drwxr-xr-x    6 bryan  staff     204 Nov 18  2008 NEO Training
drwx------    5 bryan  staff     170 Sep 17  2008 Users Group
drwx------    3 bryan  staff     102 Mar 17  2008 OS & Firmware
drwx------    8 bryan  staff     272 Oct 26 09:43 Orders
drwxr-xr-x@   8 bryan  staff     272 Aug  2  2009 Partner Enablement
drwx------@  25 bryan  staff     850 May 19  2009 Portfolio Areas
drwx------   22 bryan  staff     748 Nov  6 15:38 Practice Areas
drwx------    4 bryan  staff     136 Nov 18  2008 Pricing
drwx------    6 bryan  staff     204 Sep  4  2008 Projects
drwx------    6 bryan  staff     204 Aug  7  2008 Publications
drwx------    6 bryan  staff     204 Jul  9  2008 Quotes - SOW - TnM
drwx------    7 bryan  staff     238 Mar 17  2008 Reports
drwx------    7 bryan  staff     238 Dec 11 09:48 Reviews
drwx------    3 bryan  staff     102 Mar 17  2008 Sales Orders
drwx------   11 bryan  staff     374 Jan 11 15:55 Stock & Grants
drwx------    7 bryan  staff     238 Mar 17  2008 Tech OnTap
drwx------   10 bryan  staff     340 Jul 24  2008 Templates
drwx------    3 bryan  staff     102 Jun  8  2009 Tools & Applications
drwx------   12 bryan  staff     408 Nov 25  2008 Training
drwx------    6 bryan  staff     204 Sep  1  2008 Travel
drwx------    2 bryan  staff      68 Mar 17  2008 Web.Dev
drwx------    3 bryan  staff     102 Mar 17  2008 WebEx
-rw-r--r--@   1 bryan  staff  343429 Apr  2  2009 cell march.pdf
drwx------   42 bryan  staff    1428 Mar 27  2009 kb
drwxr-xr-x    2 bryan  staff      68 Mar 14 10:25 logos-test
drwx------   49 bryan  staff    1666 Jul 20  2008 ~ Notes From Outlook.07.20.08 ~
Bryans-MacBook-Pro: bryan$



Sun Mar 14 19:59:20 2010: 8218   TonyLawrence

gravatar


I really have no idea what you are trying to tell us.

In one place you say you are trying to chown Documents (why, I have no idea) and then it's something about Logos which is in Documents.

Look:

ls -lde Documents
drwx------+ 131 apl apl 4454 Mar 5 21:50 Documents
0: group:everyone deny delete

"apl" is me. I can

sudo chown linda Documents
$ ls -lde Documents
drwx------+ 131 linda apl 4454 Mar 5 21:50 Documents
0: group:everyone deny delete

If you can't do -R, it's because you don't have perms on something IN Documents. Find out what it is and use -e if necessary for acl's.







Wed Jun 9 14:50:02 2010: 8675   LK

gravatar


I'm running into an interesting problem that I have not yet seen an answer to any where on the web despite several hours of searching.

I'm trying to set up ACE for a folder, let's call it "copywriting", to create folders and files by default as read/write for owner, read/write for group, read for everyone. The problem is that the group name has a space in it ("creative services") and I can't find the correct syntax for making that work.

I was using the command line:

chmod +a "creative services allow list,add_file,search,delete,add_subdirectory,delete_child,file_inherit,directory_inherit,read,write,delete,append,execute" /Volumes/Shared/copywriting

to do this but I always get the "unable to translate creative to a uid/gid" error. I've tried a series of different inputs including slashes (\) and quotations (") but I can't find anything that works.

Do you have any advice for me?



Wed Jun 9 16:02:13 2010: 8676   TonyLawrence

gravatar


Spaces in a group name are a bad idea.

Did you try

'creative services'

in single quotes within the double quotes?







Wed Jun 9 20:32:44 2010: 8677   LK

gravatar


I completely agree that spaces in user/group names are a bad idea and I would never set them up that way. This is a problem that I've inherited, however, and short of re-doing the entire groups structure (which would be a massive pain with around 75 different groups), I'm not sure what to do about it.

Yes, I tried both "creative services" and 'creative services' within the original quotes without any luck. Also tried creative\ services with quotes and without both ways. No luck with any of them.



Wed Jun 9 21:37:04 2010: 8678   TonyLawrence

gravatar


I have no more ideas, sorry. If you do solve it, let us know.



Wed Nov 3 17:29:08 2010: 9095   Marcin

gravatar


If you have space in user or group you have to use : (colon) as a delimiter between name and permission. That's it.



Tue May 10 16:34:32 2011: 9490   chris

gravatar


what might be the cause of this error?

chmod: The specified file 'Forms' does not have an ACL in canonical order, please specify a position with +a#

thanks!



Tue May 10 16:43:45 2011: 9491   TonyLawrence

gravatar


It means the ACL's aren't ordered as they should be. You can still get it in there:

From "man chmod"

The +ai# mode may be used to insert inherited entries at a specific location. Note that these modes allow non-canonical ACL ordering to be constructed.






Thu Aug 11 06:11:17 2011: 9688   AndyCanfield

gravatar


I would emphasize two points:

1) The entire access list entry has to be in quotes; e.g. 'chmod +a "fred allow delete" FileX'. If you leave out the quotes you get weird error messages.

2) The syntax "user:fred" is accepted; e.g. 'chmod +a "user:fred allow delete" FileX". I don't know if "group:staff" is accepted, but probably is.




Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments


If you want a picture to show with your comment, go get a Gravatar

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here

Jump to Comments



Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

I am a Kerio reseller. Articles here related to Kerio products reflect my honest opinion, but I do have an obvious interest in selling those products also.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.

pavatar.jpg

This post tagged:

       - MacOSX
       - Popular
       - Security



















My Troubleshooting E-Book will show you how to solve tough problems on Linux and Unix systems!


book graphic unix and linux troubleshooting guide



Buy Kerio from a dealer
who knows tech:
I sell and support

Kerio Connect Mail server, Control, Workspace and Operator licenses and subscription renewals



Click and enter your name and phone number to call me about Kerio® products right now (Flash required)