OS X ACL usage

Starting with 10.4, Mac OS X has ACL's. The "chown" man page tells you about their usage, but it leaves a little bit out and isn't all that helpful.

If you landed here searching for a basic introduction to OS X permissions, I recommend Brian Tanaka's Take Control of Permissions in Mac OS X, a $10 PDF E-book that will teach you the basics. The article you are reading here is a bit more advanced.

You need to turn on ACL's before you can use them. To enable the root filesystem, I'd do:

sudo fsaclctl -p / -e

The "-e" enables ACL use, "-d" disables. No reboot required, the change is instantaneous (the man page says you do need to reboot or remount).

Note: this command disappeared after 10.5. I assume it is no longer needed; ACL's seem to be enabled by default.

ACL's are listed by adding "-e" to a long "ls" listing:

ls -le

You'll notice nothing different about the output unless you had ACL's enabled previously. However, there is a little oddity there: if a file EVER had an ACL list, and the ACL's were later deleted (see below), a "+" sign will appear in the "ls -le" listing:

$ ls -le
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo

Turning off with fsaclctl does not delete ACL's; it just makes them temporarily invisible and ineffective:

$ sudo fsaclctl -p / -d
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- 1 apl apl 900 Feb 28 07:34 s
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
$ sudo fsaclctl -p / -e
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
  0: group:admin allow write
  1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat

In the above listing, "s" has two ACL's, and "foo" has none (but "foo" had one or more ACL's sometime in the past).

You apply ACL's using extended chmod commands:

$ chmod +a "tony allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: user:tony allow delete

The format is always user or group, allow or deny, attribute. By default, rules stack as you apply them:

$ chmod +a "admin allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: group:admin allow delete
  1: user:tony allow delete

Notice that the new rule became rule #0? You can control the positioning:

$ chmod +a# 1 "admin deny delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: group:admin allow delete
  1: group:admin deny delete
  2: user:tony allow delete

That pushed our new rule in between 0 and 1, and also shows why we'd need or want to do that: which rule matters now? We say in 0 that an admin can delete the file, and in 1 that we deny that ability. Which takes precedence?

The "deny" takes precedence, but would even if we reversed the order. "Allow" rules are cumulative, so order is unimportant, but "Deny's" short circuit and take effect the moment they are encountered: no more rules are read.
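As an added illustration (not part of the original article), here is a small POSIX shell script that parses "ls -le" style output like the listings above and evaluates a request under the precedence model just described: any matching deny entry short-circuits to "deny", allow entries accumulate. It also flags files that carry the "+" marker with no entries behind it, the "once had an ACL" oddity mentioned earlier. The listing inside the script is constructed from the article's own examples; "bar" is an extra constructed entry added to exercise the stale "+" check.

```shell
#!/bin/sh
# Added example (not from the original article). Two small checks over
# "ls -le" style output plus an evaluator for the precedence rule the
# article describes: any matching deny entry short-circuits to "deny",
# allow entries accumulate. The listing is constructed from the article's
# examples; "bar" is an extra constructed entry carrying the stale "+".

SAMPLE_LISTING='drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
 0: group:admin allow delete
 1: group:admin deny delete
 2: user:tony allow delete
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
 0: group:admin allow write
 1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 bar'

# parse_acl_listing <listing>
# One output line per ACL entry: file|principal|inherited|allow-or-deny|rights
# A line starting with a mode string begins a new file; " N: ..." lines belong to it.
parse_acl_listing() {
    printf '%s\n' "$1" | awk '
        /^[-dlbcps][-rwx]/ { file = $NF; next }
        /^[ \t]*[0-9]+:/ {
            inherited = "no"; idx = 3
            if ($3 == "inherited") { inherited = "yes"; idx = 4 }
            print file "|" $2 "|" inherited "|" $idx "|" $(idx + 1)
        }'
}

# stale_acl_markers <listing>
# Files flagged "+" with no entries following: the "once had an ACL" oddity.
# The article shows the "+" as a separate column; real ls attaches it to the
# mode string ("drwxr-xr-x+"), so both forms are recognised.
stale_acl_markers() {
    printf '%s\n' "$1" | awk '
        function flush() { if (plus && count == 0) print file }
        /^[-dlbcps][-rwx]/ {
            flush(); file = $NF; count = 0
            plus = ($2 == "+" || $1 ~ /\+$/)
            next
        }
        /^[ \t]*[0-9]+:/ { count++ }
        END { flush() }'
}

# evaluate_acl <listing> <file> <principal> <right>
# Prints deny, allow or no-entry. Principals match literally ("group:admin",
# "user:tony"); POSIX mode bits are outside this model.
evaluate_acl() {
    listing=$1; target=$2; principal=$3; right=$4
    result=no-entry
    while IFS='|' read -r _f _p _inh kind rights; do
        case ",$rights," in
            *",$right,"*)
                if [ "$kind" = deny ]; then result=deny; break; fi
                result=allow ;;
        esac
    done <<EOF
$(parse_acl_listing "$listing" | awk -F'|' -v f="$target" -v p="$principal" '$1 == f && $2 == p')
EOF
    printf '%s\n' "$result"
}

# Stand-alone demo: mirrors the article's question about rules 0 and 1 on foo.
printf 'group:admin delete on foo -> %s\n' "$(evaluate_acl "$SAMPLE_LISTING" foo group:admin delete)"
printf 'user:tony delete on foo   -> %s\n' "$(evaluate_acl "$SAMPLE_LISTING" foo user:tony delete)"
printf 'stale + markers: %s\n' "$(stale_acl_markers "$SAMPLE_LISTING")"
```

Feed it real output with evaluate_acl "$(ls -le somedir)" ... and it answers the same question the article asks for rules 0 and 1 on "foo": the admin group is denied delete even though an allow entry sits ahead of the deny.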

Deleting ACL's is easy:

$ chmod -a# 2 foo
$ chmod -a# 1 foo
$ chmod -a# 0 foo

Because the rules would "move up" as they are deleted, you could accomplish the same thing with:

$ chmod -a# 0 foo
$ chmod -a# 0 foo
$ chmod -a# 0 foo

Inheritance ACL's can be added to directories:

$ chmod +a "admin allow delete,file_inherit,directory_inherit" foo

Any NEW files or directories we create in foo will inherit the ACL "admin allow delete". Directories in foo will also inherit the "inherit" attribute and will pass that on to their files and directories. We may not want that, so we can instead say:

$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit" foo

That applies the "admin allow delete" to files and directories created in "foo", but doesn't keep passing that on down. There's one more inheritance that is useful:

$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit" foo

The "only_inherit" avoids applying the ACL to "foo" itself.
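To make the four inheritance flags concrete, here is an added POSIX shell model (not from the article, and not how the kernel does it) that takes an entry in the "chmod +a" syntax used above and works out what a NEW file or directory created underneath would carry, and whether the entry governs the directory itself. The rules are the ones the article spells out: file_inherit reaches new files, directory_inherit reaches new directories, an unlimited entry keeps its inherit flags on child directories so it keeps propagating, limit_inherit drops them after one level, and only_inherit leaves the parent itself ungoverned.

```shell
#!/bin/sh
# Added example (not from the article): a pure-shell model of the inheritance
# flags the article describes. It computes which entry a NEW child of a
# directory would receive and whether the entry binds the directory itself.
# On a real system the filesystem does this; the rules are written out here
# so they can be read and checked without touching any files.

# has_flag <comma-list> <flag> : succeed if <flag> appears in the list
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# strip_flags <comma-list> : drop the four inheritance flags, keep the rights
strip_flags() {
    printf '%s' "$1" | tr ',' '\n' \
        | grep -v -x -e file_inherit -e directory_inherit -e limit_inherit -e only_inherit \
        | paste -s -d ',' -
}

# inherited_ace <parent-ace> <file|dir>
# Prints the entry a new child receives, or "none". The parent entry is in
# chmod +a syntax, e.g. "admin allow delete,file_inherit,directory_inherit".
inherited_ace() {
    ace=$1; child=$2
    set -- $ace                     # split into: who  allow|deny  rights,flags
    who=$1; kind=$2; spec=$3
    rights=$(strip_flags "$spec")
    case $child in
        file)
            has_flag "$spec" file_inherit || { echo none; return; }
            echo "$who inherited $kind $rights" ;;
        dir)
            has_flag "$spec" directory_inherit || { echo none; return; }
            if has_flag "$spec" limit_inherit; then
                # one level only: the child directory gets the rights, no flags
                echo "$who inherited $kind $rights"
            else
                # keeps propagating: the child directory carries the flags too
                keep=""
                has_flag "$spec" file_inherit && keep="$keep,file_inherit"
                keep="$keep,directory_inherit"
                echo "$who inherited $kind $rights$keep"
            fi ;;
        *)  echo none ;;
    esac
}

# applies_to_self <parent-ace>
# "yes" unless only_inherit makes the entry inheritance-only, in which case
# the directory carrying it is not itself governed by it.
applies_to_self() {
    set -- $1
    if has_flag "$3" only_inherit; then echo no; else echo yes; fi
}

# Stand-alone demo using the article's three variants on "foo".
for ace in \
    'admin allow delete,file_inherit,directory_inherit' \
    'admin allow delete,file_inherit,directory_inherit,limit_inherit' \
    'admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit'
do
    printf '%s\n  new file: %s\n  new dir:  %s\n  binds foo itself: %s\n' "$ace" \
        "$(inherited_ace "$ace" file)" "$(inherited_ace "$ace" dir)" "$(applies_to_self "$ace")"
done
```

The output for the three variants shows the difference the article is getting at: without limit_inherit a subdirectory of "foo" comes out carrying "file_inherit,directory_inherit" itself, with it the subdirectory gets only "admin inherited allow delete", and with only_inherit added the entry still flows down but no longer applies to "foo".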

Read the "chown" man page for the list of attributes that can be allowed or denied with ACL's.

Got something to add? Send me email.



© Anthony Lawrence

Tue Apr 1 15:14:05 2008: 3929   Mike

Ah! Thank you; I've been tearing my hair out as to why a collection of NFS mount points were mounting and showing correct disk usage info, but couldn't be seen by the users who were supposed to see it. I wasn't aware of having to enable ACLs on the client root FS, and now I am.

Thanks again.

Fri Apr 18 10:41:21 2008: 4060   pmstar


I am having trouble with ACLs... I had issues when I was no longer able to rename or move some of my files (in the Documents folder)... I did solve this, but now I have another problem. A file on my desktop, for some reason, cannot be copied to an external disk. When I perform a ls -ale on the desktop, the file has the same permissions (and no ACLs) as the other files on the desktop (which I can copy), with the only difference that it lacks a "@" at the end of the permissions string.

"-rw-r--r--@" instead of "-rw-r--r-- "

What does the @ stand for and how do I add it?

Many thanks!

Fri Apr 18 11:01:21 2008: 4061   TonyLawrence

The "@" at the end means it has extended attributes. See "man ls"

See "chflags" and "SetFile" (setfile is in Developer tools) also.

But I'm not sure what's stopping you from copying..

Fri Apr 18 11:22:47 2008: 4062   TonyLawrence

Actually, after looking at the man pages and playing a bit, I think the "ls" man page is wrong..

I don't know what the "@" means. I have some files that show that, but I don't know why they are different than ones that do not..

ls -@l

(you have to put the l after the @)

shows stuff like this:

drwxrwxrwx 16 apl apl 544 May 17 2007 Adsense
-rw-r--r-- 1 apl apl 8634 Oct 14 2007 Brewster Line.pdf.zip
drwx------+ 39 apl apl 1326 Apr 17 10:58 Desktop
drwx------+ 15 apl apl 510 Apr 7 17:19 Documents
drwx------@ 57 apl apl 1938 Apr 14 13:58 Downloads
com.apple.FinderInfo 32
-rwxr-xr-x@ 1 apl apl 275 Apr 18 07:15 F
com.apple.quarantine 42
-rw-r--r-- 1 apl apl 1067520 Jan 24 10:53 Fprice.xls
drwx------+ 49 apl apl 1666 Mar 21 09:00 Library
drwx------+ 4 apl apl 136 Mar 21 10:19 Movies
drwx------+ 6 apl apl 204 Dec 14 2006 Music
-rwxr-xr-x@ 1 apl apl 275 Jan 2 2007 PageRank
com.apple.quarantine 42

I'm not sure what that means.. has to do with "xattr" but I haven't investigated that..

Fri Apr 18 11:27:23 2008: 4063   TonyLawrence

Ahh: see this for xattr.


I knew you could do that but didn't realize Apple was actually using it for anything - apparently they are.

Fri Apr 18 11:35:08 2008: 4064   TonyLawrence


Obviously com.apple.quarantine is for downloaded files - the thing that makes the message pop up when you first try to execute something downloaded.

I don't yet know what com.apple.FinderInfo means.. arstechnica says

"(Interestingly, type and creator codes are already (redundantly?) stored this way in Tiger. Assigning them to a file results in a new extended attribute key, com.apple.FinderInfo, with a value that is the concatenation of the type and creator codes. This is done transparently whenever a type or creator code is assigned to a file.)"

but I'm still unclear WHY some of my files have this.

But your un-copyable file has NO "@", right? So it's nothing to do with this..

Fri Apr 18 12:46:00 2008: 4065   TonyLawrence

Actually, we should start with basics:

Exactly what message do you get when you try to copy?

Tue Jan 27 20:14:08 2009: 5251   SamiGuirguis

chmod -N filename

removes all access lists with one shot.

Tue Jan 27 20:19:10 2009: 5252   TonyLawrence

If I ever knew that, I had forgotten it - thanks!

Mon Mar 16 18:49:59 2009: 5719   billyverde

I get the following error when I try to add an ACL:

"chmod: Unable to translate group:<group_name> to a UID/GID: Invalid argument"

Happens with all groups I've tried - not a matter of a simple typo in the <group_name>. I've verified that they're all valid group names, ACL is enabled, and I have root access. Anybody know what's up with that?

Mon Mar 16 19:11:14 2009: 5720   TonyLawrence

You did "sudo fsaclctl -p / -e ", right?

You are doing something like

chmod +a "admin allow delete" foo ??

I can only get that error if I use a non-existent group or user..

$ chmod +a "nosuchgroup allow delete" foo
chmod: Unable to translate 'nosuchgroup' to a UID/GID

Mon Mar 16 21:14:44 2009: 5721   billyverde

Gah... never mind. Syntax error on my part. I'll go sit in a corner now.

Mon Mar 16 21:18:45 2009: 5722   billyverde

PS. Thanks for the help!

Mon Mar 16 21:29:48 2009: 5723   TonyLawrence

Just curious - what were you typing?

Thu Sep 3 21:02:21 2009: 6846   Roy

in the second sentence you mention that the "chown" man page discusses acl usage - I believe that it is actually in the "chmod" man page...

also looking forward to reading this page carefully, as I've a similar issue to Mike in the first comment, which is that ACLs from my server over NFS mounts are not propagated. Hopefully will learn enough here to remedy.

cheers - Roy

Thu Sep 3 21:05:33 2009: 6847   TonyLawrence

Yes, chmod not chown.

Sun Mar 14 14:50:35 2010: 8215   Bryan


I have two questions.

I need to be able to take ownership of files and directories on my Mac OS X 10.6. I had copied files from an NTFS A.D. domain ACL controlled CIFS\SMB share. Inside OS X I cannot take ownership of these CIFS directories, nor add users to it using the GUI/right click/get info/permissions/change them/then apply does not work. I also tried running

>sudo chown -R Bryan /Users/bryan/Documents/

which gives me an operation not permitted error even in bash$

1. I need to strip all CIFS based ACL's
2. Then remove all NFS ACL's, turn them all off or reset them to everyone read write which is preferable.

Is there a single command to do this locally? Also I need to run this command on an NFS mount point on a NAS qtree directory within a volume top down, doing the same thing, removing all CIFS ACL's from the top most directory down to the last file.

Any help would be appreciated!


Sun Mar 14 15:00:53 2010: 8216   TonyLawrence


An NFS mount is its own file system - it has its own semantics and you can't change the underlying system semantics there (nor do you necessarily even have the same access).

On the local files, I'm not sure how you got them over here with ACL's - I suspect there is something more basic here. What does "ls -le" show you?

Sun Mar 14 19:47:59 2010: 8217   Bryan


This is one dir I just created locally:
drwxr-xr-x 2 bryan staff 68 Mar 14 10:25 logos-test

Here is a dir I do not have change access to (even though it shows I do).
drwx------ 11 bryan staff 374 Mar 17 2008 Logos

Last login: Sun Mar 14 10:29:15 on ttys000
Bryans-MacBook-Pro:~ bryan$ cd /Users/bryan/Documents
Bryans-MacBook-Pro:NetApp bryan$ ls -le
total 736
drwx------ 7 bryan staff 238 Jul 7 2008 401k
drwxr-xr-x 4 bryan staff 136 Mar 14 2009 Benifits
drwx------ 4 bryan staff 136 Mar 17 2008 Beta programs
drwxr-xr-x 4 bryan staff 136 Feb 23 11:04 Blogs
drwx------ 5 bryan staff 170 Mar 17 2008 ClearSpace
drwx------ 8 bryan staff 272 Apr 16 2008 Clients
drwx------ 6 bryan staff 204 Nov 6 15:37 Connected Backups
drwxr-xr-x 4 bryan staff 136 Nov 25 2008 Design Guidelines
drwx------ 5 bryan staff 170 Mar 17 2008 Discounts
drwx------ 127 bryan staff 4318 Nov 5 10:43 Documentation
drwx------ 3 bryan staff 102 Mar 17 2008 Education
drwx------ 28 bryan staff 952 Mar 4 13:26 Expense Reports
drwx------ 11 bryan staff 374 Mar 17 2008 GoodLink
drwx------ 3 bryan staff 102 Mar 17 2008 HR - Compensation
drwx------ 9 bryan staff 306 Jun 4 2008 HR - Health Insurance
drwx------ 9 bryan staff 306 Mar 17 2008 HR - Insurance & Investment
drwx------ 8 bryan staff 272 Mar 17 2008 HR - New Hire
drwx------ 3 bryan staff 102 Jun 26 2008 Hardware Universe
drwx------ 3 bryan staff 102 Mar 17 2008 HelpDesk
drwx------ 9 bryan staff 306 Aug 2 2008 IM Lists PS SE
-rw-r--r--@ 1 bryan staff 0 Jun 8 2009 Icon?
drwxr-xr-x 4 bryan staff 136 Dec 23 10:47 Ideas Patent
drwx------ 9 bryan staff 306 Mar 17 2008 Information
drwx------ 4 bryan staff 136 May 27 2008 Interviews
drwx------ 10 bryan staff 340 Apr 22 2008 Licenses
drwx------ 11 bryan staff 374 Mar 17 2008 Logos
drwx------ 7 bryan staff 238 Mar 17 2008 MAN Pages
drwx------ 21 bryan staff 714 Mar 17 2008 Meetings
drwx------ 4 bryan staff 136 May 30 2008 Microsoft Hotfix
drwx------ 7 bryan staff 238 Mar 17 2008 My Drawings
drwx------ 7 bryan staff 238 Mar 17 2008 My Pictures
drwxr-xr-x 6 bryan staff 204 Nov 18 2008 NEO Training
drwx------ 5 bryan staff 170 Sep 17 2008 Users Group
drwx------ 3 bryan staff 102 Mar 17 2008 OS & Firmware
drwx------ 8 bryan staff 272 Oct 26 09:43 Orders
drwxr-xr-x@ 8 bryan staff 272 Aug 2 2009 Partner Enablement
drwx------@ 25 bryan staff 850 May 19 2009 Portfolio Areas
drwx------ 22 bryan staff 748 Nov 6 15:38 Practice Areas
drwx------ 4 bryan staff 136 Nov 18 2008 Pricing
drwx------ 6 bryan staff 204 Sep 4 2008 Projects
drwx------ 6 bryan staff 204 Aug 7 2008 Publications
drwx------ 6 bryan staff 204 Jul 9 2008 Quotes - SOW - TnM
drwx------ 7 bryan staff 238 Mar 17 2008 Reports
drwx------ 7 bryan staff 238 Dec 11 09:48 Reviews
drwx------ 3 bryan staff 102 Mar 17 2008 Sales Orders
drwx------ 11 bryan staff 374 Jan 11 15:55 Stock & Grants
drwx------ 7 bryan staff 238 Mar 17 2008 Tech OnTap
drwx------ 10 bryan staff 340 Jul 24 2008 Templates
drwx------ 3 bryan staff 102 Jun 8 2009 Tools & Applications
drwx------ 12 bryan staff 408 Nov 25 2008 Training
drwx------ 6 bryan staff 204 Sep 1 2008 Travel
drwx------ 2 bryan staff 68 Mar 17 2008 Web.Dev
drwx------ 3 bryan staff 102 Mar 17 2008 WebEx
-rw-r--r--@ 1 bryan staff 343429 Apr 2 2009 cell march.pdf
drwx------ 42 bryan staff 1428 Mar 27 2009 kb
drwxr-xr-x 2 bryan staff 68 Mar 14 10:25 logos-test
drwx------ 49 bryan staff 1666 Jul 20 2008 ~ Notes From Outlook.07.20.08 ~
Bryans-MacBook-Pro: bryan$

Sun Mar 14 19:59:20 2010: 8218   TonyLawrence


I really have no idea what you are trying to tell us.

In one place you say you are trying to chown Documents (why, I have no idea) and then it's something about Logos which is in Documents.


ls -lde Documents
drwx------+ 131 apl apl 4454 Mar 5 21:50 Documents
0: group:everyone deny delete

"apl" is me. I can

sudo chown linda Documents
$ ls -lde Documents
drwx------+ 131 linda apl 4454 Mar 5 21:50 Documents
0: group:everyone deny delete

If you can't do -R, it's because you don't have perms on something IN Documents. Find out what it is and use -e if necessary for acl's.

Wed Jun 9 14:50:02 2010: 8675   LK


I'm running into an interesting problem that I have not yet seen an answer to any where on the web despite several hours of searching.

I'm trying to set up ACE for a folder, let's call it "copywriting", to create folders and files by default as read/write for owner, read/write for group, read for everyone. The problem is that the group name has a space in it ("creative services") and I can't find the correct syntax for making that work.

I was using the command line:

chmod +a "creative services allow list,add_file,search,delete,add_subdirectory,delete_child,file_inherit,directory_inherit,read,write,delete,append,execute" /Volumes/Shared/copywriting

to do this but I always get the "unable to translate creative to a uid/gid" error. I've tried a series of different inputs including slashes (\) and quotations (") but I can't find anything that works.

Do you have any advice for me?

Wed Jun 9 16:02:13 2010: 8676   TonyLawrence


Spaces in a group name are a bad idea.

Did you try

'creative services'

in single quotes within the double quotes?

Wed Jun 9 20:32:44 2010: 8677   LK


I completely agree that spaces in user/group names are a bad idea and I would never set them up that way. This is a problem that I've inherited, however, and short of re-doing the entire groups structure (which would be a massive pain with around 75 different groups), I'm not sure what to do about it.

Yes, I tried both "creative services" and 'creative services' within the original quotes without any luck. Also tried creative\ services with quotes and without both ways. No luck with any of them.

Wed Jun 9 21:37:04 2010: 8678   TonyLawrence


I have no more ideas, sorry. If you do solve it, let us know.

Wed Nov 3 17:29:08 2010: 9095   Marcin


If you have space in user or group you have to use : (colon) as a delimiter between name and permission. That's it.

Tue May 10 16:34:32 2011: 9490   chris


what might be the cause of this error?

chmod: The specified file 'Forms' does not have an ACL in canonical order, please specify a position with +a#


Tue May 10 16:43:45 2011: 9491   TonyLawrence


It means the ACL's aren't ordered as they should be. You can still get it in there:

From "man chmod"

The +ai# mode may be used to insert inherited entries at a specific location. Note that these modes allow non-canonical ACL ordering to be constructed.

Thu Aug 11 06:11:17 2011: 9688   AndyCanfield


I would emphasize two points:

1) The entire access list entry has to be in quotes; e.g. 'chmod +a "fred allow delete" FileX'. If you leave out the quotes you get weird error messages.

2) The syntax "user:fred" is accepted; e.g. 'chmod +a "user:fred allow delete" FileX'. I don't know if "group:staff" is accepted, but probably is.
