Getting your feet wet with ACL’s

December 3rd, 2012 by Erin Scott

As an old school Unix geek I have to admit that I've been dragging my feet in my efforts to learn and really grasp the idea of Access Control Lists (ACLs) until embarrassingly recently. As you may know, *nix OSes of the past have had only basic levels of access control over files on a system, and for a surprisingly long time these simple controls were enough to get by. You were given three permission scopes per file, representing the ability to assign specific permissions for the file's owner, a single group, and everyone else. This was enough for smallish deployments and implementations, but once you have thousands of users, setting specific permissions per user gets needlessly complicated.

Enter ACLs, which grant extremely granular control over every operation you can perform on a file. Need a folder to propagate a single user's permissions to all files but not folders? No problem. Need to give read-only access and disallow deletes for a set of folders? No problem there either. It's this fine-grained control that makes using ACLs important, even mandatory, in some specific cases.

Just a few days ago I encountered a program that was behaving strangely. It was crunching a large number of files and creating the correct output files, but for some strange reason it was deleting them immediately after creating them. I noticed this as I Ctrl-C'd the program and saw my file, only for it to be deleted once the process resumed. If only there was a way for the OS to disallow the offending program from removing its output files…

This is where ACLs come in and why they are so powerful. I was able to tell the OS to block a program from deleting anything in its output folder. Here's the command I used to check the ACLs and set them on my Mac:

>ls -le

As you can see, there are no ACLs set. To make the folder effectively append-only (deny deletes), I typed the following.

>chmod +a 'alt229 deny delete' 'output folder'

You see, the ACL has been set. I'll try and delete something now.

What gives? Unlike Linux systems, ACL inheritance isn't enabled by default when the entry is set from the command line. We'll need to tweak our original command to enable that.

Clear old permissions first:

>chmod -R -N *
>chmod +a 'alt229 deny delete,file_inherit,directory_inherit' 'output folder'

Now permissions will inherit, but only to newly created folders. You'll see that the extra permissions have only been set on the newly created folder named 'subfolder3'.

Rerun the command recursively, like this, to apply it to the existing folders and files as well:

>chmod -R +a 'alt229 deny delete,file_inherit,directory_inherit' 'output folder'

Now you won't be able to delete any file that's contained within the main folder and its subfolders.
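The whole procedure above as a script, added here as my own example rather than code from the original post: it composes the same entry for a user, applies it recursively, and audits `ls -le` output for a deny-delete entry that actually carries both inheritance flags, the detail the first attempt missed. The user name alt229 and the chmod/ls flags come from the post; the function names and the sample listing lines are my own constructions, and the demo part runs only on macOS.

```shell
#!/bin/bash
# Added example, not code from the original post. Helper names are mine;
# "alt229" and the macOS chmod/ls flags are the ones used in the post.
set -u

# Compose the ACL entry the post ends up with for a given user.
deny_delete_ace() {   # $1 = user name
    printf '%s deny delete,file_inherit,directory_inherit' "$1"
}

# macOS only: apply the entry recursively so existing and future items are covered.
apply_deny_delete() {   # $1 = directory, $2 = user name
    chmod -R +a "$(deny_delete_ace "$2")" "$1"
}

# Audit helper (portable text parsing): succeed only if the `ls -le` output on
# stdin contains a deny-delete entry for the user that also carries both
# inheritance flags, i.e. the configuration the post found necessary.
has_inherited_deny_delete() {   # $1 = user name
    awk -v u="user:$1" '
        $2 == u && ($3 == "deny" || ($3 == "inherited" && $4 == "deny")) {
            perms = ($3 == "deny") ? $4 : $5
            if (perms ~ /(^|,)delete(,|$)/ && perms ~ /file_inherit/ &&
                perms ~ /directory_inherit/) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed samples of `ls -le` entries (not captured from a real machine):
# the first is the post's working entry, the second its non-inheriting first try.
SAMPLE_WITH_INHERIT=' 0: user:alt229 deny delete,file_inherit,directory_inherit'
SAMPLE_NO_INHERIT=' 0: user:alt229 deny delete'

# macOS demo: protect a scratch tree, show rm being refused, then clean up with
# the same `chmod -R -N` the post uses to clear entries.
demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/acl-demo.XXXXXX")
    mkdir "$dir/subfolder3" && : > "$dir/subfolder3/result.txt"
    apply_deny_delete "$dir" "$(id -un)"
    ls -led "$dir" | has_inherited_deny_delete "$(id -un)" && echo "audit: ok"
    rm "$dir/subfolder3/result.txt" 2>/dev/null || echo "rm refused, as intended"
    chmod -R -N "$dir" && rm -rf "$dir"
}
if [ "${1:-}" = "--demo" ] && [ "$(uname)" = Darwin ]; then demo; fi
```

Run it as `bash script.sh --demo` on a Mac to watch the deny take effect; on any other system only the composing and audit helpers are usable.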

There are many other special permissions available to tweak your system and help pull you out of strange binds that you may find yourself in. Here's a list of the ACL permissions available in OS X that you can use to customize your environment. This is straight from the chmod man page.

The following permissions are applicable to all filesystem objects:

delete
    Delete the item. Deletion may be granted by either this permission on an object or the delete_child right on the containing directory.

readattr
    Read an object's basic attributes. This is implicitly granted if the object can be looked up and not explicitly denied.

writeattr
    Write an object's basic attributes.

readextattr
    Read extended attributes.

writeextattr
    Write extended attributes.

readsecurity
    Read an object's extended security information (ACL).

writesecurity
    Write an object's security information (ownership, mode, ACL).

chown
    Change an object's ownership.

The following permissions are applicable to directories:

list
    List entries.

search
    Look up files by name.

add_file
    Add a file.

add_subdirectory
    Add a subdirectory.

delete_child
    Delete a contained object. See the file delete permission above.

The following permissions are applicable to non-directory filesystem objects:

read
    Open for reading.

write
    Open for writing.

append
    Open for writing, but in a fashion that only allows writes into areas of the file not previously written.

execute
    Execute the file as a script or program.

ACL inheritance is controlled with the following permission words, which may only be applied to directories:

file_inherit
    Inherit to files.

directory_inherit
    Inherit to directories.

limit_inherit
    This flag is only relevant to entries inherited by subdirectories; it causes the directory_inherit flag to be cleared in the entry that is inherited, preventing further nested subdirectories from also inheriting the entry.

only_inherit
    The entry is inherited by created items but not considered when processing the ACL.
