As an old school unix geek I have to admit that I’ve been dragging my feet in my efforts to learn and really grasp the idea of Access Control Lists (ACLs) until embarrassingly recently. As you may know, *nix OSes of the past have had only basic levels of access control over files on a system, and for a surprisingly long time these simple controls were enough to get by. You were given 3 permission scopes per file, representing the ability to assign specific permissions for the file’s owner, a single group, and everyone else. This was enough for smallish deployments and implementations, but when you start having thousands of users, setting specific permissions per user gets needlessly complicated.
Enter ACLs, which grant extremely granular control over every operation you can do on a file. Need a folder to propagate a single user’s permissions to all files but not folders? No problem. Need to give read-only access and disallow deletes for a set of folders? No problem there as well. It’s this fine-grained control that makes using ACLs important, even mandatory, in some specific cases.
Just a few days ago I encountered a program that was behaving strangely. It was crunching a large number of files and creating the correct output files, but for some strange reason it was deleting them immediately after creating them. I noticed this as I Ctrl-C’d the program and saw my file, only for it to be deleted once the process resumed. If only there was a way for the OS to disallow the offending program from removing its output files…
This is where ACLs come in and why they are so powerful. I was able to tell the OS to block a program from deleting anything in its output folder. Here’s the command I used to check the ACLs and set them on my mac:
>chmod +a 'alt229 deny delete' 'output folder'
You see, the ACL has been set. I’ll try and delete something now.
Clear old permissions first:
>chmod -R -N *
>chmod +a 'alt229 deny delete,file_inherit,directory_inherit' 'output folder'
Rerun the command like this to apply it to existing folders.
>chmod -R +a 'alt229 deny delete,file_inherit,directory_inherit' 'output folder'
Now, you won’t be able to delete any file that’s contained within the main folder and its subfolders.
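To reproduce the deny-delete setup above end to end, here is an added shell script (not from the original post) that applies the same ACE to a scratch directory, checks that a freshly created file inside it cannot be removed, and then lifts the ACL again. It substitutes the current user for the post’s alt229 and only exercises the ACL on macOS, since chmod +a, chmod -N and ls -le are macOS extensions.

```shell
# Added example (not from the original post): apply the post's deny-delete
# ACE to a scratch tree, show that a new file inside it cannot be removed,
# then clear the ACL so the tree can be cleaned up. macOS only: chmod +a,
# chmod -N and ls -le do not exist on other platforms. The current user
# stands in for the post's 'alt229'.

# Build the ACE string the post uses, for the given user name.
deny_delete_ace() {
    printf '%s deny delete,file_inherit,directory_inherit' "$1"
}

# Returns 0 if the ACL blocked the delete, 1 if the file was removed anyway,
# 2 if this is not macOS and there is no ACL support to exercise.
demo_deny_delete() {
    [ "$(uname -s)" = Darwin ] || return 2
    user=$(id -un)
    root=$(mktemp -d "${TMPDIR:-/tmp}/acl_demo.XXXXXX") || return 1
    mkdir "$root/sub"
    chmod -R -N "$root"                          # clear any old ACEs first
    chmod -R +a "$(deny_delete_ace "$user")" "$root"
    : > "$root/sub/out.txt"                      # new file inherits the ACE
    ls -le "$root/sub/out.txt"                   # inherited entry shows up here
    if rm "$root/sub/out.txt" 2>/dev/null; then
        status=1                                 # ACL did not hold
    else
        status=0                                 # delete denied, as intended
    fi
    chmod -R -N "$root"                          # remove ACEs so cleanup works
    rm -rf "$root"
    return $status
}

demo_deny_delete; echo "result: $?"
```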
There are many other special permissions available to tweak your system and help pull you out of strange binds that you may find yourself in. Here’s a list of some of the other ACL permissions available in OSX that you can use to customize your environment. This is straight from the man page.
The following permissions are applicable to all filesystem objects:
delete Delete the item. Deletion may be granted by either this permission on an object or the delete_child right on the containing directory.
readattr Read an object’s basic attributes. This is implicitly granted if the object can be looked up and not explicitly denied.
writeattr Write an object’s basic attributes.
readextattr Read extended attributes.
writeextattr Write extended attributes.
readsecurity Read an object’s extended security information (ACL).
writesecurity Write an object’s security information (ownership, mode, ACL).
chown Change an object’s ownership.
The following permissions are applicable to directories:
search Look up files by name.
add_file Add a file.
add_subdirectory Add a subdirectory.
delete_child Delete a contained object. See the file delete permission above.
The following permissions are applicable to non-directory filesystem objects:
read Open for reading.
write Open for writing.
append Open for writing, but in a fashion that only allows writes into areas of the file not previously written.
execute Execute the file as a script or program.
ACL inheritance is controlled with the following permission words, which may only be applied to directories:
file_inherit Inherit to files.
directory_inherit Inherit to directories.
limit_inherit This flag is only relevant to entries inherited by subdirectories; it causes the directory_inherit flag to be cleared in the entry that is inherited, preventing further nested subdirectories from also inheriting the entry.
only_inherit The entry is inherited by created items but not considered when processing the ACL.