TweetFollow Us on Twitter

Access Control Lists

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Programming

Patch Panel

by John C. Welch

Access Control Lists

A look at one of the features in Tiger that's going to change how Mac Networks are run

Welcome

With all the hype that Tiger is getting for such "ooh..aah" features like multipoint iChat, Dashboard, etc, I thought today we should take a look at one new feature of Tiger that, while not as obvious as such GUI-goodness, will have a near - instant and far - reaching effect on all who use the new version of OS X: The implementation of Access Control Lists, aka, ACLs in Tiger.

Access Con-who Huh?

ACLs are a new way of controlling, well, access to objects such as files and folders on a computer. Mac users currently don't have a traditional ACL implementation that ships with the OS. The closest thing we have now, is the login controls. That's a list of users who can log in to a Mac or Macs, and controls what they can do on a given Mac. So, in a sense, that's an ACL. It's a login ACL.

Unix Permission Basics

However, what most people use ACLs with are file system objects. Note: ACLs are by no means restricted to the file system. They can exist at any level where you have things you wish to control access to. But for this article, we're going to limit our discussion to the file system.

With current versions of Mac OS X and Mac OS X Server, you have traditional three-level Unix permissions. With any object on the file system, there are three levels of access:

  • Owner, the user that owns the object

  • Group, the group that has explicit access to the object. The Owner does not have to be in the Group

  • Everyone else, or every user who's not the Owner, or in the Group, or every group who is not the Group.

There's a fourth access here: root. Root's the super user, it has full access to everything so there's no need to explicitly include root. The Owner is always a user; it can never be a group. (This is a step backwards in some ways from the older AppleShare permissions, which did allow for group ownership of a file.) The Group, (obviously) must always be a group, not a user. Everyone else is just that.

Within this access structure, there are three things you can do to an object:

  • Read, that is, use the contents of the object in a non-modifying manner, i.e. viewing and printing

  • Write, which lets you modify the object and/or its contents, so you can erase the contents of the object, delete the object, etc.

  • Execute, which is what allows you to run a program, list the contents of a directory.

Everything you do with a File System (FS) object in Mac OS X is based on those nine bullets. It's fairly simple, although there are things that will catch you off guard. For example, if you own a file, but that file is in a directory that you don't have write access for, you can erase the contents of that file, but you can't delete the file itself.

Sometimes simple is bad

Now, for a long time, this was all you needed. Access was simple, and could be simply controlled. But in a modern computing environment, these simple permissions fall down. For example, you can have a situation with different groups needing different access to a single directory and its files. The obvious solution is to put each group's files in a different directory, but then you could have some files needing to be seen by both groups. You can put people into different groups, but then you have to create another group with more restrictive permissions. In a large company, you can easily hit the Mac OS X limit of 16 groups per user in this kind of situation.

For example: You have an accounting group with its own directory on a server.

  • The head of accounting needs unrestricted access to every object in that directory, and unrestricted control over the directory.

  • The accounting managers need to be able to modify the contents of a directory, but not change permissions

  • The IS group needs full control

  • The accountants need to be able to modify files, add files, but not delete

  • Non - accounting department heads need to be able to read and list specific files, but not modify them in any way

  • Everyone else has no access at all to the directory

Now, you could make the head accountant the owner, he's set. IS can always use root (if all of them have that) or sudo to bypass permissions. You can set everyone to 000. So far we have rwx???---, because we haven't decided groups. Here's where Unix permissions fail. We have three groups now that we have to deal with:

  • Accountants

  • Accounting managers

  • Department heads

We could make the group set for accounting managers, and now the directory is rwxrwx---, and put all three groups into a new group. Wait. We don't want department heads to have write/delete. Okay, put them into everyone. Wait, we don't want everyone to see inside the directory. The problem is, you have two groups that need rwx, and one that needs r-x. But within the first two groups, you don't want one to be able to delete files. Okay, set the sticky bit. but now, the group that DOES have to be able to delete can't, because the sticky bit means that only the head of accounting can delete files. So now he's doing the job of the accounting managers. Unix permissions are too simplistic to handle this, and this is not a terribly complex situation. If you are talking about a very large company, this scenario can get much worse.

Sometimes, complex is good

However, a decent set of ACLs can make this really simple. For our example, since we don't know how Apple is implementing ACLs in Tiger, and even if we did, we couldn't talk about it, we'll use the ACL implementation from the OpenAFS project, (http://www.openafs.org/). AFS is the acronym for the Andrew File System, an open - source distributed file system that can run on Mac OS X along with almost every other modern OS. While AFS can easily emulate Unix file permissions, it has a much richer native set of permissions:

  • r read the contents of files in the directory

  • l list the names of files in the directory

  • i insert files into the directory

  • d delete files from the directory

  • w write (or modify) files into the directory

  • k lock (or modify the write-mode bit) of files in the directory

  • a administer or change the acl of the directory

Note how the permissions, while more complex than standard Unix permissions, give you finer control. For example, adding a file to a directory is not the same as having write access to a directory. Deleting is its own permission, as is administering the ACLs of a directory. This is not the richest model of ACLs in use by any means. Both Novell and Windows have far richer ACL models, but this one is good as an example, and runs on many more environments than Novell or Windows do.

So let's revisit our accounting example, but with our new ACL goodness at our disposal:

  • The head accountant is the owner still, and as such, he gets: rlidwka He can do anything, including modify the rights of others needing access. Cool.

  • The IS group gets: rlidwka. Cool, they have the access they need.

  • The accounting managers get: rlidwk. They can modify files as needed, but they can't change anyone's permissions in the directory. Cool.

  • The accountants get: rliw. They can do their work, and add new files as needed, but they cannot delete files, lock files, or change permissions. Cool

  • The department heads get: rl. They can see and view the files, but not modify them or the directory.

No one else has any rights; the directory is a black box to them. IS has the access it needs without needing sudo, or root access. If we had very strict security needs, (Sarb-Ox or HIPAA anyone?), we could set it up so that IS could manage ACLs for a directory full of files they could see, but not read. You could even set it up so they could run a directory they couldn't read at all. (Yes, obviously if they can manage ACLs, there's a fast bypass of ACL limitations, but the point is, you have more flexibility with ACLs.)

Another advantage that ACLs give us is individual user permissions outside of groups. So you can have multiple users with different access to a file system object. So you can easily assign new groups or new users permissions without having to modify the user and group organization of your network setup. You do have to be more careful with ACLs than Unix permissions, because if you aren't, it's really easy to give someone, or a group a lot more access than you thought you were.

We also don't know how various commands are going to be changed, or what new ones will be introduced to deal with the new permissions structures. But in the end, we're going to get a lot more benefit from ACLs than pain.

Conclusion

This is a bit of a quickie look at ACLs, but it should give you an idea of the kind of power that ACLs give you. Since ACLs are going to be implemented throughout Mac OS X, they should also finally give you the same permissions in the Finder as you have at the command line, unlike the current situation. With the way modern networking environments are becoming more complex, even k-12, Mac OS X needed a more flexible permissions structure, and ACLs are the best way to get there.

Bibliography and References

http://web.mit.edu/answers/unix/unix_chmod.html

http://www.apple.com/macosx/tiger/unix.html


John Welch <jwelch@provar.com> is an IT Staff Member for Kansas City Life Insurance, a Technical Strategist for Provar, (http://www.provar.com/) and the Chief Know-It-All for TackyShirt, (http://www.tackyshirt.com/. He has over fifteen years of experience at making Macs work with other computer systems. John specializes in figuring out ways in which to make the Mac do what nobody thinks it can, showing that the Mac is a superior administrative platform, and teaching others how to use it in interesting, if sometimes frightening ways. He also does things that don't involve computertry on occasion, or at least that's the rumor.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Yasu 4.0.0 β - System maintenance app; p...
Yasu was created with System Administrators who service large groups of workstations in mind, Yasu (Yet Another System Utility) was made to do a specific group of maintenance tasks quickly within a... Read more
Skype 7.37.0.178 - Voice-over-internet p...
Skype allows you to talk to friends, family and co-workers across the Internet without the inconvenience of long distance telephone charges. Using peer-to-peer data transmission technology, Skype... Read more
EtreCheck 3.0.5 - For troubleshooting yo...
EtreCheck is an app that displays the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support Communities to... Read more
Amadeus Pro 2.3.1 - Multitrack sound rec...
Amadeus Pro lets you use your Mac computer for any audio-related task, such as live audio recording, digitizing tapes and records, converting between a variety of sound formats, etc. Thanks to its... Read more
NeoFinder 6.9.3 - Catalog your external...
NeoFinder (formerly CDFinder) rapidly organizes your data, either on external or internal disks, or any other volumes. It catalogs all your data, so you stay in control of your data archive or disk... Read more
WhatsApp 0.2.1880 - Desktop client for W...
WhatsApp is the desktop client for WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for... Read more
Hazel 4.0.6 - Create rules for organizin...
Hazel is your personal housekeeper, organizing and cleaning folders based on rules you define. Hazel can also manage your trash and uninstall your applications. Organize your files using a familiar... Read more
Apple iBooks Author 2.5 - Create and pub...
Apple iBooks Author helps you create and publish amazing Multi-Touch books for iPad. Now anyone can create stunning iBooks textbooks, cookbooks, history books, picture books, and more for iPad. All... Read more
MYStuff Pro 2.0.26 - $39.99
MYStuff Pro is the most flexible way to create detail-rich inventories for your home or small business. Add items to MYStuff by dragging and dropping existing information, uploading new images, or... Read more
MarsEdit 3.7.8 - Quick and convenient bl...
MarsEdit is a blog editor for OS X that makes editing your blog like writing email, with spell-checking, drafts, multiple windows, and even AppleScript support. It works with with most blog services... Read more

How to get past Vulture Island's tr...
Vulture Island is a colorful and quirky mish-mash of platforming and puzzles. It’s creative and fresh, but sometimes the game can throw a curveball at you, leaving you stuck as to how you should progress. These tips will help you explore smoothly... | Read more »
The new Clash of Kings is just for Weste...
If you’ve played the original Clash of Kings, you’ll probably recognise the city building, alliance forging and strategic battles in Clash of Kings: The West. What sets this version apart is that it’s tailor made for a Western audience and the... | Read more »
Frost - Survival card game (Games)
Frost - Survival card game 1.12.1 Device: iOS Universal Category: Games Price: $3.99, Version: 1.12.1 (iTunes) Description: *Warning: the game will work on iPhone 5C and above and iPad Pro / 4. Other devices are not supported* | Read more »
How to build and care for your team in D...
Before you hit the trail and become a dog sledding legend, there’s actually a fair bit of prep work to be done. In Dog Sled Saga, you’re not only racing, you’re also building and caring for a team of furry friends. There’s a lot to consider—... | Read more »
How to win every race in Dog Sled Saga
If I had to guess, I’d say Dog Sled Saga is the most adorable racing game on the App Store right now. It’s a dog sled racing sim full of adorable, loyal puppies. Just look at those fluffy little tails wagging. Behind that cute, pixelated facade is... | Read more »
Let the war games commence in Gunship Ba...
Buzz Lightyear famously said, “This isn’t flying, this is falling – with style!” In the case of Gunship Battle: Second War, though, this really is flying - with style! The flight simulator app from Joycity puts you in control of 20 faithfully... | Read more »
How to get a high score in Fired Up
Fired Up is Noodlecake Games’ high score chasing, firefighting adventure. You take control of a wayward firefighter who propels himself up the side of a highrise with blasts of water. Sound silly? It is. It’s also pretty difficult. You can’t... | Read more »
NBA 2K17 (Games)
NBA 2K17 1.0 Device: iOS iPhone Category: Games Price: $7.99, Version: 1.0 (iTunes) Description: Following the record-breaking launch of NBA 2K16, the NBA 2K franchise continues to stake its claim as the most authentic sports video... | Read more »
Dog Sled Saga (Games)
Dog Sled Saga 1.0.1 Device: iOS Universal Category: Games Price: $3.99, Version: 1.0.1 (iTunes) Description: A game by Dan + Lisa As a rookie musher, foster a dogsledding team whose skills will grow if they're treated right. Week by... | Read more »
60 Seconds! Atomic Adventure (Games)
60 Seconds! Atomic Adventure 1.2 Device: iOS Universal Category: Games Price: $2.99, Version: 1.2 (iTunes) Description: 60 Seconds! is a dark comedy atomic adventure of scavenge and survival. Collect supplies and rescue your family... | Read more »

Price Scanner via MacPrices.net

21-inch iMacs on sale for up to $120 off MSRP
B&H Photo has 21″ iMacs on sale for up to $120 off MSRP including free shipping plus NY sales tax only: - 21″ 3.1GHz iMac 4K: $1379 $120 off MSRP - 21″ 2.8GHz iMac: $1199.99 $100 off MSRP - 21″ 1... Read more
13-inch 2.7GHz/256GB Retina MacBook Pro on sa...
Amazon.com has the 13″ 2.7GHz/256GB Retina Apple MacBook Pro on sale for $151 off MSRP including free shipping: - 13″ 2.7GHz/256GB Retina MacBook Pro (sku MF840LL/A): $1348 $151 off MSRP Read more
Apple TVs on sale for up to $50 off MSRP
Best Buy has 32GB and 64GB Apple TVs on sale for $40-$50 off MSRP on their online store. Choose free shipping or free local store pickup (if available). Sale prices for online orders only, in-store... Read more
Apple refurbished 13-inch Retina MacBook Pros...
Apple has Certified Refurbished 13″ Retina MacBook Pros available for up to $270 off the cost of new models. An Apple one-year warranty is included with each model, and shipping is free: - 13″ 2.7GHz... Read more
Duplicate Sweeper Free On Mac App Store For O...
To celebrate the launch of Apple’s latest macOS Sierra, Stafford, United Kingdom based Wide Angle Software has announced that its duplicate file finder software, Duplicate Sweeper, is now available... Read more
13-inch Retina MacBook Pros on sale for up to...
B&H Photo has 13″ Retina Apple MacBook Pros on sale for up to $150 off MSRP. Shipping is free, and B&H charges NY tax only: - 13″ 2.7GHz/128GB Retina MacBook Pro: $1174.99 $125 off MSRP - 13... Read more
Evidence Surfaces Pointing To New A10X Chip F...
Citing a job description for a Project Lead position at Apple’s Austin, Texas engineering labs, Motley Fool’s Ashraf Eassa deduces that development is progressing well on Apple’s next-generation in-... Read more
Check Print’R for macOS Allows Anyone to Easi...
Delaware-based Match Software has announced the release and immediate availability of Check Print’R 3.21, an important update to their easy-to-use check printing application for macOS. Check Print’R... Read more
Apple refurbished 11-inch MacBook Airs availa...
Apple has Certified Refurbished 11″ MacBook Airs (the latest models), available for up to $170 off the cost of new models. An Apple one-year warranty is included with each MacBook, and shipping is... Read more
Apple refurbished 15-inch Retina MacBook Pros...
Apple has Certified Refurbished 2015 15″ Retina MacBook Pros available for up to $380 off the cost of new models. An Apple one-year warranty is included with each model, and shipping is free: - 15″ 2... Read more

Jobs Board

Sr. *Apple* Mac Engineer - Net2Source Inc....
…staffing, training and technology. We have following position open with our client. Sr. Apple Mac Engineer6+ Months CTH Start date : 19th Sept Travelling Job If Read more
*Apple* Retail - Multiple Positions-Norfolk,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
Restaurant Manager (Neighborhood Captain) - A...
…in every aspect of daily operation. WHY YOU'LL LIKE IT: You'll be the Big Apple . You'll solve problems. You'll get to show your ability to handle the stress and Read more
Lead *Apple* Solutions Consultant - Apple (...
# Lead Apple Solutions Consultant Job Number: 51829230 Detroit, Michigan, United States Posted: Sep. 19, 2016 Weekly Hours: 40.00 **Job Summary** The Lead ASC is an Read more
US- *Apple* Store Leader Program - Apple (Un...
…Summary Learn and grow as you explore the art of leadership at the Apple Store. You'll master our retail business inside and out through training, hands-on Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.