TweetFollow Us on Twitter

Access Control Lists

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Programming

Patch Panel

by John C. Welch

Access Control Lists

A look at one of the features in Tiger that's going to change how Mac Networks are run

Welcome

With all the hype that Tiger is getting for such "ooh..aah" features like multipoint iChat, Dashboard, etc, I thought today we should take a look at one new feature of Tiger that, while not as obvious as such GUI-goodness, will have a near - instant and far - reaching effect on all who use the new version of OS X: The implementation of Access Control Lists, aka, ACLs in Tiger.

Access Con-who Huh?

ACLs are a new way of controlling, well, access to objects such as files and folders on a computer. Mac users currently don't have a traditional ACL implementation that ships with the OS. The closest thing we have now, is the login controls. That's a list of users who can log in to a Mac or Macs, and controls what they can do on a given Mac. So, in a sense, that's an ACL. It's a login ACL.

Unix Permission Basics

However, what most people use ACLs with are file system objects. Note: ACLs are by no means restricted to the file system. They can exist at any level where you have things you wish to control access to. But for this article, we're going to limit our discussion to the file system.

With current versions of Mac OS X and Mac OS X Server, you have traditional three-level Unix permissions. With any object on the file system, there are three levels of access:

  • Owner, the user that owns the object

  • Group, the group that has explicit access to the object. The Owner does not have to be in the Group

  • Everyone else, or every user who's not the Owner, or in the Group, or every group who is not the Group.

There's a fourth access here: root. Root's the super user, it has full access to everything so there's no need to explicitly include root. The Owner is always a user; it can never be a group. (This is a step backwards in some ways from the older AppleShare permissions, which did allow for group ownership of a file.) The Group, (obviously) must always be a group, not a user. Everyone else is just that.

Within this access structure, there are three things you can do to an object:

  • Read, that is, use the contents of the object in a non-modifying manner, i.e. viewing and printing

  • Write, which lets you modify the object and/or its contents, so you can erase the contents of the object, delete the object, etc.

  • Execute, which is what allows you to run a program, list the contents of a directory.

Everything you do with a File System (FS) object in Mac OS X is based on those nine bullets. It's fairly simple, although there are things that will catch you off guard. For example, if you own a file, but that file is in a directory that you don't have write access for, you can erase the contents of that file, but you can't delete the file itself.

Sometimes simple is bad

Now, for a long time, this was all you needed. Access was simple, and could be simply controlled. But in a modern computing environment, these simple permissions fall down. For example, you can have a situation with different groups needing different access to a single directory and its files. The obvious solution is to put each group's files in a different directory, but then you could have some files needing to be seen by both groups. You can put people into different groups, but then you have to create another group with more restrictive permissions. In a large company, you can easily hit the Mac OS X limit of 16 groups per user in this kind of situation.

For example: You have an accounting group with its own directory on a server.

  • The head of accounting needs unrestricted access to every object in that directory, and unrestricted control over the directory.

  • The accounting managers need to be able to modify the contents of a directory, but not change permissions

  • The IS group needs full control

  • The accountants need to be able to modify files, add files, but not delete

  • Non - accounting department heads need to be able to read and list specific files, but not modify them in any way

  • Everyone else has no access at all to the directory

Now, you could make the head accountant the owner, he's set. IS can always use root (if all of them have that) or sudo to bypass permissions. You can set everyone to 000. So far we have rwx???---, because we haven't decided groups. Here's where Unix permissions fail. We have three groups now that we have to deal with:

  • Accountants

  • Accounting managers

  • Department heads

We could make the group set for accounting managers, and now the directory is rwxrwx---, and put all three groups into a new group. Wait. We don't want department heads to have write/delete. Okay, put them into everyone. Wait, we don't want everyone to see inside the directory. The problem is, you have two groups that need rwx, and one that needs r-x. But within the first two groups, you don't want one to be able to delete files. Okay, set the sticky bit. but now, the group that DOES have to be able to delete can't, because the sticky bit means that only the head of accounting can delete files. So now he's doing the job of the accounting managers. Unix permissions are too simplistic to handle this, and this is not a terribly complex situation. If you are talking about a very large company, this scenario can get much worse.

Sometimes, complex is good

However, a decent set of ACLs can make this really simple. For our example, since we don't know how Apple is implementing ACLs in Tiger, and even if we did, we couldn't talk about it, we'll use the ACL implementation from the OpenAFS project, (http://www.openafs.org/). AFS is the acronym for the Andrew File System, an open - source distributed file system that can run on Mac OS X along with almost every other modern OS. While AFS can easily emulate Unix file permissions, it has a much richer native set of permissions:

  • r read the contents of files in the directory

  • l list the names of files in the directory

  • i insert files into the directory

  • d delete files from the directory

  • w write (or modify) files into the directory

  • k lock (or modify the write-mode bit) of files in the directory

  • a administer or change the acl of the directory

Note how the permissions, while more complex than standard Unix permissions, give you finer control. For example, adding a file to a directory is not the same as having write access to a directory. Deleting is its own permission, as is administering the ACLs of a directory. This is not the richest model of ACLs in use by any means. Both Novell and Windows have far richer ACL models, but this one is good as an example, and runs on many more environments than Novell or Windows do.

So let's revisit our accounting example, but with our new ACL goodness at our disposal:

  • The head accountant is the owner still, and as such, he gets: rlidwka He can do anything, including modify the rights of others needing access. Cool.

  • The IS group gets: rlidwka. Cool, they have the access they need.

  • The accounting managers get: rlidwk. They can modify files as needed, but they can't change anyone's permissions in the directory. Cool.

  • The accountants get: rliw. They can do their work, and add new files as needed, but they cannot delete files, lock files, or change permissions. Cool

  • The department heads get: rl. They can see and view the files, but not modify them or the directory.

No one else has any rights; the directory is a black box to them. IS has the access it needs without needing sudo, or root access. If we had very strict security needs, (Sarb-Ox or HIPAA anyone?), we could set it up so that IS could manage ACLs for a directory full of files they could see, but not read. You could even set it up so they could run a directory they couldn't read at all. (Yes, obviously if they can manage ACLs, there's a fast bypass of ACL limitations, but the point is, you have more flexibility with ACLs.)

Another advantage that ACLs give us is individual user permissions outside of groups. So you can have multiple users with different access to a file system object. So you can easily assign new groups or new users permissions without having to modify the user and group organization of your network setup. You do have to be more careful with ACLs than Unix permissions, because if you aren't, it's really easy to give someone, or a group a lot more access than you thought you were.

We also don't know how various commands are going to be changed, or what new ones will be introduced to deal with the new permissions structures. But in the end, we're going to get a lot more benefit from ACLs than pain.

Conclusion

This is a bit of a quickie look at ACLs, but it should give you an idea of the kind of power that ACLs give you. Since ACLs are going to be implemented throughout Mac OS X, they should also finally give you the same permissions in the Finder as you have at the command line, unlike the current situation. With the way modern networking environments are becoming more complex, even k-12, Mac OS X needed a more flexible permissions structure, and ACLs are the best way to get there.

Bibliography and References

http://web.mit.edu/answers/unix/unix_chmod.html

http://www.apple.com/macosx/tiger/unix.html


John Welch <jwelch@provar.com> is an IT Staff Member for Kansas City Life Insurance, a Technical Strategist for Provar, (http://www.provar.com/) and the Chief Know-It-All for TackyShirt, (http://www.tackyshirt.com/. He has over fifteen years of experience at making Macs work with other computer systems. John specializes in figuring out ways in which to make the Mac do what nobody thinks it can, showing that the Mac is a superior administrative platform, and teaching others how to use it in interesting, if sometimes frightening ways. He also does things that don't involve computertry on occasion, or at least that's the rumor.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Vivaldi 1.0.118.19 - Lightweight browser...
Vivaldi browser. In 1994, two programmers started working on a web browser. Our idea was to make a really fast browser, capable of running on limited hardware, keeping in mind that users are... Read more
Stacks 2.6.11 - New way to create pages...
Stacks is a new way to create pages in RapidWeaver. It's a plugin designed to combine drag-and-drop simplicity with the power of fluid layout. Features: Fluid Layout: Stacks lets you build pages... Read more
xScope 4.1.3 - Onscreen graphic measurem...
xScope is powerful set of tools that are ideal for measuring, inspecting, and testing on-screen graphics and layouts. Its tools float above your desktop windows and can be accessed via a toolbar,... Read more
Cyberduck 4.7 - FTP and SFTP browser. (F...
Cyberduck is a robust FTP/FTP-TLS/SFTP browser for the Mac whose lack of visual clutter and cleverly intuitive features make it easy to use. Support for external editors and system technologies such... Read more
Labels & Addresses 1.7 - Powerful la...
Labels & Addresses is a home and office tool for printing all sorts of labels, envelopes, inventory labels, and price tags. Merge-printing capability makes the program a great tool for holiday... Read more
teleport 1.2.1 - Use one mouse/keyboard...
teleport is a simple utility to let you use one single mouse and keyboard to control several of your Macs. Simply reach the edge of your screen, and your mouse teleports to your other Mac! The... Read more
Apple iMovie 10.0.8 - Edit personal vide...
With an all-new design, Apple iMovie lets you enjoy your videos like never before. Browse your clips more easily, instantly share your favorite moments, and create beautiful HD movies and Hollywood-... Read more
Box Sync 4.0.6233 - Online synchronizati...
Box Sync gives you a hard-drive in the Cloud for online storage. Note: You must first sign up to use Box. What if the files you need are on your laptop -- but you're on the road with your iPhone? No... Read more
Fantastical 2.0.3 - Create calendar even...
Fantastical 2 is the Mac calendar you'll actually enjoy using. Creating an event with Fantastical is quick, easy, and fun: Open Fantastical with a single click or keystroke Type in your event... Read more
The Hit List 1.1.14 - Advanced reminder...
The Hit List manages the daily chaos of your modern life. It's easy to learn - it's as easy as making lists. And it's powerful enough to let you plan, then forget, then act when the time is right.... Read more

SoundHound + LiveLyrics is Making its De...
SoundHound Inc. has announced that SoundHound + LiveLyrics, will be one of the first third-party apps to hit the Apple Watch. With  SoundHound you'll be able to tap on your watch and have the app recognize the music you are listening to, then have... | Read more »
Adobe Joins the Apple Watch Lineup With...
A whole tidal wave of apps are headed for the Apple Watch, and Adobe has joined in with 3 new ways to enhance your creativity and collaborate with others. The watch apps pair with iPad/iPhone apps to give you total control over your Adobe projects... | Read more »
Z Steel Soldiers, Sequel to Kavcom'...
Kavcom has released Z Steel Soldiers, which continues the story of the comedic RTS originally created by the Bitmap Brothers. [Read more] | Read more »
Seene Lets You Create 3D Images With You...
Seene, by Obvious Engineering, is a 3D capture app that's meant to allow you to create visually stunning 3D images with a tap of your finger, and then share them as a 3D photo, video or gif. [Read more] | Read more »
Lost Within - Tips, Tricks, and Strategi...
Have you just downloaded Lost Within and are you in need of a guiding hand? While it’s not the toughest of games out there you might still want some helpful tips to get you started. [Read more] | Read more »
Entertain Your Pet With Your Watch With...
The Petcube Camera is a device that lets you use live video to check in on your pet, talk to them, and play with them using a laser pointer - all while you're away. And the Petcube app is coming to the Apple Watch, so you'll be able to hang out with... | Read more »
Now You Can Manage Your Line2 Calls With...
You'll be able to get your Line2 cloud phone service on the Apple Watch very soon. The watch app can send and receive messages using hands-free voice dictation, or by selecting from a list of provided responses. [Read more] | Read more »
R.B.I. Baseball 15 (Games)
R.B.I. Baseball 15 1.01 Device: iOS Universal Category: Games Price: $4.99, Version: 1.01 (iTunes) Description: The legendary Major League Baseball franchise returns to the diamond. Make History. ** ALL iPOD Touch, the iPad 2 and the... | Read more »
Here's How You Can Tell if an App W...
The Apple Watch is pretty much here, and that means a whole lot of compatible apps and games are going to be updated or released onto the App Store. That's okay though, beacause Apple has quietly updated their app description pages to make things... | Read more »
Forgotten Memories : Alternate Realities...
Forgotten Memories : Alternate Realities 1.0.1 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.1 (iTunes) Description: + REDUCED PRICE ONLY THE LAUNCHING WEEK + "The most exciting horror game of 2015." - AppSpy... | Read more »

Price Scanner via MacPrices.net

Heal to Launch First One-Touch House Call Doc...
Santa Monica, California based Heal, a pioneer in on-demand personal health care services — will offer the first one-touch, on-demand house call doctor app for the Apple Watch. Heal’s Watch app,... Read more
Mac Notebooks: Avoiding MagSafe Power Adapter...
Apple Support says proper usage, care, and maintenance of Your Mac notebook’s MagSafe power adapter can substantially increase the the adapter’s service life. Of course, MagSafe itself is an Apple... Read more
12″ Retina MacBook In Shootout With Air And P...
BareFeats’ rob-ART morgan has posted another comparison of the 12″ MacBook with other Mac laptops, noting that the general goodness of all Mac laptops can make which one to purchase a tough decision... Read more
FileMaker Go for iPad and iPhone: Over 1.5 Mi...
FileMaker has announced that its FileMaker Go for iPad and iPhone app has surpassed 1.5 million downloads from the iTunes App Store. The milestone confirms the continued popularity of the FileMaker... Read more
Sale! 13-inch 2.7GHz Retina MacBook Pro for $...
 Best Buy has the new 2015 13″ 2.7GHz/128GB Retina MacBook Pro on sale for $1099 – $200 off MSRP. Choose free shipping or free local store pickup (if available). Price for online orders only, in-... Read more
Minimalist MacBook Confirms Death of Steve Jo...
ReadWrite’s Adriana Lee has posted a eulogy for the “Digital Hub” concept Steve Jobs first proposed back in 2001, declaring the new 12-inch MacBook with its single, over-subscribed USB-C port to be... Read more
13-inch 2.7GHz Retina MacBook Pro for $1234 w...
Adorama has the 13″ 2.7GHz/128GB Retina MacBook Pro in stock for $1234.99 ($65 off MSRP) including free shipping plus a free LG external DVD/CD optical drive. Adorama charges sales tax in NY & NJ... Read more
13-inch 2.5GHz MacBook Pro available for $999...
 Adorama has the 13-inch 2.5GHz MacBook Pro on sale for $999 including free shipping plus NY & NJ sales tax only. Their price is $100 off MSRP. Read more
Save up to $600 with Apple refurbished Mac Pr...
The Apple Store is offering Apple Certified Refurbished Mac Pros for up to $600 off the cost of new models. An Apple one-year warranty is included with each Mac Pro, and shipping is free. The... Read more
Updated MacBook Price Trackers
We’ve updated our MacBook Price Trackers with the latest information on prices, bundles, and availability on 12″ MacBooks, MacBook Airs, and MacBook Pros from Apple’s authorized internet/catalog... Read more

Jobs Board

*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Watch SW Application Project Manager...
**Job Summary** The Apple Watch software team is looking for an Application Engineering Project Manager to work on new projects for Apple . The successful candidate Read more
Map Services Frameworks Manager - *Apple* M...
Job Description: Apple 's Maps Evaluation Organization is seeking a Senior Manager to lead the Map services assertions and performance frameworks group. Key Read more
Shuttle Driver - APPLE EAST, APPLE EAST (Unit...
HERE WE GROW AGAIN!! We are adding to our team! Red Lion Chevrolet of Apple Automotive is growing and we are looking for a PART TIME SHUTTLE DRIVER/ PORTER FOR SERVICE Read more
*Apple* Retail - Multiple Positions (US) - A...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.