OS X ACL usage


© May 2019 Anthony Lawrence

Starting with 10.4, Mac OS X has ACL's. The 'chown' man page tells you about their usage, but it leaves a little bit out and isn't all that helpful.

If you landed here searching for a basic introduction to OS X permissions, I recommend Brian Tanaka's Take Control of Permissions in Mac OS X, a $10 PDF E-book that will teach you the basics. The article you are reading here is a bit more advanced.

You need to turn on ACL's before you can use them. To enable them on the root filesystem, I'd do:

sudo fsaclctl -p / -e

The '-e' enables ACL use; '-d' disables it. No reboot is required, the change is instantaneous (the man page says you do need to reboot or remount).

Note: this command disappeared after 10.5. I assume it is no longer needed; ACL's seem to be enabled by default.

ACL's are listed by adding '-e' to a long 'ls' listing:

ls -le

You'll notice nothing different about the output unless you had ACL's enabled previously. However, there is a little oddity there: if a file EVER had an ACL list, and the ACL's were later deleted (see below), a '+' sign will appear in the 'ls -le' listing:

$ ls -le
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo

Turning off with fsaclctl does not delete ACL's; it just makes them temporarily invisible and ineffective:


$ sudo fsaclctl -p / -d
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- 1 apl apl 900 Feb 28 07:34 s
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
$ sudo fsaclctl -p / -e
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
0: group:admin allow write
1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat

In the above listing, 's' has two ACL's, and 'foo' has none (but 'foo' had one or more ACL's sometime in the past).

You apply ACL's using extended chmod commands:

$ chmod +a 'tony allow delete' foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
0: user:tony allow delete

The format is always user or group, allow or deny, attribute. By default, rules stack as you apply them:

$ chmod +a 'admin allow delete' foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
0: group:admin allow delete
1: user:tony allow delete

Notice that the new rule became rule #0? You can control the positioning:


$ chmod +a# 1 'admin deny delete' foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
0: group:admin allow delete
1: group:admin deny delete
2: user:tony allow delete

That pushed our new rule in between 0 and 1, and also shows why we'd need or want to do that: which rule matters now? We say in 0 that an admin can delete the file, and in 1 that we deny that ability. Which takes precedence?

The 'deny' takes precedence, and it would even if we reversed the order. 'Allow' rules are cumulative, so their order is unimportant, but a 'deny' short-circuits and takes effect the moment it is encountered: no more rules are read.
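An added example (not from the original article): a small auditing function that reads 'ls -le' output and reports the two situations discussed above, an item that shows '+' but lists no entries, and a user or group that holds both an allow and a deny entry for the same permission. The function name acl_audit and the sample listing are constructed for illustration.

```bash
# Added example: audit `ls -le` output read from stdin.
# Uses the last field as the item name, so names containing spaces are truncated.
acl_audit() {
  awk '
    function finish_item() {
      if (name != "" && plus && n == 0) print "EMPTY " name
      split("", seen); split("", reported); n = 0
    }
    /^[ \t]*[0-9]+:[ \t]/ {            # an ACL entry such as " 1: user:tony allow write"
      sub(/^[ \t]*[0-9]+:[ \t]*/, ""); n++
      who = $1; i = ($2 == "inherited") ? 3 : 2
      verb = $i; other = (verb == "allow") ? "deny" : "allow"
      m = split($(i + 1), perm, ",")
      for (j = 1; j <= m; j++) {
        if (perm[j] ~ /_inherit$/) continue   # inheritance flags are not permissions
        if ((who, perm[j], other) in seen && !((who, perm[j]) in reported)) {
          print "CONFLICT " name " " who " " perm[j]
          reported[who, perm[j]] = 1
        }
        seen[who, perm[j], verb] = 1
      }
      next
    }
    /^[-dlbcsp][-rwxsStT]+/ {          # a file or directory line
      finish_item()
      name = $NF; plus = ($1 ~ /[+]$/ || $2 == "+")
    }
    END { finish_item() }
  '
}

# Constructed sample listing; "bar" uses the spaced "+" form shown in this article.
sample_listing() {
cat <<'EOF'
drwxr-xr-x+ 2 apl apl 68 Jul 19 18:32 foo
 0: group:admin allow delete
 1: group:admin deny delete
 2: user:tony allow delete
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 bar
-rw-r--r--+ 1 apl apl 900 Feb 28 07:34 s
 0: group:admin allow write
 1: user:tony inherited allow write
EOF
}

sample_listing | acl_audit
```

On a real system, pipe a listing into it, for example 'ls -le | acl_audit'.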

Deleting ACL's is easy:

$ chmod -a# 2 foo
$ chmod -a# 1 foo
$ chmod -a# 0 foo

Because the rules would 'move up' as they are deleted, you could accomplish the same thing with:

$ chmod -a# 0 foo
$ chmod -a# 0 foo
$ chmod -a# 0 foo

Inheritance ACL's can be added to directories:

$ chmod +a 'admin allow delete,file_inherit,directory_inherit' foo

Any NEW files or directories we create in foo will inherit the ACL 'admin allow delete'. Directories in foo will also inherit the 'inherit' attribute and will pass that on to their files and directories. We may not want that, so we can instead say:

$ chmod +a 'admin allow delete,file_inherit,directory_inherit,limit_inherit' foo

That applies the 'admin allow delete' to files and directories created in 'foo', but doesn't keep passing that on down. There's one more inheritance that is useful:

$ chmod +a 'admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit' foo

The 'only_inherit' avoids applying the ACL to 'foo' itself.

Read the 'chown' man page for the list of attributes that can be allowed or denied with ACL's.


I’m writing this partially for myself so I have a reference for what’s wrong while trying to install Django in a Python virtual environment on OS X. I’m just going to write about errors I encountered I think.

In the directory where I wanted to put the virtual environment type:

where django-ve will be the virtual environment. It should exist first.

Activate it:

source bin/activate

Following Django’s own guide still use pip to install it:

But when I did this I got an error with the SSL connection to PyPy exactly as in this Stack Overflow post. The solution was as they describe in the accepted answer, though you also have to update pip both inside the new virtual environment and outside. (I first tried updating it, then recreating the virtual environment, but this didn’t help, which kind of makes sense if it fetches a new pip each time.)

Since I want to use a full MySQL database I needed to install the Python connectors. I stuck with the Django recommended way. I tried to follow their instructions.

When I tried to install mysqlclient I got this same error. Updating Wheels as per one of the suggestions didn’t help, but running

did fix the problem by installing the Apple provided developer command line tools which install a C compiler.

I verified that the Python virtualenv could see Django as instructed and it could.

At this point, the setup guide ended so I’m just proceeding along with the tutorial.

I continued through the tutorial pretty well OK up until the part about configuring timezones. Silly me, I wrongly assumed I could modify it from ‘UTC’ to ‘AEST’, but even as is linked in their own guide, it’s based on the TZ Database so I should use ‘Australia/Queensland’.

Then proceeding along and running

runs successfully and going back to MySQL Workbench I can see all the tables that Django created. Looking good so far.

By this stage I’ve set it up and connected it to a real database, so that’s enough for now. I may come back later and critically evaluate Django for my purposes.