TweetFollow Us on Twitter

Access Control Lists

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Programming

Patch Panel

by John C. Welch

Access Control Lists

A look at one of the features in Tiger that's going to change how Mac Networks are run

Welcome

With all the hype that Tiger is getting for such "ooh..aah" features like multipoint iChat, Dashboard, etc, I thought today we should take a look at one new feature of Tiger that, while not as obvious as such GUI-goodness, will have a near - instant and far - reaching effect on all who use the new version of OS X: The implementation of Access Control Lists, aka, ACLs in Tiger.

Access Con-who Huh?

ACLs are a new way of controlling, well, access to objects such as files and folders on a computer. Mac users currently don't have a traditional ACL implementation that ships with the OS. The closest thing we have now, is the login controls. That's a list of users who can log in to a Mac or Macs, and controls what they can do on a given Mac. So, in a sense, that's an ACL. It's a login ACL.

Unix Permission Basics

However, what most people use ACLs with are file system objects. Note: ACLs are by no means restricted to the file system. They can exist at any level where you have things you wish to control access to. But for this article, we're going to limit our discussion to the file system.

With current versions of Mac OS X and Mac OS X Server, you have traditional three-level Unix permissions. With any object on the file system, there are three levels of access:

  • Owner, the user that owns the object

  • Group, the group that has explicit access to the object. The Owner does not have to be in the Group

  • Everyone else, or every user who's not the Owner, or in the Group, or every group who is not the Group.

There's a fourth access here: root. Root's the super user, it has full access to everything so there's no need to explicitly include root. The Owner is always a user; it can never be a group. (This is a step backwards in some ways from the older AppleShare permissions, which did allow for group ownership of a file.) The Group, (obviously) must always be a group, not a user. Everyone else is just that.

Within this access structure, there are three things you can do to an object:

  • Read, that is, use the contents of the object in a non-modifying manner, i.e. viewing and printing

  • Write, which lets you modify the object and/or its contents, so you can erase the contents of the object, delete the object, etc.

  • Execute, which is what allows you to run a program, list the contents of a directory.

Everything you do with a File System (FS) object in Mac OS X is based on those nine bullets. It's fairly simple, although there are things that will catch you off guard. For example, if you own a file, but that file is in a directory that you don't have write access for, you can erase the contents of that file, but you can't delete the file itself.

Sometimes simple is bad

Now, for a long time, this was all you needed. Access was simple, and could be simply controlled. But in a modern computing environment, these simple permissions fall down. For example, you can have a situation with different groups needing different access to a single directory and its files. The obvious solution is to put each group's files in a different directory, but then you could have some files needing to be seen by both groups. You can put people into different groups, but then you have to create another group with more restrictive permissions. In a large company, you can easily hit the Mac OS X limit of 16 groups per user in this kind of situation.

For example: You have an accounting group with its own directory on a server.

  • The head of accounting needs unrestricted access to every object in that directory, and unrestricted control over the directory.

  • The accounting managers need to be able to modify the contents of a directory, but not change permissions

  • The IS group needs full control

  • The accountants need to be able to modify files, add files, but not delete

  • Non - accounting department heads need to be able to read and list specific files, but not modify them in any way

  • Everyone else has no access at all to the directory

Now, you could make the head accountant the owner, he's set. IS can always use root (if all of them have that) or sudo to bypass permissions. You can set everyone to 000. So far we have rwx???---, because we haven't decided groups. Here's where Unix permissions fail. We have three groups now that we have to deal with:

  • Accountants

  • Accounting managers

  • Department heads

We could make the group set for accounting managers, and now the directory is rwxrwx---, and put all three groups into a new group. Wait. We don't want department heads to have write/delete. Okay, put them into everyone. Wait, we don't want everyone to see inside the directory. The problem is, you have two groups that need rwx, and one that needs r-x. But within the first two groups, you don't want one to be able to delete files. Okay, set the sticky bit. but now, the group that DOES have to be able to delete can't, because the sticky bit means that only the head of accounting can delete files. So now he's doing the job of the accounting managers. Unix permissions are too simplistic to handle this, and this is not a terribly complex situation. If you are talking about a very large company, this scenario can get much worse.

Sometimes, complex is good

However, a decent set of ACLs can make this really simple. For our example, since we don't know how Apple is implementing ACLs in Tiger, and even if we did, we couldn't talk about it, we'll use the ACL implementation from the OpenAFS project, (http://www.openafs.org/). AFS is the acronym for the Andrew File System, an open - source distributed file system that can run on Mac OS X along with almost every other modern OS. While AFS can easily emulate Unix file permissions, it has a much richer native set of permissions:

  • r read the contents of files in the directory

  • l list the names of files in the directory

  • i insert files into the directory

  • d delete files from the directory

  • w write (or modify) files into the directory

  • k lock (or modify the write-mode bit) of files in the directory

  • a administer or change the acl of the directory

Note how the permissions, while more complex than standard Unix permissions, give you finer control. For example, adding a file to a directory is not the same as having write access to a directory. Deleting is its own permission, as is administering the ACLs of a directory. This is not the richest model of ACLs in use by any means. Both Novell and Windows have far richer ACL models, but this one is good as an example, and runs on many more environments than Novell or Windows do.

So let's revisit our accounting example, but with our new ACL goodness at our disposal:

  • The head accountant is the owner still, and as such, he gets: rlidwka He can do anything, including modify the rights of others needing access. Cool.

  • The IS group gets: rlidwka. Cool, they have the access they need.

  • The accounting managers get: rlidwk. They can modify files as needed, but they can't change anyone's permissions in the directory. Cool.

  • The accountants get: rliw. They can do their work, and add new files as needed, but they cannot delete files, lock files, or change permissions. Cool

  • The department heads get: rl. They can see and view the files, but not modify them or the directory.

No one else has any rights; the directory is a black box to them. IS has the access it needs without needing sudo, or root access. If we had very strict security needs, (Sarb-Ox or HIPAA anyone?), we could set it up so that IS could manage ACLs for a directory full of files they could see, but not read. You could even set it up so they could run a directory they couldn't read at all. (Yes, obviously if they can manage ACLs, there's a fast bypass of ACL limitations, but the point is, you have more flexibility with ACLs.)

Another advantage that ACLs give us is individual user permissions outside of groups. So you can have multiple users with different access to a file system object. So you can easily assign new groups or new users permissions without having to modify the user and group organization of your network setup. You do have to be more careful with ACLs than Unix permissions, because if you aren't, it's really easy to give someone, or a group a lot more access than you thought you were.

We also don't know how various commands are going to be changed, or what new ones will be introduced to deal with the new permissions structures. But in the end, we're going to get a lot more benefit from ACLs than pain.

Conclusion

This is a bit of a quickie look at ACLs, but it should give you an idea of the kind of power that ACLs give you. Since ACLs are going to be implemented throughout Mac OS X, they should also finally give you the same permissions in the Finder as you have at the command line, unlike the current situation. With the way modern networking environments are becoming more complex, even k-12, Mac OS X needed a more flexible permissions structure, and ACLs are the best way to get there.

Bibliography and References

http://web.mit.edu/answers/unix/unix_chmod.html

http://www.apple.com/macosx/tiger/unix.html


John Welch <jwelch@provar.com> is an IT Staff Member for Kansas City Life Insurance, a Technical Strategist for Provar, (http://www.provar.com/) and the Chief Know-It-All for TackyShirt, (http://www.tackyshirt.com/. He has over fifteen years of experience at making Macs work with other computer systems. John specializes in figuring out ways in which to make the Mac do what nobody thinks it can, showing that the Mac is a superior administrative platform, and teaching others how to use it in interesting, if sometimes frightening ways. He also does things that don't involve computertry on occasion, or at least that's the rumor.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

FileMaker Pro 19.4.2 - Quickly build cus...
FileMaker Pro is the tool you use to create a custom app. You also use FileMaker Pro to access your app on a computer. Start by importing data from a spreadsheet or using a built-in Starter app to... Read more
Adobe Illustrator 26.0.3 - Professional...
You can download Adobe Illustrator for Mac as a part of Creative Cloud for only $20.99/month. Adobe Illustrator for Mac is the vector graphics classics in the design industry. It is a digital... Read more
WhatRoute 2.4.9 - Geographically trace o...
WhatRoute is designed to find the names of all the routers an IP packet passes through on its way from your Mac to a destination host. It also measures the round-trip time from your Mac to the router... Read more
Notion 2.0.20 - A unified workspace for...
Notion is the unified workspace for modern teams. Notion Features: Integration with Slack Documents Wikis Tasks Release notes were unavailable when this listing was updated. Download Now]]> Read more
Monterey Cache Cleaner 17.0.2 - Clear ca...
Monterey Cache Cleaner is an award-winning general-purpose tool for macOS X. MCC makes system maintenance simple with an easy point-and-click interface to many macOS X functions. Novice and expert... Read more
Firetask Pro 4.6.8 - Innovative task man...
Firetask Pro represents the next generation of easy-to-use, project-oriented task management apps. By combining David Allen's powerful Getting Things Done (GTD®) approach with classical task... Read more
Smultron 13.0.4 - Easy-to-use, powerful...
Smultron 13 is the text editor for all of us. Smultron is powerful and confident without being complicated. Its elegance and simplicity helps everyone being creative and to write and edit all sorts... Read more
Box Sync 4.0.8057 - Online synchronizati...
Box Sync gives you a hard-drive in the Cloud for online storage. Note: You must first sign up to use Box. What if the files you need are on your laptop -- but you're on the road with your iPhone? No... Read more
Audio Hijack 3.8.10 - Record and enhance...
Audio Hijack (was Audio Hijack Pro) drastically changes the way you use audio on your computer, giving you the freedom to listen to audio when you want and how you want. Record and enhance any audio... Read more
Direct Mail 6.0.1 - Create and send grea...
Direct Mail is an easy-to-use, fully-featured email marketing app purpose-built for macOS. Create, send, and track great looking email campaigns that get results. Start your newsletter by selecting... Read more

Latest Forum Discussions

See All

SwitchArcade Round-Up: ‘Pokemon Legends:...
Hello gentle readers, and welcome to the SwitchArcade Round-Up for January 28th, 2022. We’ve got a bunch of new releases to look at today, with a few big hitters, a few mid-level diversions, and a healthy supply of compost. Since it’s Friday, we... | Read more »
Phantom Blade: Executioners, S-Game...
S-Game has kicked off its first Closed Beta Test for Phantom Blade: Executioners, inviting a selected few to get first dibs on the upcoming KungFuPunk action RPG on mobile. The CBT officially begins this January 28th, and beta testers will receive... | Read more »
‘Infinite Galaxy’ First Anniversary: Cel...
Cultivating a new generation of valiant commanders across 240 countries worldwide, Infinite Galaxy has quenched players’ thirst to explore the vastness of space – and there are only more intergalactic adventures to embark on from here on out. Camel... | Read more »
War and Order: How to brave the cold in...
War and Order's 6th-anniversary celebrations are underway, and all in good time too - this season not only brings about fabulous festivities, but it also lets players experience the harsh winter in an entirely new way. [Read more] | Read more »
‘Hidden Folks+’ Is This Week’s New Apple...
The original Hidden Folks from Adriaan de Jongh is an excellent hidden objects game featuring hand drawn visuals. It is an absolute joy to play, and it has now released on Apple Arcade in the form of Hidden Folks+ () as an App Store great. If you’... | Read more »
Mini Metro’s First Big Update of 2022 Ad...
Last year saw great updates for Dinosaur Polo Club’s Mini Metro ($3.99) which is also available on Apple Arcade as an App Store Great. | Read more »
SwitchArcade Round-Up: ‘Gunvolt Chronicl...
Hello gentle readers, and welcome to the SwitchArcade Round-Up for January 27th, 2022. In today’s article, we’ve got a whole bunch of new releases to check out. It’s a dangerous one for the wallet today, as there are several interesting games to... | Read more »
SIEGE: Apocalypse lets you engage in mil...
Launching today to the delight of military enthusiasts across the globe, SIEGE: Apocalypse is a new 1v1 military battler from KIXEYE that's set in the early days of the War Commander universe. Players need to collect and upgrade unit cards to build... | Read more »
‘SIEGE: Apocalypse’, KIXEYE’s Military-T...
Military fans across the globe now have more reasons to dive into the War Commander universe as KIXEYE launches SIEGE: Apocalypse on both iOS and Android devices today. The 1v1 military battler pits two players against each other in intense real-... | Read more »
‘Yu-Gi-Oh! Master Duel’ Is Rolling Out N...
Following its launch on PC and all consoles last week, Yu-Gi-Oh! Master Duel has finally released on mobile platforms. Since launch, the game has exploded on multiple platforms with it having over 260k concurrent players on Steam. It has full... | Read more »

Price Scanner via MacPrices.net

Apple has clearance 2020 13″ MacBook Airs ava...
Apple has clearance, Certified Refurbished, 2020 13″ Intel-based MacBook Airs in stock today starting at only $719 and up to $370 off original MSRP. Each MacBook features a new outer case, comes with... Read more
The cheapest iPhones for sale today at Apple...
Apple has restocked Apple Certified Refurbished iPhone 8 models starting at only $359. Each refurbished iPhone comes with a fresh external case, standard Apple 1-year warranty, and free shipping.... Read more
14″ MacBook Pro with Apple M1 Max CPU now in...
Looking for a new 14″ MacBook Pro with an Apple M1 Max CPU? Stock is finally trickling into Apple resellers. B&H has Silver 14″ M1 Max MacBook Pros in stock today for $2899 including free 1-2 day... Read more
14″ MacBook Pros with Apple M1 Pro CPUs are i...
Amazon is reporting stock of 14″ MacBook Pros with M1 Pro CPUs today with a $50 discount. Shipping is free, and delivery is available by February 1st for most configurations. Be sure to make your... Read more
Apple has restocked 13″ M1 MacBook Pros for $...
Apple has restocked a full line of 13″ M1 MacBook Pros available Certified Refurbished, starting at only $1099 and up to $230 off original MSRP. These are the cheapest M1 MacBook Pros for sale today... Read more
Apple’s AirPods Max headphones are on sale fo...
Amazon has Silver, Blue, and Space Gray Apple AirPods Max headphones on sale today for $100 off MSRP. Shipping is free, and all models are in stock today. Their price is the lowest currently... Read more
Open a new line of service at Verizon and get...
Verizon is giving away 64GB Apple iPhone 12 minis or your choice of an iPhone 11 to customers who choose one of these phones and open a new line of service. Offer is available online only, and no... Read more
Open-box 13″ M1 MacBook Airs now available st...
QuickShip Electronics has open-box return 13″ M1 MacBook Airs in stock and on sale for $200-$400 off MSRP on their eBay store right now with free express delivery. According to QuickShip, “The item... Read more
Verizon’s 2022 iPad promo: $100-$310 off any...
Verizon has cellular-capable iPads on sale for $100-$310 off MSRP when purchased with an Unlimited service plan. Sale price is applied to your account monthly over a 24 or 30 month period, depending... Read more
Sunday Sale: Apple AirPods are on sale for up...
Amazon has Apple AirPods on sale for $10-$100 off MSRP today, depending on the model. All are in stock today with free delivery: – AirPods Max headphones (Blue): $449 $100 off MSRP – AirPods Max... Read more

Jobs Board

Registered Nurse (RN) Employee Health PSJH -...
…is calling for a Registered Nurse (RN) Employee Health PSJH to our location in Apple Valley, CA.** We are seeking a Registered Nurse (RN) Employee Health PSJH to be Read more
Systems Administrator - Pearson (United State...
…and troubleshoot Windows operating systems (workstation and server), laptop computers, Apple iPads, Chromebooks and printers** + **Administer and troubleshoot all Read more
IT Assistant Level 1- IT Desktop Support Anal...
…providing tier-1 or better IT help desk support in a large Windows and Apple environment * Experience using IT Service Desk Management Software * Knowledge of IT Read more
Human Resources Business Partner PSJH - Provi...
…**is calling a** **Human Resources Business Partner, PSJH** **to our location in Apple Valley, CA.** **Applicants that meet qualifications will receive a text with Read more
Manager Community Health Investment Programs...
…is calling a Manager Community Health Investment Programs PSJH to our location in Apple Valley, CA.** **Qualified candidates will be invited to do a self-paced video Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.