TweetFollow Us on Twitter

Access Control Lists

Volume Number: 20 (2004)
Issue Number: 7
Column Tag: Programming

Patch Panel

by John C. Welch

Access Control Lists

A look at one of the features in Tiger that's going to change how Mac Networks are run

Welcome

With all the hype that Tiger is getting for such "ooh..aah" features like multipoint iChat, Dashboard, etc, I thought today we should take a look at one new feature of Tiger that, while not as obvious as such GUI-goodness, will have a near - instant and far - reaching effect on all who use the new version of OS X: The implementation of Access Control Lists, aka, ACLs in Tiger.

Access Con-who Huh?

ACLs are a new way of controlling, well, access to objects such as files and folders on a computer. Mac users currently don't have a traditional ACL implementation that ships with the OS. The closest thing we have now, is the login controls. That's a list of users who can log in to a Mac or Macs, and controls what they can do on a given Mac. So, in a sense, that's an ACL. It's a login ACL.

Unix Permission Basics

However, what most people use ACLs with are file system objects. Note: ACLs are by no means restricted to the file system. They can exist at any level where you have things you wish to control access to. But for this article, we're going to limit our discussion to the file system.

With current versions of Mac OS X and Mac OS X Server, you have traditional three-level Unix permissions. With any object on the file system, there are three levels of access:

  • Owner, the user that owns the object

  • Group, the group that has explicit access to the object. The Owner does not have to be in the Group

  • Everyone else, or every user who's not the Owner, or in the Group, or every group who is not the Group.

There's a fourth access here: root. Root's the super user, it has full access to everything so there's no need to explicitly include root. The Owner is always a user; it can never be a group. (This is a step backwards in some ways from the older AppleShare permissions, which did allow for group ownership of a file.) The Group, (obviously) must always be a group, not a user. Everyone else is just that.

Within this access structure, there are three things you can do to an object:

  • Read, that is, use the contents of the object in a non-modifying manner, i.e. viewing and printing

  • Write, which lets you modify the object and/or its contents, so you can erase the contents of the object, delete the object, etc.

  • Execute, which is what allows you to run a program, list the contents of a directory.

Everything you do with a File System (FS) object in Mac OS X is based on those nine bullets. It's fairly simple, although there are things that will catch you off guard. For example, if you own a file, but that file is in a directory that you don't have write access for, you can erase the contents of that file, but you can't delete the file itself.

Sometimes simple is bad

Now, for a long time, this was all you needed. Access was simple, and could be simply controlled. But in a modern computing environment, these simple permissions fall down. For example, you can have a situation with different groups needing different access to a single directory and its files. The obvious solution is to put each group's files in a different directory, but then you could have some files needing to be seen by both groups. You can put people into different groups, but then you have to create another group with more restrictive permissions. In a large company, you can easily hit the Mac OS X limit of 16 groups per user in this kind of situation.

For example: You have an accounting group with its own directory on a server.

  • The head of accounting needs unrestricted access to every object in that directory, and unrestricted control over the directory.

  • The accounting managers need to be able to modify the contents of a directory, but not change permissions

  • The IS group needs full control

  • The accountants need to be able to modify files, add files, but not delete

  • Non - accounting department heads need to be able to read and list specific files, but not modify them in any way

  • Everyone else has no access at all to the directory

Now, you could make the head accountant the owner, he's set. IS can always use root (if all of them have that) or sudo to bypass permissions. You can set everyone to 000. So far we have rwx???---, because we haven't decided groups. Here's where Unix permissions fail. We have three groups now that we have to deal with:

  • Accountants

  • Accounting managers

  • Department heads

We could make the group set for accounting managers, and now the directory is rwxrwx---, and put all three groups into a new group. Wait. We don't want department heads to have write/delete. Okay, put them into everyone. Wait, we don't want everyone to see inside the directory. The problem is, you have two groups that need rwx, and one that needs r-x. But within the first two groups, you don't want one to be able to delete files. Okay, set the sticky bit. but now, the group that DOES have to be able to delete can't, because the sticky bit means that only the head of accounting can delete files. So now he's doing the job of the accounting managers. Unix permissions are too simplistic to handle this, and this is not a terribly complex situation. If you are talking about a very large company, this scenario can get much worse.

Sometimes, complex is good

However, a decent set of ACLs can make this really simple. For our example, since we don't know how Apple is implementing ACLs in Tiger, and even if we did, we couldn't talk about it, we'll use the ACL implementation from the OpenAFS project, (http://www.openafs.org/). AFS is the acronym for the Andrew File System, an open - source distributed file system that can run on Mac OS X along with almost every other modern OS. While AFS can easily emulate Unix file permissions, it has a much richer native set of permissions:

  • r read the contents of files in the directory

  • l list the names of files in the directory

  • i insert files into the directory

  • d delete files from the directory

  • w write (or modify) files into the directory

  • k lock (or modify the write-mode bit) of files in the directory

  • a administer or change the acl of the directory

Note how the permissions, while more complex than standard Unix permissions, give you finer control. For example, adding a file to a directory is not the same as having write access to a directory. Deleting is its own permission, as is administering the ACLs of a directory. This is not the richest model of ACLs in use by any means. Both Novell and Windows have far richer ACL models, but this one is good as an example, and runs on many more environments than Novell or Windows do.

So let's revisit our accounting example, but with our new ACL goodness at our disposal:

  • The head accountant is the owner still, and as such, he gets: rlidwka He can do anything, including modify the rights of others needing access. Cool.

  • The IS group gets: rlidwka. Cool, they have the access they need.

  • The accounting managers get: rlidwk. They can modify files as needed, but they can't change anyone's permissions in the directory. Cool.

  • The accountants get: rliw. They can do their work, and add new files as needed, but they cannot delete files, lock files, or change permissions. Cool

  • The department heads get: rl. They can see and view the files, but not modify them or the directory.

No one else has any rights; the directory is a black box to them. IS has the access it needs without needing sudo, or root access. If we had very strict security needs, (Sarb-Ox or HIPAA anyone?), we could set it up so that IS could manage ACLs for a directory full of files they could see, but not read. You could even set it up so they could run a directory they couldn't read at all. (Yes, obviously if they can manage ACLs, there's a fast bypass of ACL limitations, but the point is, you have more flexibility with ACLs.)

Another advantage that ACLs give us is individual user permissions outside of groups. So you can have multiple users with different access to a file system object. So you can easily assign new groups or new users permissions without having to modify the user and group organization of your network setup. You do have to be more careful with ACLs than Unix permissions, because if you aren't, it's really easy to give someone, or a group a lot more access than you thought you were.

We also don't know how various commands are going to be changed, or what new ones will be introduced to deal with the new permissions structures. But in the end, we're going to get a lot more benefit from ACLs than pain.

Conclusion

This is a bit of a quickie look at ACLs, but it should give you an idea of the kind of power that ACLs give you. Since ACLs are going to be implemented throughout Mac OS X, they should also finally give you the same permissions in the Finder as you have at the command line, unlike the current situation. With the way modern networking environments are becoming more complex, even k-12, Mac OS X needed a more flexible permissions structure, and ACLs are the best way to get there.

Bibliography and References

http://web.mit.edu/answers/unix/unix_chmod.html

http://www.apple.com/macosx/tiger/unix.html


John Welch <jwelch@provar.com> is an IT Staff Member for Kansas City Life Insurance, a Technical Strategist for Provar, (http://www.provar.com/) and the Chief Know-It-All for TackyShirt, (http://www.tackyshirt.com/. He has over fifteen years of experience at making Macs work with other computer systems. John specializes in figuring out ways in which to make the Mac do what nobody thinks it can, showing that the Mac is a superior administrative platform, and teaching others how to use it in interesting, if sometimes frightening ways. He also does things that don't involve computertry on occasion, or at least that's the rumor.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Tidy Up 5.3.7 - Find duplicate files and...
Tidy Up is a full-featured duplicate finder and disk-tidiness utility. Features: Supports Lightroom: it is now possible to search and collect duplicates directly in the Lightroom library. Multiple... Read more
Pinegrow 5.97 - Mockup and design web pa...
Pinegrow (was Pinegrow Web Designer) is desktop app that lets you mockup and design webpages faster with multi-page editing, CSS and LESS styling, and smart components for Bootstrap, Foundation,... Read more
BlueStacks 4.210.0 - Run Android applica...
BlueStacks App Player lets you run your Android apps fast and fullscreen on your Mac. Feature comparison chart How to install Bluestacks on your Mac Go to MacUpdate and click the green "Download"... Read more
WhatsApp 2.2027.10 - Desktop client for...
WhatsApp is the desktop client for WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for... Read more
Art Text 4.0.1 - $29.99
Art Text is graphic design software specifically tuned for lettering, typography, text mockups and various artistic text effects. Supplied with a great variety of ready to use styles and materials,... Read more
Adobe Dreamweaver CC 2020 20.2 - Build w...
Dreamweaver CC 2020 is available as part of Adobe Creative Cloud for as little as $20.99/month (or $9.99/month if you're a previous Dreamweaver customer). Adobe Dreamweaver CC 2020 allows you to... Read more
Adobe Acrobat DC 20.009.20074 - Powerful...
Acrobat DC is available only as a part of Adobe Creative Cloud, and can only be installed and/or updated through Adobe's Creative Cloud app. Adobe Acrobat DC with Adobe Document Cloud services is... Read more
beaTunes 5.2.10 - Organize your music co...
beaTunes is a full-featured music player and organizational tool for music collections. How well organized is your music library? Are your artists always spelled the same way? Any R.E.M. vs REM?... Read more
DiskCatalogMaker 8.1.5 - Catalog your di...
DiskCatalogMaker is a simple disk management tool which catalogs disks. Simple, light-weight, and fast Finder-like intuitive look and feel Super-fast search algorithm Can compress catalog data for... Read more
Meteorologist 3.4.1 - Popular weather ap...
Meteorologist is a simple interface to weather provided by weather.com. It provides the ability to show the weather in the main menu bar, displaying more detail in a pop-up menu, whose contents are... Read more

Latest Forum Discussions

See All

Steam Link Spotlight - Disco Elysium
Steam Link Spotlight is a feature where we look at PC games that play exceptionally well using the Steam Link app. Our last entry was Signs of the Sojourner Read about how it plays using Steam Link over here. | Read more »
Distract Yourself With These Great Mobil...
There’s a lot going on right now, and I don’t really feel like trying to write some kind of pithy intro for it. All I’ll say is lots of people have been coming together and helping each other in small ways, and I’m choosing to focus on that as I... | Read more »
Pokemon Go's July Community Day wil...
Pokemon Go developers have announced the details concerning the upcoming Gastly Community Day. This particular event was selected by the players of the game after the Gas Pokemon came in second place after a poll that decided which Pokemon would... | Read more »
Clash Royale: The Road to Legendary Aren...
Supercell recently celebrated its 10th anniversary and their best title, Clash Royale, is as good as it's ever been. Even for lapsed players, returning to the game is as easy as can be. If you want to join us in picking the game back up, we've put... | Read more »
Detective Di is a point-and-click murder...
Detective Di is a point-and-click murder mystery set in Tang Dynasty-era China. You'll take on the role of China's best-known investigator, Di Renjie, as he solves a series of grisly murders that will ultimately lead him on a collision course with... | Read more »
Dissidia Final Fantasy Opera Omnia is se...
Dissidia Final Fantasy Opera Omnia, one of Square Enix's many popular mobile RPGs, has announced a plethora of in-game events that are set to take place over the summer. This will include several rewards, Free Multi Draws and more. [Read more] | Read more »
Sphaze is a neat-looking puzzler where y...
Sphaze is a neat-looking puzzler where you'll work to guide robots through increasingly elaborate mazes. It's set in a visually distinct world that's equal parts fantasy and sci-fi, and it's finally launched today for iOS and Android devices. [... | Read more »
Apple Arcade is in trouble
Yesterday, Bloomberg reported that Apple is disappointed in the performance of Apple Arcade and will be shifting their approach to the service by focusing on games that can retain subscribers and canceling other upcoming releases that don't fit... | Read more »
Pixel Petz, an inventive platform for de...
Pixel Petz has built up a sizeable player base thanks to its layered, easy-to-understand creative tools and friendly social experience. It revolves around designing, trading, and playing with a unique collection of pixel art pets, and it's out now... | Read more »
The King of Fighters Allstar's late...
The King of Fighters ALLSTAR, Netmarble's popular action RPG, has once again been updated with a plethora of new content. This includes battle cards, events and 21 new fighters, which increases the already sizeable roster even more. [Read more] | Read more »

Price Scanner via MacPrices.net

Clearance 2019 13″ 2.4GHz/256GB MacBook Pro o...
B&H Photo has dropped their price on the clearance 2019 13″ 2.4GHz/256GB Quad-Core Silver MacBook Pro by $500 off Apple’s original MSRP to a new low of only $1299. Expedited shipping is free to... Read more
$219 Apple AirPods Pro are back at Verizon, s...
Verizon has Apple AirPods Pro on sale again for a limited time for $219.99 on their online store. Their price is $30 off Apple’s MSRP, and it’s the lowest price we’ve seen for AirPods Pro. Available... Read more
Apple’s $779 13″ MacBook Air deal returns to...
Apple has clearance, Certified Refurbished, 2019 13″ MacBook Airs available again starting at $779. Each MacBook features a new outer case, comes with a standard Apple one-year warranty, and is... Read more
$200 13″ MacBook Pro discounts are back at Am...
Amazon has 2020 13″ 2.0GHz MacBook Pros on sale again today for $150-$200 off Apple’s MSRP. Shipping is free. Be sure to purchase the MacBook Pro from Amazon, rather than a third-party seller, and... Read more
Deal Alert! Apple AirPods with Wireless Charg...
Sams Club has Apple AirPods with Wireless Charging Case on sale on their online store for only $149.98 from July 6, 2020 to July 9, 2020. Their price is $50 off Apple’s MSRP, and it’s the lowest... Read more
Xfinity Mobile promo: Apple iPhone XS models...
Take $300 off the purchase of any Apple iPhone XS model at Xfinity Mobile while supplies last. Service plan required: – 64GB iPhone XS: $599.99 save $300 – 256GB iPhone XS: $749.99 save $300 – 512GB... Read more
New July 2020 promo at US Cellular: Switch an...
US Cellular has introduced a new July 2020 deal offering free 64GB Apple iPhone 11 smartphones to customers opening a new line of service. No trade-in required, and discounts are applied via monthly... Read more
Apple offers up to $400 Education discount on...
Apple has launched their Back to School promotion for 2020. They will include one free pair Apple AirPods (with charging case) with the purchase of a MacBook Air, MacBook Pro, iMac, or iMac Pro (Mac... Read more
July 4th Sale: Woot offers wide range of Macs...
Amazon-owned Woot is blowing out a wide range of Apple Macs and iPads for July 4th staring at $279 and ranging up to just over $1000. Models vary from older iPads and 11″ MacBook Airs to some newer... Read more
Apple Pro Display XDR with Nano-Texture Glass...
Abt Electronics has Apple’s new 32″ Pro Display XDR model with the nano-texture glass in stock and on sale today for up to $144 off MSRP. Shipping is free: – Pro Display XDR (nano-texture glass): $... Read more

Jobs Board

Physical Therapist Assistant - *Apple* Hill...
Physical Therapist Assistant - Apple Hill Rehab - Full Time Tracking Code 62519 Job Description General Summary: Under the direct supervision of a licensed Physical Read more
Operating Room Assistant, *Apple* Hill Surg...
Operating Room Assistant, Apple Hill Surgical Center - Full Time, Day Shift, Monday - Saturday availability required Tracking Code 62363 Job Description Operating Read more
Perioperative RN - ( *Apple* Hill Surgical C...
Perioperative RN - ( Apple Hill Surgical Center) Tracking Code 60593 Job Description Monday - Friday - Full Time Days Possible Saturdays General Summary: Under the Read more
Product Manager, *Apple* Commercial Sales -...
Product Manager, Apple Commercial Sales Austin, TX, US Requisition Number:77652 As an Apple Product Manager for the Commercial Sales team at Insight, you Read more
*Apple* Mac Product Engineer - Barclays (Uni...
Apple Mac EngineerWhippany, NJ Support the development and delivery of solutions, products, and capabilities into the Barclays environment working across technical Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.