OS X Access Control List

A few weeks ago I set up a shared folder on my Mac to share over the LAN with my sister's MacBook. I followed this Apple guide (PH21810). I also created a new user account on my Mac. It is for accessing shared folders and means I don't have to grant read permission to everyone. I used another guide (PH18891) to accomplish this.

Things went smoothly. She could access the shared folder and browse and read the files and sub-folders inside. The only problem was that she could neither delete nor create any files.

I then followed another Apple guide (PH18894) and applied proper permissions. Sadly, this only helped with files and sub-folders that already existed. If I created a new file, the permissions I had set for the parent, the shared folder, were not inherited by the new file.

My journey reached a point where I felt I was missing something significant. Here comes the access control list. ACLs are an extension to the classic Unix permissions. Two ACL attributes in OS X, file_inherit and directory_inherit, solved my last problem.

I launched Terminal, issued the following command:

iMac:~ Stephen$ chmod +a "user:FamilyShareAcct allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Volumes/WD/shared_folder

Since I also wanted to apply the new permission to existing files, I added -R before +a in the above command. This option means do it recursively on all files and sub-folders under /Volumes/WD/shared_folder.
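To check which folders actually carry the two inheritance flags, the sketch below scans ls -le output and reports every directory ACL entry that lacks file_inherit or directory_inherit. It is an added example, not part of the original post; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: flag directory ACL entries that lack the inheritance flags.
# Reads ls -le style text on stdin; assumes paths and principals contain no spaces.
acl_missing_inherit() {
  awk '
    # ACL entry line, e.g. " 0: user:Name [inherited] allow perm,perm,..."
    $1 ~ /^[0-9]+:$/ {
      if (!is_dir) next              # inheritance flags only matter on folders
      perms = "," $NF ","            # wrap so whole names match, not substrings
      missing = ""
      if (index(perms, ",file_inherit,") == 0) { missing = "file_inherit" }
      if (index(perms, ",directory_inherit,") == 0) {
        missing = missing (missing == "" ? "" : ",") "directory_inherit"
      }
      if (missing != "") {
        printf "%s %s %s %s missing=%s\n", path, $1, $2, $(NF-1), missing
      }
      next
    }
    # Any other line is an entry header: mode string first, path last.
    { is_dir = (substr($1, 1, 1) == "d"); path = $NF }
  '
}

# Constructed sample of ls -led output (not captured from a real system).
sample_listing() {
  cat <<'EOF'
drwxr-xr-x+ 5 Stephen  staff  170 Jan  1 12:00 /Volumes/WD/shared_folder
 0: user:FamilyShareAcct allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+ 2 Stephen  staff  68 Jan  1 12:00 /Volumes/WD/shared_folder/photos
 0: user:FamilyShareAcct allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxr-xr-x+ 2 Stephen  staff  68 Jan  1 12:00 /Volumes/WD/shared_folder/docs
 0: user:FamilyShareAcct allow list,add_file,search,file_inherit
-rw-r--r--+ 1 Stephen  staff  0 Jan  1 12:00 /Volumes/WD/shared_folder/notes.txt
 0: user:FamilyShareAcct inherited allow read,write
EOF
}

sample_listing | acl_missing_inherit
# On a Mac: ls -led /Volumes/WD/shared_folder /Volumes/WD/shared_folder/*/ | acl_missing_inherit
```

Files are skipped on purpose: an entry on a plain file has nothing to pass on, so only folders are reported.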

More details of the OS X implementation of ACLs can be found in the Apple Developer Library.

I also found chmod -R -N handy. I made a couple of mistakes in the beginning and used this command to clear all ACLs by issuing:

iMac:~ Stephen$ chmod -R -N /Volumes/WD/shared_folder

Apple added ACL operations to chmod. This practice apparently is not shared by other Unix-like systems. Both Linux and FreeBSD followed the withdrawn POSIX ACL standard and implemented ACL operations in the pair setfacl and getfacl.

If you know a trick for using ACLs, I would like to hear it.
