APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

OS X ACL usage


© May 2019 Anthony Lawrence

Starting with 10.4, Mac OS X has ACLs. The "chmod" man page tells you about their usage, but it leaves a little bit out and isn't all that helpful.

If you landed here searching for a basic introduction to OS X permissions, I recommend Brian Tanaka's Take Control of Permissions in Mac OS X, a $10 PDF E-book that will teach you the basics. The article you are reading here is a bit more advanced.

You need to turn on ACLs before you can use them. To enable them on the root filesystem, I'd do:

sudo fsaclctl -p / -e

The "-e" enables ACL use, "-d" disables. No reboot required; the change is instantaneous (the man page says you need to reboot or remount).

Note: this command disappeared after 10.5. I assume it is no longer needed; ACLs seem to be enabled by default.

ACLs are listed by adding "-e" to a long "ls" listing:

ls -le

You'll notice nothing different about the output unless you had ACLs enabled previously. However, there is a little oddity there: if a file EVER had an ACL, and its entries were later deleted (see below), a "+" sign will still appear in the "ls -le" listing:

$ ls -le
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo

Turning ACLs off with fsaclctl does not delete them; it just makes them temporarily invisible and ineffective:


$ sudo fsaclctl -p / -d
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- 1 apl apl 900 Feb 28 07:34 s
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
$ sudo fsaclctl -p / -e
$ ls -le
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
  0: group:admin allow write
  1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat

In the above listing, "s" has two ACL entries, and "foo" has none (but "foo" had one or more entries sometime in the past).

You apply ACL entries using extended chmod modes:

$ chmod +a "tony allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: user:tony allow delete

The format is always: user or group, then allow or deny, then the permission (or a comma-separated list of permissions). Where a user and a group share a name, write "user:tony" or "group:admin" to say which you mean. By default, entries accumulate as you apply them:

$ chmod +a "admin allow delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: group:admin allow delete
  1: user:tony allow delete

Notice that the new rule became rule #0? You can control the positioning with "+a#":


$ chmod +a# 1 "admin deny delete" foo
$ ls -lde foo
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
  0: group:admin allow delete
  1: group:admin deny delete
  2: user:tony allow delete

That pushed our new rule in between 0 and 1, and it also shows why we'd need or want to do that: which rule matters now? We say in 0 that an admin can delete the file, and in 1 that we deny that ability. Which takes precedence?

Order matters, so be careful here. Entries are evaluated from 0 upward: an "allow" entry grants the rights it names and evaluation continues until every requested right has been granted, while a "deny" entry that covers a right still being requested stops evaluation immediately and the access fails. Rights that no entry grants or denies fall through to the ordinary mode bits. Denies are not magic; they normally win because chmod's canonical ordering puts them first (explicit deny, explicit allow, inherited deny, inherited allow), and a plain "+a" inserts a new entry in that canonical spot. "+a#" lets you break that ordering, as we just did: in the list above the allow in rule 0 is reached first, so an admin can still delete. If you want the deny to win, let "+a" place it, or put it at position 0 yourself.
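Two things the listings above leave to the reader: scripting over "ls -le" output, and what the ordered entry list actually means at evaluation time. The Python below is an added example, not code from the article. It parses the listing shown earlier (pasted here as a constructed string), then evaluates the three-entry ACL built on "foo" with "+a# 1" both as listed and after re-sorting it into canonical order. The evaluation rules it encodes are my reading of the chmod man page: walk entries in order, an allow removes the rights it names from the set still being sought, a deny that covers any right still being sought ends evaluation with a denial, and anything left over is deferred to the mode bits. "group:everyone" is treated as matching every principal.

```python
"""Added example (not from the article): parse `ls -le` output and
evaluate a macOS-style ACL entry list in order.

Assumptions, labelled: the evaluation rules below are my reading of the
chmod(1) description, not kernel code. Entries are walked in order; an
allow grants the rights it names, a deny covering any right still being
sought stops evaluation with a denial, and whatever is left over when
the list runs out is deferred to the plain mode bits.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Ace:
    kind: str               # "user" or "group"
    name: str
    allow: bool             # True for allow, False for deny
    perms: frozenset        # rights named on the entry, e.g. {"delete", "write"}
    inherited: bool = False


@dataclass
class Listing:
    mode: str
    owner: str
    group: str
    path: str
    has_acl_marker: bool    # the "+" ls prints for a file that ever had an ACL
    aces: list = field(default_factory=list)


# `drwx------+ 131 apl apl 4454 Mar 5 21:50 Documents`  or  `-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s`
FILE_RE = re.compile(
    r"^([-dlbcps][rwxsStT-]{9})([+@])?\s+(\+\s+)?(\d+)\s+(\S+)\s+(\S+)\s+(\d+)"
    r"\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(.+)$")
# `  1: user:tony inherited allow write`  (names may contain spaces, so match lazily)
ACE_RE = re.compile(
    r"^\s*(\d+):\s+(user|group):(.+?)\s+(inherited\s+)?(allow|deny)\s+(\S+)$")


def parse_ls_le(text):
    """Turn `ls -le` output into Listing records; ACE lines attach to the file above them."""
    records = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            mode, attached, detached, _, owner, group, _, path = m.groups()
            records.append(Listing(mode, owner, group, path,
                                   attached == "+" or detached is not None))
            continue
        m = ACE_RE.match(line)
        if m and records:
            _, kind, name, inh, verb, perms = m.groups()
            records[-1].aces.append(Ace(kind, name, verb == "allow",
                                        frozenset(perms.split(",")), inh is not None))
    return records


def evaluate(aces, user, groups, wanted):
    """Return 'allow', 'deny' or 'defer' for `user` (member of `groups`) requesting `wanted`."""
    needed = set(wanted)
    principals = set(groups) | {"everyone"}
    for ace in aces:
        if not needed:
            break
        applies = (ace.kind == "user" and ace.name == user) or \
                  (ace.kind == "group" and ace.name in principals)
        if not applies:
            continue
        if ace.allow:
            needed -= ace.perms
        elif needed & ace.perms:
            return "deny"       # a deny short-circuits, but only once it is reached
    return "allow" if not needed else "defer"


def canonical(aces):
    """Reorder as `chmod +a` would: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


# Constructed sample: the article's listing after re-enabling ACLs.
SAMPLE = """\
total 32
-rwxr-xr-x 1 apl apl 3740 Feb 28 07:34 dstate.pl
drwxr-xr-x + 2 apl apl 68 Jul 19 18:32 foo
-rw-r--r-- + 1 apl apl 900 Feb 28 07:34 s
  0: group:admin allow write
  1: user:tony inherited allow write
-rw-r--r-- 1 apl apl 4662 Feb 28 07:34 time.dat
"""

# The non-canonical ACL the article built on foo with +a# 1.
FOO_ACL = [Ace("group", "admin", True, frozenset({"delete"})),
           Ace("group", "admin", False, frozenset({"delete"})),
           Ace("user", "tony", True, frozenset({"delete"}))]

if __name__ == "__main__":
    for rec in parse_ls_le(SAMPLE):
        print(f"{rec.path:10} marker={rec.has_acl_marker} entries={len(rec.aces)}")
    print("admin, as listed:  ", evaluate(FOO_ACL, "alice", {"admin"}, {"delete"}))
    print("admin, canonical:  ", evaluate(canonical(FOO_ACL), "alice", {"admin"}, {"delete"}))
    print("tony, read+delete: ", evaluate(FOO_ACL, "tony", set(), {"read", "delete"}))
```

Run it and the "as listed" case comes back "allow" while the canonical ordering comes back "deny", which is the whole reason the man page warns that "+a#" can build non-canonical lists. The "defer" result for tony asking for read and delete is the case where the ACL did not settle the question and the mode bits decide.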

Deleting entries is easy, by position:

$ chmod -a# 2 foo
$ chmod -a# 1 foo
$ chmod -a# 0 foo

Because the remaining entries move up as each one is deleted, you could accomplish the same thing with:

$ chmod -a# 0 foo
$ chmod -a# 0 foo
$ chmod -a# 0 foo

Inheritance entries can be added to directories:

$ chmod +a "admin allow delete,file_inherit,directory_inherit" foo

Any NEW files or directories we create in foo will inherit the entry "admin allow delete" (it shows up as "inherited" in "ls -le"). Directories created in foo will also inherit the inheritance flags and will pass the entry on to their own files and directories. We may not want that, so we can instead say:

$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit" foo

That applies "admin allow delete" to files and directories created directly in "foo", but the copy a subdirectory receives has its inheritance flags stripped, so it goes no further down. There's one more inheritance flag that is useful:

$ chmod +a "admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit" foo

The "only_inherit" flag keeps the entry from applying to "foo" itself; it exists only to be handed to new children. Note that inheritance happens at creation time: files that already exist in "foo" are not touched, so if you want them covered you must apply the entry to them yourself.
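The three forms above are easiest to compare side by side. The Python below is an added example, not code from the article: it parses the "chmod +a" argument form the text uses, then simulates what "foo" itself, a new file in "foo", a new subdirectory "foo/sub", and a new file inside that subdirectory each end up with. The rules it encodes are my reading of the chmod man page: "file_inherit" and "directory_inherit" select which kinds of child receive the entry; the copy a child gets is marked "inherited"; a file's copy carries no inheritance flags; a subdirectory's copy drops "only_inherit" (so it applies to that subdirectory) and keeps propagating unless "limit_inherit" was set, which strips every inheritance flag from the copy; and "only_inherit" entries are skipped when the directory's own ACL is evaluated. The definitive check is still to create a file and a subdirectory under a scratch directory and look at them with "ls -le".

```python
"""Added example (not from the article): simulate what a new file or
subdirectory inherits from a directory's ACL, for the three chmod +a
inheritance forms the article walks through.

Assumptions, labelled: this models the documented macOS behaviour as I
read it, not kernel code. See the lead-in for the rules encoded here.
"""
import re
from dataclasses import dataclass, replace

INHERIT_FLAGS = frozenset({"file_inherit", "directory_inherit",
                           "limit_inherit", "only_inherit"})
# `[user:|group:]name allow|deny word[,word...]`, the form the article uses
SPEC_RE = re.compile(r"^(?:(user|group):)?(\S+)\s+(allow|deny)\s+(\S+)$")


@dataclass(frozen=True)
class Ace:
    name: str
    allow: bool
    perms: frozenset        # access rights, e.g. {"delete"}
    flags: frozenset        # inheritance control words
    inherited: bool = False

    def __str__(self):
        words = sorted(self.perms) + sorted(self.flags)
        inh = "inherited " if self.inherited else ""
        return f"{self.name} {inh}{'allow' if self.allow else 'deny'} {','.join(words)}"


def parse_spec(spec):
    """Parse one `chmod +a` argument into an Ace, separating rights from inheritance flags."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad ACL spec: {spec!r}")
    _, name, verb, words = m.groups()
    words = set(words.split(","))
    return Ace(name, verb == "allow",
               frozenset(words - INHERIT_FLAGS), frozenset(words & INHERIT_FLAGS))


def effective(acl):
    """Entries that apply to the directory itself: only_inherit entries are skipped."""
    return [a for a in acl if "only_inherit" not in a.flags]


def inherit(acl, child_is_dir):
    """ACL a newly created child receives from its parent directory's ACL."""
    out = []
    for ace in acl:
        if child_is_dir:
            if "directory_inherit" not in ace.flags:
                continue
            flags = ace.flags - {"only_inherit"}   # the copy applies to the subdirectory
            if "limit_inherit" in flags:
                flags = frozenset()                # stops here: the copy will not propagate
        else:
            if "file_inherit" not in ace.flags:
                continue
            flags = frozenset()                    # files never carry inheritance flags
        out.append(replace(ace, flags=flags, inherited=True))
    return out


def walk(spec):
    """Apply one spec to an empty directory foo; report foo, foo/file, foo/sub and foo/sub/file."""
    foo = [parse_spec(spec)]
    sub = inherit(foo, True)
    return {
        "foo":          [str(a) for a in effective(foo)],
        "foo/file":     [str(a) for a in inherit(foo, False)],
        "foo/sub":      [str(a) for a in effective(sub)],
        "foo/sub/file": [str(a) for a in inherit(sub, False)],
    }


SPECS = [  # the three forms from the article, in order
    "admin allow delete,file_inherit,directory_inherit",
    "admin allow delete,file_inherit,directory_inherit,limit_inherit",
    "admin allow delete,file_inherit,directory_inherit,limit_inherit,only_inherit",
]

if __name__ == "__main__":
    for spec in SPECS:
        print(f'chmod +a "{spec}" foo')
        for path, entries in walk(spec).items():
            print(f"  {path:13} {entries or '(nothing)'}")
```

With the first form, "foo/sub/file" still gets "admin inherited allow delete"; with "limit_inherit" added it gets nothing, because the copy on "foo/sub" arrived with no inheritance flags; and with "only_inherit" added as well, "foo" itself reports no effective entry while its children are unchanged.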

Read the "chmod" man page for the list of attributes that can be allowed or denied with ACLs.


Got something to add? Send me email.





28 comments



Tue Apr 1 15:14:05 2008: 3929   Mike


Ah! Thank you; I've been tearing my hair out as to why a collection of NFS mount points were mounting and showing correct disk usage info, but couldn't be seen by the users who were supposed to see it. I wasn't aware of having to enable ACLs on the client root FS, and now I am.

Thanks again.



Fri Apr 18 10:41:21 2008: 4060   pmstar


Hello,

I am having trouble with ACLs...I had issues when I was no longer able to rename or move some of my files (in the Documents Folder)...I did solve this, but now I have another problem. A file on my desktop, for some reason, cannot be copied to an external disk. When I perform an ls -ale on the desktop, the file has the same permissions (and no ACLs) as the other files on the desktop (which I can copy), with the only difference that it lacks a "@" at the end of the permissions string.

"-rw-r--r--@" instead of "-rw-r--r-- "

What does the @ stand for and how do I add it?

Many thanks!








Fri Apr 18 11:01:21 2008: 4061   TonyLawrence

The "@" at the end means it has extended attributes. See "man ls"

See "chflags" and "SetFile" (setfile is in Developer tools) also.

But I'm not sure what's stopping you from copying..



Fri Apr 18 11:22:47 2008: 4062   TonyLawrence

Actually, after looking at the man pages and playing a bit, I think the "ls" man page is wrong..

I don't know what the "@" means. I have some files that show that, but I don't know why they are different than ones that do not..

ls -@l

(you have to put the l after the @)

shows stuff like this:

drwxrwxrwx 16 apl apl 544 May 17 2007 Adsense
-rw-r--r-- 1 apl apl 8634 Oct 14 2007 Brewster Line.pdf.zip
drwx------+ 39 apl apl 1326 Apr 17 10:58 Desktop
drwx------+ 15 apl apl 510 Apr 7 17:19 Documents
drwx------@ 57 apl apl 1938 Apr 14 13:58 Downloads
com.apple.FinderInfo 32
-rwxr-xr-x@ 1 apl apl 275 Apr 18 07:15 F
com.apple.quarantine 42
-rw-r--r-- 1 apl apl 1067520 Jan 24 10:53 Fprice.xls
drwx------+ 49 apl apl 1666 Mar 21 09:00 Library
drwx------+ 4 apl apl 136 Mar 21 10:19 Movies
drwx------+ 6 apl apl 204 Dec 14 2006 Music
-rwxr-xr-x@ 1 apl apl 275 Jan 2 2007 PageRank
com.apple.quarantine 42

I'm not sure what that means.. has to do with "xattr" but I haven't investigated that..






Fri Apr 18 11:27:23 2008: 4063   TonyLawrence

Ahh: see this for xattr.

(link)

I knew you could do that but didn't realize Apple was actually using it for anything - apparently they are.



Fri Apr 18 11:35:08 2008: 4064   TonyLawrence

So..

Obviously com.apple.quarantine is for downloaded files - the thing that makes the message pop up when you first try to execute something downloaded.

I don't yet know what com.apple.FinderInfo means.. arstechnica says

"(Interestingly, type and creator codes are already (redundantly?) stored this way in Tiger. Assigning them to a file results in a new extended attribute key, com.apple.FinderInfo, with a value that is the concatenation of the type and creator codes. This is done transparently whenever a type or creator code is assigned to a file.)"

but I'm still unclear WHY some of my files have this.

But your un-copyable file has NO "@", right? So it's nothing to do with this..



Fri Apr 18 12:46:00 2008: 4065   TonyLawrence

Actually, we should start with basics:

Exactly what message do you get when you try to copy?



Tue Jan 27 20:14:08 2009: 5251   SamiGuirguis

chmod -N filename

removes all access lists with one shot.



Tue Jan 27 20:19:10 2009: 5252   TonyLawrence

If I ever knew that, I had forgotten it - thanks!



Mon Mar 16 18:49:59 2009: 5719   billyverde

I get the following error when I try to add an ACL:

"chmod: Unable to translate group:<group_name> to a UID/GID: Invalid argument"

Happens with all groups I've tried - not a matter of a simple typo in the <group_name>. I've verified that they're all valid group names, ACL is enabled, and I have root access. Anybody know what's up with that?



Mon Mar 16 19:11:14 2009: 5720   TonyLawrence

You did "sudo fsaclctl -p / -e ", right?

You are doing something like

chmod +a "admin allow delete" foo ??



I can only get that error if I use a non-existent group or user..

$ chmod +a "nosuchgroup allow delete" foo
chmod: Unable to translate 'nosuchgroup' to a UID/GID







Mon Mar 16 21:14:44 2009: 5721   billyverde

Gah... never mind. Syntax error on my part. I'll go sit in a corner now.



Mon Mar 16 21:18:45 2009: 5722   billyverde

PS. Thanks for the help!



Mon Mar 16 21:29:48 2009: 5723   TonyLawrence

Just curious - what were you typing?



Thu Sep 3 21:02:21 2009: 6846   Roy

in the second sentence you mention that the "chown" man page discusses acl usage - I believe that it is actually in the "chmod" man page...

also looking forward to reading this page carefully, as I've a similar issue to Mike in the first comment, which is that ACLs from my server over NFS mounts are not propagated. Hopefully will learn enough here to remedy.

cheers - Roy



Thu Sep 3 21:05:33 2009: 6847   TonyLawrence

Yes, chmod not chown.







Sun Mar 14 14:50:35 2010: 8215   Bryan

I have two questions.

I need to be able to take ownership of files and directories on my Mac OS X 10.6. I had copied files from an NTFS A.D. domain ACL controlled CIFS\SMB share. Inside OS X I can not take ownership of these CIFS directories, nor add users to it using the GUI/right click/get info/permissions/change them/then apply does not work. I also tried running

>sudo chown -R Bryan /Users/bryan/Documents/

which gives me an operation not permitted error even in bash$

1. I need to strip all CIFS based ACL's
2. Then remove all NFS ACL's, turn them all off or reset them to everyone read write, which is preferable.

Is there a single command to do this locally? Also I need to run this command on an NFS mount point on a NAS qtree directory within a volume top down, doing the same thing, removing all CIFS ACL's from the top most directory down to the last file.

Any help would be appreciated!

Bryan



Sun Mar 14 15:00:53 2010: 8216   TonyLawrence

An NFS mount is its own file system - it has its own semantics and you can't change the underlying system semantics there (nor do you necessarily even have the same access).

On the local files, I'm not sure how you got them over here with ACL's - I suspect there is something more basic here. What does "ls -le" show you?









Sun Mar 14 19:47:59 2010: 8217   Bryan

This is one dir I just created locally:
drwxr-xr-x    2 bryan  staff      68 Mar 14 10:25 logos-test

Here is the a dir I do not have change access to (even though it shows I do).
drwx------   11 bryan  staff     374 Mar 17  2008 Logos


Last login: Sun Mar 14 10:29:15 on ttys000
Bryans-MacBook-Pro:~ bryan$ cd /Users/bryan/Documents
Bryans-MacBook-Pro:NetApp bryan$ ls -le
total 736
drwx------    7 bryan  staff     238 Jul  7  2008 401k
drwxr-xr-x    4 bryan  staff     136 Mar 14  2009 Benifits
drwx------    4 bryan  staff     136 Mar 17  2008 Beta programs
drwxr-xr-x    4 bryan  staff     136 Feb 23 11:04 Blogs
drwx------    5 bryan  staff     170 Mar 17  2008 ClearSpace
drwx------    8 bryan  staff     272 Apr 16  2008 Clients
drwx------    6 bryan  staff     204 Nov  6 15:37 Connected Backups
drwxr-xr-x    4 bryan  staff     136 Nov 25  2008 Design Guidelines
drwx------    5 bryan  staff     170 Mar 17  2008 Discounts
drwx------  127 bryan  staff    4318 Nov  5 10:43 Documentation
drwx------    3 bryan  staff     102 Mar 17  2008 Education
drwx------   28 bryan  staff     952 Mar  4 13:26 Expense Reports
drwx------   11 bryan  staff     374 Mar 17  2008 GoodLink
drwx------    3 bryan  staff     102 Mar 17  2008 HR - Compensation
drwx------    9 bryan  staff     306 Jun  4  2008 HR - Health Insurance
drwx------    9 bryan  staff     306 Mar 17  2008 HR - Insurance & Investment
drwx------    8 bryan  staff     272 Mar 17  2008 HR - New Hire
drwx------    3 bryan  staff     102 Jun 26  2008 Hardware Universe
drwx------    3 bryan  staff     102 Mar 17  2008 HelpDesk
drwx------    9 bryan  staff     306 Aug  2  2008 IM Lists PS SE
-rw-r--r--@   1 bryan  staff       0 Jun  8  2009 Icon?
drwxr-xr-x    4 bryan  staff     136 Dec 23 10:47 Ideas Patent
drwx------    9 bryan  staff     306 Mar 17  2008 Information
drwx------    4 bryan  staff     136 May 27  2008 Interviews
drwx------   10 bryan  staff     340 Apr 22  2008 Licenses
drwx------   11 bryan  staff     374 Mar 17  2008 Logos
drwx------    7 bryan  staff     238 Mar 17  2008 MAN Pages
drwx------   21 bryan  staff     714 Mar 17  2008 Meetings
drwx------    4 bryan  staff     136 May 30  2008 Microsoft Hotfix
drwx------    7 bryan  staff     238 Mar 17  2008 My Drawings
drwx------    7 bryan  staff     238 Mar 17  2008 My Pictures
drwxr-xr-x    6 bryan  staff     204 Nov 18  2008 NEO Training
drwx------    5 bryan  staff     170 Sep 17  2008 Users Group
drwx------    3 bryan  staff     102 Mar 17  2008 OS & Firmware
drwx------    8 bryan  staff     272 Oct 26 09:43 Orders
drwxr-xr-x@   8 bryan  staff     272 Aug  2  2009 Partner Enablement
drwx------@  25 bryan  staff     850 May 19  2009 Portfolio Areas
drwx------   22 bryan  staff     748 Nov  6 15:38 Practice Areas
drwx------    4 bryan  staff     136 Nov 18  2008 Pricing
drwx------    6 bryan  staff     204 Sep  4  2008 Projects
drwx------    6 bryan  staff     204 Aug  7  2008 Publications
drwx------    6 bryan  staff     204 Jul  9  2008 Quotes - SOW - TnM
drwx------    7 bryan  staff     238 Mar 17  2008 Reports
drwx------    7 bryan  staff     238 Dec 11 09:48 Reviews
drwx------    3 bryan  staff     102 Mar 17  2008 Sales Orders
drwx------   11 bryan  staff     374 Jan 11 15:55 Stock & Grants
drwx------    7 bryan  staff     238 Mar 17  2008 Tech OnTap
drwx------   10 bryan  staff     340 Jul 24  2008 Templates
drwx------    3 bryan  staff     102 Jun  8  2009 Tools & Applications
drwx------   12 bryan  staff     408 Nov 25  2008 Training
drwx------    6 bryan  staff     204 Sep  1  2008 Travel
drwx------    2 bryan  staff      68 Mar 17  2008 Web.Dev
drwx------    3 bryan  staff     102 Mar 17  2008 WebEx
-rw-r--r--@   1 bryan  staff  343429 Apr  2  2009 cell march.pdf
drwx------   42 bryan  staff    1428 Mar 27  2009 kb
drwxr-xr-x    2 bryan  staff      68 Mar 14 10:25 logos-test
drwx------   49 bryan  staff    1666 Jul 20  2008 ~ Notes From Outlook.07.20.08 ~
Bryans-MacBook-Pro: bryan$



Sun Mar 14 19:59:20 2010: 8218   TonyLawrence

I really have no idea what you are trying to tell us.

In one place you say you are trying to chown Documents (why, I have no idea) and then it's something about Logos which is in Documents.

Look:

ls -lde Documents
drwx------+ 131 apl apl 4454 Mar 5 21:50 Documents
0: group:everyone deny delete

"apl" is me. I can

sudo chown linda Documents
$ ls -lde Documents
drwx------+ 131 linda apl 4454 Mar 5 21:50 Documents
0: group:everyone deny delete

If you can't do -R, it's because you don't have perms on something IN Documents. Find out what it is and use -e if necessary for acl's.







Wed Jun 9 14:50:02 2010: 8675   LK

I'm running into an interesting problem that I have not yet seen an answer to any where on the web despite several hours of searching.

I'm trying to set up ACE for a folder, let's call it "copywriting", to create folders and files by default as read/write for owner, read/write for group, read for everyone. The problem is that the group name has a space in it ("creative services") and I can't find the correct syntax for making that work.

I was using the command line:

chmod +a "creative services allow list,add_file,search,delete,add_subdirectory,delete_child,file_inherit,directory_inherit,read,write,delete,append,execute" /Volumes/Shared/copywriting

to do this but I always get the "unable to translate creative to a uid/gid" error. I've tried a series of different inputs including slashes (\) and quotations (") but I can't find anything that works.

Do you have any advice for me?



Wed Jun 9 16:02:13 2010: 8676   TonyLawrence

Spaces in a group name are a bad idea.

Did you try

'creative services'

in single quotes within the double quotes?







Wed Jun 9 20:32:44 2010: 8677   LK

I completely agree that spaces in user/group names are a bad idea and I would never set them up that way. This is a problem that I've inherited, however, and short of re-doing the entire groups structure (which would be a massive pain with around 75 different groups), I'm not sure what to do about it.

Yes, I tried both "creative services" and 'creative services' within the original quotes without any luck. Also tried creative\ services with quotes and without both ways. No luck with any of them.



Wed Jun 9 21:37:04 2010: 8678   TonyLawrence

I have no more ideas, sorry. If you do solve it, let us know.



Wed Nov 3 17:29:08 2010: 9095   Marcin

If you have space in user or group you have to use : (colon) as a delimiter between name and permission. That's it.



Tue May 10 16:34:32 2011: 9490   chris

what might be the cause of this error?

chmod: The specified file 'Forms' does not have an ACL in canonical order, please specify a position with +a#

thanks!



Tue May 10 16:43:45 2011: 9491   TonyLawrence

It means the ACL's aren't ordered as they should be. You can still get it in there:

From "man chmod"

The +ai# mode may be used to insert inherited entries at a specific location. Note that these modes allow non-canonical ACL ordering to be constructed.






Thu Aug 11 06:11:17 2011: 9688   AndyCanfield

I would emphasize two points:

1) The entire access list entry has to be in quotes; e.g. 'chmod +a "fred allow delete" FileX'. If you leave out the quotes you get weird error messages.

2) The syntax "user:fred" is accepted; e.g. 'chmod +a "user:fred allow delete" FileX". I don't know if "group:staff" is accepted, but probably is.



