3.8. Using Access Control Lists

The POSIX division of permissions into those for owner, group, and others works well in many cases, but it doesn't provide the sort of fine-grained control you may need in certain situations.

For example, suppose you want to assign permissions to a certain file as follows:

  • Bob, the owner, can read, write, and execute it. (So far, so good: -rwx------ bob.)

  • The group bcd, consisting of Bob, Cindy, and Dale, can read it but not change it. (Still possible with regular permissions: -rwxr----- bob bcd.)

  • Only Evelyn, Fran, or Gil can delete the file. (Whoops — no way to express that using POSIX permissions, at least while keeping the previous settings.)

  • The group consisting of Henry, Ilya, and Joachim can read the file and append information to the end but not change any other parts of the file. (This enters territory that POSIX permissions can't even touch.)

Luckily, Leopard and Snow Leopard have an additional mechanism for specifying detailed permissions that cover all these cases and go far beyond. This mechanism is called an access control list, or ACL.
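The four requirements above, expressed as ACL entries with the `chmod +a` syntax that Terminal accepts on Leopard and Snow Leopard. This is an added example, not code from the book: the user name bob, the groups bcd and hij (hij is an assumed name for the Henry/Ilya/Joachim group), the users evelyn, fran and gil, and the file path are all assumptions. The script prints the commands for review and only runs them on macOS, where chmod understands `+a`.

```sh
#!/bin/sh
# Added example (not from the book): translate the four requirements into
# macOS ACL entries using chmod +a. User names (bob, evelyn, fran, gil) and
# group names (bcd, hij) are assumed to exist; the file path is a placeholder.

# acl_entry USER_OR_GROUP NAME RIGHTS -> one chmod +a argument string
acl_entry() {
    printf '%s:%s allow %s\n' "$1" "$2" "$3"
}

# acl_plan FILE -> prints the commands that implement the scenario, in order
acl_plan() {
    f=$1
    # Plain POSIX part first: owner bob rwx, group bcd read-only, others nothing
    echo "chown bob:bcd '$f'"
    echo "chmod 740 '$f'"
    # Only Evelyn, Fran and Gil may delete the file: the "delete" right
    # attaches to the file itself, which POSIX bits cannot express
    for u in evelyn fran gil; do
        echo "chmod +a '$(acl_entry user "$u" delete)' '$f'"
    done
    # Group hij may read and append, but gets no "write" right, so it
    # cannot rewrite existing contents
    echo "chmod +a '$(acl_entry group hij 'read,append')' '$f'"
    # Inspect the result: ls -l with -e shows the ACL entries below the mode
    echo "ls -le '$f'"
}

# acl_apply FILE runs the plan, but only where chmod supports the +a syntax
acl_apply() {
    if [ "$(uname -s)" != Darwin ]; then
        echo "ACL syntax is macOS-specific; printing plan only" >&2
        acl_plan "$1"
        return 1
    fi
    acl_plan "$1" | sh -e
}

acl_plan '/path/to/report.txt'
```

Two things to check after applying it: `ls -le` should list the entries in the order given, since macOS evaluates ACL entries top to bottom; and the parent folder's own permissions must not grant write (the POSIX equivalent of the `delete_child` right) to anyone else, or those users could still remove the file regardless of its ACL.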

3.8.1. What's an access control list?

At the risk of stating the obvious, an ACL is a list — associated with a given file, folder, or volume — that specifies which users can access it and in what ways. The ACL is normally invisible, and in fact, Leopard and Snow Leopard don't provide any convenient way to see or modify the contents of an ACL without using Terminal. But once you know what to look for and ...
