Detailed tutorial on setting ACLs from the command line

[premiermac]

Does anybody know where I can find a detailed tutorial, with examples, on setting ACLs from the command line, including the WGM equivalents? The man page for chown barely touches on the ACLs, and has zero examples for setting them recursively on a sharepoint. Even Mac OS X Server Administration Reference Vol 1 just rehashes the man page.

[Magus255]

The man page in leopard seems to be pretty detailed. I don’t know of any tutorials for ACLs. I have set them up to some extent or another on both tiger and leopard though, so if you have specific questions I might be able to help. There isn’t really that much to them for a tutorial to cover.

[premiermac]

Thanks! For example, I want to apply an ACL to a directory that gives the “allstaff” group R/W permissions. Then I want to propagate that ACL all the way down through all the sub-directories so they all have inherited permissions. I’ve never seen examples of that, and those are likely some of the most common commands used on any server.

[Magus255]

Do you want read write or full control? For either 1 you could use WGM on tiger and take your pick and set it to inherit. Then hit propagate permissions from the little action menu. To do it through the command line it is just chmod like normal only with +a. So an example would be

[code]chmod -R +a “allstaff allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit” “/path/to/folder”[/code]

That would do full control. Then you can just eliminate what you don’t want them to be able to do. So if you don’t want them to be able to add new files then you remove add_file. The different options are in the man page for chmod in leopard and tiger server, not sure about tiger client. That is also for a directory, the options for files are a little bit different, but they are sill applied the same way. The -R options is optional and just makes it recurse though all the files and sub folders like a normal chmod.

You can check the permissions that you set though the command line with ls -le they should also show up in WGM.
And the last thing is you may have worry about is using group:allstaff or user:allstaff instead of just allstaff. If should work fine without the group: or user: as long as you don’t have users and groups with the same name.

[premiermac]

Thanks! Obviously it can be done from GUI. I want to do it from command line. The documentation sucks eggs.

Looks like this is what I want to do since I pretty much never put Full Control on a directory for anybody. [code]chmod -R +a “allstaff allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit” “/path/to/folder”[/code]

[Magus255]

Yeah, looks about right. I was thinking you were doing their home folders which you would want full control for. You may want this but I don’t think you need readsecurity. You can also just check and see what WGM uses when you set it on a file and pretty much copy it.

[Author]

Posts