Mac® Security Bible by Joe Kissell

3.8. Using Access Control Lists

The POSIX division of permissions into those for owner, group, and others works well in many cases, but it doesn't provide the sort of fine-grained control you may need in certain situations.

For example, suppose you want to assign permissions to a certain file as follows:

  • Bob, the owner, can read, write, and execute it. (So far, so good: -rwx------ bob.)

  • The group bcd, consisting of Bob, Cindy, and Dale, can read it but not change it. (Still possible with regular permissions: -rwxr----- bob bcd.)

  • Only Evelyn, Fran, or Gil can delete the file. (Whoops — no way to express that using POSIX permissions, at least while keeping the previous settings.)

  • The group consisting of Henry, Ilya, and Joachim can read the file and append information to the end but not change any other parts of the file. (This enters territory that POSIX permissions can't even touch.)

Luckily, Leopard and Snow Leopard have an additional mechanism for specifying detailed permissions that covers all these cases and goes far beyond them. This mechanism is called an access control list, or ACL.

3.8.1. What's an access control list?

At the risk of stating the obvious, an ACL is a list — associated with a given file, folder, or volume — that specifies which users can access it and in what ways. The ACL is normally invisible, and in fact, Leopard and Snow Leopard don't provide any convenient way to see or modify the contents of an ACL without using Terminal. But once you know what to look for and ...
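The four requirements from the list above, expressed as macOS ACL entries in the syntax that the Leopard/Snow Leopard chmod(1) command accepts with its +a flag. This is an added example, not code from the book; the lowercase usernames (bob, evelyn, fran, gil) and the group names bcd and hij are assumptions.

```shell
#!/bin/sh
# Build and apply the ACL for the scenario in section 3.8.
# Constructed example; usernames and the groups bcd/hij are assumed.

ace() {
  # ace TYPE NAME allow|deny RIGHTS -> one chmod(1) ACL entry string,
  # e.g. "user:bob allow read,write,execute"
  printf '%s:%s %s %s\n' "$1" "$2" "$3" "$4"
}

policy_for_file() {
  # Emit the entries one per line, in the order they will be evaluated.
  ace user bob allow read,write,execute     # owner: full access
  ace group bcd allow read                  # Bob, Cindy, Dale: read only
  for u in evelyn fran gil; do              # only these three may delete
    ace user "$u" allow delete
  done
  ace group hij allow read,append           # Henry, Ilya, Joachim: read + append,
                                            # but no "write", so no other changes
}

apply_policy() {
  # apply_policy FILE: set the POSIX mode from the text (-rwxr----- bob bcd),
  # then add each ACL entry with chmod +a. Requires macOS; the ACL entries
  # sit in front of the POSIX bits and are checked first.
  f=$1
  chgrp bcd "$f" && chmod 0740 "$f" || return 1
  policy_for_file | while IFS= read -r entry; do
    chmod +a "$entry" "$f" || exit 1
  done || return 1
  ls -le "$f"                               # -e lists the ACL under the file
}
```

Because ACL entries only add to what the POSIX mode already grants, "only Evelyn, Fran, or Gil can delete" also depends on nobody else holding write permission on the enclosing folder; a deny entry (for example `ace user bob deny delete`) placed before the allow entries is the usual way to close that gap.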