How to use ACLs to fine tune access permissions

The normal POSIX system of permissions, as shown in the Finder’s Get Info dialog for files and folders, is an effective foundation for security, but is very crude. As far as it goes, every user is categorised as being the owner of an item, a member of the group that owns it, or just another user. Permissions then govern which categories of users can read and write objects.

Access Control Lists (ACLs), introduced in Mac OS X 10.4 and enabled by default in 10.5, give you complete control over exactly who can do what to files and folders, even details such as their own inheritance in objects created within a given folder. Indeed, the control that they provide is so fine that, when overdone, they can make permission controls incomprehensibly complex. But used in moderation they can solve many problems posed by crude POSIX permissions.

One occasionally irritating problem which ACLs can solve is with inheritance of permissions. For example, documents and folders which you create in the Shared folder (/Users/Shared) default to the same permissions as those which you create in your own Documents folder: that is, you (the owner) have read and write access, but others can only read. If you want to share files and folders placed there, this can force you to manually change their permissions so that others can edit them too.

Here you can use ACLs to provide an overriding setting which will allow all users to edit the documents created in the Shared folder, and will ensure that it is inherited by all folders and files created within it. The two tools of choice are TinkerTool System and MacPilot.

Using TinkerTool System

1. Add ACLs. Select the ACL Permissions tool, then drag and drop a folder, such as one in your Shared folder, to the top selector, or click on the … tool to choose one. Click on the + tool to add permissions, then select the Groups tab. Locate (using the Search box if necessary) the Everyone group, which should have an ID of 12.

2. Set ACLs. Double-click the row entry for Everyone which you have just added to the ACL section of the pane to view the complete listing of the settings. You can now customise ACLs that define actions that are allowed, and those that are denied, for each user and group. This provides almost infinite variations in access and control that could become bewildering. In this case, as a minimum, set the folder to Read Attributes, Create Files, Create Folder, Write Attributes, and in Inheritance Apply to subfolder, to enclosed files, and to all subfolder levels. Then click the Close button, and then Apply the changed ACLs.

3. Test. Switch to the Effective Permissions tab, and set it to view the file or folder that you have just been working on. Select users and groups to view details of every nuance in their permissions. Next select the folder in the Finder, and inspect it in the Get Info dialog (Cmd-I), to ensure that the everyone group is listed as having Custom privileges. Try creating a folder and file inside it, and check their permissions.

Using MacPilot

1. Add ACLs. Select the File Browser tool, and navigate until the folder you wish to change is selected in the left pane. Then select the Access tab in the right pane. Click on the + tool to add ACLs, which drops down a sheet to allow you to set them. In the top pop-up menus, select Allow (left) and everyone (right), and in the General tab below select at least Read attributes, Write attributes, Add a file, and Add a subdirectory.

2. Set ACL Inheritance. Select the Inheritance tab, and ensure that you check at least Inherit to files, Inherit to directories, and Only inherit. Then click on the Save button.

3. Test. There is no equivalent of TinkerTool System's Effective Permissions tab, so select the folder in the Finder, and inspect it in the Get Info dialog (Cmd-I), to ensure that the everyone group is listed as having Custom privileges. Try creating a folder and file inside it, and check their permissions.
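The same inherited ACL can be set from Terminal with macOS's own chmod, which is useful for scripting or checking what the two GUI tools have done. This is an added example, not part of the original Masterclass or of either tool: it maps the checkboxes above onto chmod's ACE flags, applies the entry to a folder given as an argument (/Users/Shared is the article's case), and verifies that a newly created file inherits it. The function names and the acltest probe file name are my own.

```shell
#!/bin/sh
# Added example: command-line equivalent of the TinkerTool System / MacPilot steps.
# Requires macOS (chmod +a and ls -le are macOS ACL extensions).

# The ACE mirroring the article's minimum settings. chmod(1) documents
# add_file and add_subdirectory as the directory forms of the write and
# append permissions, so on an inherited file they appear as write/append.
# file_inherit + directory_inherit = "Inherit to files/directories" at all
# levels (no limit_inherit); only_inherit = the entry applies to new
# children only, not to the folder itself.
shared_folder_ace() {
    printf 'everyone allow %s' \
        'readattr,writeattr,add_file,add_subdirectory,file_inherit,directory_inherit,only_inherit'
}

# Apply the ACE to an existing folder (macOS only).
apply_shared_acl() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chmod +a "$(shared_folder_ace)" "$dir"
}

# Test step: show the ACL (ls -le lists ACEs under the POSIX line), then create
# a probe file and confirm it carries an inherited 'everyone' allow entry.
verify_shared_acl() {
    dir=$1
    ls -le "$dir"
    probe=$(mktemp "$dir/acltest.XXXXXX") || return 1
    if ls -le "$probe" | grep -q 'everyone .*allow'; then
        echo "inheritance OK: $(ls -le "$probe" | tail -n 1)"
        status=0
    else
        echo "no inherited ACE on $probe" >&2
        status=1
    fi
    rm -f "$probe"
    return "$status"
}

# Usage: sh shared_acl.sh /Users/Shared
if [ "$#" -gt 0 ]; then
    apply_shared_acl "$1" && verify_shared_acl "$1"
fi
```

Remove the entry again with `chmod -a "$(shared_folder_ace)" /Users/Shared`; files already created before the ACE was added are not changed retroactively, which is why the probe file is created after it.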

There are additional details about ACLs, and how to enable them in old versions of OS X, here.

Based on a Masterclass which was originally published in MacUser volume 25 issue 4, 2009.