Technical professionals. Trusted advisors. Certified expertise.
Access Control Lists, abbreviated ACLs, are an additional method to grant specific permissions to certain users. Apple introduced this technology in Mac OS X 10.4 “Tiger”, but it can be found in other Unix® operating systems and Microsoft® Windows as well. ACLs are a supplement to the existing POSIX permissions, so you don’t necessarily need to use ACLs. The conventional rules for access rights still apply, but some optional new rules can be added. Technically seen, an ACL is a list of individual rights which can be attached to a file system object. The ACL can either be empty -in this case, only the conventional POSIX permissions apply-, or it can contain one or more objects called Access Control Entries (ACEs).
An Access Control Entry includes the following information:
Individual rights you can specify
ACLs allow the definition of 13 different rights to access a file-system object:
These rights can be merged in any possible combination.
Settings to control inheritance
Each Access Control Entry is allowed to contain additional information that specifies how this entry is inherited to objects located at deeper levels in the file system hierarchy, for example, a file in a folder which is enclosed in another folder. The top folder may have an ACL which is automatically inherited to objects inside this folder.
Inheritance takes only place when new objects are created. For example, when a file B is created in a folder A, the file B will inherit ACEs from A only at that moment. When somebody changes the permissions of B at a later time, the system will not automatically reinforce a new inheritance from A to B. However, when somebody changes a setting of folder A, and this setting is marked for inheritance, the changes will also apply to the objects that initially inherited settings from A.
There are 4 different settings which control how ACE permissions should be inherited:
There are 16 possible combinations of these settings, but only 12 of them really make sense in practice.
Inherited and explicit settings
Because ACE settings can be inherited from folders to the objects they contain, the system has to keep track which ACEs in an ACL are inherited and which are not. Only ACEs which are not inherited can be changed. Non-inherited entries are called explicit. To change an inherited entry, it is either necessary to change the entry at the parent level where this inherited entry came from, or to delete the ACL for this object (hereby breaking the inheritance), replacing the inherited entries by explicit entries.
How Mac OS X processes Access Control Lists
As mentioned before, an Access Control List consists of several Access Control Entries. Certain rules define how Mac OS X evaluates the entries when a specific user wants to access an object in the file system. Note that ACEs could contradict each other. For example, if user A is allowed to access the file B, but user A is also member of a user group which is denied access to file B, we have a contradiction which must be resolved. The following rules apply:
Access Control Lists are a powerful tool to define specific rights at a low granularity. However, you should keep in mind that ACLs are also very complex.
There are 13 different permissions which can be granted or denied, and 12 possible ways to define inheritance. This results in a total of 2^13 * 12 = 98,304 different access rights you can define.
Each of these nearly 100,000 different access rights can be applied to a user or user group to form an ACE, and a nearly unlimited number of ACEs can be combined into an ACL. Each file or folder in your system can be attached to a different ACL, so maintaining all these entries can easily become a nightmare. For this reason you should define ACL permissions with greatest care only.
ACLs in the Finder
The Finder is fully compatible with ACLs. However, it can only display ACLs, not define or alter them. The standard feature to display permissions can be used on ACLs, too:
File systems supporting ACLs
Access Control Lists can only be used on file systems which are capable of storing them. Mac OS X allows the usage of ACLs for the following types of file systems, if the computers hosting these file systems are using an operating system version compatible with ACLs:
Other file systems, including disk volumes formatted using UFS, FAT, VFAT, FAT32, or NTFS, and network volumes accessed via NFS, FTP, or WebDAV cannot support Access Control Lists.
Enabling or disabling ACL support for local disk volumes
Access Control Lists are consuming a certain amount of storage space, and their usage might also slow down access to files. For this reason, you have to decide if you want to use ACLs on disk volumes or not. By default, Mac OS X will create disk volumes without ACL support when you are installing the standard version, and it will create disk volumes with activated ACL support when you are using Mac OS X Server. TinkerTool System allows you to change the support state for ACLs at any time:
If you disable ACL support for a volume which had stored Access Control Lists, all lists will be deleted.
Setting POSIX and ACL permissions
To set or modify permissions for a file or folder, select the tab-item Set Permissions.
You can either drag a file or folder from the Finder into the field File or Folder, or you can press the button […] to navigate to a file system object, or enter a BSD path manually. All current permission settings will be displayed in the lower portion of the window.
By pressing the button Users & Groups you can open a drawer which contains all users and groups currently known on your system. This includes users and groups defined in network directory services your computer is bound to.
To specify a new owner or group owner for the selected object, drag a user or group into the respective fields at Standard Permissions. Using the pop-up buttons at the right, you can define the POSIX permissions for the selected object. Choose between Read & Write, Read Only, Write Only, or None.
To add a new Access Control Entry, drag a user or group from the drawer into the table Access Control List. New entries will always be added at the end of the Access Control List. Each line allows you to set the access type to Allow and Deny, and to choose between the predefined permission entries Full Control, Read and Write, Read, and Write. If you want to have access to all 98,304 different settings, select Custom, or press the button Details… at the left, or double-click a line in the table.
If you modify any of the permission settings, the changes don’t become active immediately. They become effective when you press the button Save. You can also go back to the previous state by pressing the button Revert.
To remove an ACE from the ACL, select the respective line in the Table and press the button Delete.
Special operations on the permission settings
Additional operations can be executed by selecting one of the items in the pull-down menu Operations at the bottom of the window. The operations vary depending on whether you have selected a file or a folder.
If you have selected a folder, you can
If you have selected a file, you can either
Removing all entries of an Access Control List does not erase the Access Control List. It just creates an empty one, which needs a bit more storage space than a “non-exisiting” ACL. Mac OS X does not support the complete removal of an ACL. So if you attach an ACL to an object, the object will always keep the ACL storage space during its whole lifetime.
Displaying effective permission settings
The combination of several ACEs and the POSIX permissions for an object can make it sometimes difficult to judge how the final rights for a particular user will come out. For this reason, you can display the effective access permissions, a selected user has for a selected file system object.
The table Effective Access Rights will list the permissions. Granted rights appear with a checkmark and in bold type, denied rights are displayed without a checkmark in regular type.
80 Orville Drive Suite 100
Bohemia, NY 11716
Tel: (866) 518-9672
65 High Ridge Road #510
Stamford, CT 06905
Tel: (866) 518-9672
3321 SW 194th Terrace
Miramar, FL 33029
Tel: (866) 518-9672
218 Barksdale Drive
Broussard LA 70518
4 Knollwood Place
Joliet, IL 60433
10 Grosvenor Court
London SW15 2AX UK