Re: Are ACLs flawed?

Sat, 03 Mar 2012 08:26:28 -0800 

You can read up on ACLs in the File Services Administration manual 
<http://manuals.info.apple.com/en/File_Services_Admin_v10.5.pdf>  (starting on 
page 22). The part on explicit and inherited ACEs (starting on page 25) should 
be of interest to you.

Also, man chmod and scroll down to the section on inheritance:

ACL inheritance is controlled with the following permissions words, which may 
only be applied to directories:
   file_inherit
        Inherit to files.
   directory_inherit
        Inherit to directories.
   limit_inherit
        This flag is only relevant to entries inherited by subdi-
         rectories; it causes the directory_inherit flag to be
         cleared in the entry that is inherited, preventing further
         nested subdirectories from also inheriting the entry.
   only_inherit
         The entry is inherited by created items but not considered
         when processing the ACL.

Also, scroll down in chmod's man page to the section on ACL manipulation 
options (i.e., +a,  +a*, -a, =a*, -i, -I, etc.), as it is also a useful read 
with examples.

—Brian

On 2012 Mar 3, at 15:35, Ashley Aitken wrote:
> I'm trying to make a dynamic folder hierarchy to share via WebDAV.  I believe 
> directories and files must be readable/writeable by _www to be accessible by 
> WebDAV.
> 
> I was hoping if I set the ACL for the root folder with directory and file 
> inherit everything would be ok but it seems not.  ACLs seem to be problematic 
> because:
> 
> 1. inheritance does not apply to files and directories that already exist in 
> the hierarchy 
> 
> I guess I could apply the acl recursively to all files and folders currently 
> in the hierarchy, but that wouldn't get around the problem that,
> 
> 2. folders and files *moved* into the hierarchy do not inherit the ACLs
> 
> Are ACLs flawed or I am missing something?  I guess its perhaps a security 
> consideration - just by moving a file into a folder with inherit permissions 
> it shouldn't inherit those, but that's what I want.
> 
> The syntax for ACLs on the command line also seems very verbose - does one 
> really have to type (or copy) all those attributes, there is no "all" for 
> ACLs?
> 
> I only found the Sandbox GUI app for Mac ACLs after I had spent a good deal 
> of time typing the ACLs and correcting my typos, mistakes, ...
> 
> Cheers,
> Ashley.
_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin

Reply via email to