Forwarding Address: OS X

Tuesday, April 12, 2005

More info about ACLs, please

From the MacCentral Tiger round-up:

    Access Control Lists: In the current OS X, you define access to files and folders by setting permissions for the file’s owner, the group to which the file belongs, and others (anyone who isn’t the owner or a member of the defined group). In Tiger, you can use Access Control Lists (ACL) to set permissions; any file or folder can have an associated ACL. For example, an associated ACL would allow you to give your spouse access to your Pictures folder, without going through complex group or permissions tricks.

Can anyone here provide a few more details about what ACLs are, how they work, and whether they might, for instance, at last provide a simple way for multiple accounts on the same machine to share a music library, address book, iPhoto library, etc.?

  • Traditional UNIX filesystems allow a file to have permissions set for only one user and one group (and a third set for everyone else).

    ACLs allow you to list permissions for additional users or groups. While Apple's documentation is not online yet, and I haven't really looked at this aspect of Tiger to see how they're doing it (and I couldn't tell you anyway due to the NDA) it's probably similar to POSIX ACLs, which are used on Linux and other systems. Here's a page describing how they work on Linux.

    By Tim Buchheim, at 2:27 PM  

  • Basically, without ACLs, if you want to make a file accessible to someone, but not everyone, you have to create a group that contains them, then give that group permission to access the file. Often you end up creating a group for each thing you want to grant access to (assuming you want to give different people access to each file). There is no easy way to say "let anyone in group A and group B access this file." You have to create a third group, C, and manually add the members of groups A and B to it. Later, if you add or remove anyone to A or B, you have to remember to do the same for group C.

    With ACLs each resource has a list of rules associated with it to control access (hence the term access control list), and you can easily say "Let Joe or Suzy or any member of Group A or B have read access to this file, but not anyone in Group C (even if they're in A or B), and let Suzy and Bob have write access." In some ACL implementations there are more permissions besides read, write, and execute -- for example, there might be a permission that allows the holder to grant permissions to others, within a specific folder hierarchy. (Not sure if Tiger allows these extended permissions, but I assume it does have some.)

    By Jerry, at 3:13 PM  
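To make the rule set in the comment above concrete, here is a small added example (written for this page, not code from any commenter, from Apple, or from any real ACL implementation). It models a file with classic owner/group/other mode bits plus an ordered list of access control entries, and evaluates the exact policy Jerry describes: Joe, Suzy and members of groups A or B may read, nobody in group C may (even if also in A or B), and Suzy and Bob may write. The group memberships and file are constructed sample data; the first-match ordering, with the deny entry listed first so it wins, is an assumption of this model and is not something the thread states about Tiger.

```python
"""Toy ACL evaluator: ordered entries first, classic mode bits as the fallback."""
from dataclasses import dataclass, field

# Constructed sample membership table (not from any real system).
GROUPS = {
    "A": {"joe", "alice"},
    "B": {"suzy", "bob"},
    "C": {"alice", "carol"},
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who it names, which permissions, allow or deny."""
    kind: str           # "user" or "group"
    name: str
    perms: frozenset    # subset of {"read", "write", "execute"}
    allow: bool = True

    def matches(self, user: str) -> bool:
        if self.kind == "user":
            return user == self.name
        return user in GROUPS.get(self.name, set())


@dataclass
class FileNode:
    owner: str
    group: str
    mode: str                         # classic bits, e.g. "rw-r-----"
    acl: list = field(default_factory=list)


def classic_allows(node: FileNode, user: str, perm: str) -> bool:
    """The traditional owner/group/other check, used when no ACE matches."""
    idx = {"read": 0, "write": 1, "execute": 2}[perm]
    if user == node.owner:
        bits = node.mode[0:3]
    elif user in GROUPS.get(node.group, set()):
        bits = node.mode[3:6]
    else:
        bits = node.mode[6:9]
    return bits[idx] != "-"


def allowed(node: FileNode, user: str, perm: str) -> bool:
    """Ordered first-match evaluation (assumed model): the first entry that
    names this user and mentions this permission decides. Entries that do not
    match are skipped; if nothing matches, fall back to the classic bits."""
    for ace in node.acl:
        if perm in ace.perms and ace.matches(user):
            return ace.allow
    return classic_allows(node, user, perm)


def effective_perms(node: FileNode, user: str) -> set:
    """Every permission the user ends up holding on this file."""
    return {p for p in ("read", "write", "execute") if allowed(node, user, p)}


def jerrys_file() -> FileNode:
    """The policy from the comment, as an ordered ACL on a constructed file.
    The deny entry for group C comes first so it beats the later allows."""
    rw = frozenset({"read", "write"})
    r = frozenset({"read"})
    w = frozenset({"write"})
    return FileNode(
        owner="pat", group="staff", mode="rw-------",
        acl=[
            Ace("group", "C", rw, allow=False),   # nobody in C, even if in A or B
            Ace("user", "joe", r),
            Ace("user", "suzy", r),
            Ace("group", "A", r),
            Ace("group", "B", r),
            Ace("user", "suzy", w),
            Ace("user", "bob", w),
        ],
    )


if __name__ == "__main__":
    f = jerrys_file()
    for who in ("pat", "joe", "alice", "suzy", "bob", "carol"):
        print(f"{who:6s} -> {sorted(effective_perms(f, who))}")
```

The point the model makes visible is the one Jerry raises: without an ACL the only way to express "A or B but never C" is to maintain a synthetic group by hand, whereas with an ordered list the deny entry simply sits ahead of the allows. Because order decides, a defender reviewing a real ACL should read entries top to bottom rather than treating them as an unordered set; an allow placed above a deny for the same principal quietly reverses the intended outcome.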

  • For more on the history, Google VMS and ACL; while the concept may have been implemented elsewhere earlier, that's the earliest that I know of (and then of course VMS begat NT, which became Windows 2000, etc.). If you're having trouble sleeping, see this and this for example [grin]

    By steven vore, at 5:11 AM  

  • I believe OS X is getting ACLs thanks to the move to FreeBSD 5.x. Read more about them in the FreeBSD handbook.

    By pbx, at 7:00 AM  

  • This sounds terrific. I find permissions to be a bit of a pain in their restrictiveness, especially since OS X doesn't have any elegant tools for managing users and especially groups. (NetInfo just doesn't cut it. It's a throwback to the NeXT days.)

    It would be great if Apple provided a good management tool to go along with the ACL implementation.

    By Sly Revolutionary, at 11:55 AM  
