
How to add _www to folder ACL?

1253 Views 17 Replies Latest reply: Dec 4, 2012 1:58 PM by baltwo
benze Level 1 (0 points)
Dec 3, 2012 2:15 PM

Hi,

 

I'm using Lion and am trying to modify my ACL for a folder within Finder to share with the apache2 user _www .  I have opened the Properties window, and expanded the Sharing & Permissions section, but I do not see any of the system groups or users appear.  I realize that it is a system defined user, but I still expected to have an option to add it to my ACL.

 

I realize that I could change the POSIX group ownership/rights at the command line using `chmod`, but it would seem fairly restrictive that I cannot modify file rights from within the GUI.  Moreover, that does not give me finely grained access rights as I have to modify the group structure.

 

Is there no way to share a folder with _www via ACLs?  That seems extremely short sighted.  I've searched for an option to display system users/groups in the System Preferences, but cannot seem to find an option anywhere.

 

Thanks,

 

Eric

MacBook Pro, Mac OS X (10.7.3)
  • baltwo Level 9 (59,150 points)
    Dec 3, 2012 2:17 PM (in response to benze)

    AFAIK, you can only modify ACLs with chmod with Apple's supplied tools. There's no Apple-supplied GUI app that does it. BatchMod might be an alternative.

    27" i7 iMac SL, Lion, OS X Mountain Lion (10.8.2), G4 450 MP w/Leopard, 9.2.2
  • red_menace Level 6 (14,275 points)
    Dec 3, 2012 2:26 PM (in response to benze)

    Give TinkerTool System a look.  It isn't free, but the ACL tool alone is worth it.

  • twtwtw Level 5 (4,580 points)
    Dec 3, 2012 7:15 PM (in response to benze)

    It is an integral part of the OS (as are all command line utilities). But like other potentially dangerous activities it is kept out of plain view so that curious people don't nuke their systems just by casually poking around.  If you're not comfortable with unix you shouldn't be setting ACLs.

  • red_menace Level 6 (14,275 points)
    Dec 3, 2012 7:17 PM (in response to benze)

    Well, since there are almost 100,000 different combinations, ACLs can be complicated - and the Terminal is an integral part of the OS.  Typically, Apple will provide an easy solution for the simpler stuff and leave the rest to the command line (or third parties), since you can easily damage your system if you don't know what you are doing (just look at the number of posts from people that have mangled the regular POSIX permissions).

  • baltwo Level 9 (59,150 points)
    Dec 4, 2012 12:40 AM (in response to benze)

    I realize that I can chmod anything, but I prefer using a GUI for these types of things, esp when doing a lot of experimentation.  Plus, it is easier to see the different permissions available as opposed to using chmod/ls -le.

    Then, create your own app. BTW, BatchMod is donationware, so if it's useless don't pay for it.

    27" i7 iMac SL, Lion, OS X Mountain Lion (10.8.2), G4 450 MP w/Leopard, 9.2.2
  • BobHarris Level 6 (12,505 points)
    Dec 4, 2012 6:18 AM (in response to benze)

    Apple does provide a GUI for adding ACLs via the Finder -> Get Info -> Sharing & Permissions field.  It is NOT a full ACL editor, and it will NOT add _www, it does allow adding basic access ACLs for Users listed in the System Preferences -> Users & Groups.  And this is not new, as Get Info has been around since before Mac OS X, although back in the Mac OS Classic days, it was just playing with user and group permissions.

     

    Considering the complexity ACLs provide, the Get Info interface is just the approach Apple would take to using ACLs without giving a loaded gun to the consumers Apple targets their products towards.

  • g_wolfman Level 4 (1,110 points)
    Dec 4, 2012 6:29 AM (in response to benze)

    One of the fundamental rules of HCI is to not put everything right in the User's face.  It's overwhelming, especially if everything includes rarely viewed and even more rarely modified configuration details.

     

    As for Windows, yes their file system security is fully accessible in the GUI - but everything in Windows is in a GUI, even things that should never be in a GUI because of the glaring security vulnerabilities it causes.  And yes, there are many things that should never, ever, be GUI accessible.

     

    Back to Apple, however...HCI says to give the most commonly used features of the majority of the people prominence, and give Power Users a way to get to advanced features.  Apple's choice to do the second bit is the command line.  I think that makes a great deal of sense, personally.  It's the same reason that not all the functionality of the diskutil utility is exposed in the Disk Utility app.

  • Bill Scott Level 6 (11,445 points)
    Dec 4, 2012 6:40 AM (in response to benze)

    All on one line:

     

    sudo chmod -R +a "_www allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit" /Absolute/path/to/the/directory

  • baltwo Level 9 (59,150 points)
    Dec 4, 2012 8:45 AM (in response to BobHarris)

    BobHarris wrote:

    Apple does provide a GUI for adding ACLs via the Finder -> Get Info -> Sharing & Permissions field.  It is NOT a full ACL editor, and it will NOT add _www, it does allow adding basic access ACLs for Users listed in the System Preferences -> Users & Groups.  And this is not new, as Get Info has been around since before Mac OS X, although back in the Mac OS Classic days, it was just playing with user and group permissions.

    That doesn't do the trick in Snow Leopard and I don't think in earlier OSs. Didn't check in the iOSified OSs, so I missed that and I'll have to check later when I boot into one of those.  

    27" i7 iMac SL, Lion, OS X Mountain Lion (10.8.2), G4 450 MP w/Leopard, 9.2.2
  • BobHarris Level 6 (12,505 points)
    Dec 4, 2012 9:00 AM (in response to baltwo)

    I just added an ACL to a file via Get Info on my Snow Leopard system (10.6.8)

     

    Screen shot 2012-12-04 at 4 Tue 11.50 AM.jpg

     

    and here is the 'ls' view of that:

     

    /bin/ls -leO@ tmp.tmp
    -rw-r--r--+ 1 raharris  staff  - 0 Dec  4 11:48 tmp.tmp
     0: user:testing allow read,readattr,readextattr,readsecurity
    

     

    And I was able to do the same thing on my Mac mini running Leopard (10.5.8)

    MacBook Pro, Mac OS X (10.7.5), 27" iMac, MacBook, MacMini, etc...
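
Added example, not part of any post in this thread: a shell function that reads `ls -le` output in the layout shown above and reports the modify, delete and ownership rights an ACL grants to one principal, so a grant such as the `chmod -R +a` command for _www earlier in the thread can be reviewed after it is applied. The names `audit_acl` and `sample_listing`, the choice of which rights count as risky, and the sample listing are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: review what an ACL grants to one principal, from `ls -le` text.
# Assumptions: plain `ls -le` layout (name is the last field, no spaces in names).

# Rights that let the principal change or remove content or ownership.
RISKY="write append delete add_file add_subdirectory delete_child chown writeattr writeextattr writesecurity"

# audit_acl PRINCIPAL  -- reads `ls -le` output on stdin.
# Prints: name <TAB> ACE index <TAB> risky rights <TAB> inherit|-
audit_acl() {
    awk -v who="$1" -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^ *[0-9]+: (user|group):/ {
        if ($2 != "user:" who && $2 != "group:" who) next
        f = 3
        if ($f == "inherited") f++          # ACE inherited from a parent
        if ($f != "allow") next             # deny entries grant nothing
        m = split($(f + 1), p, ",")
        hit = ""; inh = "-"
        for (i = 1; i <= m; i++) {
            if (p[i] in bad) hit = hit (hit == "" ? "" : ",") p[i]
            if (p[i] ~ /_inherit$/) inh = "inherit"
        }
        idx = $1; sub(/:$/, "", idx)
        if (hit != "") printf "%s\t%s\t%s\t%s\n", name, idx, hit, inh
        next
    }
    NF >= 9 { name = $NF }                  # entry line: remember the name
    '
}

# Constructed sample listing (not captured from a real system).
sample_listing() {
cat <<'EOF'
drwxr-xr-x+ 3 eric  staff  102 Dec  4 11:48 site
 0: user:_www allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit
drwxr-xr-x+ 2 eric  staff   68 Dec  4 11:48 static
 0: user:_www allow list,search,file_inherit,directory_inherit
-rw-r--r--+ 1 eric  staff    0 Dec  4 11:48 tmp.tmp
 0: user:testing allow read,readattr,readextattr,readsecurity
 1: user:_www inherited allow read,write
EOF
}

sample_listing | audit_acl _www
```

On a Mac, real data can be piped in with `ls -leR /Absolute/path/to/the/directory | audit_acl _www`; entries that grant only list, search or read rights produce no output.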