ACL Tips
Order of Operations for Permissions
ACL entries almost always override POSIX permissions. When determining a user's access to a file or folder, Mac OS X will give the user access in the following way:
1. ACL Permissions Model: Deny or Allow
ACL entries are listed and consulted in a whole-number numerical fashion starting with 0,1,2, and so forth.
Deny rules will always have lower numbers than allow rules, so every deny rule is evaluated first. If a deny rule is encountered, the permissions model ignores POSIX permissions and rejects access for the connecting user.
If an allow rule is encountered, Mac OS X continues down the ACL list, "adding" applicable allow rules for the user and his or her group memberships by GUID, taking the union of all the ACL rules that apply to him or her.
2. POSIX Model
The POSIX model is consulted only if there is no ACL deny rule for the connecting user (e.g., no applicable ACLs encountered, only applicable ACLs encountered, no ACLs set for share point).
a. POSIX Owner - If the user attempting to access the filesystem object (folder/file) is the POSIX owner, he or she is granted the permissions of same.
b. POSIX Primary Group - If the group GID for the filesystem object is the primary group GID of the user accessing the object, then he or she gets permissions assigned to the group.
c. POSIX Member of the object's group - If the group of the filesystem object is not the primary group of the user accessing the object, then the user's additional group GID memberships are consulted. If one such GID matches the GID of the object's group, then the user gets permissions associated with that group.
d. POSIX Everyone permissions - As a last resort, the user gets these permissions. If guest access is enabled and POSIX access is consulted, guests will get these permissions*.
Effective Permissions
Finally, Mac OS X gives access to the resource based on the union of the ACL permissions returned (which itself is a union of relevant ACL entries) and the POSIX permissions as they apply to the user. Here are examples:
1. Deny Rule - As mentioned above, if tim attempts to connect and an ACL deny entry is in place for tim (or a group that contains tim), Mac OS X stops evaluating ACL rules and denies access. It also disregards POSIX permissions that may apply to tim.
2. Allow Rule - Suppose jill is a member of the group staff and the share point "shared" has the following ACL entries and POSIX permissions. For now, we'll keep the ACL permissions to simple POSIX-like read and write.
ACL #0 Deny user tim read, write
ACL #1 Allow user jill read, write
ACL #2 Allow group staff read only
ACL #3 Allow group admin read,write
Owner root can read and write
Group admin can read only
Everyone can read only
When jill connects to "shared," Mac OS X evaluates permissions: ACL #0 does not apply to jill. ACL #1 gives jill read & write access. ACL #2 gives jill read access (since jill is a member of staff). ACL #3 does not apply to jill. Thus, the ACL permissions returned for jill is (read & write) union with (read), which gives read & write ACL access. Now, POSIX permissions are consulted. Jill isn't the owner. Jill's primary group isn't admin, and jill is not a member of the group admin. Thus, jill gets the everyone permissions of read only. Now, Mac OS X adds the ACL permissions to the POSIX permissions for jill: (read & write) union with read = read & write. Thus, as you'd expect, jill can read & write to the "shared" folder.
--Gerrit DeWitt
Apple Certified System Administrator