17 Replies. Latest reply: Dec 4, 2012 1:58 PM by baltwo
benze Level 1 (0 points)

Hi,

 

I'm using Lion and am trying to modify my ACL for a folder within Finder to share with the apache2 user _www.  I have opened the Properties window, and expanded the Sharing & Permissions section, but I do not see any of the system groups or users appear.  I realize that it is a system defined user, but I still expected to have an option to add it to my ACL.

 

I realize that I could change the POSIX group ownership/rights at the command line using `chmod`, but it would seem fairly restrictive that I cannot modify file rights from within the GUI.  Moreover, that does not give me finely grained access rights as I have to modify the group structure.

 

Is there no way to share a folder with _www via ACLs?  That seems extremely short sighted.  I've searched for an option to display system users/groups in the System Preferences, but cannot seem to find an option anywhere.

 

Thanks,

 

Eric


MacBook Pro, Mac OS X (10.7.3)
  • baltwo Level 9 (61,900 points)

    AFAIK, you can only modify ACLs with chmod with Apple's supplied tools. There's no Apple-supplied GUI app that does it. BatchMod might be an alternative.

  • red_menace Level 6 (14,760 points)

    Give TinkerTool System a look.  It isn't free, but the ACL tool alone is worth it.

  • benze Level 1 (0 points)

    I find it pretty appalling that I have to resort to third party apps (paid or elsewise) or to the command line to do something which, in theory, should be a pretty integral part of the OS.

     

    Thanks for the tip.


    Eric

  • twtwtw Level 5 (4,900 points)

    It is an integral part of the OS (as are all command line utilities). But like other potentially dangerous activities it is kept out of plain view so that curious people don't nuke their systems just by casually poking around.  If you're not comfortable with unix you shouldn't be setting ACLs.

  • red_menace Level 6 (14,760 points)

    Well, since there are almost 100,000 different combinations, ACLs can be complicated - and the Terminal is an integral part of the OS.  Typically, Apple will provide an easy solution for the simpler stuff and leave the rest to the command line (or third parties), since you can easily damage your system if you don't know what you are doing (just look at the number of posts from people that have mangled the regular POSIX permissions).

  • benze Level 1 (0 points)

    I still feel that it is a critical part of the OS that should have a GUI.  To say that they are hidden from the general population b/c people mangle POSIX permissions is a cop-out.  Even Windows has their entire security system available in a GUI.  All they do by hiding it is discourage people from properly setting security parameters and therefore end up making the system much less secure than necessary.  ie: can't figure it out so just give everyone full access to everything.

     

    I realize that I can chmod anything, but I prefer using a GUI for these types of things, esp when doing a lot of experimentation.  Plus, it is easier to see the different permissions available as opposed to using chmod/ls -le.

     

    The fact that a third party can build an app for it goes to show you that it isn't too complicated.  Sure ACLs can be complex, but that's what training is all about.  Even Linux has GUIs for ACLs.

     

    Eric

  • baltwo Level 9 (61,900 points)

    I realize that I can chmod anything, but I prefer using a GUI for these types of things, esp when doing a lot of experimentation.  Plus, it is easier to see the different permissions available as opposed to using chmod/ls -le.

    Then, create your own app. BTW, BatchMod is donationware, so if it's useless don't pay for it.

  • BobHarris Level 6 (14,930 points)

    Apple does provide a GUI for adding ACLs via the Finder -> Get Info -> Sharing & Permissions field.  It is NOT a full ACL editor, and it will NOT add _www, it does allow adding basic access ACLs for Users listed in the System Preferences -> Users & Groups.  And this is not new, as Get Info has been around since before Mac OS X, although back in the Mac OS Classic days, it was just playing with user and group permissions.

     

    Considering the complexity ACLs provide, the Get Info interface is just the approach Apple would take to using ACLs without giving a loaded gun to the consumers Apple targets their products towards.

  • g_wolfman Level 4 (1,120 points)

    One of the fundamental rules of HCI is to not put everything right in the User's face.  It's overwhelming, especially if everything includes rarely viewed and even more rarely modified configuration details.

     

    As for Windows, yes their file system security is fully accessible in the GUI - but everything in Windows is in a GUI, even things that should never be in a GUI because of the glaring security vulnerabilities it causes.  And yes, there are many things that should never, ever, be GUI accessible.

     

    Back to Apple, however...HCI says to give the most commonly used features of the majority of the people prominence, and give Power Users a way to get to advanced features.  Apple's choice to do the second bit is the command line.  I think that makes a great deal of sense, personally.  It's the same reason that not all the functionality of the diskutil utility is exposed in the Disk Utility app.

  • Bill Scott Level 6 (11,445 points)

    All on one line:

     

    sudo chmod -R +a "_www allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit" /Absolute/path/to/the/directory
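
Added example, not part of the thread: the entry in the command above gives _www write-type rights (add_file, delete, delete_child, chown) as well as read access. This script parses `ls -le` output and lists the allow entries that grant a named account more than read access; the sample listing and the `site` path are constructed for the illustration.

```shell
#!/bin/sh
# Added example: flag ACL entries in `ls -le` output that give an account
# more than read access. The sample listing below is constructed.

# Rights that let the grantee change, remove or take ownership of content.
RISKY='write|append|delete|delete_child|add_file|add_subdirectory|chown|writeattr|writeextattr|writesecurity'

# audit_acl ACCOUNT   (reads `ls -le` output on stdin)
# Prints "path<TAB>entry index<TAB>risky rights" for each matching allow entry.
# Limitation: file names containing spaces are not handled.
audit_acl() {
  awk -v who="$1" -v risky="^($RISKY)\$" '
    /^ *[0-9]+: / {                       # ACL entry line, e.g. " 0: user:_www allow ..."
      split($2, p, ":")                   # p[1] = user|group, p[2] = account name
      kind = ($3 == "inherited") ? $4 : $3
      if (p[2] != who || kind != "allow") next
      n = split($NF, perm, ","); hits = ""
      for (i = 1; i <= n; i++)
        if (perm[i] ~ risky) hits = hits (hits ? "," : "") perm[i]
      if (hits) printf "%s\t%s\t%s\n", path, $1 + 0, hits
      next
    }
    NF { path = $NF }                     # any other line: remember the file name
  '
}

# Constructed sample: a directory carrying the entry from the command above,
# and a file on which _www only has inherited read rights.
SAMPLE='drwxr-xr-x+ 4 eric  staff  136 Dec  4 11:48 site
 0: user:_www allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit
-rw-r--r--+ 1 eric  staff  0 Dec  4 11:48 tmp.tmp
 0: user:testing allow read,readattr,readextattr,readsecurity
 1: user:_www inherited allow read,readattr,readextattr,readsecurity'

printf '%s\n' "$SAMPLE" | audit_acl _www
```

On a Mac the same function can be fed live data, for example `ls -le /Absolute/path/to/the/directory | audit_acl _www`.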

  • benze Level 1 (0 points)

    Don't get me wrong - I have always been a command line proponent - since the days long before GUIs existed for some OSes.  But that being said, there is definitely a huge value to GUI interaction for some things, as anyone who has had to repartition or move partitions around using things like fdisk can attest to.  Sure - you can get a lot finer control via command line than you do graphically, but sometimes, you don't really care about that extra control and would just prefer seeing things fast and easy.

     

    I understand your HCI point.  And I know some basic ACL functionality exists in the GUI.  I just find it disappointing that one needs to invest in external tools if you want additional graphical tools.  At the very least, I would have hoped that Apple would/could have produced "Power Tools" that one could add to their machine as opposed to learning command line syntax for all the different tools.

     

    Thanks,


    Eric

  • baltwo Level 9 (61,900 points)

    BobHarris wrote:

    Apple does provide a GUI for adding ACLs via the Finder -> Get Info -> Sharing & Permissions field.  It is NOT a full ACL editor, and it will NOT add _www, it does allow adding basic access ACLs for Users listed in the System Preferences -> Users & Groups.  And this is not new, as Get Info has been around since before Mac OS X, although back in the Mac OS Classic days, it was just playing with user and group permissions.

    That doesn't do the trick in Snow Leopard and I don't think in earlier OSs. Didn't check in the iOSified OSs, so I missed that and I'll have to check later when I boot into one of those.  

  • BobHarris Level 6 (14,930 points)

    I just added an ACL to a file via Get Info on my Snow Leopard system (10.6.8)

     

    Screen shot 2012-12-04 at 4 Tue 11.50 AM.jpg

     

    and here is the 'ls' view of that:

     

    /bin/ls -leO@ tmp.tmp
    -rw-r--r--+ 1 raharris  staff  - 0 Dec  4 11:48 tmp.tmp
     0: user:testing allow read,readattr,readextattr,readsecurity
    

     

    And I was able to do the same thing on my Mac mini running Leopard (10.5.8)

  • benze Level 1 (0 points)

    Absolutely.  That works fine for non system accounts.  But if you want to share with a system user/group then you can't via Finder.  Similarly, if you want to modify any system user/group accounts, you are out of luck in the GUI (to my knowledge), unless you install the Server Admin Tools and point to localhost.
