Skip to content

Instantly share code, notes, and snippets.

@nelstrom
Last active November 1, 2024 06:46
Show Gist options
  • Save nelstrom/4988643 to your computer and use it in GitHub Desktop.
Save nelstrom/4988643 to your computer and use it in GitHub Desktop.
Setting ACL on OS X

I have two user accounts set up on my mac. User drew I use for most things, but if I'm making a screencast I'll switch to the demo user. I know that the demo user has a clean desktop, and the font size is larger than usual in my terminal and text editors, making everything a bit more legible when capturing the screen. When I record a screencast as the demo user, I save the file to /Users/Shared/screencasts. As I understand it, the /Users/Shared directory is supposed to be accessible to all user accounts on the mac. If I created and saved a screenflow document as the demo user, I should be able to read and write that file when logged in as user drew.

That was the theory, but it didn't always work out that well in practice. I would occasionally find that a directory was only writable by one user or the other. Perhaps I'd open a screenflow document as user drew and attempt to export the video to the same directory, only to find that the directory was owned by demo, meaning that I couldn't create new files in that directory when logged in as user drew.

Ideally, I'd like to be able to set the permissions on the /Users/Shared/screencasts directory, and have all files and directories created beneath it inherit those permissions. This seems to have done the trick:

$ chown -R demo:staff /Users/Shared/screencasts
$ chmod -R +a "group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Users/Shared/screencasts

In the first command, the owner is set to demo and the group is set to staff for the screencasts directory, as well as all files and subdirectories contained below it. Both demo and drew users are already in the staff group. If I can make it so that the staff group has read, write, and execute (where apt) rights for all files/directories, then I'll have what I need.

The second command assigns an access control list (ACL) for the staff group on the screencasts directory (and all of its children). I've included a lot of flags, but the ones to note are file_inherit and directory_inherit. If I create a file or directory inside of the screencasts directory, then it will inherit the same ACL flags.

To inspect the ACL, you can run the ls command with the -e flag. For example:

$ ls -ale /Users/Shared/screencasts/
total 0
drwxr-xr-x+  2 demo  staff   68 19 Feb 18:56 .
 0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xrwx  11 root  wheel  374 19 Feb 18:56 ..

As well as seeing the usual line of info about each listing, there's an extra row giving details about the ACL. The screencasts directory has r-x mode set for the group, so you might think that users in the staff group would be unable to add files and directories to the screencasts directory. But the ACL includes the flags: add_file and add_subdirectory, which means that users in the staff group can do those things.

I could demonstrate as user drew:

$ whoami
drew
$ cd /Users/Shared/screencasts/
$ mkdir -p foo
$ touch foo/bar
$ ls -ale foo
total 0
drwxr-xr-x+ 4 drew  staff  136 19 Feb 23:10 .
 0: group:staff inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+ 4 demo  staff  136 19 Feb 19:38 ..
 0: group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
-rw-r--r--+ 1 drew  staff    0 19 Feb 23:10 bar
 0: group:staff inherited allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity

The directory foo and the file bar are both owned by user drew, but they're assigned to the group staff. And since the demo user is in the group staff, it gets all of the privileges listed in the ACL.