Make Mac Work:

Helping Manage The Macintosh Enterprise

CreativeTechs

Control File Access With ACLs

Traditional Unix file permissions (and their resultant issues and repairs) have been perplexing the majority of Macintosh users since OS X first appeared. Windows administrators, on the other hand, have bemoaned the lack of granular control in Apple’s operating systems, with less-detailed permissions available than with Microsoft’s XP and Vista. While Tiger introduced Windows-style ACLs (Access Control Lists) to the Macintosh, Leopard now utilizes them by default, making more complex file-sharing schemes a reality. Whether that’s a gift or a curse depends on your ability to make ACLs work for you.

Understand Access Control Lists:

As easy as ACLs are to implement, deciding how to use them can be quite complicated. Access Control Lists are ordinal, meaning that the system reads them in order until it finds one that applies. Because of this, they can contain contradictory entries, with the actual permissions determined by where each entry appears in the overall list. ACLs also overrule standard file permissions, meaning that once they’re utilized you can’t depend on POSIX access schemes to be enforced. Without a clear plan for how your files will be shared, these features can lead to a great deal of confusion among users (if not the administrative team itself).

Server Admin: ACL Details

Mac OS X breaks ACL permissions into four groups: Administration, Read, Write, and Inheritance. “Administration” allows a user or group to change ownership and permissions. “Read” and “Write” act much like their POSIX counterparts, but allow for a much finer degree of control (such as whether or not users can read file attributes and permissions or delete files and folders as well as write to them). Finally, “Inheritance” determines if and how these permissions will be propagated to other files within a folder. Add to that the ability to allow or deny any of these rights, and you can see how a complex ACL scheme can become overwhelming.

Until you’re comfortable with Access Control Lists, the best strategy is to keep your plan simple. Assign “Administration” rights to a single administrative group, preferably the same group which has POSIX ownership of your share point. Then determine which user groups should have read or write access, and assign them to the list. Set these permissions at the root of your share point, and apply all inheritance options. Most importantly, avoid any “Deny” entries, which can make initial troubleshooting difficult.
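As an added illustration (not code from this article or from Apple), here is a small Python model of the evaluation rule described above: entries are read in order, the first matching entry settles each right, any right no entry settles falls back to the POSIX mode bits, and a “Deny” entry only takes effect if it sits ahead of the allow entry that would otherwise grant the right. The right names, group names and user names are constructed for the model.

```python
from dataclasses import dataclass

# Rights grouped the way Server Admin presents them; the names are
# constructed for this model, not Apple's internal identifiers.
ADMIN = {"change_permissions", "change_owner"}
READ = {"read_data", "read_attributes", "read_permissions"}
WRITE = {"write_data", "append_data", "delete"}

@dataclass
class ACE:
    principal: str  # "group:admins" or "user:alice"
    allow: bool     # True for an allow entry, False for a deny entry
    rights: set     # rights this entry settles

def matches(ace, user, groups):
    kind, name = ace.principal.split(":", 1)
    return name == user if kind == "user" else name in groups

def evaluate(acl, user, groups, wanted, posix_allowed):
    """True if every right in `wanted` ends up granted.

    Entries are read in order; the first matching entry that mentions a
    right settles it. Rights no entry settles fall back to `posix_allowed`,
    the set the plain mode bits would grant.
    """
    decided = {}
    for ace in acl:
        if not matches(ace, user, groups):
            continue
        for right in ace.rights & wanted:
            decided.setdefault(right, ace.allow)  # first entry wins
    return all(decided.get(r, r in posix_allowed) for r in wanted)

# The scheme the article recommends: one admin group with every right and one
# staff group with read and write, both allow entries. Group names are made up.
SIMPLE_ACL = [
    ACE("group:admins", True, ADMIN | READ | WRITE),
    ACE("group:staff", True, READ | WRITE),
]

def deny_outcome_by_position():
    """Same deny entry in two positions: it blocks a staff member who is also
    a contractor only when it precedes the allow entry that grants write."""
    deny = ACE("group:contractors", False, WRITE)
    groups = {"staff", "contractors"}
    first = evaluate([deny] + SIMPLE_ACL, "bob", groups, {"write_data"}, set())
    last = evaluate(SIMPLE_ACL + [deny], "bob", groups, {"write_data"}, set())
    return first, last  # (False, True)
```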

Enabling Access Control Lists:

Now that you have a strategy to implement ACLs, you’ll need to make sure that your files can apply them. If the volume was attached to your server when Leopard was installed, this should have taken place by default. If, on the other hand, you have an external volume coming from an earlier OS X installation, you may have to enable ACLs manually before you can continue. Open the Terminal and type the following, replacing DISKNAME with the name of your volume:

fsaclctl -p /Volumes/DISKNAME -e

It’s important to note that enabling ACLs for a volume disables the ability to inherit permissions via standard POSIX (Unix-style) controls.

Configuring Access Control Lists:

Once you’ve enabled ACLs, the final step is to set them for your files. In Leopard, this can be done in the “Sharing” section of Server Admin.

Server Admin: ACL Setup

In the top half of the window, select the share point you’d like to enforce access controls on. Then click the “plus” button on the bottom left, and the “Users and Groups” palette will appear. From the palette, you can drag the users or groups you’re granting permissions into the bottom half of the main window, then arrange them in whatever order you planned. The “Permission” column will allow you to set “Full Control”, “Read & Write”, “Read Only”, or “Write Only” from the main window. For additional options (such as removing the ability to delete files), select the “Custom” option.

Finally, if you want your existing files to have the same access controls, click the “gear” button at the bottom of the window and select “Propagate Permissions…” from the menu. When the propagation sheet appears, check the “Access Control List” box and click “OK”. Those permissions will be applied to all the files beneath that share point.

With Access Control Lists in place, Windows teams can finally have the same control over their Macintosh shares, while long-time Macintosh admins can escape the pitfalls of Leopard’s new file sharing issues.

Recommended Reading: John Siracusa gives a great overview of access control lists at Ars Technica, in his original review of Tiger (where they first appeared for Macintosh). Shareware author Marcel Bresink also has a great ACL overview in the manual for his application Tinker Tool. Lastly, if you’re struggling with Unix permissions under Leopard, you’ll want to see Apple’s discussion forum for the article on 10.5 Server not inheriting permissions correctly.