Lion Server: Access control entries (ACEs)
Learn about about access control lists (ACLs).
An ACE is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder and the rules of inheritance.
What’s stored in an ACE
An ACE contains the following fields:
- User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
- Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied.
In the Server app, you can only set the Allow permissions type. You can use the ls and chmod command-line tools to set the deny permissions type. For information, see their man pages.
- Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.
- Inherited. This field specifies whether the ACE is inherited from the parent folder.
- Applies To. This field specifies what the ACE permission is for.
Explicit and inherited ACEs
The Server app supports two types of ACEs:
- Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.
- Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.
ACL inheritance lets you specify how permissions pass from a folder to its descendants.
The Apple ACL inheritance model
The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):
|Apply to this folder||Apply (Administration, Read, and Write) permissions to this folder|
|Apply to child folders||Apply permissions to subfolders|
|Apply to child files||Apply permissions to the files in this folder|
|Apply to all descendants||Apply permissions to all descendants
Note: If you want an ACE to apply to all descendants without exception, you must select the “Apply to child folders” and “Apply to child files” options in addition to this option.
Mac OS X Lion propagates ACL permissions at two well-defined times:
- At file or folder creation time—when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.
- When initiated by administrator tools—for example, when using the Propagate Permissions option in the Server app.
The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.
ACL inheritance combination
When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions.
ACL permission propagation
The Server app lets you force the propagation of ACLs. Although this is done automatically by the Server app, there are cases when you might want to manually propagate permissions:
- You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree.
In the following example, the items in white had their ACLs removed by manually propagating ACLs.
- You can propagate permissions in order to reapply inheritance in cases where you removed a folder’s ACLs and decided to reapply them.
- You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.
- When you propagate permissions, the permissions of bundles and root-owned files and folders aren’t changed.
For more information about how to manually propagate permissions, see Propagate access permissions.
Rules of precedence
Mac OS X Lion uses the following rules to control access to files and folders:
- Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.
- With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied.
- You can change the ACE order from the command line using the chmod command.
- Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user’s permissions as the union of all permissions assigned to the user, including standard POSIX permissions.
After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.