ACL - Access Control List manipulation
Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions.
Filesystem object permissions
delete: Delete the item. Deletion can be granted by either this permission on an object or the delete_child right on the containing directory.
readattr: Read an object's basic attributes. This is implicitly granted if the object can be looked up and not explicitly denied.
writeattr: Write an object's basic attributes.
readextattr: Read extended attributes.
writeextattr: Write extended attributes.
readsecurity: Read an object's extended security information (ACL).
writesecurity: Write an object's security information (ownership, mode, ACL).
chown: Change an object's ownership.
Directory permissions:
list: List entries.
search: Look up files by name.
add_file: Add a file.
add_subdirectory: Add a subdirectory.
delete_child: Delete a contained object. See the file delete permission above.
Non-directory filesystem object permissions:
read: Open for reading.
write: Open for writing.
append: Open for writing, but in a fashion that only allows writes into areas of the file not previously written.
execute: Execute the file as a script or program.
Directory ACL inheritance permissions:
file_inherit: Inherit to files.
directory_inherit: Inherit to directories.
limit_inherit: For subdirectory inheritance; this causes the directory_inherit flag to be cleared, preventing further subdirectories from also inheriting the entry.
only_inherit: The entry is inherited by created items but not considered when processing the ACL.
In cases where a user and a group exist with the same name, the name can be prefixed with "user:" or "group:" to specify which type of name is meant.
ACL Examples
Use ls -le to view the effect of all changes.
$ chmod +a "admin allow read,readattr,readextattr,readsecurity" MyDemoDirectory
$ chmod +a "admin allow write" myfile.txt
$ chmod +a "guest deny read" myfile.txt
$ chmod +a "admin allow delete" myfile.txt
$ chmod +ai "others allow read" myfile.txt
$ chmod +a# 2 "others deny read" myfile.txt
$ chmod -a# 1 myfile.txt
$ chmod -a "admin allow write" myfile.txt
$ chmod =a# 1 "admin allow write,chown"
Clear All ACLs:
$ sudo chmod -RN /path/to/folder
Disable Apple Remote Desktop by stripping the setuid bit from ARDAgent (chmod u-s):
$ cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/
$ sudo ls -l
$ sudo chmod u-s ARDAgent
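Because the ACL is an ordered list, the position an entry lands in (chmod +a appends, chmod +a# N inserts at N) decides whether it ever takes effect. The following added example, not taken from the page above, parses a constructed ls -le listing and flags entries that are shadowed by an earlier entry for the same principal; it uses a simplified first-match model of evaluation and takes the caller's group membership (including "everyone") as an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ls -le` output; not captured from a real system.
SAMPLE_LS_LE = """\
-rw-r--r--+ 1 juser  staff  0 Apr 28 14:06 myfile.txt
 0: user:admin allow write
 1: user:guest deny read
 2: user:admin allow delete
 3: group:everyone inherited allow read
 4: user:guest allow read
"""

# One ACL line: "<index>: user|group:<name> [inherited] allow|deny <right>,<right>..."
ENTRY_RE = re.compile(
    r"^\s*(\d+):\s+(user|group):(\S+)\s+(?:(inherited)\s+)?(allow|deny)\s+(\S+)\s*$"
)

@dataclass
class AclEntry:
    index: int
    kind: str          # "user" or "group"
    name: str
    inherited: bool
    verdict: str       # "allow" or "deny"
    rights: frozenset  # e.g. {"read", "writesecurity"}

def parse_ls_le(text):
    """Return the ordered ACL entries found in one `ls -le` listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            idx, kind, name, inh, verdict, rights = m.groups()
            entries.append(AclEntry(int(idx), kind, name, inh is not None,
                                    verdict, frozenset(rights.split(","))))
    return entries

def first_match(entries, principal, groups, right):
    """Simplified model: the first entry in ACL order that names the principal
    (or one of its groups) and mentions the right decides it. None means the
    ACL is silent and the POSIX mode bits apply. `groups` is assumed to be the
    caller-supplied membership, including "everyone"."""
    for e in entries:
        applies = (e.kind == "user" and e.name == principal) or \
                  (e.kind == "group" and e.name in groups)
        if applies and right in e.rights:
            return e
    return None

def shadowed(entries):
    """Indices of entries whose rights are all already decided by an earlier
    entry for the same principal. Such entries never take effect, which usually
    means `chmod +a` appended where `chmod +a# N` was intended."""
    dead = []
    for i, e in enumerate(entries):
        covered = set()
        for earlier in entries[:i]:
            if (earlier.kind, earlier.name) == (e.kind, e.name):
                covered |= earlier.rights
        if e.rights <= covered:
            dead.append(e.index)
    return dead
```

Entry 4 in the sample grants guest read, but entry 1 already denies it, so the allow is dead; moving it above the deny with chmod +a# 1 would change the outcome.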