
Access Control Lists

This version of AFP includes support for access control lists (ACLs), which can be enabled on a per-volume basis. The inheritance and multiple-ownership capabilities of ACLs improve workflow in environments where files and directories require different owners at various phases of work. When ACLs are enabled, computers running Mac OS X are full-fledged peers on Windows networks, which promotes the adoption of Xserve as an NT replacement.

Note: ACLs also eliminate the 16 group membership limit.

When ACLs are enabled for a volume, each file and directory has a security descriptor. A security descriptor includes:

Access control entries (ACEs) in the DACLs and SACLs contain the following information:

Table 1-29  Inheritance flags

INHERITED_ACE
    Indicates whether the entry was inherited from a parent ACL.

INHERIT_ONLY_ACE
    Indicates whether the entry exists only to be propagated to children and is used only when child objects are created or when that entry is changed. If set, the entry is not checked when access or audit checks are done.

CONTAINER_INHERIT_ACE
    Indicates whether the entry should be inherited by directories below the object to which the entry applies.

OBJECT_INHERIT_ACE
    Indicates whether the entry should be inherited by files below the object to which the entry applies.

NO_PROPAGATE_INHERIT_ACE
    Indicates, when the entry is copied to a child, whether the settings of the CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE flags should be cleared, so that changes to the entry don’t propagate to grandchildren or objects below grandchildren.

Table 1-30  Access rights bits

Generic access rights
    The four high-order bits of the access mask format used by securable objects. Each securable object maps these bits to a set of its standard and object-specific access rights. For example, a file object maps the GENERIC_READ bit to the READ_CONTROL and SYNCHRONIZE standard access rights and to the FILE_READ_DATA, FILE_READ_EA, and FILE_READ_ATTRIBUTES object-specific access rights.

    GENERIC_ALL
        Read, write, and execute access.

    GENERIC_EXECUTE
        Execute access, including FILE_READ_ATTRIBUTES, FILE_EXECUTE, and SYNCHRONIZE, all of which are described below.

    GENERIC_READ
        Read access, including FILE_READ_ATTRIBUTES, FILE_READ_DATA, READ_CONTROL, and SYNCHRONIZE, all of which are described below.

    GENERIC_WRITE
        Write access, including FILE_APPEND_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_DATA, FILE_WRITE_EA, WRITE_CONTROL, and SYNCHRONIZE, all of which are described below.

Standard access rights
    A set of standard access rights that correspond to operations common to most types of securable object. Constants defined for the standard access rights bits include the following:

    DELETE
        Right to delete the object.

    READ_CONTROL
        Right to read the object’s security descriptor, not including information in the SACL.

    SYNCHRONIZE
        Right for a thread to block until the object is in the “signaled state”.

    WRITE_DAC
        Right to modify the DACL in the object’s security descriptor.

    WRITE_OWNER
        Right to change the object’s owner in the object’s security descriptor.

File and directory access rights

    FILE_ADD_FILE
        Right to create a file in a directory.

    FILE_ADD_SUBDIRECTORY
        Right to create a directory in a directory.

    FILE_APPEND_DATA
        Right to create a directory in a directory (when set for a directory) or to append data to a file (when set for a file).

    FILE_DELETE_CHILD
        Right to delete a directory and all the files it contains.

    FILE_EXECUTE
        Right to execute a program.

    FILE_LIST_DIRECTORY
        Right to list the contents of a directory.

    FILE_READ_ATTRIBUTES
        Right to read a file’s DOS attributes, including the hidden, read-only, system, and archive attributes.

    FILE_READ_DATA
        Right to read data from a file or pipe (when set for a file or pipe), or to list the contents of a directory (when set for a directory).

    FILE_READ_EA
        Right to read an object’s extended attributes.

    FILE_TRAVERSE
        Right to traverse a directory; equivalent to FILE_EXECUTE.

    FILE_WRITE_ATTRIBUTES
        Right to write a file’s attributes.

    FILE_WRITE_DATA
        Right to write to a file (when set for a file) or to create a file in a directory (when set for a directory); when applied to a directory, this bit is equivalent to FILE_ADD_FILE.

    FILE_WRITE_EA
        Right to write extended attributes.

An ACL can have a mixture of explicitly set and inherited ACEs. When a file or directory is created, ACEs are copied to the new object in the following order:

  1. Explicit ACL entries that deny an SID certain rights

  2. Explicit ACL entries that grant an SID certain rights

  3. Inherited ACL entries that deny an SID certain rights

  4. Inherited ACL entries that grant an SID certain rights

Inherited entries are placed in the order in which they are inherited: ACEs inherited from the parent come first, then entries inherited from the grandparent (that is, entries that the parent inherited and passed on), and so on. Because ACEs are processed from first to last, explicit entries override entries inherited from further up the tree.

Inheritance occurs when the object is created and when the ACL of a directory is changed; it does not occur when an object is moved into the directory tree. When a folder or file is moved within the volume, its ACL moves with it unchanged, without updating inherited permissions. The ACL is instead updated the next time its permissions are changed, which forces the parent to propagate its permissions.

ACEs in which the CONTAINER_INHERIT_ACE bit or the OBJECT_INHERIT_ACE bit is not set are not copied.

ACEs in which the CONTAINER_INHERIT_ACE bit is set are copied when a directory is created, but not when a file is created. The INHERIT_ONLY_ACE bit is cleared.

ACEs in which the OBJECT_INHERIT_ACE bit is set are copied when a file or a directory is created. If copied to a file, the INHERIT_ONLY_ACE bit is cleared. If copied to a directory, the INHERIT_ONLY_ACE bit is set. The intention is to allow directories to give one set of permissions to subdirectories and another set of permissions to files.

The INHERITED_ACE bit is set on all ACEs that are copied.

If the NO_PROPAGATE_INHERIT_ACE bit is set on the entry being copied, the CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE bits are cleared in the copy.
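The creation-time inheritance rules above and the canonical ordering of explicit and inherited entries, worked through as an added Python example (not part of the AFP specification or any Apple code). The flag bit values, the ACE record, the SIDs and the sample parent ACL are constructed for the example; where an entry carries both CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE and the child is a directory, the example assumes the container rule (INHERIT_ONLY_ACE cleared) takes precedence, which the text does not state, and an access check with no matching entry is treated as a denial.

```python
from dataclasses import dataclass, replace

# Bit values are constructed for this example, not the AFP/Windows constants.
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE = 0x01, 0x02
NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE = 0x04, 0x08, 0x10

@dataclass(frozen=True)
class ACE:
    sid: str        # principal the entry applies to
    allow: bool     # True = grant, False = deny
    rights: str     # symbolic right, e.g. "GENERIC_WRITE"
    flags: int = 0  # inheritance flags defined above

def inherit_aces(parent_acl, child_is_dir):
    """ACEs a newly created child copies from its parent's ACL (rules in the text)."""
    copied = []
    for ace in parent_acl:
        ci, oi = ace.flags & CONTAINER_INHERIT_ACE, ace.flags & OBJECT_INHERIT_ACE
        if child_is_dir and ci:        # effective on the subdirectory (assumption: CI wins over OI)
            flags = ace.flags & ~INHERIT_ONLY_ACE
        elif child_is_dir and oi:      # held by the subdirectory only to pass on to its files
            flags = ace.flags | INHERIT_ONLY_ACE
        elif not child_is_dir and oi:  # effective on the file
            flags = ace.flags & ~INHERIT_ONLY_ACE
        else:                          # neither bit set, or a CI-only entry onto a file
            continue
        if flags & NO_PROPAGATE_INHERIT_ACE:  # copy stops here: nothing reaches grandchildren
            flags &= ~(CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)
        copied.append(replace(ace, flags=flags | INHERITED_ACE))
    return copied

def order_acl(explicit, inherited):
    """Explicit deny, explicit allow, inherited deny, inherited allow; the sort is stable."""
    tagged = [(0, a) for a in explicit] + [(1, a) for a in inherited]
    return [a for _, a in sorted(tagged, key=lambda t: (t[0], t[1].allow))]

def is_allowed(acl, sids, right):
    """First effective entry matching one of the caller's SIDs and the right decides."""
    for ace in acl:
        if not ace.flags & INHERIT_ONLY_ACE and ace.sid in sids and ace.rights == right:
            return ace.allow
    return False

# Constructed sample parent ACL: guests denied write on everything below, everyone
# granted read on files only, admins granted all on direct subdirectories only.
PARENT_ACL = [
    ACE("guests", False, "GENERIC_WRITE", CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE),
    ACE("everyone", True, "GENERIC_READ", OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE),
    ACE("admins", True, "GENERIC_ALL", CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE),
]
```

Calling inherit_aces on the result of a previous call models the grandchild level, which is where the NO_PROPAGATE_INHERIT_ACE entry stops.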

When ACLs are enabled for a volume, they are mapped to effective UNIX owner, group, and everyone permissions.

When accessing remote volumes on which ACLs are enabled, use the FPAccess command to determine whether the client has access to a file or directory, the FPGetACL command to get the ACL of a file or directory, and the FPSetACL command to set the ACL of a file or directory.

Last updated: 2006-04-04
Copyright © 2007 Apple Inc.