16

Most Unix derivatives can copy ACLs from one file to another with:

```
getfacl filename1 | setfacl -f - filename2
```

Unfortunately Mac OS X does not have the getfacl and setfacl commands, as they have rolled ACL handling into chmod. chmod -E accepts a list of ACLs on stdin, but I haven't found a command that will spit out ACLs in a suitable format on stdout. The best I have come up with is:

```
ls -led filename1 | tail +2 | sed 's/^ *[0-9][0-9]*: *//' | chmod -E filename2
```

Is there a more robust solution?

Bonus question: is there a nice way to do it in Python, without using any modules that aren't shipped with 10.6?

MagerValp
  • So it's now year 2020, and macOS still has no `getfacl`/`setfacl`. Quite remarkable. https://github.com/jvscode/getfacl is 10 years old, and I've not been able to make it work. https://serverfault.com/a/303752/104173 looks complicated, and I'm not clear if it attempts to replace `get/setfacl` functionality. I get it that macOS is not a server platform, but it can still experience security intrusions. Is it worth restarting this conversation on http://apple.stackexchange.com? – Johnny Utahh Feb 24 '20 at 14:49

4 Answers

10

`ls -e`: Print the Access Control List (ACL) associated with the file, if present, in long (`-l`) output.

This gives a result such as...

```
drwxr-xr-x@ 19 localadmin   646B Aug  4 00:21  APPBUNDLE
0: user:localadmin allow add_file,add_subdirectory,writeattr,writeextattr,writesecurity
                   ⬆    ⇧                      ⇶                                     ⬆
```

Personally, I have "exports" in my ~/.bash_profile

```
export FILE_ALL="read,write,append,execute,delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
export DIR_ALL="list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
```

that make such a chmod possible...

```
sudo chmod +a "allow localadmin $DIR_ALL" /APPBUNDLE
```

From the chmod man page, there is this bit of info... that hints that it may indeed be possible to do something like you describe..

"ACLs are manipulated using extensions to the symbolic mode grammar. Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions. In cases where a user and a group exist with the same name, the user/group name can be prefixed with "user:" or "group:" in order to specify the type of name."

`chmod -E`: Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If the information parses correctly, the existing information is replaced.

Also, I'll give a shout out to BatchMod, an oldie, but a goodie for ACL's, as well as TinkerToolSystem.

mralexgray
  • This worked for me, but I had to change the chmod command to: `sudo chmod +a "localadmin allow $DIR_ALL" /APPBUNDLE` (switching the user name and the `allow`) – E. Moffat Jan 23 '19 at 21:02
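The question's `ls -led | tail | sed | chmod -E` pipeline, written out as an added Python 3 example using only the standard library (not code from any poster in this thread). It assumes, as that pipeline does, that `chmod -E` accepts ACE lines as `ls -le` prints them once the index is stripped, and it uses macOS `chmod -N` to clear the target when the source has no ACL; `parse_aces`, `copy_acl` and `SAMPLE` are hypothetical names, and the sample text is constructed.

```python
import re
import subprocess

# One ACE line of `ls -led` output: optional indent, index, colon, entry.
ACE_LINE = re.compile(r"^\s*(\d+):\s*(.+?)\s*$")

# Constructed sample, modelled on the `ls -e` output shown in the answer above.
SAMPLE = (
    "drwxr-xr-x+ 19 localadmin  staff  646 Aug  4 00:21 APPBUNDLE\n"
    " 0: user:localadmin allow add_file,add_subdirectory,writeattr\n"
    " 1: group:everyone deny delete\n"
)


def parse_aces(ls_output):
    """Return the ACEs in order, index prefix stripped; reject anything else."""
    aces = []
    # Line 0 is the mode/owner line; every later line must be ACE number 0, 1, ...
    for expected, line in enumerate(ls_output.splitlines()[1:]):
        match = ACE_LINE.match(line)
        if match is None or int(match.group(1)) != expected:
            raise ValueError("unexpected line in ls output: %r" % line)
        aces.append(match.group(2))
    return aces


def copy_acl(src, dst):
    """Replace dst's ACL with src's. macOS only; no shell, so odd names are safe."""
    out = subprocess.check_output(["/bin/ls", "-led", "--", src])
    aces = parse_aces(out.decode("utf-8"))  # raises before dst is touched
    if not aces:
        # Source has no ACL: remove the target's (chmod -N) rather than feed -E nothing.
        subprocess.check_call(["/bin/chmod", "-N", "--", dst])
        return aces
    proc = subprocess.Popen(["/bin/chmod", "-E", "--", dst], stdin=subprocess.PIPE)
    proc.communicate(("\n".join(aces) + "\n").encode("utf-8"))
    if proc.returncode != 0:
        raise RuntimeError("chmod -E failed with status %d" % proc.returncode)
    return aces


if __name__ == "__main__":
    for ace in parse_aces(SAMPLE):
        print(ace)
```

Because parsing fails closed, a line that is not a correctly numbered ACE (for example from a file name containing a newline) aborts the copy instead of replacing the target's ACL with a partial list.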
2

Maybe have a look at https://github.com/jvscode/getfacl.

ken
  • Good reference. Alas, this project appears to be 10 years old, has no `setfacl` (only `getfacl`), and the `getfacl` functionality appears to be quite limited. I've unfortunately not found a better solution. – Johnny Utahh Feb 24 '20 at 14:54
  • That is a vintage repo. – Watchmaker Oct 09 '20 at 09:25
1

https://github.com/ptrrkssn/acltool might be of interest - it works on MacOS, FreeBSD, Linux & Solaris. I got tired of the different ACL tools on each system so decided to create one that works the same on all...

With it you can do things like:

```
% acltool list-access  -v .
# file: .
# owner: peter (501)
# group: staff (20)
# type: directory
        group:everyone:-----d--------:-------:deny  # gid=12

% mkdir t

% acltool copy-access -v . t
t: ACL Updated

% acltool edac -v peter:full_set t
t: ACL Updated

% acltool lac t
# file: t
# owner: peter
# group: staff
          user:peter:rwxpDdaARWcCos:-------:allow
      group:everyone:-----d--------:-------:deny
```

(It has some bugs but mostly works now)

0

You should be able to get stat to format its output in a suitable way.

Dennis Williamson