OS X ACLs from the Command Line

I recently needed to set up a project-based directory structure on our server at work. The directory structure has a fairly complex permission structure that was very time-consuming to set up with Workgroup Manager.

To simplify the process, I set up a shell script that can be run as an application using Platypus and CocoaDialog. One note: the ACL syntax does not differentiate between a user and a group.

Workgroup Manager

Apple's Workgroup Manager generates the following ACL setting:

Directory - Full Access

group allow list,add_file,search,delete,add_subdirectory, \
delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity, \
writesecurity,chown,file_inherit,directory_inherit

Directory - Read/Write

group allow list,add_file,search,delete,add_subdirectory,delete_child, \
readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit, \
directory_inherit

Directory - Read Only

group allow read,execute,readattr,readextattr,readsecurity

File - Full Access

group allow read,write,execute,delete,append,readattr,writeattr, \
readextattr,writeextattr,readsecurity,writesecurity,chown

File - Read/Write

group allow read,write,execute,delete,append,readattr,writeattr, \
readextattr,writeextattr,readsecurity

File - Read Only

group allow read,execute,readattr,readextattr,readsecurity

General Usage

The basic syntax I used to set up ACL permissions was as follows.

chown user:group file
chmod 660 file
chmod +a "thisgroup allow read,write,execute,delete,append,readattr,writeattr,\
readextattr,writeextattr,readsecurity" file
chmod +a "othergroup allow read,execute,readattr,readextattr,readsecurity" file

This grants read/write access to thisgroup and read-only access to othergroup. To display the current permissions, including ACLs, use the following:

ls -le

This will return something like:

-rw-r--r-- +  1 user  group    0 Aug 21 17:49 file
 0: group:thisgroup allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 1: group:othergroup allow read,execute,readattr,readextattr,readsecurity
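The sequence above (chown, chmod mode, then one chmod +a per group) has to be repeated for every directory and file in a project tree, with the directory presets on directories and the file presets on files. The script below is an added example written for this page, not the script the post packaged with Platypus; it assumes the macOS chmod with its +a / -N ACL options and takes the permission sets from the Workgroup Manager presets listed earlier. Setting DRY_RUN=1 prints the commands instead of running them, which is how the script can be checked before touching a live share.

```shell
#!/bin/sh
# Added example (not the post's own script): apply the Workgroup Manager
# presets above to a project tree with macOS chmod's ACL syntax.
# Assumptions: macOS chmod (+a adds an entry, -N strips the ACL);
# DRY_RUN=1 echoes commands instead of running them; paths without newlines.

# Permission sets copied from the Workgroup Manager presets above.
DIR_FULL="list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit"
DIR_RW="list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"
DIR_RO="read,execute,readattr,readextattr,readsecurity"
FILE_FULL="read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
FILE_RW="read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity"
FILE_RO="read,execute,readattr,readextattr,readsecurity"

# ace KIND LEVEL WHO  -> prints one ACL entry, e.g. "thisgroup allow list,..."
# KIND is dir|file, LEVEL is full|rw|ro.
ace() {
  case "$1:$2" in
    dir:full)  perms=$DIR_FULL ;;
    dir:rw)    perms=$DIR_RW ;;
    dir:ro)    perms=$DIR_RO ;;
    file:full) perms=$FILE_FULL ;;
    file:rw)   perms=$FILE_RW ;;
    file:ro)   perms=$FILE_RO ;;
    *) echo "ace: unknown preset '$1:$2'" >&2; return 1 ;;
  esac
  printf '%s allow %s\n' "$3" "$perms"
}

# run CMD...  -> runs the command, or echoes it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_project_acl ROOT OWNER RW_GROUP RO_GROUP
# Mirrors the post's sequence (chown, chmod mode, chmod +a per group) for
# every directory (dir presets) and file (file presets) below ROOT. The ACL is
# cleared first so re-running the script does not append duplicate entries.
apply_project_acl() {
  root=$1; owner=$2; rw=$3; ro=$4
  [ -d "$root" ] || { echo "apply_project_acl: $root is not a directory" >&2; return 1; }
  run chown -R "$owner:$rw" "$root"
  find "$root" -type d | while IFS= read -r d; do
    run chmod 770 "$d"
    run chmod -N "$d"
    run chmod +a "$(ace dir rw "$rw")" "$d"
    run chmod +a "$(ace dir ro "$ro")" "$d"
  done
  find "$root" -type f | while IFS= read -r f; do
    run chmod 660 "$f"
    run chmod -N "$f"
    run chmod +a "$(ace file rw "$rw")" "$f"
    run chmod +a "$(ace file ro "$ro")" "$f"
  done
}

# Usage (path and names are placeholders):
#   DRY_RUN=1 sh apply_acl.sh /Volumes/Projects/NewProject admin thisgroup othergroup
if [ $# -eq 4 ]; then apply_project_acl "$@"; fi
```

The directory entries carry file_inherit and directory_inherit, so anything created later inside the tree inherits them; the find loops exist for the files and folders that are already there. Where a user and a group share a name, the macOS chmod also accepts an explicit `group:thisgroup` prefix in the entry, which removes the ambiguity the post notes.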
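The `ls -le` listing is also the quickest way to check that a share has not drifted from the presets: the Full Access presets above are the only ones that carry writesecurity and chown, and an entry granting either of those lets its holder rewrite the ACL or take ownership, which makes the read-only/read-write split meaningless. The awk filter below is an added example (not from the post) that reads `ls -le` output in the format shown above and prints every allow entry carrying a permission from a given list; the sample listing is constructed for the example, and file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the post): scan `ls -le` output for ACL entries that
# grant sensitive permissions. SAMPLE is constructed in the format shown above,
# not captured from a real server. Assumes file names without spaces.

SAMPLE='-rw-r--r-- +  1 user  group    0 Aug 21 17:49 file
 0: group:thisgroup allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 1: group:othergroup allow read,execute,readattr,readextattr,readsecurity
drwxr-xr-x +  3 user  group  102 Aug 21 17:49 projdir
 0: group:thisgroup allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:bob deny list'

# audit_acl_listing [PERMS]  -> reads an `ls -le` listing on stdin and prints
# "path<TAB>who<TAB>perms" for every allow entry containing any of PERMS
# (comma-separated; default writesecurity,chown, which let the holder change
# the ACL or the owner). Deny entries are never reported.
audit_acl_listing() {
  awk -v want="${1:-writesecurity,chown}" '
    BEGIN { n = split(want, flag, ",") }
    # ACE line: "<index>: <who> <allow|deny> <perm,perm,...>"
    /^ *[0-9]+: / {
      if ($3 == "allow") {
        m = split($4, have, ",")
        for (i = 1; i <= m; i++)
          for (j = 1; j <= n; j++)
            if (have[i] == flag[j]) { printf "%s\t%s\t%s\n", path, $2, $4; next }
      }
      next
    }
    # long-format line: the last field is the name the following ACEs belong to
    NF >= 9 { path = $NF }
  '
}

# Live usage (path is a placeholder): ls -le /Volumes/Projects/NewProject | audit_acl_listing
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | audit_acl_listing
```

Run against the sample, the default filter reports only projdir's thisgroup entry, because that is the only allow entry carrying writesecurity and chown; passing a different list such as `delete` shows how the same filter can be pointed at any permission from the presets.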

Platypus Setup

Download the following applications and scripts.

Platypus lets you wrap your shell script into a double-clickable application. You can embed both CocoaDialog and the template folder in the application bundle. This script requires administrative privileges. I also set the application to remain open afterward so that you can review any errors. The Platypus setup should look something like the following:

[Image: Platypus setup screenshot]