Re: Access Control Lists



In article <1h27njl.1svnffi787b55N%egusenet@xxxxxxxxxxx>,
egusenet@xxxxxxxxxxx (Eric) wrote:

> Has anyone else been playing around with Access Control Lists (ACL)
> under Mac OS X (Tiger) Client?
>
> What I have noticed is the following:
>
> 1. ACLs are honored if a user logs into the actual machine
>
> 2. ACLs are honored if a user ftps into the machine
>
> 3. ACLs are honored if a user connects via SMB
>
> 4. ACLs are not honored if the user connects via AFP
>
> Of course, #4 is the method I would most like to see ACLs honored under.
> Is there any way to have this work properly?
>
> I understand that ACLs are honored if a user connects via AFP if the
> machine is running Mac OS X Server.

Sounds like the AFP server is not checking ACLs. Using the "Way Back
Machine", I used to develop and maintain an AFP file server on an
OpenVMS system.

Generally, the file server runs as a very privileged user (and looking
at Mac OS X, AppleFileServer is running as root). As root, ACLs mean
nothing to AppleFileServer, since root is allowed to do anything it
wants. For a file server this is generally a good thing, _HOWEVER_, it
does mean that the server must perform all security checks.

It is my guess that AppleFileServer, on the desktop Mac OS X software
version, has not been updated to perform ACL checks, so it is only
performing User, Group, Other checks.

This is all a guess, but an educated guess.

I would suggest submitting feedback via the
http://www.apple.com/macosx/feedback/
web page, and maybe even going to http://developer.apple.com/ and
trying to submit a bug report.

Security violations are not a good thing.

Bob Harris
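
Added example (not part of the original post, and not Apple's code): a simplified model of the situation described in the reply above, where a file server running as root gets no enforcement from the kernel and must make the access decision itself. All names, the sample files and the first-matching-entry ACL rule are assumptions of this sketch.

```python
# Simplified model: an ordered ACL is consulted first, and the
# owner/group/other mode bits apply only when no ACL entry matches.
from dataclasses import dataclass, field

READ, WRITE = 4, 2  # permission bits, as in one digit of a Unix mode

@dataclass
class User:
    name: str
    groups: set

@dataclass
class Ace:           # one access control entry (hypothetical structure)
    principal: str   # user or group name
    allow: bool      # True = allow entry, False = deny entry
    perms: int       # bitmask of READ / WRITE

@dataclass
class File:
    owner: str
    group: str
    mode: int                                  # e.g. 0o644
    acl: list = field(default_factory=list)    # ordered list of Ace

def mode_check(user, f, want):
    """User/Group/Other check only, which the reply guesses is all the server does."""
    if user.name == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in user.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def acl_aware_check(user, f, want):
    """First ACL entry naming the user (or one of their groups) for the
    requested permission decides; otherwise fall back to the mode bits."""
    for ace in f.acl:
        applies = ace.principal == user.name or ace.principal in user.groups
        if applies and ace.perms & want:
            return ace.allow
    return mode_check(user, f, want)

# Constructed sample data: a group-readable file whose ACL denies read to
# "eve", and a private file whose ACL grants read to "bob".
eve, bob = User("eve", {"staff"}), User("bob", {"staff"})
report = File("alice", "staff", 0o644, [Ace("eve", False, READ)])
private = File("alice", "staff", 0o600, [Ace("bob", True, READ)])
```

With the mode-only check, eve can read `report` despite the deny entry and bob cannot read `private` despite the allow entry; the ACL-aware check gives the opposite answer in both cases.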