Howto Specify a Group Using Access Control Lists

tgunr · #1 October 17th, 2005, 12:30 AM

I cannot for the life of me get chmod +a "admin allow read,write,delete" /Applications to refer to the group 'admin' . It only seems to look first in the users and if a user is named 'admin it thinks that is what I want. I want the group not the user, how do I do this?

BjarneDM · #2 October 27th, 2005, 05:34 PM

doesn't seem possible.

none of the the documentation I've found seems to destinguish between users and groups in any way. the Workgrup Manager on X 10.4 Server also seems to treat users and groups as a whole. for screenshots and discussions see here:
http://images.apple.com/server/pdfs/...s_TB_v10.4.pdf
http://arstechnica.com/reviews/os/macosx-10.4.ars/8

tgunr · #3 October 27th, 2005, 07:02 PM

A workaround is to rename the group, I changed the group 'admin' to 'sysadmin' and can now specify the 'sysadmin' as I desired.

sourcehound · #4 November 27th, 2005, 02:04 AM

Quote:

Originally Posted by tgunr

A workaround is to rename the group, I changed the group 'admin' to 'sysadmin' and can now specify the 'sysadmin' as I desired.

The "admin" group is group 80, one of the builtin OS X groups and the group specified in /etc/sudoers, so changing its name is a bad thing. It's better to create a new group, and nest the admin group inside, then specify the new group in the ACL.

However, I do have to say that the ACLs are still pretty immature and have some issues. I get around that by using the nested groups which work well.

So, instead of changing "admin" to "sysadmin" simply create "sysadmin" and nest the admin group inside of it. That way, you won't mess with the built in group structures on OS X.

tgunr · #5 November 28th, 2005, 04:09 PM

Great idea, I should have remembered that!

FWIW, the name change seems to have caused no problems so far, but I am going to try the subgroup anyway, much cleaner.