OSX Server ACL
[[作業関連知識]]
Controls the Mac's access control lists (ACLs) from the command line.
This is extremely powerful for file server operations and similar tasks.
Source:
http://www.real-world-systems.com/docs/chmod.mac.1.html
chmod -- change file modes or Access Control Lists (ACL)
chmod [-fv] [-R [-H | -L | -P]] mode file …
chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file …
chmod [-fhv] [-R [-H | -L | -P]] [-E] file …
chmod [-fhv] [-R [-H | -L | -P]] [-C] file …
chmod [-fhv] [-R [-H | -L | -P]] [-N] file …
Modifies the file mode bits and Access Control Lists (ACLs)
-f Do not display a message if modify fails for file.
-R Change the modes of the file hierarchies rooted in th...
-H, -L and -P are ignored without -R, override each othe...
Symbolic link behavior (with -R):
-H symbolic links on the command line are followed.
Symbolic links encountered in the tree traversal are not ...
-L followed.
-P NOT followed. Default.
-h change the mode of the link itself rather than the ta...
-v verbose, showing filenames as the mode is modified.
Specified more than once, the old and new modes of the fi...
Only the owner of a file or the super-user is permitted t...
DIAGNOSTICS
The chmod utility exits 0 on success, and >0 if an error ...
MODES
Modes may be absolute or symbolic. An absolute mode is an...
4000 (the set-user-ID-on-execution bit) Executable files...
2000 (the set-group-ID-on-execution bit) Executable file...
1000 (the sticky bit) See chmod(2) and sticky(8).
0400 Allow read by owner.
0200 Allow write by owner.
0100 For files, allow execution by owner. For directorie...
0040 Allow read by group members.
0020 Allow write by group members.
0010 For files, allow execution by group members. For di...
0004 Allow read by others.
0002 Allow write by others.
0001 For files, allow execution by others. For directori...
For example, the absolute mode that permits read, write a...
mode ::= clause [, clause ...]
clause ::= [who ...] [action ...] action
action ::= op [perm ...]
who ::= a | u | g | o
op ::= + | - | =
perm ::= r | s | t | w | x | X | u | g...
The who symbols u, g, and o specify the user, group, and ...
The perm symbols represent the portions of the mode (perm...
r read bits.
w write bits.
x execute/search bits.
s set-user-ID-on-execution and set-group...
t sticky bit.
X execute/search bits if the file is a d...
set in the original (unmodified) mode....
meaningful in conjunction with the op ...
u user permission bits
g group permission bits
o other permission bits
ls -l
-rw------- 1 5595 Feb 22 12:31 .bash_history
-rwxr----- 1 27 Dec 15 16:31 .profile
The op symbols represent the operation performed:
+ If no value is supplied for perm, + has no eff...
If no value is supplied for who, each permissi...
Otherwise, the mode bits represented by the sp...
- If no value is supplied for who, each permissi...
Otherwise, the mode bits represented by the sp...
= The mode bits specified by the who value are c...
owner, group and other mode bits are cleared.
if no value is supplied for who, each permissi...
clear, is set.
Otherwise, the mode bits represented by the sp...
Each clause specifies one or more operations to be perfor...
Operations upon the other permissions only (specified by ...
EXAMPLES OF VALID MODES
644 make a file readable by anyone and writable by the o...
go-w deny write permission to group and others.
=rw,+X set the read and write permissions to the usual d...
+X make a directory or file searchable/executable by eve...
755
u=rwx,go=rx
u=rwx,go=u-w make a file readable/executable by everyone ...
go= clear all mode bits for group and others.
g=u-w set the group bits equal to the user bits, but cle...
ACL MANIPULATION OPTIONS
Using extensions to the symbolic mode grammar.
Each file has one ACL, containing an ordered list of entr...
ls -l displays + when ACL entries are present
ls -le displays the ACL entries
drwx------+ 108 dgerman staff 3672 Feb 9 20:09 Documents
0: group:everyone deny delete
Each entry refers to a user or group, and grants or denie...
If a user and a group have the same name (example mail), ...
Applicable to all filesystem objects:
delete Deletion may be granted by either this permission ...
readattr implicitly granted if the object can be looked ...
readextattr
writeattr
writeextattr
readsecurity
writesecurity
chown Change an object's ownership.
Applicable to directories:
list
search Look up files by name.
add_file
add_subdirectory
delete_child Delete a contained object. See the file dele...
Applicable to non-directory filesystem objects:
read Open for reading.
write Open for writing.
append Open for writing, but only allow writes into areas...
execute Execute the file as a script or pro
ACL inheritance is controlled with the following permissi...
which may only be applied to directories:
file_inherit Inherit to files.
directory_inherit Inherit to directories.
limit_inherit only relevant to entries inherited by subdi...
preventing further nested subdirectories from also inheri...
only_inherit The entry is inherited by created items but ...
+a inserts into the canonical location.
If the supplied entry refers to an identity already liste...
Examples
ls -dle Documents
drwx------+ 108 3672 Feb 9 20:09 Documents
0: group:everyone deny delete
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: admin allow write
# chmod +a "guest deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: guest deny read
2: admin allow write
# chmod +a "admin allow delete" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: guest deny read
2: admin allow write,delete
+a maintains correct canonical form: local deny, local allow, inherited deny, inherited allow.
By default, chmod adds entries to the top of the local de...
Inherited entries are added by using the +ai mode.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
# chmod +ai "others allow read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security
+a# inserts an entry at a specific location.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: guest deny read
2: admin allow write
# chmod +a# 2 "others deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: guest deny read
2: others deny read
3: admin allow write
+ai# inserts inherited entries at a specific location. Th...
-a deletes matching ACL entries.
If the entry lists a subset of rights granted by an entry...
Entries may also be deleted by index using -a#.
Inheritance is not considered.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: guest deny read
2: admin allow write,delete
# chmod -a# 1 file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: admin allow write,delete
# chmod -a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: admin allow delete
=a# rewrites individual entries, but may not add new e...
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: admin allow delete
# chmod =a# 1 "admin allow write,chown" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 ...
owner: juser
1: admin allow write,chown
-E Reads the ACL information from stdin, as a sequential...
-C Returns false if any of the named files have ACLs in ...
-i Removes the 'inherited' bit from all entries in the n...
-I Removes all inherited entries from the named file(s) ...
-N Removes the ACL from the named file(s).
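As an added example (not part of the original page or of Apple's chmod), a small Python audit helper for the `ls -le` listings and the `-a` semantics described above: it parses the entry lines, checks the canonical order (local deny, local allow, inherited deny, inherited allow), flags allow entries that hand modifying rights to the everyone group, and builds the `chmod -a` that relies on the subset rule to strip only those rights. The sample listing and the SENSITIVE set are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the `ls -le` output shown on this page.
SAMPLE_LS_LE = """\
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
 0: guest deny read
 1: admin allow write,delete
 2: juser inherited deny delete
 3: group:everyone inherited allow read,write,delete
"""

# Rights that modify content, remove objects or change security (set chosen for this example).
SENSITIVE = {"write", "append", "delete", "delete_child", "add_file",
             "add_subdirectory", "chown", "writesecurity", "writeattr", "writeextattr"}

# Entry line: "<index>: <who> [inherited] allow|deny <right>[,<right>...]"
ENTRY_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)\s*$")

@dataclass(frozen=True)
class Ace:
    index: int
    who: str
    inherited: bool
    kind: str            # "allow" or "deny"
    rights: frozenset

def parse_ls_le(text):
    """Return the ACL entries of an `ls -le` listing; mode and owner lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            idx, who, inh, kind, rights = m.groups()
            aces.append(Ace(int(idx), who, inh is not None, kind, frozenset(rights.split(","))))
    return aces

def is_canonical(aces):
    """Canonical order is local deny, local allow, inherited deny, inherited allow."""
    ranks = [(a.inherited, a.kind == "allow") for a in aces]
    return ranks == sorted(ranks)

def risky_grants(aces):
    """Allow entries that hand sensitive rights to the everyone group."""
    return [a for a in aces
            if a.kind == "allow" and a.who.endswith("everyone") and a.rights & SENSITIVE]

def remediation(path, ace):
    """`chmod -a` listing only the sensitive rights: by the subset rule only those are removed."""
    rights = ",".join(sorted(ace.rights & SENSITIVE))
    return f'chmod -a "{ace.who} {ace.kind} {rights}" {path}'
```

Because `-a` does not consider inheritance, the generated command also applies to inherited entries such as the one in the sample.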