ansaurus

Question

remove an ACL entry for just ONE user in MacOS? oddly difficult

Answer 1

A:

I'd grep the output of ls -le for the username, then remove the rule with the index number you found using awk. As long as you don't call your users read, write, deny, allow, delete or such ;)

Graham Lee 2009-03-12 09:42:49

that would work fine for a single folder, but i need to perform this on thousands of files. it's a 2TB volume

username 2009-03-12 10:14:57

This is where loops or even the find command will help. If something works fine for a folder, it works fine for _all_ folders.

Graham Lee 2009-03-12 10:51:02

Answer 2

A:

find / -print0 -type fd | xargs -0 ls -le | more

might help you to start exploring the filesystem.

You could replace more with another command, such as a grep for ACL output, and a subsequent pipe to handle the results of grep with fsaclctl.

Alex Reynolds 2009-03-12 14:36:33

i'm trying to figure our if there's a dead easy way to do this. for starters, you can only delete an ACL entry either by its rule number (which wont be the same for 6TB of files), or by removing its exact permissions (strangely). all seems very kludgy. fsaclctl isnt installed by default on mac os

username 2009-03-12 22:03:38

... except that it is. fsaclctl i mean. sorry, misread as "setfacl"

username 2009-03-12 22:52:40

Answer 3

+2 A:

How about the chmod "-a" option?

find . -exec chmod -a "johndoe allow delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,read,write,append,execute,list,search,add_file,add_subdirectory,delete_child" {} \;

It will remove all ACL permissions for johndoe on all files recursively from the current directory. (It will print errors for all files without an ACL, but it will still work on the rest of 'em). As you mentioned, you'll have to run this with "inherited" and "deny" as well.

EDIT: Here are tools that use ACLs on Mac OS X:

# cat has_acl.sh 
otool -IV $1 2>&1 | grep _acl_ > /dev/null
# find /bin /sbin /usr/bin /usr/sbin -exec ./has_acl.sh {} \; -print
/bin/chmod
/bin/ls
/usr/bin/ex
/usr/bin/rview
/usr/bin/rvim
/usr/bin/vi
/usr/bin/view
/usr/bin/vim
/usr/bin/vimdiff
/usr/sbin/cupsd
/usr/sbin/kadmind
/usr/sbin/pkgutil

vi only reads & preserves the ACLs, the others don't seem useful, either. But there could be 3rd party tool. Maybe in Fink/MacPorts?

Jesse Rusak 2009-03-25 12:28:25

I've reposted this, as requested by the asker.

Jesse Rusak 2009-03-25 12:29:10

(Apparently, you can't accept an old answer - even an edited one - after posting a bounty? Crazy.)

Jesse Rusak 2009-03-25 12:31:18

Sorry Jesse, I still don't get any option to accept this as the answer. I don't get an option to set a bounty again either. It seems like either a SO bug, or some process I am ignorant of. I do see the option to Close/Open the question, but the status appears as Open already.

username 2009-03-27 08:46:22

Well, don't worry about it. I hope the command worked!

Jesse Rusak 2009-03-27 10:42:04

You probably have to accept it before the bounty has expired.

Jesse Rusak 2009-03-27 11:25:01

Hey Jesse, do you have an account at the SO sister-site: serverfault.com? If so, could you copy and paste your answer to http://serverfault.com/questions/6607/propagate-removal-of-an-acl-entry-for-just-one-user-in-mac-os

username 2009-05-16 17:01:59

I don't, unfortunately. Once it goes public, I'll try to remember.

Jesse Rusak 2009-05-16 23:59:07

ansaurus

tags:

views:

answers:

remove an ACL entry for just ONE user in MacOS? oddly difficult

related questions