Information Technologies • 1:02:21
Access Control Lists (ACLs) enable servers to enforce fine-grained control of who can access shared files and services and which level of access they are allowed. Discover how to use ACLs to ensure the right people in your organization have the appropriate level of access, and learn how to use ACLs with non-Mac OS X servers and clients on your network.
Speakers: Josh Wisenbaker, Sean Eric Fagan
Unlisted on Apple Developer site
Transcript
This transcript has potential transcription errors. We are working on an improved version.
[Josh Wisenbaker]
We're gonna talk about access control lists today, managing and deploying these things. And we're gonna talk specifically about file system access controls and we're gonna talk about service access controls, basically ACLs and SACLs as we like to call them. We're not gonna get into DACLs, which would be the directory access ones.
So we're not gonna get into any other kind of access control on Mac OS X, strictly looking at the deploying and managing of the other two that are the ones that you commonly see in an IT environment since this is more of an administration sort of track. That said, my name is Josh Wisenbaker. I'm one of the enterprise CEs at Apple Computer. I take care of deployment and management of client technologies. And even though this is an IT sort of track, before I get into my little bit I wanna introduce Sean Fagan, who's one of our local file system engineers, to talk to you a little bit about how all this stuff actually works.
( Applause )
[Sean Fagan]
Alright, as said, I'm Sean Fagan. I work in the file systems group. And we're talking mainly about the implementation of ACLs, just to give you an idea of what they are and how they work. And I'll also be talking about the command line interface because that's where I live. Josh will be talking about the graphics later.
As everyone should already be familiar with the chmod command, we have had ACLs in chmod since Tiger. The (inaudible) describes them in very good detail. I recommend reading it if you haven't already. The basic syntax is you say +a, that indicates you're gonna be adding an ACL or an ACE to a file. ACE stands for access control entry, and an access control list has a list of those. You can use -a to remove a specific one. And -N will remove all the ACLs from the file if you need to clear it out for some reason.
The ls command has been extended, and this was in Tiger, to show a plus on the output of ls -l, and that's the permission bit to indicate that there is an ACL on the file. The reason it is right next, right at the end of the (inaudible) is that any script that happens to parse it based on spaces will continue to work.
And I verify that all my scripts continue to work, which is useful. The (inaudible) -e is a list out the ACLs for the file. The example on the screen describes it pretty well. There are a number, when you use chmod, you can specify an order and again, this is in the man page. Josh will get into the semantics of ACLs later, describing why you'd want to care about the order.
If, the new in Leopard, if you want, if you specify the @ sign to that ls -l it will list out extended attributes that a file has. Again, it is similar with the plus sign at, at the end of the mode bits it will indicate that there are EAs present. The one caveat there is, if a file has both ACLs and EAs only the @ sign will be listed.
Now, I said I would talk about the implementation, here it is. On most of the file systems ACLs are implemented as EAs. As we've indicated in the past EAs have a reverse DNS name, or we recommend you use this. So, EAs on for example, HFS+, UFS, etcetera are in the com.apple.system.security EA, which does not show up to any other attributes. So generally, this doesn't matter, unless you happen to be setting an EA with that name and find out it doesn't work.
Now since it's all implemented as an EA on those file systems it's also subject to the normal limitations that an EA may have on that file system, which I'll get to in a bit. File systems that have native EA support are HFS+ and UDF. And as we've mentioned, ZFS is available, and that FS also has native EA support.
File systems that do not have native EAs, which include UFS and MS-DOS, also NFS for the network file system, implement EAs using an AppleDouble file. The kernel will emulate this by creating a ._ file with the same name as file foo. The kernel will create and manipulate ._foo.
Now when I say this is an AppleDouble file, it's not exactly an AppleDouble file. It's a very limited version of it. It only supports the Finder info section and the resource fork section, and the EAs are in this gap between the Finder info and resource fork.
The (inaudible) are getting used more and more, you know, in OS X, and as we started saying with Tiger, we recommend you use those for storing small amounts of metadata. OS X uses several of them, again using the reverse DNS information: com.apple.FinderInfo, com.apple.ResourceFork are the, well, Finder info and resource fork fairly obviously, ACLs, and quarantine, which I'm not sure we've mentioned yet, but will start showing up on your files.
Since they're implemented as EAs, ACLs as well as generic EAs have some limitations on HFS+. There is about a 3000 byte, just under 4K, limit for the size of an EA except for the resource fork. When it's emulated, for example, on UFS or MS-DOS there's about a 64 KB limit total. And an EA can be up to that size.
There is no hard limit on the number of EAs. So if you're going to write a program or script to sift through them, then you need to be prepared that there may be lots. Some of my test programs generate 10,000 EAs on a file. Now for the IT track most important is to be concerned about maintaining EAs. We have, since Tiger, we have had the command line programs try to deal with them. There have been bugs, but generally, they do work and they've been working better with each version.
rsync and scp actually do not copy EAs by default. You have to use the -E option to get them. cp will copy them by default. You have to tell it not to, but you need the cp -p option to copy the ACL because that's the only way cp will copy permissions.
tar will copy everything by default, and store the file's EA metadata as a ._ file in the archive. If you extract it on another file system or another operating system, and then retar it up it will just work because the file has the right name.
One caveat is that when you modify an EA on the system, the modification time for the file does not change. The only exception for this is on HFS+ with the resource fork. And that is due to the actual implementation of HFS+ where the resource fork and data fork are considered parts of the same aspects of the file. No other EA causes a modification time change. If you're going to be looking at copying files over based on their modification time, you have to be aware of this.
Now this is just for any programmers in the room, or anyone who wants to write their own code. tar and all the other utilities copy and manipulate EAs using the copyfile routine. This is a routine that was added in Tiger, but as a private interface; we've made it public for Leopard.
We recommend you use it. It can copy all the metadata we support, which includes the POSIX permissions, the EAs, ACLs, quarantine bit, and anything else we happen to add later. It also can copy the normal data. I've got two usages on this screen. The first one will copy just the metadata. The second one is the simplest cp program we have on the system. One caveat, it only works on single files. It won't copy an entire hierarchy. But I like it, I recommend people use it. And that's it for me. Let's go back to Josh.
( Applause )
[Josh Wisenbaker]
Thanks Sean. All right, thank you Sean. So now that everyone's got a little bit of better understanding, I think, underneath of what's going on, hopefully we'll avoid the whole arsenic OS X Server and bloodbath thing in Q and A later because that's fixed now. So we're gonna talk a little bit about file system ACL administration. Just a quick show of hands, how many people in here are more administrative than developer? I should have expected that in the IT track actually, I imagine.
So we are going to talk a little bit about ACLs, why we have them, what we're using them for. The very first thing to know about is the whole point in using these file system ACLs is to give you more control over your file system. We always before had this (inaudible) file permissions, you know the owner, the group, everyone. And then you had just your three bits on that you could set. And it was extremely easy to get stuck.
Because you couldn't do anything more than owner, group, everyone else on the system. So if you had to say give two different varying levels to two different groups, if you had the owner you wanted to have one thing and everyone else got something else, and then you had one group you wanted to have read access and one group you wanted write only access like a drop box, you couldn't do it.
So you kinda get stuck. We had a bunch of these special bits so that we could throw on there stickies and other things like that. And you could kinda try and make things work. But it really didn't do exactly what you wanted. And it became difficult to make it work that way. So ACLs give us a lot more flexibility, and a lot more control and more importantly, a lot more granular control.
So how do these things actually work when we start looking at them and figuring out how we're going to evaluate our file system? Well, the basic items of this include a GUID. This is something new on OS X in 10.3 and 10.4, and it's coming on up. And we have GUIDs for just all kinds of stuff now.
And all it is, and sometimes you'll see it called the UUID too, this allows you to uniquely identify something in the operating system, whether it's a user, whether it's a volume. You can use this in fstab to put mount points and things like that in. But they're unique across space and time, or so claims the man page. And they're made by taking the MAC address and just like milliseconds since the epoch in some sort of other calculation thrown in there. And so you get these big alphanumeric numbers that are unique.
And these are really important because if we just use traditional UIDs, say what's everyone's first UID on their system? It's 501. So if I had 501 and someone else had 501 and someone else had 501 and I tried to do ACLs with that, they'd get the same resolution because the system doesn't really care about your name, it cares about your number. So the GUID allows us to have this absolutely guaranteed function across space and time. Don't change them. I've seen people try to duplicate them on different systems to get similar results. That's all bad. Don't do that.
So an ACL itself is actually a list of things called ACEs, access control entries. And an ACE itself is a list of four specific items. So each ACE includes the GUID of the user or the group that this particular ACE applies to. That allows you to uniquely tie it to a specific thing.
The permission type, whether this is an allow or whether this is a deny, and we'll talk a little bit about the differences in those. There are some really significant changes to the way the system behaves when it sees allow or deny. And this comes into the ordering that Sean was talking about.
The actual permissions setting, we have 13 different possible permissions. We can set all to individual allow or deny. So you can make up an incredibly complicated ACL to control access to single folders. And then we also have the inherited field. And what the inherited field does is it specifies whether this ACE was inherited from the parent folder or whether it was explicitly defined on that folder.
And there are, like I said, 13 possible permissions. We are way beyond read write execute at this point. So these are organized into three different categories to help you kind of keep an idea down and understand what it is you're working on. And it's administrative privileges, read privileges, and write privileges.
Under administration privileges, and I should note that a lot of our ACLs mirror the Windows ACL and management. And this is good for you as administrators, because it makes us compatible with the ACL world, and it also makes it so that our ACLs are not strange scary Apple ACLs to all the Microsoft guys.
It gains us a lot of acceptance in the IT server room. So these are ones that if you ever admin a Windows file server, which I have had the glory of doom before, you're really familiar with these because it's difficult, especially on 2000, to just take control of things and change things around.
So these two administration privileges are change permissions, which allows the user to change the permissions on there, or take ownership, meaning you could chown it basically to you. So you can block these two out for regular users, and then you're pretty well certain that they're not going to be able to take any control over anything. They're not going to be able to just arbitrarily change the permissions on your file system.
We've got read privileges. And we've got read attributes, which is things like the time and the modification date and creation date, things like that. We've got read extended attributes, and reading these EAs allows us to see like our new, like the folder EAs, and the Finder EAs. It also allows us to read the ACLs.
We also have list folder contents, which would be like if you did an ls on a directory. You can read out the contents without actually going into the directory. This also allows you to read the data in a file. We have traverse folder. This would be like if you typed cd directory and you actually went inside that. And this is what you need to create a drop box. Even if you don't give any other read permissions, you have to be able to traverse the, the directory boundary.
And this also is equivalent to the execute on a file. And then we also have read permissions, and this allows you to read the permissions on a file. Even in the server when we go in here and you turn off all this stuff, and you don't want the user to happen, even if you go in and give them a deny on it, it is going to give them read attributes and extended attributes and permissions.
Because how is the Finder otherwise going to read the ACLs to know that it can't let you touch the file? You have to be able to see the extended attributes to be able to know what to do with that file. We have some write privileges as well. And these are very similar. They're pretty much just the opposite of the other ones. We can write our attributes, which are things like change the creation date, change the modification date.
We can change the extended attributes, which would allow someone to edit the ACL. You can have, you can create files, which is write data. This would be adding files to a folder. You can create a folder, which is also appending data to a file. And we can delete and delete subfolders and files. And the key thing here with delete, delete means this actual item.
Alright, so deleting this actual item or deleting the subfolders and files contained within this directory. If you want users to be able to rename files and folders inside a directory they actually have to be able to remove it and rename it and drop the file back down. So they have to be able to have the delete subfolders and files to rename files and folders.
So now we know a little bit about what the ACEs are, what the ACLs are, what our permission possibilities are, and there's a lot of them. So one of the things that people get confused on is how these are actually applied by the system. An ACL, as it would sound, access control list, is just a list of access control entries.
And so what we can look at there is the order of precedence that determines how Mac OS X is going to decide how to act upon those. So the thing to remember is, one, ACLs are checked first. If there's any ACL assigned to that, it starts there first. It starts at the top of the list, and it just goes one by one down the list.
The ACL and the POSIX permissions are going to be combined. If it doesn't find matches in the ACLs for what it's looking for, it's gotta look at the POSIX, and it's going to composite those two together to create what the individual user should be able to see. And the POSIX permissions are only going to be used if no ACE matches.
And that deny ACE overrides everything. If I tell someone to deny Sean write to this folder because the E doesn't need to stick in his head in here, what's going to happen is, that's automatically, in Workgroup Manager, or looking at it with ls, going to jump to the top of the list.
And that's a very important security point, because you don't want to run into conflicts, where if I had a deny on Jule and I had an allow on the CD group team, which Jule's a member of, the problem would be if I have that allow above the deny his explicit deny wouldn't take, because this thing stops when it finds its match.
And if it finds an allow before it finds a deny it lets people in. So in order to combat that and make it so you don't have to worry about it, denies always jump to the top of the list and you can't move them. You cannot bring them down. And any deny overrides any allow.
So you've gotten to the situation there where you have to remember it's kind of like the atomic bomb of ACLs. If you put a deny down there that's it. Those users that match that aren't going to get in there. An evaluation for each requested permission stops when that match is found. And there's 13 different ones it's going to be looking for.
So you can have this nested in, and we'll look at some of these in our demo, where we have one group that has both a deny and an allow and an enclosing group, one that includes that one, all of them layering together to build out what the effective permissions are for that user. It can get really complicated really fast.
So usage and propagation of this, the usage model that Apple has is fairly simple. We apply ACLs to folders. We don't apply ACLs to files (inaudible) or to tools, and application of ACEs to files is only done through inheritance. And there are four types of inheritance you need to consider.
So we have just applied to this folder, and when you do this one, it doesn't affect anything inside the folder. These are things that only apply to that particular item. We've got apply to child folders. So this one, used in this method, you notice, doesn't apply to the parent folder at all. It only applies to the child, first level child folders inside that directory tree.
Same goes for child files. And then if you want to recurse back down all the way through, you have an apply to all the descendants. Notice if you just use apply to all descendants, it doesn't apply to the parent folder here. So you're going to have to mix and match these to come up with the ones you want.
By default when you define an ACE it's going to put all of them down so that it automatically applies to the parent folder, and everything in it. Now when I say it automatically applies to everything in it, that's the place where we're different from the Windows systems in that we do not do automatic ACL propagation when you click the okay button or the save button.
We have to propagate these things down. And propagation of ACEs, ACLs only happens in Mac OS X at two very specific times. One of them is at file or directory creation time, the kernel will actually apply that ACL to that new file or new folder. Or you could use an administrative tool, that propagation tool in Server Admin on Leopard or (inaudible) Manager on Tiger, or chmod you could use also to apply recursively just like you always do, although Sean will probably not like me saying, doing ACLs from the command line to do complex ones gets very cumbersome. They're very long. And they'll show you some of these and what they look like. But if one of these two events does not happen, no ACLs propagate.
Time and time again I've seen a SysAdmin that goes in, selects that parent folder in their tree, turns on all their inheritance bits, clicks save, and then calls their alliance line because nothing happened. Well, nothing happened because nothing triggered the propagation. So you do have to be aware of that.
So like I said, setting the inheritance bits will not automatically propagate ACLs. Again, if you have ever been blessed with being a Windows server admin on a large file server you probably know the pain of changing one ACE in an ACL, clicking okay, then having Windows Explorer sit there and just kind of hang on you for 25 minutes, while it recurses through some giant directory going down through the tree and applying that change. I really like the way we do it more. And I do really also like the propagation tool because of the control it gives you over what you propagate. And we'll take a look at that in our demo as well.
So this is a Leopard sort of session. So we're going to talk about Leopard tools. All these same sort of ideas here apply to Workgroup Manager on Tiger. If any of you have taken your little Leopard disc out so far, and popped it in a machine with the FireWire drive and the Ethernet cable and something else to plug in to get the NIC to come active.
And you booted up OS X Server, and you found that file sharing is now in Server Admin, it's no longer in Workgroup Manager. So this is the easiest tool to use on Mac OS X Server to be able to do this. It allows for easy creation of ACLs. It allows for custom ACE creation, which are very nice, just little clicky clicky boxes.
We can propagate these down. And we'll look at this a bit more in our demo. But notice our propagation tool. I have all kinds of flexibility. I could just push out the group owner of these files. I could just push out the everyone permissions, the POSIX owner, and the ACLs if I wanted. Generally, I end up just using this for ACLs. This is also how you can remove ACLs very quickly from your tree as well. But it propagates down very selectively what you need to go.
We have the effective permissions inspector, which now looks different. It's got the HUD display, because this is a media app. And so we can use this to evaluate what we're going through, and we can, we can use this to effectively take a look at that complex compositing of that. And we will show you a little bit of this in our demo with a few little caveats.
So I'm going to switch over to my demo machine now, which looks like the screen has dimmed on. There we are. And we're going to take a look here, and we're going to do a very quick little demo. A word of caution here, we do seem to have a couple of challenges currently with the effective permissions manager in this build. So the effective permissions manager may not be showing us exactly what is right. But it is actually functioning.
And it will be fixed well before you guys try to put this in production and well before we ship the first production builds of this. So I wouldn't worry about it too terribly much. When you're using file system ACLs generally we're going to go ahead and we're going to use it in a file sharing sort of sense here on server. And a lot of times, you know, you've got users you want to keep out of things and users you want to let into things and users you want to restrict how much access they have.
So we're going to take a look at this demo and we're just going to very easily go through and create a small file structure. We're going to limit some users and allow others in. So we have this pretend design firm here, which is, you know, creative market's a big part of Apple's marketplace. And we have a couple different groups. We've got designers, freelancers and managers. Alright? Now in Workgroup Manager here, we can also take a look at these groups.
If I were to look at the user, you can see the inherited groups come down, because I actually have another group called global for applying these global changes. Now when you're looking at doing administration on your servers you might be tempted to use everyone here. The problem with using everyone for defining file system rights is that everyone means everyone else. It's everyone you didn't specifically define in a previous access control. So it includes Cyrus IMAP, it includes the Web server user, it includes all that stuff.
And if we're defining file system privileges for file sharing to a specific group of people we probably don't want to have to worry about having all these other users that we normally don't think about inside the system having access to our file systems. So I tend to make another group called global or file sharing or whatever and then I just nest in my other group of users that I want to use.
So the managers are going to need full access to everything, the full control set, which is one of our defaults. It means they can do whatever they want to anything. They automatically get an allow on every single thing. We've got designers. And these designers are going to need access to everything read-wise, but not write-wise. We have a managers folder that we want them to have no access to at all. And we want them to be able to move things around between folders. And then we have these lowly freelancers.
These are probably college kids, maybe high school dropouts that you had to hire and work your way at night building your new ad campaign. So we only want them to have read write access to the freelancers area and then we want a drop box that they're supposed to put their finished work in that they can't get it back out, because you know, they were on MySpace or something like that and they dropped their own file in and you want to be able to catch them at that so you can get rid of them. So if you're using Tiger, one of the, this is where your sharing will be. Now in Tiger, there is, you have to make sure the ACLs are enabled.
In Leopard it's a default state. And in later builds of Tiger it's a default state. But in Tiger and Workgroup Manager there actually is a checkbox in the sharing pane to enable access control lists on this volume. And it actually gives you a funny little warning, it says warning, this gives you lots of control, you know, which is usually why I turn it on. But like I said I don't want the power going to my head.
But you can check that with, in that tool. You can also enable them with the file system ACL control application at the command line. And you can use this to enable or disable ACLs on a particular volume as well. But in Leopard it's all on by default so we don't have to worry about turning it on anywhere. And we can go right ahead to building things. So I'm gonna switch over to Server Admin. And look at the nice design in Server Admin if no one's seen that yet.
And our file sharing tab is just right here in the middle and we can see our directories. I've got my main drive and I've got my backup drive. So we can go ahead and switch this over to volumes and we're gonna browse. And I'm gonna make a new folder on server. And I'm gonna call it AFP design.
Okay, there's AFP design. And then I want to share this item. So I will share this item and then I can switch over to my share points and eventually it will show up there. Save changes, there it is, okay, just took a second. And then on the permissions tab we have got what we want our permissions to be.
So we're going to go ahead and we're going to, the first thing we're going to do is we're going to, let's get rid of most of this POSIX stuff. This is an exercise in ACLs. So I want this to be done by the local admin user on the box.
And I don't want any rights for groups and I don't want any rights for the others, which again should be everyone. We'll take a look here at permissions now. So now we can see the rights on this are very restricted right now from a POSIX standpoint. So we're gonna start to build this out.
So we want to make a folder inside here, which I can use the new folder button for. And the first folder we're gonna make is called, we're gonna make one called managers. Okay, and you kinda have to click on and off here, there it is. We're gonna make one called jobs. And we're gonna make one called freelance as soon as that one shows up, now freelance.
Okay, and let's figure out where to put those. I put them in the wrong place. So I'll do it with this actually, this probably works better. Jobs, there we go, and freelance. Okay, so we'll jump back to our share points now. Now when I start defining my ACLs and I start thinking about how I'm gonna plan these things out, I find it's probably best to do the broad strokes first. In this case I am gonna make one more folder called drop box in here just so we can see a little bit deeper hierarchy and how things go together. And this has really decided it wants to ignore me today.
And of course I've messed things up with those rights but we'll get there. There we go, alright. So I want to think about the broad strokes and how things work. So in this case I know that the managers need full control to everything. So that's an easy one to define.
I can just come in and drop them in and then I can have managers full control everything and I can propagate that to everything. So I'll just pull up my groups here real fast. And I'll grab my managers group and I'll drop that in there. And then here you can see our defaults. Our defaults are we do all four methods of inheritance right off the top.
Our default is also an allow and our default is a read only. It's a nice safe default. It doesn't give anyone access to go in and mess anything up, which is, you know, one of the points of being an administrator is you don't want them messing with your stuff.
So, in this case though I want it to be a full control because these are the people that, you know, write the checks and they need to be able to have control to everything in this case. So I'm gonna switch to a full control. All that full control means is it gives every single right possible.
It gives the, it goes through the ACE and it defines every single one. And if we were to look at that actual ACE in depth here we could see that all that does is it comes through and it just checks every box. And we'll look at creating some custom ACEs here in just a moment. So I click okay on that, I click save. Now if I go back in, wait for it to stop pinwheeling.
( Silence )
And this is acting even more strangely than it was before. There we go, okay. So now you can see that's on there. But if I click on one of these other items, I don't have any ACLs. Remember that's because it doesn't propagate automatically just because I told it you're gonna be able to inherit down. You have to actually go through that process manually. So that's pretty easy to do. We'll select AFP design here.
And I'll pull up the propagate permissions tool. And in here I do have all these different options. Can everyone see that alright? Good. I can propagate any of the POSIX things and I can do these on an individual basis. I don't have to just say POSIX or ACLs.
I can actually pick the owner name and the everyone permission and then the access control list. In this case we're going to go ahead and propagate everything down so that everything is owned up and looks like this enclosing folder. Click okay, it grinds away for a minute there, okay.
And if we look at it we should start seeing that they did in fact inherit down. So now we can start drilling down. And these are inherited. And you can tell they're inherited because they're gray and they aren't available for editing. If I double click on one, notice it's there but I can't do anything to it. It's not an explicit ACL. In Tiger there's actually a little inherited yes no box as well that you'll see. But here this is one with a nicer, simpler interface.
They're easy to tell apart, so the actual yes no inherit thing was a little bit redundant, because if you can't make changes to it and it's grayed out it's inherited. Now I can perform options, actions on all these inherited ACLs. I could come in and I could remove my inherited entries, which then removes the inherited entries from that file or folder. And I could also make these explicit and then I could further edit them from that point and then they'll propagate down again.
As long as I don't go back to the root and do a forced propagation again or somehow magically recreate that file in some way that it just kind of is reborn, then it's not gonna pick up that original inherited again because one of the two key operations is not happening. It's just gonna stay in an explicit state.
So, we're not gonna change anything on that right now. But what we're gonna do is, I'm gonna pull out, and here's the part of the demo that might get a little bit hairy, I'm gonna pull out the effective permissions inspector. Now when you are working on ACLs, leave this guy up on the screen.
Okay? Just leave it there, put it in the corner. You all have twin 30 inch displays for a reason. And so you can use that and you can put this over on one and, you know, everything's on the other screen. So, in this case you can see what directory I'm looking at, what user I'm evaluating.
And this will look so much better than the one on Windows, I'll tell you that for sure. But I can take in a user; notice it's user, not group. And in fact, if I try to drop a group in there I can't. That is the way it works by default because you really can't evaluate the permissions for a group in that way. So I'm going to drop in myself, being a manager, and look at drop box, and of course it doesn't. So we'll go back here. This is the part that's acting a little bit strange. It's okay, we'll work through it.
So this one normally then would light up and it will show me everything down the line. It gives checks for the things I have, if there's a group that I don't have complete control over you get the little minus tick mark there. If there's an area that I do have complete control over you'll see a checkbox there.
And I can actually show you some of these in a couple different places; let me put local admin in there. There we go. Local admin is a local admin on the box and he is the POSIX read and write owner. So notice he's not in the managers group, but it composites those rights out so that he has all these rights here. And the tool is working very nicely for showing those results.
It's just getting confused on the multiple ACLs. If I looked around the rest of the file system here, I can easily see, and it keeps the user I'm looking at, what their rights are. There's a full control. If I were to drop another user on the system in there, though, you can see the default rights that you have. So this would be, if I click on it, 755 permissions. And notice that we have in this case a custom everyone deny. This is in there by default.
I did not create this. We are moving on at Apple to using ACLs more and more as we can. And if we were to look at what this was denying here, we can see it denies delete, and it denies the inheritance. So by denying the delete, it means that everyone cannot delete that.
If I were to look at another user in there you can see that Jule just has those options. And if I were to look at the drop box you can see it's a drop box. Now drop boxes, traditionally, when you made them, you could just do read/write and everyone, and you just would do read, write and execute for the owner and you would just do write and execute for the other people. But here we actually have a little more complication going on. We have read attributes and we have traverse folder and read permissions. And then under write we have everything except delete.
So deleting the subfolders and files, which is something they can't do because they can't actually go into the folder, although they can traverse the folder, which is the part that confuses most people. And so they can actually change the contents of that directory, because really, what is a directory? It's kind of a record of things in the area. It isn't actually a bucket that stuff is stacked up in; actually, when you change the contents of that folder, you're changing that.
So, in this case we need traverse so you can actually put something in there. If you don't have the traverse, if you just came through with an ACL and told it I want to allow write, one day they'd be able to delete the file, which also depends on the enclosing folder rights, and the other one is that they would not be able to actually put anything in it, because they cannot traverse the boundary of that directory to be able to drop anything in there.
And I'm going to continue to just look around here a bit in the system so that we can see this stuff. And we can evaluate different users. Notice in the share they can't delete; local admin, Jule, they cannot have access, it just has read access. But the actual local admin has the regular amount of access. Notice on OS X Server we don't give them the ability to delete the home folder, because that would be a fun phone call. I just threw it in the trash, but it's on the server, so you have a backup, right?
So, in this case we'll go through here and take a look, because these it is evaluating properly. We're going to get brave though and kind of try to soldier back through here. So taking a look in here with local admin, if we look at just this entry-level point here, which it should work okay on this, and I put in a manager.
And of course it's not working properly on that. But what you would see normally is, it would be all full and in this case any other user that wasn't local admin or inside this managers group would have no access to the share point whatsoever. When they connect with AFP, we do our nice share point enumeration with AFP, so that people can actually see share points that they can't connect to.
With SMB, without tuning it a bit, you know, you get all the share points anyway. And then you get a nasty message when you try to use it. But in this case we would need to allow more people to have read access to everything. Otherwise, they don't even get to the share point.
If I were to come through here and on the freelancer folder I were to give my freelance group write access to this, because this is an area they need to be able to get into and use. So I'm gonna give them read and write. It applies to only this folder because I do not want, and it only applies, actually it does apply to all the descendants, excuse me.
So we'll click that button and then we'll propagate that down. Or actually we don't even have to. So if we propagated it down then we'd have to remove it from here. But in this case, because propagation's not automatic, it doesn't go. So I didn't have to go back and clean up the ACL I didn't want on there.
So, in this case now, the freelance folder has two different ones. It's got managers full control and it's got freelancers read and write. The EPI on Tiger, and when this one gets working all the way, will show for any member of the freelancers group that they have no access to this folder, which seems completely counterintuitive to what the ACEs actually say on the screen.
And the reason it will tell you that is because they don't have access to get to that folder. And if you can't actually traverse the tree far enough to get there then you don't have any access. So, in this case what we need to do is add our global group and give our global group read only to the root of the file share.
So, that's a pretty easy thing to do. And this is a reason I like to create these groups that are just generic groups for file sharing. This group would only contain users I wanted to actually connect in a file sharing way. So I'll click save on that and then I will propagate it down, because that's another one of those broad strokes that you may not notice the first time when you're trying to set this up. And in this case we just wanna propagate the ACLs.
And it's gonna propagate that real fast. And then when we take a look now we can see we've got that global and that managers in there. Now I'm not gonna go through all the creation of the drop box when I already showed you guys the drop box rights. The important ones to remember when we look at the drop boxes, if I click back through and look at local admin's drop box here.
These are the important ones to remember. You gotta be able to read the attributes, read the permissions, traverse the folder, and just don't let them delete it. And that creates a drop box with an ACL. It's a different way to do it than with POSIX permissions, but it will allow you to create that drop box so that it's not a big issue.
So before I put everyone to sleep with this enormously long demo, I'm gonna go ahead and show you one last thing here. And that is the ultimate power of the deny. So, we only want managers to be able to get in here. And in this case let's pretend, for whatever reason, I don't know why, I don't wanna remove my global read.
So right now I've got a situation where I could have people be able to go in here and get in, and actually now that I think about it what's wrong about, no that one does work, so. I'm gonna take a look at my managers folder. And I don't wanna remove that global read. Managers full control, great, that's what they need.
So, what I need to do though is take designers and freelancers, and this will be a situation where I could use the everyone also to go ahead and clean up everything else on the system as well, to deny this out. And I'm gonna make these denies. And I'm gonna make them full controls.
And now when I save that, and I go back to my folder, there at the top. So even if I really messed up and I said, oh yeah, I'm adding my controls, freelancer allow, oh, I gotta get out of here, I gotta get home, my favorite show's on.
I don't want to be able to give that allow and mess it up. So even if I fat fingered it and I gave the freelancers full access to the accounting data, this isn't gonna make me get run out on some sort of SOX petard, because they're not gonna be able to come get me, because we've reordered that ACE automatically to put that deny at the top. So, I could go and add as many allows as I'd like for people. But that deny is gonna stop them in their tracks. It's not gonna let them in and it's gonna override them. Okay, so we're gonna switch back to the slides now.
( Silence )
All that essentially works the same on Tiger. You just do it in Workgroup Manager. I wanted to show it in Server Admin because that's a major change of where those controls are. The next little bit we're gonna talk about is service access controls. This is something that's slowly been creeping into the OS a little bit. Anyone in here run a 10.3 VPN server? Yeah, a couple hands.
That had a SACL in it, remember, you could restrict VPN access to a specific group of users. Well, this allows us to do this for everything. And we get a bunch of different fun ones. And in Leopard now we get them on the client side too. So we can get a lot more granular about who can do things without having to go and edit SSH conf files and all that stuff.
So, what a service access control list does is essentially fine-grained control of who can do what. Who can access what services on that box, whether it's a client, whether it is a server machine, you can start controlling this. For example you could restrict FTP access, wonderful clear FTP, and you could restrict that down to just very underprivileged users that are not critical, that have extremely tight access on the system and things like that.
So that that way, you don't have some admin user, while some guy's outside with a wire crack, and he's taking a look at your system. And all of a sudden he sees an admin log in with FTP in the clear, that's a bad thing. So this will be able to deny users from doing that. SACLs also have a really cool trick.
And this trick's actually in the documentation now too. And it's been documented on afp548.com and a couple other websites. This is a cool way you can use an OS X Server mail server to provide mail access for non Open Directory accounts. And we'll talk about that in just a minute.
But on Mac OS X, the non-server version, the SACLs again are fine-grained control, and you can restrict access to specific groups or users. And we do this in System Preferences. It used to be you did this in (inaudible) manager and other places, kind of got real hacky about it on your Tiger. But it all worked. But in this case, we're going to use the System Preferences to set up our SACLs.
And it's pretty easy. Most of them are found in the Sharing panel. And in this case, you can see I restrict it down to only these users. The plus and minus buttons here are really cool, and they'll look out in directory services and other places like that. So you can kind of get in there and get really granular with this. You can do this on just about everything. So I can control who is allowed to SSH into my box. I can control who can send remote Apple events to my box, which prevents so many pranks.
It's almost hardly worth turning on if it's not your system. On Mac OS X Server, we have more levels of these now and in this case now, any service on the box can be restricted. We can restrict this big long list of stuff, and we also now have the ability to create restricted service administrators. You can say this admin can only look at these services. You can say this admin can only monitor the services.
So it allows you to start handing out things to people that you normally really wouldn't be handing them out to.
( Applause )
How many people on Tiger or earlier took Server Admin, made some silly little admin user and then ripped all the modules out of Server Admin so you could give someone control to restart a service? Yeah, yeah, see, don't do that anymore.
You can just give them the Server Admin and let them get you down, but they can only have access to what you say so. On Server, Server Admin is where we do our SACLs. This is very similar to Tiger. It has changed a little bit. So the Access tab allows us easy SACL creation so that we can go through and be able to take care of that.
We have our administrative SACLs and we're going to take a look at these as well. In this case, you can see I'm giving the managers the ability to monitor the AFP group. Why? Because they're managers, they are not administrators. Alright, they might sign my paycheck, but they're not touching my box.
So, we also have this ability to go in and add these SACLs for the mail server. And I will talk about this one in just a couple more seconds here. OS X in Open Directory, we have this thing called the mail attribute. And the mail attribute is assigned when you go into Workgroup Manager and you click enable mail for this user on OS X Server; that makes your mail attribute.
And if it doesn't have that then it has no, the mail server doesn't know what to do. So in this case, you can take a group from AD, drop it in here as a SACL, and enable it. And this will enable more traditional UNIX mail accounts for these users.
This is actually in the Tiger documentation now that you can do this, and in various other Mac OS X Server books that you can pick up, as well as afp548.com. So we've got a demo we're gonna take a look at here really quick. So I'm going to switch back to my demo machine.
We probably have, I put more into this demo, because I knew that the other demo was going to get cut a little bit short. So the first thing I'm going to look at here is my System Preferences. And this is on a client machine. And these are things I didn't have before. I did not have SACLs before.
And you can see I have even much more control over ACLs now as well here with the file sharing, with the new file sharing systems that we have with Mac OS X. We also have better display of ACLs in here, although it's still, you really can't do it as much as you'd like to do in them. If I were to actually click on a folder I own, there we go, to like Documents, let's see, you can see again, I really can't do much in here right now. This is pretty much what we had in Tiger as well.
So in this case, I can go through and I can restrict different access. So in this instance, I want to restrict remote login. And by default, I've got it set. It's set for all users; in this case, I set it up for just me. But I want to do something a little more creative here.
So instead of only these users, and if I click the plus you can see, I kind of get this system built out. I can create a new person in here, and other things like that. Wouldn't it be great if we could do groups on the client? Which you can, though, so I'm going to come in here and I'm going to create a new group, and I'm going to call it SSH access, SSH users. I can spell that easier.
Creates a group, I'm going to put these two accounts in it. And there we go. So now I've got this SSH users group and I can see who's in there. I'm going to go back now, go back to my Sharing pane, and in this case, remote login is going to be restricted, ooh, it didn't find it.
Well, in this case, we'll say to administrators. How about that, so this restricts this just to local administrators, so that we can go ahead and start ratcheting down on the services a little bit. And you can see, this is pretty pervasive stuff. It's in all our different services; remote management, this always was here.
It just looks a little bit different now in ARD. And we just split out some of the rights a little bit. Xgrid, remote Apple events, like I said, great for pranks, but you know it's something you might want to try to restrict some on your network, because it could be seen as a security hole.
And so we got pretty easy ways now to do SACLs, and ACLs on the fly is not something we've ever really had before. You could do it before, and there were some shareware utilities on Tiger to allow you to get in there and do that. But the real meat of this again still is on the server.
So if I look at Server Admin here, and I go up to settings, and I go to service access. This is where I can start to really restrict down what I'm looking at. And in this case, I've got this FTP only group which has one user in it called FTP user. You can use this, I've seen people do this, to hand out a generic FTP user account. I know it sounds like generic accounts, that's terrible, but if there's only one possible account you can access with FTP.
If you ever have an FTP breach, how much cleanup do you have? Not a lot. So you know, hey, that's that user, I better change the password, and all of a sudden you're done. So it makes your life a lot easier. In this case we're going to go ahead and we're going to restrict FTP. And we have a couple more checkboxes, and I'm going to say FTP only can get access to that. Before I do that I am going to connect to it once.
And I'm going to connect with just a regular user name and password, Josh, and it'll connect here in just a second. So it's going through, it's evaluating that. And there we go. I connected up with FTP. And I'm going to make one quick change here. There we go.
For the sake of the demo that's much easier. So I'm going to check that out. But I don't want Josh having access to that. Josh in this case is a manager user. Local admin at this point could FTP in, and that's not a username and a password you want getting compromised. So I'm going to take a look and I'm going to restrict FTP access down to only allow members of the FTP group.
And in here, I only have one user. So now, if Josh tries to connect, and I'm going to go through again and it's going to spin for a second, Josh, Apple. It's not going to let me connect to the FTP. But FTP user can get in, so I'm restricting down this service, and I'm controlling who's allowed to have access to this. And this is really good for insecure services.
So the next thing that I want to show you in here is the mail attribute, which, again, sounds really simple. You know, here we go, there we go. Alright, now I've got a Mac OS, in a nutshell I've now enabled mail use, if I turn on the mail server and configure it properly, for that group of users from Active Directory. You can use this to build a really fast outgoing FTP service or something like that, because I know you all love Exchange.
So that's a very quick way to go ahead and connect and restrict this. So another thing we can do here that's really cool is the login window. And this came up in some discussions that Jule and I had with a couple of people this week. How do you control access to the console of a workstation or server? Now, if you're using our policy out of the directory, our MCX stuff.
You can go in and you can do this with computer lists and restrict who can log in and things like that. But what about the server? You know, I know all your servers have no keyboards, they're behind locked grates on the racks, behind, you know, the three different biometric locks to get into the manager out.
But we all don't have that. I had one place where I ran servers, where they actually wouldn't let me have a door for the server closet, because there was no air vents in it. There were several problems with that sentence, all of which I won't go into. If you went to the effective system admin session yesterday, you probably know what most of them are. But in this case, I can actually control login window, and in the case of this, this will control access to the console of the server, which is very important to get.
Apple, when we started in 10.4 separating by default our directory administrator and our local administrator on the box. That is a great thing, because you don't, it may mean you have one extra button to click and one extra password to type or put in your keychain, but it restricts and keeps the local administration separate from the directory domain administration. And in this case, I don't want a domain admin to come in and log in on this machine.
So I've actually created a group called Console Admins, which only contains, if I go look at Console Admins here, it's a local group. It's not in the directory. It is local to this machine. And it only contains the local administrator on this box because I want to control who can log in through the window. So in this case, I'm going to restrict login window to just Console Admins. I'm going to click save, and I'm going to go take a look at that. Ooh, Finder pinwheeling, come on Finder.
( Silence )
Oh come on. Oh there it is, alright. It was that FTP on melt. So I'm going to go in and take a look here using a nifty new feature in Leopard, right. And I can try to log in as the directory admin. No, not allowed. Local admin I can log in, and in fact, that's the only user I'll be able to log in as because I've restricted down console access to that one particular thing. It's kind of a confusing name, I found, login window, because it seems like an odd service to access, the login window service. But in this case, it makes perfect sense because it keeps you from using the login window.
Another little nice bit of UI I like there is the shared folder bar that shows up at the top of any shared folder. So before you drop the accounting data in there, you can know that it's a shared folder, and it's probably time to check it out. So let me log out of that real fast.
Yes. The reason that connection failed is I'm not allowing guest access into my server. Another little bit here that we like is notice that I've only got the active services in Server Admin, and without talking about it too much, outside the scope of this session, it means I can basically select in Server Admin which ones I show and which ones I don't show.
And in this case, I'd love to be able to give out permissions for a group of users to monitor a service. So they can actually look to see if it's running before they call me, because it may be something else that's wrong, it could be any number of things. So we actually have the second tab under Access called Administrators.
And I can say for the AFP service, I'm going to give my local admins, remember file sharing is a local administrative privilege because it's actually changing things on the box, they can administer a server. And then I'm going to say that designers, because they're the ones that always call, get monitor. You can tell I've got a prepress background there. The designers always call.
And now I can hand out Server Admin, and I can give Server Admin, after I've restricted my other services as well to the appropriate groups and made sure all my SACLs are set up, I can hand out Server Admin now to members of the administrator group. And they can log in and they can take a look at AFP, and they can see, oh yeah, AFP is running. It says it's up, I can see there's current connections, and everything else. I better not call Josh and wake him up. I'll let him sleep.
I'll call his minion. So Jule gets a phone call, and then we go on from there. In this case the local admin group could then log in and administer the server. And remember again that file sharing is a local, it's in the context of the local administrator group, because it is something that is a local operation to the file system and where you share out there.
( Silence )
So, real quick here, to sum up what we just looked at today before we get into our Q and A discussion, is that ACLs allow for control, like the funny little dialog box in Workgroup Manager in Tiger would tell you: look out, this may be more than you're asking for.
So don't go crazy with ACLs on your file system if you don't need to go crazy with ACLs on your file system. We've seen people get into trouble because, you know, all those, sure, POSIX would have worked just fine. They could have done everything they wanted to with the things they wanted to use ACLs for.
And in the case of very simple structures, it may be more complication than you actually need to get your job done. And who wants more work? No hands. So you can use the traditional UNIX tools to work with your ACLs. And currently all this works, right. rsync with the -E flag, the big E, it works.
cp, tar, cpio, all that stuff, if it uses our copyfile it's going to work, and it continues to work in Leopard. So you can use that to work with these tools. Like I said, deploy with moderation. If you don't need to complicate your life as a systems administrator, don't complicate your life as a systems administrator. No one needs more work. Use the effective permissions inspector when you're doing your file system ACLs; leave it open the whole time and drop a member of the group that you're thinking about adding at that point in time in there.
It tells you what group it is. It tells you what folder it's looking at. It will save your mind from just rotting and rolling out of your ear, because you don't want to sit there and guess that, well, I gave them traverse, and I gave them read attributes, but not extended attributes, and oh, why isn't this working? You can just look at the EPI and you can see why it's not working. And you can go, oh, he needs that checkbox, and you can go back to the allow or the deny and add or remove a checkbox.
And Mac OS X, our workstation version, now has easy SACLs. They're just in System Preferences. It allows us a lot more control over it, so we can go through and very quickly go in and control who can access what, and the ways different people can come into that machine remotely. And that's a very important part of any network security plan, controlling who can get into what and how.