How do I copy ACLs on Mac OS X?

chmod mac-osx access-control-list

Most unix derivates can copy ACLs from one file to another with:

getfacl filename1 | setfacl -f - filename2

Unfortunately Mac OS X does not have the getfacl and setfacl commands, as they have rolled ACL handling into chmod. chmod -E accepts a list of ACLs on stdin, but I haven't found a command that will spit out ACLs in a suitable format on stdout. The best I have come up with is:

ls -led filename1 | tail +2 | sed 's/^ *[0-9][0-9]*: *//' | chmod -E filename2

Is there a more robust solution?

Bonus question: is there a nice way to do it in Python, without using any modules that aren't shipped with 10.6?


Solution 1:

ls -e Print the Access Control List (ACL) associated with the file, if present, in long (-l) output.

this gives a result such as...

drwxr-xr-x@ 19 localadmin   646B Aug  4 00:21  APPBUNDLE
0: user:localadmin allow add_file,add_subdirectory,writeattr,writeextattr,writesecurity
                   ⬆    ⇧                      ⇶                                     ⬆

Personally, I have "exports" in my ~/.bash_profile 

export FILE_ALL="read,write,append,execute,delete,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"
export DIR_ALL="list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown"

that make such a chmod possible...

sudo chmod +a "allow localadmin $DIR_ALL" /APPBUNDLE

From the chmod man page, there is this bit of info... that hints that it may indeed be possible to do something like you describe..

"ACLs are manipulated using extensions to the symbolic mode grammar. Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions. In cases where a user and a group exist with the same name, the user/group name can be prefixed with "user:" or "group:" in order to specqify the type of name."

chmod -E Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If the information parses correctly, the existing information is replaced.

Also, I'll give a shout out to BatchMod, an oldie, but a goodie for ACL's, as well as TinkerToolSystem.

Solution 2:

Maybe have a look at https://github.com/jvscode/getfacl.

Related

Remote restart into safe mode? (windows)
How to configure PHP CLI on linux ubuntu to run as www-data?
How to grant temporary access to server?
Setting up a transparent SSL proxy
How to remove or uninstall an orphaned service?
Can I use the same wildcard certification for *.domain.com and domain.com
Examples of falsified (or currently open) longstanding conjectures leading to large bodies of incorrect results.
Difference between "for any" and "for all"?
Could these polynomials be identified?
Are Clifford algebras and differential forms equivalent frameworks for differential geometry?
LU Decomposition vs. Cholesky Decomposition
How to create mazes on the hyperbolic plane?