#431754 - 02/06/08 06:31 AM set default ACLs in the ~home hierarchy
Hal Itosis Offline
MacWizard

Registered: 08/23/99
Posts: 7032
Loc: 10.5.7 (build 9J61)
code:

if z=`fsaclctl -p / 2>/dev/null`; then if grep -qs disabled <<< $z; \
then echo not enabled; else echo okay; fi; else echo not possible; fi

okay


It shouldn't happen, but sometimes ACLs get added where they don't belong: "Visibility of files from other accounts".

By default (under 10.5.1 anyway), only(!) 38 folders have ACLs in any user's home hierarchy.

Of course, having other ACLs on other items isn't necessarily a bad thing... as long as
it's something either we -or some program we trust- did deliberately. The point here is:
while we can easily wipe out every last ACL in our home by running chmod -R -N ~ ...
there is no easy way to *restore* the defaults, which should be there in the first place.
(Disk Utility's repair permissions won't do it). So, I've written and tested a script to help
in this regard...
code:

$ homeACLtool
Usage: /Users/halito/bin/homeACLtool -l | -c | -f | -R | -E | -D

-l list only those items in our home which come with ACLs by default.
-c check default items and list any whose ACL deviates from the norm.

-f find and list any *non*-default item with ACLs in our home folder.
-R find and Remove all ACLs in our home found on *non*-default items.

-E Erase **every** ACL entry within our entire home folder hierarchy.
-D set Default ACLs in our home on the Default items (ignore others).

N.B: This script manages ACLs only, not ownerships/permissions or flags.


For example, homeACLtool -R will remove all ACLs in the home... except the 38 that should
be there. If we want to see how many 'extra' ACLs are there (before removing them with -R),
we'd run homeACLtool -f. Those two options (-f and -R) take care of (finding and removing) ACLs
on "non-default" items.

As for the default ACL items, we can list them with -l and check that they are all correct with -c.
The -D option will apply the default ACLs on the default items (while simultaneously ignoring all
other ACL items). Finally, the -E option wipes out the whole kit-'n'-caboodle (a ls chmod -R -N).

If the reader is careful, the script could be customized. For example, adding a ~/Applications
and/or a ~/bin directory to the "default" list. Or, possibly even extending the "group:everyone
deny delete" default ACL. (The 'Drop Box' is in a class of its own, but also adjustable).

Disclaimer 1: if some program or person has added an 'inherited' entry further upstream (i.e. *above*
the user's home), its influence possibly won't be "corrected" by anything this script does. But that goes
beyond our scope here, which is simply to deal with restoring default settings *within* the user's home.

Disclaimer 2: though this script could be tweaked to play well with Tiger, I didn't put much effort toward
that end. Tiger lacks certain folders like ~/Downloads, as well as other default user ~/Library subfolders
(such as Compositions, Input Methods, etc). Thus, either those folders would need to be added on disk... or,
those items removed from this script (in $ACLfolders) to obviate error messages. Plus, the 'group:everyone'
part would need to be dealt with (one way or another), and on top of all that... ACLs are disabled by default
in Tiger (client). So this script is biased/optimized just as it should be (i.e., Leopard-only... unless edited).

Also note: as written, the script operates strictly upon the home (~) of the user logged into the shell.
Therefore, it might not be the most convenient tool for a lab manager who wants to set it loose on many
user accounts with one carriage return. Sorry... I think the script is long enough already, and I didn't
intend it for anything other than individual-user purposes. Feel free to hack my code here as you wish.
If it works out well, give me partial credit . . . if it doesn't, then I had nothing to do with it. [Anyway,
special tools like that probably already exist, in server and/or workgroup manager.]

--

Basic shell-script rules apply here: make it executable with chmod a+x, and place it somewhere in your
$PATH (else, call the script by its full pathname... wherever that turns out to be). Give it any name you
like (as long as no name-collision results). We rarely have to type more than 2 or 3 chars anyway, since
tab-completion fills out the rest of the name. [i.e., just typing ho<tab> should work for most users.]

Script appears in the next post...
_________________________

Problems? # Have you <run fsck>? and/or <safe boot>? and/or <reset perms>?

#431755 - 02/06/08 06:34 AM homeACLtool [Re: Hal Itosis]
Hal Itosis Offline
MacWizard

Registered: 08/23/99
Posts: 7032
Loc: 10.5.7 (build 9J61)
code:

#!/bin/bash -
#homeACLtool: script to manage default ACLs inside the user's home (Mac OSX)
#(c)EF/-HI-2008.FEB.05
PATH=/bin:/usr/bin:/usr/sbin
export PATH
IFS=$'\n' #facilitates for-loops
blockKybd () { stty -echo igncr; }
allowKybd () { stty echo -igncr; }
PROGNAME=$(basename "$0")
USERNAME=$(basename ~)
EXITSTAT=0

exitScript ()
{
trap '' INT QUIT ABRT TERM HUP
[ -n "$1" ] && (( EXITSTAT+=$1 ))
if [ $EXITSTAT -ne 0 ]; then s=
[ $EXITSTAT -ne 1 ] && s=s
echo -e "\e[37;41m $EXITSTAT error$s occurred \e[0m\a" >&2
[ $EXITSTAT -gt 125 ] && EXITSTAT=125
fi
exit $EXITSTAT
}

trap 'echo -ne "\e[0m"; allowKybd' EXIT
trap 'echo "$PROGNAME: ignoring HUP" >&2' HUP
trap 'echo "$PROGNAME: stopping on signal" >&2; exitScript' INT QUIT ABRT TERM

blockKybd

accumulateStatus () { (( EXITSTAT+=$? )); }
noErrorsHappened () { [ $EXITSTAT -eq 0 ]; }

# get ls to display flags in both Leopard and Tiger:
o=o; if [ "$(/bin/ls -od . )" != '.' ]; then o=O; fi

myLS=/bin/ls\ -leG${o}d

# :|:-----------------------------------:|:
# :|:---------=< homeACLtool >=---------:|:
# :V:-----------------------------------:V:

if [[ $1 ]] && [[ $1 != -l ]]; then
if [ -r /usr/sbin/fsaclctl ] && z=`fsaclctl -p / 2>/dev/null`; then
if grep -iqs disabled <<< $z; then
echo -n 'Need to enable ACLs with ' >&2
echo -e '\e[1msudo fsaclctl -p / -e\e[0m' >&2
echo 'and restart, before this script becomes useful.' >&2
exitScript 1 #ACLs disabled
fi
else
echo 'cannot find fsaclctl' >&2
exitScript 1 #ACLs impossible
fi
fi

DropBoxACL=user:$USERNAME\ allow\ list,add_file,search,\
delete,add_subdirectory,delete_child,readattr,writeattr,\
readextattr,writeextattr,readsecurity,writesecurity,chown,\
file_inherit,directory_inherit

DropBoxDir=~/Public/Drop\ Box

DefaultACL=group:everyone\ deny\ delete

ACLfolders='~
~/Desktop
~/Documents
~/Downloads
~/Movies
~/Music
~/Pictures
~/Public
~/Sites
~/Library
~/Library/Application Support
~/Library/Assistants
~/Library/Audio/MIDI Drivers
~/Library/Audio/Plug-Ins/Components
~/Library/Audio/Plug-Ins/Digidesign
~/Library/Audio/Plug-Ins/VST
~/Library/Audio/Plug-Ins
~/Library/Audio/Sounds/Alerts
~/Library/Audio/Sounds/Banks
~/Library/Audio/Sounds
~/Library/Audio
~/Library/ColorPickers
~/Library/Compositions
~/Library/Favorites
~/Library/FontCollections
~/Library/Fonts
~/Library/iMovie/Plug-ins
~/Library/iMovie/Sound Effects
~/Library/iMovie
~/Library/Input Methods
~/Library/Internet Plug-Ins
~/Library/Keyboard Layouts
~/Library/Preferences
~/Library/Printers
~/Library/Screen Savers
~/Library/Sounds
~/Library/Voices
'
# ~/Applications
# ~/bin
#
# ^to customize, add more items above^

itemList () { sed 's: :\\\ :g' <<< "$ACLfolders"; }

doNONstandardACLs ()
{
fullList=; s=; c=0; echo -ne ' looking for extra ACLs...\r' >&2
fullList=`find -x ~ -not -type l -print0 | xargs -0 ls -ledT |
grep -B 1 -E '^ [01]: ' | sed '/:[0-9][0-9]/!d;
s:^.*\:[0-9][0-9] [0-9]\{4\} ::'`
accumulateStatus
echo -ne ' processing results... \r' >&2
if [[ $fullList ]]; then
for i in $fullList
do
for x in `itemList`
do
if [ $i = `eval echo $x` ]; then
continue 2
fi
done
if [[ $i != $DropBoxDir ]]; then (( c+=1 ))
case $1 in
locate) printf '\e[7mACL extra:\e[0m \n'
eval $myLS \"$i\"
accumulateStatus
;;
change) chmod -N $i
accumulateStatus
printf '\e[7mACL removed:\e[0m \n'
eval $myLS \"$i\"
accumulateStatus
;;
esac
fi
done
if [ $c -ne 0 ]; then [ $c -ne 1 ] && s=s
printf '\e[1;4m%sd %s additional item%s with ' "$1" "$c" "$s"
printf 'ACLs not defined in standard Mac OSX\e[0m\n'
elif noErrorsHappened; then
printf 'no ACLs found on any *non*-default items\n'
fi
else
printf '\e[37;41m NOTICE: no ACLs were found in %s at all \e[0m\n' ~
fi
}

s=; c=0
case $1 in
-l) # list the default folders:
eval $myLS `itemList`
accumulateStatus
eval $myLS \"$DropBoxDir\"
accumulateStatus
;;

-c) # check default folders for proper ACLs:
for x in `itemList`
do
y=`eval ls -lde $x | sed 1d`
accumulateStatus
if [ "$y" != " 0: $DefaultACL" ]; then (( c+=1 ))
printf '\e[7mACL error:\e[0m\n'
eval $myLS $x
accumulateStatus
fi
done
y=`ls -lde $DropBoxDir | sed 1d`
accumulateStatus
if [ "$y" != " 0: $DropBoxACL" ]; then (( c+=1 ))
printf '\e[7mACL error:\e[0m\n'
eval $myLS \"$DropBoxDir\"
accumulateStatus
fi
if [ $c -ne 0 ]; then [ $c -ne 1 ] && s=s
printf '\e[1;4mspotted %s default item%s with entries' "$c" "$s"
printf ' different from standard Mac OSX\e[0m\n'
elif noErrorsHappened; then
printf 'all ACLs on default items appear correct\n'
fi
;;

-f) # list *non*-default items with ACLs:
doNONstandardACLs 'locate'
accumulateStatus
;;

-R) # remove ACLs from *non*default items:
allowKybd
echo -ne "> Allow $PROGNAME to remove ACLs from *non*-default items in " >&2
echo -ne ~ '\b? (y/n [n]): \a' >&2
read -t66; if [ "$REPLY" != y ]; then echo '^Canceled' >&2; exitScript; fi
blockKybd
doNONstandardACLs 'change'
accumulateStatus
;;

-E) # erase all ACLs:
allowKybd
echo -ne 'Erasing ACLs will clear out \e[1mevery\e[0m ACL entry from ' >&2
echo -ne "items in your home.\n> Allow $PROGNAME to erase all ACLs from " >&2
echo -ne ~ '\b? (y/n [n]): \a' >&2
read -t66; if [ "$REPLY" != y ]; then echo '^Canceled' >&2; exitScript; fi
blockKybd
chmod -R -N ~
accumulateStatus
if noErrorsHappened; then
printf '%s: every ACL erased from items in %s\n' "$PROGNAME" ~
fi
;;

-D) # set default ACLs:
allowKybd
echo -ne "> Allow $PROGNAME to apply default ACLs on default items in " >&2
echo -ne ~ '\b? (y/n [n]): ' >&2
read -t66; if [ "$REPLY" != y ]; then echo '^Canceled' >&2; exitScript; fi
blockKybd
eval chmod -N `itemList`
accumulateStatus
chmod -N "$DropBoxDir"
accumulateStatus
eval chmod +a \""$DefaultACL"\" `itemList`
accumulateStatus
chmod +a "$DropBoxACL" "$DropBoxDir"
accumulateStatus
if noErrorsHappened; then
printf '%s: default ACLs restored to ' "$PROGNAME"
printf 'existing unlocked default items in %s\n' ~
fi
;;

*) cat <<-helpdoc >&2
Usage: $0 -l | -c | -f | -R | -E | -D

-l list only those items in our home which come with ACLs by default.
-c check default items and list any whose ACL deviates from the norm.

-f find and list any *non*-default item with ACLs in our home folder.
-R find and Remove all ACLs in our home found on *non*-default items.

-E Erase **every** ACL entry within our entire home folder hierarchy.
-D set Default ACLs in our home on the Default items (ignore others).

N.B: This script manages ACLs only, not ownerships/permissions or flags.
helpdoc
;;
esac
exitScript

-HI-
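Added example (not Hal's code and not part of the thread): the same classification that homeACLtool performs with -c (default items whose ACL is not exactly "group:everyone deny delete", or the Drop Box entry) and -f (any other item carrying an ACL), but driven from a captured 'ls -ledT' listing rather than a live home folder, so it can be run and checked on any box with bash and without touching a single ACL. The path recovery mirrors the script's sed (drop everything through the "HH:MM:SS YYYY " timestamp). The home path /Users/halito, the user name, the five-entry subset of $ACLfolders and the listing itself are all constructed for the example.

```bash
#!/bin/bash
# Added example, not part of homeACLtool: the -c / -f classification from the
# script above, re-implemented over a captured 'ls -ledT' listing so it can be
# exercised without a Mac (no live ACLs are read or changed). The home path,
# user name 'halito', the shortened default list and the listing are constructed.

HOME_DIR=/Users/halito   # assumed home of the account being audited
DEFAULT_ACL='group:everyone deny delete'
DROPBOX_DIR="$HOME_DIR/Public/Drop Box"
DROPBOX_ACL="user:halito allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit"

# Five of the 38 entries in the script's $ACLfolders, already tilde-expanded.
DEFAULT_ITEMS="$HOME_DIR
$HOME_DIR/Desktop
$HOME_DIR/Documents
$HOME_DIR/Library
$HOME_DIR/Library/Application Support"

is_default_item () { printf '%s\n' "$DEFAULT_ITEMS" | grep -qxF -- "$1"; }

# Decide what the script would report for one item. $1 = path, $2 = all ACL
# entries joined with "; " (empty when the item has no ACL). Prints
# "<class><TAB><path><TAB><acl>", or nothing for an ACL-free non-default item.
classify_item () {
	local cls
	if [ "$1" = "$DROPBOX_DIR" ]; then
		[ "$2" = "$DROPBOX_ACL" ] && cls=dropbox-ok || cls=dropbox-deviates
	elif is_default_item "$1"; then
		# a default item with no ACL at all is also a deviation (-c flags it)
		[ "$2" = "$DEFAULT_ACL" ] && cls=default-ok || cls=default-deviates
	elif [ -n "$2" ]; then
		cls=extra            # what -f lists and -R would strip
	else
		return 0
	fi
	printf '%s\t%s\t%s\n' "$cls" "$1" "${2:-<none>}"
}

# Parse 'ls -ledT' output from stdin: a long-listing line, optionally followed
# by " N: entry" lines. The path is recovered the way the script's sed does it,
# by dropping everything through the "HH:MM:SS YYYY " timestamp (so, like the
# script, it would misparse a name that itself contains such a timestamp).
classify_acl_listing () {
	local line path='' acl='' entry
	while IFS= read -r line; do
		case $line in
		'') continue ;;
		' '[0-9]*': '*)
			entry=${line#*: }
			acl="${acl:+$acl; }$entry" ;;
		*)
			[ -n "$path" ] && classify_item "$path" "$acl"
			path=$(printf '%s\n' "$line" | sed 's/^.*:[0-9][0-9] [0-9]\{4\} //')
			acl='' ;;
		esac
	done
	[ -n "$path" ] && classify_item "$path" "$acl"
	return 0
}

# Constructed listing in the shape 'ls -ledT' produces on Leopard: two default
# folders are correct, one carries a second entry, one has lost its ACL, the
# Drop Box is correct, one non-default folder has an ACL, one file has none.
SAMPLE_LISTING='drwx------+  3 halito  staff   102 Feb  5 06:31:00 2008 /Users/halito/Desktop
 0: group:everyone deny delete
drwx------+  3 halito  staff   102 Feb  5 06:31:00 2008 /Users/halito/Documents
 0: group:everyone deny delete
 1: user:halito allow delete
drwxr-xr-x   5 halito  staff   170 Feb  5 06:31:00 2008 /Users/halito/Library
drwxr-xr-x+  4 halito  staff   136 Feb  5 06:31:00 2008 /Users/halito/Library/Application Support
 0: group:everyone deny delete
drwx-wx-wx+  2 halito  staff    68 Feb  5 06:31:00 2008 /Users/halito/Public/Drop Box
 0: user:halito allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
drwxr-xr-x+  2 halito  staff    68 Mar 14 21:02:11 2009 /Users/halito/Projects/secret stuff
 0: group:everyone deny read
-rw-r--r--   1 halito  staff   512 Mar 14 21:02:11 2009 /Users/halito/Projects/notes.txt'

report () { printf '%s\n' "$SAMPLE_LISTING" | classify_acl_listing; }

# Number of sample items that fall into class $1 (e.g. default-deviates).
count_class () { report | awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'; }

report
```

On a real Leopard box the same functions can be fed live data with `find -x ~ -not -type l -print0 | xargs -0 ls -ledT | classify_acl_listing`, which is exactly the pipeline the script's doNONstandardACLs builds; the difference is that this version keeps the whole ACL per item, so a default folder that has the right entry 0 plus a stray entry 1 still shows up as default-deviates, the same verdict -c reaches by comparing everything after the first ls line.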
#431756 - 02/06/08 09:01 AM Re: homeACLtool [Re: Hal Itosis]
Andreas.. Offline
MacAuthor

Registered: 12/29/00
Posts: 1756
Loc: UnKnown!
For those who want to reset their Home directory ACLs to default but are frightened by all that gobbledegookery…

Reboot on your Leopard Install DVD (or on a copy you made on a hard drive)
    - don't worry nothing will be installed.
Choose language -> 'Welcome' screen -> "Continue" button. You will now have a menubar.
Choose "Reset Password" from the 'Utilities' menu
    - fear not - password will not be changed.
Ignore all references to password.
At the bottom of the panel use "Reset Home Directory Permissions and ACLs".
Job done!   Quit from 'Reset Password'.
From that same 'Utilities' menu use "Startup Disk" to return to your internal drive.

I have no idea how effective this will be for you but it has been made available by Apple.
_________________________
Andreas

G5 2.1GHz  •  Poking around in OS 10.5.4  •  Working in OS 10.4.10

#431757 - 02/06/08 11:53 AM Re: homeACLtool [Re: Andreas..]
Hal Itosis Offline
MacWizard

Registered: 08/23/99
Posts: 7032
Loc: 10.5.7 (build 9J61)
A) good-gawd . . . they sure hid that secret well. (Is that new for Leopard? Why not right in Disk Utility?).

B) it will not show all default ACLs that were incorrect (which could provide clues as to why/how it happened).

C) it will not show what non-default ACLs were added (which could provide clues as to why/how it happened).

D) or... in the event there are "extra" ACLs we **want** to keep, that method will **always** dump them.

E) plus, it's not customizable (we can't add other "default" folders like ~/Applications... ~/bin... etc).

F) it requires us to have our CD (which notebook/laptop users are wont to leave at home).

G) it requires two!! reboots (you're talking 5 to 10 minutes to get back to the starting point, versus 15 or 20 seconds to reach "job done").


Give me a break Andreas... "gobbledegookery" indeed.
[see bombich.com for far more complex examples.]

--

But... thanks for revealing that "Easter Egg".
Why hasn't anyone mentioned this before?


EDIT:
In reply to:

I have no idea how effective this will be for you but it has been made available by Apple.


Actually, it would be nice to know whether Apple's method only tweaks their items... or if it'll
also zap all user items' ACLs throughout the entire home folder. Which is it? Is there a choice?
Might be nice if you researched something and posted complete info... so users attempting to
decide what to do can know exactly what to expect.
#431758 - 02/08/08 06:09 AM Re: set default ACLs in the ~home hierarchy [Re: Hal Itosis]
Hal Itosis Offline
MacWizard

Registered: 08/23/99
Posts: 7032
Loc: 10.5.7 (build 9J61)
Perhaps the title I chose for post #1 was somewhat limiting... so I just
want to call attention to some points which weren't emphasized above:

When considering the question of "how" to set default ACLs in the ~home
hierarchy, one might also ask "when" and "why" *and* "whether or not" it's
even actually necessary. Something which could help us with such answer-seeking
and decision-making is... an intimate knowledge of the following:

•A• Which default (Apple) items in my home currently have non-standard ACLs?

•B• What other ("extra"/non-default) items in my home currently have any ACLs?

The only way to answer those questions is to examine [all of] the items,
and read the info about them. The easiest way (that I know of) to do both
A and B is with my script. There is no GUI program in existence currently
that will provide that particular information. [Though it wouldn't be difficult.]

homeACLtool -c
and
homeACLtool -f

will provide that information by simply _reading_ it off the disk. In other words,
this script isn't limited to just when someone thinks they need to reset defaults,
or feels like it based on a whim. Download and run it right now (using the -c and
-f options) to *see* the state of all ACLs in your home currently. Whether for fun
or to satisfy one's curiosity, or some quest for knowledge. The -c option finishes
in less than 1 second. [Use 'time homeACLtool -c' to prove it.] The -f option could
take as long as 20 seconds, depending on how many tens of thousands of items
in any given home folder.

No need to let "fear" (or jealousy or ignorance) to enter the equation. No need to
use unflattering and derogatory and inappropriate terms to stigmatize something,
simply because one lacks sufficient understanding. The beauty of having the full
source (all 7K of it!) posted here is that: it's out in plain sight for the virtual world
to view. I wholeheartedly invite any expert to provide valid criticism of my script.

Bottom line: when it comes to user homes and ACLs, there's no such thing as any one
"right" setting. There are a few default items to which Apple would set some
default ACLs. But a user's account may develop other ACLs, whether it was done
intentionally, for some personal purpose... or accidentally, by some error. For those
reasons, extra ACLs come (potentially) in two flavors: desirable and undesirable.

In this script, I have tried to include enough flexibility to accommodate more than
one scenario, while providing full status information about all ACLs in one's home.
Call me crazy but, I think having the actual ACL lists to look at is useful. Why run
totally blind when we can easily take 30 seconds to see what's there, and possibly
learn something in the process? E.g., if both -c and -f turn up empty, then doing
the DVD boot procedure suggested above won't alter a single ACL.

Hope that helps.

-HI-
#431759 - 02/09/08 01:27 PM Re: set default ACLs in the ~home hierarchy [Re: Hal Itosis]
Andreas.. Offline
MacAuthor

Registered: 12/29/00
Posts: 1756
Loc: UnKnown!
    "No need to let "fear" (or jealousy or ignorance) to enter the equation. No need to
     use unflattering and derogatory and inappropriate terms to stigmatize something,
     simply because one lacks sufficient understanding."


We do, though, have to acknowledge that there are those who just cannot cope, or cannot believe that they can cope, when they see any sort of 'code'. It was to them that I addressed my interjection.

…and I too find it quite bizarre that that 'Easter Egg' was put in with "Reset Password". If it works (even if minimally) there why is it not included in Disk Utility's Repair Permissions? Watcha mean u don't know?!   
#443592 - 06/17/08 02:30 PM Re: set default ACLs in the ~home hierarchy [Re: Hal Itosis]
Hal Itosis Offline
MacWizard

Registered: 08/23/99
Posts: 7032
Loc: 10.5.7 (build 9J61)
Small tweaks: code is easier to read ;\) and output looks a bit better.

Code:
#!/bin/bash -
# homeACLtool  :::  script to manage default ACLs inside a user home (Mac OSX)
#(c)EF/-HI-2008.Feb.05 [rev:2008.Jun.14]
PATH=/bin:/usr/bin:/usr/sbin
export PATH
IFS=$'\n' # facilitates for-loops
blockKybd () { stty -echo igncr; }
allowKybd () { stty echo -igncr; }
PROG=$(basename "$0")
UZER=$(basename ~)
EXST=0

exit2sh ()
{
	trap '' INT QUIT ABRT TERM HUP
	[[ $1 ]] && (( EXST+=$1 ))
	if [ $EXST -ne 0 ]
	then
		s=s; [ $EXST -eq 1 ] && s=
		printf '\e[37;41m %d error%s occurred \e[0m\n' $EXST "$s" >&2
		[ $EXST -gt 125 ] && EXST=125
	fi
	exit $EXST
}

trap 'printf "\r$PROG: stopping on signal\n" >&2; exit2sh' INT QUIT ABRT TERM
trap 'printf "\e[0m" >&2; allowKybd' EXIT
blockKybd

accumulateStatus () { (( EXST+=$? )); }
noErrorsHappened () { [ $EXST -eq 0 ]; }

o=o; [ "$(ls -do)" != '.' ] && o=O
LsOpts=-deFGhkl${o}

# :|:-----------------------------------:|:
# :|:---------=< homeACLtool >=---------:|:
# :V:-----------------------------------:V:

if [[ $1 ]] && [[ $1 != -l ]]
then
	if [ -r /usr/sbin/fsaclctl ] && z=`fsaclctl -p / 2>/dev/null`
	then
		if echo $z |grep -iqs disabled
		then
			printf 'Need to enable ACLs with \e[1msudo' >&2
			printf ' fsaclctl -p / -e\e[0m\nand restart,' >&2
			printf ' before this script becomes useful.\n' >&2
			exit2sh 1 #ACLs disabled
		fi
	else
		printf 'cannot find fsaclctl\n' >&2
		exit2sh 1 #ACLs impossible
	fi
fi

DropBoxACL=user:$UZER\ allow\ list,add_file,search,\
delete,add_subdirectory,delete_child,readattr,writeattr,\
readextattr,writeextattr,readsecurity,writesecurity,chown,\
file_inherit,directory_inherit

DropBoxDir=~/Public/Drop\ Box

DefaultACL=group:everyone\ deny\ delete

ACLfolders='~
	~/Desktop
	~/Documents
	~/Downloads
	~/Movies
	~/Music
	~/Pictures
	~/Public
	~/Sites
	~/Library
	~/Library/Application Support
	~/Library/Assistants
	~/Library/Audio/MIDI Drivers
	~/Library/Audio/Plug-Ins/Components
	~/Library/Audio/Plug-Ins/Digidesign
	~/Library/Audio/Plug-Ins/VST
	~/Library/Audio/Plug-Ins
	~/Library/Audio/Sounds/Alerts
	~/Library/Audio/Sounds/Banks
	~/Library/Audio/Sounds
	~/Library/Audio
	~/Library/ColorPickers
	~/Library/Compositions
	~/Library/Favorites
	~/Library/FontCollections
	~/Library/Fonts
	~/Library/iMovie/Plug-ins
	~/Library/iMovie/Sound Effects
	~/Library/iMovie
	~/Library/Input Methods
	~/Library/Internet Plug-Ins
	~/Library/Keyboard Layouts
	~/Library/Preferences
	~/Library/Printers
	~/Library/Screen Savers
	~/Library/Sounds
	~/Library/Voices
'
#	~/Applications
#	~/bin
#
# ^to customize, add more items above^

itemList () { echo "$ACLfolders" |sed 's: :\\\ :g'; }

doNONstandardACLs ()
{
	local fullList= s=s c=0
	printf '\e[1;5m looking for extra ACLs...\e[0m\r' >&2
	fullList=$(find -x ~ -not -type l -print0 |xargs -0 ls -ldeT |
		grep -B 1 -E '^ 0: ' |sed '/:[0-9][0-9]/!d;
			s:^.*\:[0-9][0-9] [0-9]\{4\} ::')
	accumulateStatus
	printf '\e[2K\e[0m' >&2
	if [[ $fullList ]]
	then
		for i in $fullList
		do
			for x in `itemList`
			do
				if [ $i = `eval echo $x` ]
				then
					continue 2
				fi
			done
			if [[ $i != $DropBoxDir ]]
			then
				(( c+=1 ))
				case $1 in
				  locate)
					printf '\n\e[7mACL extra:\e[0m\n'
					ls $LsOpts "$i"
					accumulateStatus
					;;
				  change)
					chmod -N $i
					accumulateStatus
					printf '\n\e[7mACL removed:\e[0m\n'
					ls $LsOpts "$i"
					accumulateStatus
					;;
				esac
			fi
		done
		if [ $c -ne 0 ]
		then
			[ $c -eq 1 ] && s=
			printf '\n\e[1;4m%sd %s additional item%s with ' $1 $c "$s"
			printf 'ACLs not defined in standard Mac OSX\e[0m\n\n'

		elif noErrorsHappened
		then
			printf 'no ACLs found on any *non*-default items\n'
		fi
	else
		printf '\e[37;41m NOTICE: no ACLs were found in %s at all \e[0m\n' ~
	fi
}

s=s c=0
case $1 in
  -l) # list the default folders:
	eval ls $LsOpts `itemList`
	accumulateStatus
	ls $LsOpts "$DropBoxDir"
	accumulateStatus
	;;

  -c) # check default folders for proper ACLs:
	for x in `itemList`
	do
		y=`eval ls -lde $x |sed 1d`
		accumulateStatus
		if [ "$y" != " 0: $DefaultACL" ]
		then
			(( c+=1 ))
			printf '\n\e[7mACL error:\e[0m\n'
			eval ls $LsOpts "$x"
			accumulateStatus
		fi
	done
	y=`ls -lde $DropBoxDir |sed 1d`
	accumulateStatus
	if [ "$y" != " 0: $DropBoxACL" ]
	then
		(( c+=1 ))
		printf '\n\e[7mACL error:\e[0m\n'
		ls $LsOpts "$DropBoxDir"
		accumulateStatus
	fi
	if [ $c -ne 0 ]
	then
		[ $c -eq 1 ] && s=
		printf '\n\e[1;4mspotted %s default item%s with entries' $c "$s"
		printf ' different from standard Mac OSX\e[0m\n\n'

	elif noErrorsHappened
	then
		printf 'all ACLs on default items appear correct\n'
	fi
	;;

  -f) # list *non*-default items with ACLs:
	doNONstandardACLs 'locate'
	accumulateStatus
	;;

  -R) # remove ACLs from *non*default items:
	allowKybd
	printf "> Allow $PROG to remove ACLs from *non*-default items in " >&2
	printf ~ '\b? (y/n [n]): \a' >&2
	read -t66; [ "$REPLY" != y ] && echo '^Canceled' >&2 && exit2sh
	blockKybd
	doNONstandardACLs 'change'
	accumulateStatus
	;;

  -E) # erase all ACLs:
	allowKybd
	printf 'Erasing ACLs will clear out \e[1mevery\e[0m ACL entry from ' >&2
	printf "items in your home.\n> Allow $PROG to erase all ACLs from " >&2
	printf ~ '\b? (y/n [n]): \a' >&2
	read -t66; [ "$REPLY" != y ] && echo '^Canceled' >&2 && exit2sh
	blockKybd
	chmod -R -N ~
	accumulateStatus
	if noErrorsHappened
	then
		printf '%s: every ACL erased from items in %s\n' "$PROG" ~
	fi
	;;

  -D) # set default ACLs:
	allowKybd
	printf "> Allow $PROG to apply default ACLs on default items in " >&2
	printf ~ '\b? (y/n [n]): ' >&2
	read -t66; [ "$REPLY" != y ] && echo '^Canceled' >&2 && exit2sh
	blockKybd
	eval chmod -N `itemList`
	accumulateStatus
	chmod -N "$DropBoxDir"
	accumulateStatus
	eval chmod +a \""$DefaultACL"\" `itemList`
	accumulateStatus
	chmod +a "$DropBoxACL" "$DropBoxDir"
	accumulateStatus
	if noErrorsHappened
	then
		printf '%s: default ACLs restored to ' "$PROG"
		printf 'existing unlocked default items in %s\n' ~
	fi
	;;

   *)	printf 'Usage:\e[1m %s  -l\e[0m | \e[1m-c\e[0m | ' "$PROG" >&2
	printf '\e[1m-f\e[0m | \e[1m-R\e[0m | \e[1m-E\e[0m | \e[1m-D\e[0m\n\n' >&2
	cat <<-helpdoc >&2
	 -l   list only those items in our home which come with ACLs by default.
	 -c   check default items and list any whose ACL deviates from the norm.

	 -f   find and list any *non*-default item with ACLs in our home folder.
	 -R   find and Remove all ACLs in our home found on *non*-default items.

	 -E   Erase **every** ACL entry within our entire home folder hierarchy.
	 -D   set Default ACLs in our home on the Default items (ignore others).

	NB: this script manages ACLs only; not ownerships, POSIX perms or flags.
	helpdoc
	;;
esac
exit2sh


#464575 - 03/15/09 03:06 PM Re: set default ACLs in the ~home hierarchy [Re: Hal Itosis]
Hal Itosis Offline
MacWizard

Registered: 08/23/99
Posts: 7032
Loc: 10.5.7 (build 9J61)
Small tweaks... but one fix (in three places).
Here's a portion of diff, showing just the fix:
Code:
216c218
< 	printf ~ '\b? (y/n [n]): \a' >&2
---
> 	printf '%s? (y/n [n]): \a' ~ >&2
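Review bot: the removed line passed the expanded ~ as printf's format string, so the quoted prompt text became an unused argument and never appeared, and any % in the home path would have been taken as a conversion; moving the path into a %s argument, as the added line does, is the right fix. The same applies to the two hunks that follow, which change the -E and -D prompts identically.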
227c229
< 	printf ~ '\b? (y/n [n]): \a' >&2
---
> 	printf '%s? (y/n [n]): \a' ~ >&2
241c243
< 	printf ~ '\b? (y/n [n]): ' >&2
---
> 	printf '%s? (y/n [n]): ' ~ >&2
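Review bot: style point on this third hunk: the -D prompt is the only one of the three without the trailing \a bell that the -R and -E prompts in the first two hunks carry; since all three now share the same %s format, it would be consistent to add it here too (`printf '%s? (y/n [n]): \a' ~ >&2`).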

First printf: bad. Second printf: good. Sorry 'bout that. [no harm though.]


Script follows...
Code:
#!/bin/bash -
# homeACLtool  :::  script to manage default ACLs inside a user home (Mac OSX)
#(c)EF/-HI-2008.Feb.05 [rev:2009.Mar.15]
IFS=$'\n' # facilitates for-loops
PATH=/bin:/usr/bin:/usr/sbin
export PATH
blockKybd () { stty -echo igncr; }
allowKybd () { stty echo -igncr; }
PROG=$(basename "$0")
UZER=$(basename ~)
XCOD=0

exit2sh ()
{
	trap '' INT QUIT ABRT TERM HUP
	[[ $1 ]] && (( XCOD+=$1 ))
	if [ $XCOD -ne 0 ]
	then
		s=s; [ $XCOD -eq 1 ] && s=
		printf '\e[37;41m %d error%s occurred \e[0m\n' $XCOD "$s" >&2
		[ $XCOD -gt 125 ] && XCOD=125
	fi
	exit $XCOD
}

trap 'printf "\r\e[2K\e[0m$PROG: stopping on signal...\n" >&2;
	exit2sh' INT QUIT ABRT TERM
trap 'printf "\e[0m" >&2; allowKybd' EXIT
blockKybd

accumulateStatus () { (( XCOD+=$? )); }
noErrorsHappened () { [ $XCOD -eq 0 ]; }

# list flags in both Leopard & Tiger
o=o; [[ `/bin/ls -do` != . ]] && o=O
LsOpts=-bdeFGhl${o}

# :|:-----------------------------------:|:
# :|:---------=< homeACLtool >=---------:|:
# :V:-----------------------------------:V:

if [[ $1 ]] && [[ $1 != -l ]]
then
	if [ -r /usr/sbin/fsaclctl ] && z=`fsaclctl -p / 2>/dev/null`
	then
		if echo $z |grep -iqs disabled
		then
			printf 'Need to enable ACLs with \e[1msudo' >&2
			printf ' fsaclctl -p / -e\e[0m\nand restart,' >&2
			printf ' before this script becomes useful.\n' >&2
			exit2sh 1 #ACLs disabled
		fi
	else
		printf 'cannot find fsaclctl\n' >&2
		exit2sh 1 #ACLs impossible
	fi
fi

DropBoxACL=user:$UZER\ allow\ list,add_file,search,\
delete,add_subdirectory,delete_child,readattr,writeattr,\
readextattr,writeextattr,readsecurity,writesecurity,chown,\
file_inherit,directory_inherit

DropBoxDir=~/Public/Drop\ Box

DefaultACL=group:everyone\ deny\ delete

ACLfolders='~
	~/Desktop
	~/Documents
	~/Downloads
	~/Movies
	~/Music
	~/Pictures
	~/Public
	~/Sites
	~/Library
	~/Library/Application Support
	~/Library/Assistants
	~/Library/Audio/MIDI Drivers
	~/Library/Audio/Plug-Ins/Components
	~/Library/Audio/Plug-Ins/Digidesign
	~/Library/Audio/Plug-Ins/VST
	~/Library/Audio/Plug-Ins
	~/Library/Audio/Sounds/Alerts
	~/Library/Audio/Sounds/Banks
	~/Library/Audio/Sounds
	~/Library/Audio
	~/Library/ColorPickers
	~/Library/Compositions
	~/Library/Favorites
	~/Library/FontCollections
	~/Library/Fonts
	~/Library/iMovie/Plug-ins
	~/Library/iMovie/Sound Effects
	~/Library/iMovie
	~/Library/Input Methods
	~/Library/Internet Plug-Ins
	~/Library/Keyboard Layouts
	~/Library/Preferences
	~/Library/Printers
	~/Library/Screen Savers
	~/Library/Sounds
	~/Library/Voices
'
#	~/Applications
#	~/bin
#
# ^to customize, add more items above^

itemList () { echo "$ACLfolders" |sed 's: :\\\ :g'; }

doNONstandardACLs ()
{
	local fullList= s=s c=0
	printf '\e[1;5m looking for extra ACLs...\e[0m\r' >&2
	fullList=$(find -x ~ -not -type l -print0 |xargs -0 ls -ldeT |
		grep -B 1 '^ 0: ' |sed '/:[0-9][0-9]/!d;
			s:^.*\:[0-9][0-9] [0-9]\{4\} ::')
	accumulateStatus
	printf '\e[2K\e[0m' >&2
	if [[ $fullList ]]
	then
		for i in $fullList
		do
			for x in `itemList`
			do
				if [ $i = `eval echo $x` ]
				then
					continue 2
				fi
			done
			if [[ $i != $DropBoxDir ]]
			then
				(( c+=1 ))
				case $1 in
				  locate)
					printf '\n\e[7mACL extra:\e[0m\n'
					ls $LsOpts "$i"
					accumulateStatus
					;;
				  change)
					chmod -N $i
					accumulateStatus
					printf '\n\e[7mACL removed:\e[0m\n'
					ls $LsOpts "$i"
					accumulateStatus
					;;
				esac
			fi
		done
		if [ $c -ne 0 ]
		then
			[ $c -eq 1 ] && s=
			printf '\n\e[1;4m%sd %s additional item%s with ' $1 $c "$s"
			printf 'ACLs not defined in standard Mac OSX\e[0m\n\n'

		elif noErrorsHappened
		then
			printf 'no ACLs found on any *non*-default items\n'
		fi
	else
		printf '\e[37;41m NOTICE: no ACLs were found in %s at all \e[0m\n' ~
	fi
}

s=s c=0
case $1 in
  -l) # list the default folders:
	eval ls $LsOpts `itemList`
	accumulateStatus
	ls $LsOpts "$DropBoxDir"
	accumulateStatus
	;;

  -c) # check default folders for proper ACLs:
	for x in `itemList`
	do
		y=`eval ls -lde $x |sed 1d`
		accumulateStatus
		if [ "$y" != " 0: $DefaultACL" ]
		then
			(( c+=1 ))
			printf '\n\e[7mACL error:\e[0m\n'
			eval ls $LsOpts "$x"
			accumulateStatus
		fi
	done
	y=`ls -lde $DropBoxDir |sed 1d`
	accumulateStatus
	if [ "$y" != " 0: $DropBoxACL" ]
	then
		(( c+=1 ))
		printf '\n\e[7mACL error:\e[0m\n'
		ls $LsOpts "$DropBoxDir"
		accumulateStatus
	fi
	if [ $c -ne 0 ]
	then
		[ $c -eq 1 ] && s=
		printf '\n\e[1;4mspotted %s default item%s with entries' $c "$s"
		printf ' different from standard Mac OSX\e[0m\n\n'

	elif noErrorsHappened
	then
		printf 'all ACLs on default items appear correct\n'
	fi
	;;

  -f) # list *non*-default items with ACLs:
	doNONstandardACLs 'locate'
	accumulateStatus
	;;

  -R) # remove ACLs from *non*default items:
	allowKybd
	printf "> Allow $PROG to remove ACLs from *non*-default items in " >&2
	printf '%s? (y/n [n]): \a' ~ >&2
	read -t66; [ "$REPLY" != y ] && echo '^Canceled' >&2 && exit2sh
	blockKybd
	doNONstandardACLs 'change'
	accumulateStatus
	;;

  -E) # erase all ACLs:
	allowKybd
	printf 'Erasing ACLs will clear out \e[1mevery\e[0m ACL entry from ' >&2
	printf "items in your home.\n> Allow $PROG to erase all ACLs from " >&2
	printf '%s? (y/n [n]): \a' ~ >&2
	read -t66; [ "$REPLY" != y ] && echo '^Canceled' >&2 && exit2sh
	blockKybd
	chmod -R -N ~
	accumulateStatus
	if noErrorsHappened
	then
		printf '%s: every ACL erased from items in %s\n' "$PROG" ~
	fi
	;;

  -D) # set default ACLs:
	allowKybd
	printf "> Allow $PROG to apply default ACLs on default items in " >&2
	printf '%s? (y/n [n]): ' ~ >&2
	read -t66; [ "$REPLY" != y ] && echo '^Canceled' >&2 && exit2sh
	blockKybd
	eval chmod -N `itemList`
	accumulateStatus
	chmod -N "$DropBoxDir"
	accumulateStatus
	eval chmod +a \""$DefaultACL"\" `itemList`
	accumulateStatus
	chmod +a "$DropBoxACL" "$DropBoxDir"
	accumulateStatus
	if noErrorsHappened
	then
		printf '%s: default ACLs restored to ' "$PROG"
		printf 'existing unlocked default items in %s\n' ~
	fi
	;;

   *)	printf 'Usage:\e[1m %s  -l\e[0m | \e[1m-c\e[0m | ' "$PROG" >&2
	printf '\e[1m-f\e[0m | \e[1m-R\e[0m | \e[1m-E\e[0m | \e[1m-D\e[0m\n\n' >&2
	cat <<-helpdoc >&2
	 -l   list only those items in our home which come with ACLs by default.
	 -c   check default items and list any whose ACL deviates from the norm.

	 -f   find and list any *non*-default item with ACLs in our home folder.
	 -R   find and Remove all ACLs in our home found on *non*-default items.

	 -E   Erase **every** ACL entry within our entire home folder hierarchy.
	 -D   set Default ACLs in our home on the Default items (ignore others).

	NB: this script manages ACLs only; not ownerships, POSIX perms or flags.
	helpdoc
	;;
esac
exit2sh


-HI-
