Insights - Mac OS X - ACLs and Resource forks are xattrs?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Insights - Mac OS X - ACLs and Resource forks are xattrs?

mkv22-2
Dear All,

I have had this suspicion for a while now and it seems to be right.  
It could be very useful and may simplify many compatibility issues  
with Mac OS X (HFS+) and other file systems.

As in earlier versions of Mac OS X, files prefixed with "._" contain  
all of the metadata for their un-prefixed partner that the native  
volume format cannot contain in a single file: resource forks, flags,  
dates, and now in Tiger, extended attributes.  -- from http://
arstechnica.com/reviews/os/macosx-10.4.ars/7
        I have known the above but then did not suspect ACLs to be stored  
along with xattr/ rsrc forks (But I doubted it as pylibacl had  
problems with Mac OS X Tiger ACLs) - This post confirms it: http://
list.cashcow.dk/users/0229.html --
Each file is also associated with a set of extended attributes, that can
be accessed using the xattr system calls. These system calls are found
in other BSD systems as well, but not in FreeBSD. The extended
attributes can be used to store extra keywords that you can search for
using the Spotlight GUI (or mdfind commands). *** They also store ACL
information. ***

Since py-xattr does work in Mac OS X python (from undefined.org/
python/), I have also submitted a fink package for the same, it  
should simplify ACL/ rsrc fork / metadata mangement in Mac OS X  
Tiger, at least.

man:chmod (Tiger OS X 10.4) - It does not use setfacl (known fact  
though):
ACL MANIPULATION OPTIONS

      ACLs are manipulated using extensions to the symbolic mode  
grammar.  Each
      file has one ACL, containing an ordered list of entries.  Each  
entry
      refers to a user or group, and grants or denies a set of  
permissions.

      The following permissions are applicable to all filesystem  
objects:
            delete  Delete the item.  Deletion may be granted by  
either this
                    permission on an object or the delete_child right  
on the
                    containing directory.
            readattr
                    Read an objects basic attributes.  This is  
implicitly
                    granted if the object can be looked up and not  
explicitly
                    denied.
            writeattr
                    Write an object's basic attributes.
            readextattr
                    Read extended attributes.
            writeextattr
                    Write extended attributes.
            readsecurity
                    Read an object's extended security information  
(ACL).
            writesecurity
                    Write an object's security information  
(ownership, mode,
                    ACL).
            chown   Change an object's ownership.

      The following permissions are applicable to directories:
            list    List entries.
            search  Look up files by name.
            add_file
                    Add a file.
            add_subdirectory
                    Add a subdirectory.
            delete_child
                    Delete a contained object.  See the file delete  
permission
                    above.

      The following permissions are applicable to non-directory  
filesystem
      objects:
            read    Open for reading.
            write   Open for writing.
            append  Open for writing, but in a fashion that only  
allows writes
                    into areas of the file not previously written.
            execute
                    Execute the file as a script or program.

      ACL inheritance is controlled with the following permissions  
words, which
      may only be applied to directories:
            file_inherit
                    Inherit to files.
            directory_inherit
                    Inherit to directories.
            limit_inherit
                    This flag is only relevant to entries inherited  
by subdi-
                    rectories; it causes the directory_inherit flag  
to be
                    cleared in the entry that is inherited,  
preventing further
                    nested subdirectories from also inheriting the  
entry.
            only_inherit
                    The entry is inherited by created items but not  
considered
                    when processing the ACL.

      The ACL manipulation options are as follows:

      +a      The +a mode parses a new ACL entry from the next  
argument on the
              commandline and inserts it into the canonical location  
in the
              ACL. If the supplied entry refers to an identity  
already listed,
              the two entries are combined.

              Examples
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
               # chmod +a "admin allow write" file1
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: admin allow write
               # chmod +a "guest deny read" file1
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: guest deny read
                 2: admin allow write
               # chmod +a "admin allow delete" file1
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: guest deny read
                 2: admin allow write,delete

              The +a mode strives to maintain correct canonical form  
for the
              ACL.
                               local deny
                               local allow
                               inherited deny
                               inherited allow

              By default, chmod adds entries to the top of the local  
deny and
              local allow lists. Inherited entries are added by using  
the +ai
              mode.

              Examples
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: guest deny read
                 2: admin allow write,delete
                 3: juser inherited deny delete
                 4: admin inherited allow delete
                 5: backup inherited deny read
                 6: admin inherited allow write-security
               # chmod +ai "others allow write" file1
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: guest deny read
                 2: admin allow write,delete
                 3: juser inherited deny delete
                 4: others inherited allow read
                 5: admin inherited allow delete
                 6: backup inherited deny read
                 7: admin inherited allow write-security

      +a#     When a specific ordering is required, the exact  
location at which
              an entry will be inserted is specified with the +a# mode.

              Examples
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: guest deny read
                 2: admin allow write
               # chmod +a# 2 "others deny read" file1
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: guest deny read
                 2: others deny read
                 3: admin allow write

              The +ai# mode may be used to insert inherited entries  
at a spe-
              cific location. Note that these modes allow non-
canonical ACL
              ordering to be constructed.

      -a      The -a mode is used to delete ACL entries. All entries  
exactly
              matching the supplied entry will be deleted. If the  
entry lists a
              subset of rights granted by an entry, only the rights  
listed are
              removed. Entries may also be deleted by index using the  
-a# mode.

              Examples
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: guest deny read
                 2: admin allow write,delete
               # chmod -a# 1 file1
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: admin allow write,delete
               # chmod -a "admin allow write" file1
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: admin allow delete

              Inheritance is not considered when processing the -a  
mode; rights
              and entries will be removed regardless of their  
inherited state.

      =a#     Individual entries are rewritten using the =a# mode.

              Examples
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: admin allow delete
               # chmod =a# 1 "admin allow write,chown"
               # ls -le
               -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                 owner: juser
                 1: admin allow write,chown

              This mode may not be used to add new entries.

      -E      Reads the ACL information from stdin, as a sequential  
list of
              ACEs, separated by newlines.  If the information parses  
cor-
              rectly, the existing information is replaced.

      -C      Returns false if any of the named files have ACLs in  
non-canoni-
              cal order.

      -i      Removes the 'inherited' bit from all entries in the  
named file(s)
              ACLs.

      -I      Removes all inherited entries from the named file(s) ACL
(s).


_______________________________________________
rdiff-backup-users mailing list at [hidden email]
http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki