==== ACLs ====

<code bash>
# Show ACL permissions
$ ls -le .
[...]
-rw-r--r--+ 1 john users 175 5 Jun 00:23 foo
 0: user:dave allow write
</code>

Permissions include the usual read, write, delete, add_file and add_subdirectory, as well as more exotic ones like {read,write}extattr, {read,write}security and chown. (Read chmod's man page to see what these are for.) There are, however, two more important ones to notice, namely file_inherit and directory_inherit. These two let you spread your permissions nicely to sub-objects and thus let you, for example, set up a directory in which a pool of users is allowed to access, modify and delete each other's files:

<code bash>
$ chmod +a 'john allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' /data
$ chmod +a 'dave allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' /data
</code>

The above example gives john and dave inherited read, write and delete permissions to all file objects underneath /data. Since ACLs are evaluated in order, they can also be set in an ordered manner. chmod has the +a# option for that, where # is the position at which the ACL entry should be inserted. Similarly, existing entries can be edited with =a#, where again # marks the position of the entry to edit, and deleted with -a#. Finally, if one wants to get rid of all ACLs of a specific node, chmod -N will do the job.

That's it, have fun playing with ACLs on Mac OS X!
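As an added example (not from the original page), a small Python audit that parses ls -le output in the layout shown above and flags entries a shared-directory setup like /data would not want: directory ACEs lacking file_inherit/directory_inherit (they will not propagate), write-capable rights granted to group:everyone, and a deny placed after an allow for the same principal, which in-order evaluation renders ineffective. The sample listing is constructed, and the "inherited" keyword on child entries is an assumption about macOS output.

```python
import re
from collections import namedtuple

# Constructed sample in the `ls -le` layout shown on the page ("inherited" marker is assumed).
SAMPLE_LS_LE = """\
drwxr-xr-x+ 4 john users 128 5 Jun 00:23 data
 0: user:john allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit
 1: user:dave allow read,write,delete,add_file,add_subdirectory,file_inherit
 2: group:everyone allow write,delete
 3: user:dave deny delete
-rw-r--r--+ 1 john users 175 5 Jun 00:23 foo
 0: user:dave inherited allow read,write,delete
"""

ACE_RE = re.compile(r"^\s*(\d+): (user|group):(\S+) (inherited )?(allow|deny) (\S+)$")
INHERIT = {"file_inherit", "directory_inherit"}
WRITEISH = {"write", "delete", "add_file", "add_subdirectory", "writesecurity", "chown"}
Ace = namedtuple("Ace", "index who inherited effect perms")  # who = "user:dave", effect = allow/deny

def parse_ls_le(text):
    """Map filename -> (is_directory, [Ace, ...]). ACE lines belong to the
    preceding listing line, whose last field is taken as the filename."""
    nodes, name = {}, None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and name:
            nodes[name][1].append(Ace(int(m[1]), f"{m[2]}:{m[3]}", bool(m[4]),
                                      m[5], set(m[6].split(","))))
        elif line and not line[0].isspace():
            name = line.split()[-1]
            nodes[name] = (line[0] == "d", [])
    return nodes

def audit(nodes, name):
    """Flag non-propagating directory ACEs, write-ish rights for everyone, and
    deny ACEs shadowed by an earlier allow (entries are evaluated in order)."""
    is_dir, aces = nodes[name]
    findings = []
    for a in aces:
        if is_dir and not a.inherited and a.effect == "allow" and not INHERIT <= a.perms:
            findings.append(f"{a.index}: {a.who} missing {sorted(INHERIT - a.perms)}")
        if a.who == "group:everyone" and a.effect == "allow" and a.perms & WRITEISH:
            findings.append(f"{a.index}: everyone allowed {sorted(a.perms & WRITEISH)}")
        if a.effect == "deny":
            for b in aces[:a.index]:
                if b.who == a.who and b.effect == "allow" and b.perms & a.perms:
                    findings.append(f"{a.index}: deny shadowed by allow {b.index}")
    return findings
```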
==== Start screen share ====

<code bash>
# Start
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw mypasswd -restart -agent -privs -all

# Stop
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
</code>

==== List out users home directories ====

<code bash>
#!/bin/bash
# Split command substitutions on newlines only, so that each user name
# printed by dscl becomes one loop iteration
IFS=$'\n'
echo "User Name Home"
echo "---------------------------------"
for x in $(dscl localhost list /Local/Default/Users | grep -v "^_"); do
    # Skip the built-in system accounts
    [ "$x" == "root" ] && continue
    [ "$x" == "daemon" ] && continue
    [ "$x" == "nobody" ] && continue
    [ "$x" == "guest" ] && continue
    NAME=$(dscl localhost read "/Local/Default/Users/$x" RealName | tail -1 | sed 's/RealName: //g')
    # Use a dedicated variable rather than clobbering the shell's own $HOME
    HOME_DIR=$(dscl localhost read "/Local/Default/Users/$x" NFSHomeDirectory | awk -F: '{print $2}' | sed 's/^ //g')
    echo "$x $NAME $HOME_DIR"
done
</code>

==== Add MacOS to domain, CLI version ====

Script: [[ sysadmin:macos:macad.sh ]]

<code bash>
# Bind directory services to the domain
sudo dsconfigad -f -a pc-int-65 -ou "ou=Desktops,DC=mcs,DC=usyd,DC=edu,DC=au" -domain mcs.usyd.edu.au -u pfowler

# Create search path for users
sudo dscl /Search -create / SearchPolicy CSPSearchPath
sudo dscl /Search -append / CSPSearchPath /Active\ Directory/All\ Domains

# Create search path for contacts
sudo dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
sudo dscl /Search/Contacts -append / CSPSearchPath /Active\ Directory/All\ Domains

# Set AD to enabled
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"

# Add the local user to the admin group
dscl . append /Groups/admin GroupMembership username
</code>