ACLs

# Show ACL permissions
$ ls -le .
[...]
-rw-r--r--+ 1 john users  175  5 Jun 00:23 foo
0: user:dave allow write

Permissions include the usual read, write, delete, add_file and add_subdirectory, as well as more exotic ones like {read,write}attr, {read,write}extattr, {read,write}security and chown. (See the chmod man page for what each of these does.) writesecurity and chown deserve special attention: whoever holds them can rewrite the ACL or give the object away, which makes every other right on the object moot.

There are, however, two more important ones to notice, namely file_inherit and directory_inherit. These two propagate an entry to the objects created underneath a directory, which lets you, for example, set up a directory in which a pool of users may read, modify and delete each other's files:

$ chmod +a 'john allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' /data
$ chmod +a 'dave allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' /data

The above gives john and dave read, write and delete rights on every file and directory created underneath /data from now on. Two caveats: inheritance only applies to objects created after the entry is set, so existing content keeps its old ACLs (use chmod -R +a ... to cover it as well), and ACL rights are added on top of the mode bits, so if the mode bits of /data do not already grant search (x) to these users, add search to the entries too or they cannot traverse the directory.

Since ACL entries are evaluated in order (a deny entry placed before an allow entry wins), their position matters, and chmod lets you control it: +a# inserts an entry at position # (counting from 0), =a# replaces the entry at position # and -a# deletes it.

Finally, to strip every ACL entry from a node, chmod -N <path> will do the job.
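To see what the entries set above actually grant, here is an added example (my own code, not from the original page) that parses `ls -le` output and flags allow entries giving someone other than the owner rights that change content, metadata or the ACL itself. The listing it runs on is constructed, and the set of rights it treats as risky is this example's own judgement, not something the page defines.

```python
"""Audit ACL entries in `ls -le` output.

Added example, not part of the original page: the sample listing below is
constructed, and RISKY is this example's own choice of rights to flag.
"""
import re
from dataclasses import dataclass, field

# Rights that let a principal change content, metadata or the ACL itself.
# writesecurity and chown are the ones to watch: they let the holder rewrite
# the ACL or give the object away, so they override everything else.
RISKY = {"write", "append", "add_file", "add_subdirectory", "delete",
         "delete_child", "writeattr", "writeextattr", "writesecurity", "chown"}
INHERIT_FLAGS = {"file_inherit", "directory_inherit", "limit_inherit", "only_inherit"}

# " 0: user:dave allow write,delete"  /  " 1: group:staff inherited deny read"
ACE_RE = re.compile(
    r"^\s*(\d+):\s+(user|group):(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)\s*$")


@dataclass
class Ace:
    index: int
    kind: str          # "user" or "group"
    name: str
    allow: bool        # False for a deny entry
    inherited: bool    # entry came from a parent's *_inherit flags
    perms: set         # rights, with the inheritance flags split out
    inherit: set       # file_inherit / directory_inherit / limit_inherit / only_inherit


@dataclass
class Entry:
    name: str
    mode: str
    owner: str
    group: str
    aces: list = field(default_factory=list)


def parse_ls_le(text):
    """Parse `ls -le` output. ACE lines always follow the file they belong to."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        m = ACE_RE.match(line)
        if m:
            if not entries:
                raise ValueError("ACE line before any file entry: %r" % line)
            items = set(m.group(6).split(","))
            entries[-1].aces.append(Ace(
                index=int(m.group(1)), kind=m.group(2), name=m.group(3),
                allow=m.group(5) == "allow", inherited=m.group(4) is not None,
                perms=items - INHERIT_FLAGS, inherit=items & INHERIT_FLAGS))
            continue
        # mode links owner group size <three date fields> name; maxsplit keeps
        # spaces inside the file name intact.
        parts = line.split(None, 8)
        if len(parts) != 9:
            raise ValueError("unrecognised ls -le line: %r" % line)
        mode, _links, owner, group, _size, _d1, _d2, _d3, name = parts
        entries.append(Entry(name=name, mode=mode, owner=owner, group=group))
    return entries


def audit(entries):
    """Return (name, principal, rights) for every allow entry that grants RISKY
    rights to someone other than the file's owner.

    Do not gate on the '+' in the mode column: ls prints '@' instead of '+'
    when an object has extended attributes as well as an ACL, so the ACE lines
    themselves are the reliable signal.
    """
    findings = []
    for e in entries:
        for ace in e.aces:
            if not ace.allow or (ace.kind == "user" and ace.name == e.owner):
                continue
            risky = sorted(ace.perms & RISKY)
            if risky:
                findings.append((e.name, f"{ace.kind}:{ace.name}", risky))
    return findings


# Constructed sample: what `ls -le` prints for a shared directory set up as in
# the text, plus a stray writesecurity grant that an audit should catch.
SAMPLE = """\
total 16
drwxrwxr-x+ 5 john staff  170  5 Jun 00:20 data
 0: user:dave allow list,add_file,search,add_subdirectory,delete_child,file_inherit,directory_inherit
 1: user:john allow list,add_file,search,add_subdirectory,delete_child,file_inherit,directory_inherit
-rw-r--r--+ 1 john users  175  5 Jun 00:23 foo
 0: user:dave allow write
 1: user:eve allow read,writesecurity
-rw-r--r--  1 john users   12  5 Jun 00:25 bar
-rw-r--r--@ 1 john users    0  5 Jun 00:30 report final.txt
 0: group:staff inherited allow read
 1: user:dave deny write
"""


def audit_text(text):
    return audit(parse_ls_le(text))


if __name__ == "__main__":
    for name, principal, rights in audit_text(SAMPLE):
        print(f"{name}: {principal} may {','.join(rights)}")
```

Run it against real output with `ls -le /data | python3 audit_acl.py` style piping once you replace SAMPLE with stdin; the eve/writesecurity finding on foo is the kind of entry that lets a user quietly grant themselves everything else later.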

That's it, have fun playing with ACLs on Mac OS X!

Start screen share

# Start: activate Remote Management for every local user with all privileges,
# enable the legacy VNC protocol and set its password to mypasswd.
# Caveats: the password lands in the shell history and the process list while
# the command runs; legacy VNC sessions are not encrypted; and -privs -all for
# all users is broader than most hosts need. kickstart's own
# -allowAccessFor -specifiedUsers -users <user1,user2> limits who may connect.
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw mypasswd -restart -agent -privs -all

# Stop
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off

List users' home directories

#!/bin/bash
# List local (non-service) accounts with their real name and home directory.
# Service accounts start with "_"; a few well-known built-ins are skipped by name.

IFS=$'\n'   # iterate line by line so values with spaces stay intact

echo "User    Name        Home"
echo "---------------------------------"

for x in $(dscl localhost list /Local/Default/Users | grep -v "^_"); do
	case "$x" in root|daemon|nobody|guest) continue ;; esac

	# dscl prints "RealName: value", or "RealName:" with the value on an indented next line
	NAME=$(dscl localhost read "/Local/Default/Users/$x" RealName | tail -1 | sed 's/^RealName: *//; s/^ //')
	# not named HOME: that would clobber the shell's own HOME variable
	HOME_DIR=$(dscl localhost read "/Local/Default/Users/$x" NFSHomeDirectory | awk -F: '{print $2}' | sed 's/^ //')
	echo "$x  $NAME  $HOME_DIR"
done

Add MacOS to domain, CLI version

Script macad.sh

# Bind the machine (computer id pc-int-65) to the AD domain. No -p is given on
# purpose: dsconfigad prompts for pfowler's password instead of leaving it in
# the shell history and process list.
sudo dsconfigad -f -a pc-int-65 -ou "ou=Desktops,DC=mcs,DC=usyd,DC=edu,DC=au" -domain mcs.usyd.edu.au -u pfowler

# Create search path for users
sudo dscl /Search -create / SearchPolicy CSPSearchPath
sudo dscl /Search -append / CSPSearchPath /Active\ Directory/All\ Domains

# Create search path for contacts
sudo dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
sudo dscl /Search/Contacts -append / CSPSearchPath /Active\ Directory/All\ Domains

# Set AD to enabled (DirectoryService-based releases; later releases enable the
# plugin when dsconfigad binds):
sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"

# Add a local user to the admin group; replace username with the real account.
# Membership in admin is what grants sudo and GUI admin rights, so keep the list
# short. To let AD groups administer the Mac instead, use dsconfigad -groups
# with a comma-separated list of groups.
sudo dscl . append /Groups/admin GroupMembership username