
Effective Access Control with Directories, Services, and Share Points

Macworld 2009: IT845

Download Session Presentations http://macpres09.shownets.net

Q&A – MacIT® Conference

We are using Google Moderator to take questions for this session.

1. Go to http://tinyurl.com/633v6e

2. Pick the topic that matches this session

3. Sign in using a Google Account (user name: macworldexpo09, password: macworld09)

4. Submit the questions you want to ask

5. Vote on others’ questions you want answered

Hello.

Access Control

AFP, NFS

ACLs, POSIX

Share Points

SACLs

Users, Groups

SMB

Spotlight

Permissions

Authentication

Ownership, Authorization, Security

XATTRs

ACEs DNS

LDAP

WHO Needs Access?

WHAT?

HOW?

Users & Groups

Mac OS X Users

Standard

Administrator

Managed with Parental Controls

Sharing

Guest

Root (System Administrator)

Local or Directory

Groups

Ownership & Permissions

Ownership

Owner, Group, Other (World)

File Permissions

Folder Permissions

POSIX

Folder

File

Owner, Group, Other (World)

Permissions

Ownership

Owner, Group

Command Line Admin: POSIX Permissions

Locked Files

Command Line Admin: Locked Files

See chflags man page for more

External Volumes

Access Control Lists (ACLs)

ACLs - OS X

Limited ACLs via Finder

ACLs - OS X Server

OS X ACLs

Access Control Entries (ACEs)

• User

• Type

• Permission

• Inheritance

OS X ACLs

User - Local or Network User or Group

Type - Allow or Deny

OS X ACLs

17 options in each ACE

ACE Inheritance


Inherited vs. Explicit ACEs

ACE Precedence

ACEs evaluated from top to bottom

Allow ACEs are cumulative

Deny ACEs

Deny ACEs override all

POSIX and ACLs

POSIX and ACLs coexist

ACLs evaluated first

POSIX permissions used if no ACE matched

Deny ACEs STILL override

Propagation

Commonly misunderstood

Occurs upon file or folder creation

Occurs when Administrator forces it

Does NOT occur when Inheritance is set
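The three slides above (ACE Precedence, POSIX and ACLs, Propagation) state the rules without showing them in action. The following is an added example, not code from the session or from Apple: a small Python model of those rules that evaluates ACEs top to bottom, lets allow entries accumulate, lets any matching deny entry win, falls back to the POSIX mode bits for rights no ACE addressed, and copies inheritable ACEs only at creation time or when an administrator forces propagation. The `FileNode`, `ACE`, `Principal` types, the three-right subset of the 17 ACE options, and the sample share point are all constructed for illustration. The per-right POSIX fallback is this model's generalisation of "POSIX permissions used if no ACE matched".

```python
from dataclasses import dataclass, field

# Three of the 17 per-ACE rights; enough to show the evaluation rules
READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass
class ACE:
    who: str                 # user or group name the entry applies to
    kind: str                # "allow" or "deny"
    rights: frozenset        # subset of {READ, WRITE, EXECUTE}
    inherit: bool = False    # copied to children created after this ACE is set
    inherited: bool = False  # came from a parent rather than being set explicitly


@dataclass
class Principal:
    user: str
    groups: frozenset


@dataclass
class FileNode:
    owner: str
    group: str
    mode: int                                # POSIX mode bits, e.g. 0o640
    acl: list = field(default_factory=list)  # ACEs in list order, top to bottom
    children: dict = field(default_factory=dict)


def ace_matches(ace, principal):
    return ace.who == principal.user or ace.who in principal.groups


def posix_allows(node, principal, right):
    """Classic owner/group/other check on the mode bits."""
    bit = {READ: 4, WRITE: 2, EXECUTE: 1}[right]
    if principal.user == node.owner:
        triplet = (node.mode >> 6) & 0o7
    elif node.group in principal.groups:
        triplet = (node.mode >> 3) & 0o7
    else:
        triplet = node.mode & 0o7
    return bool(triplet & bit)


def check_access(node, principal, requested):
    """Apply the slides' rules; returns (granted, reason)."""
    allowed, denied = set(), set()
    for ace in node.acl:                 # ACEs evaluated top to bottom
        if not ace_matches(ace, principal):
            continue
        hit = ace.rights & set(requested)
        if ace.kind == "deny":
            denied |= hit                # a deny is remembered wherever it sits
        else:
            allowed |= hit               # allow ACEs accumulate
    if denied:                           # deny ACEs override all
        return False, "deny ACE covers " + ", ".join(sorted(denied))
    unmatched = set(requested) - allowed
    if not unmatched:
        return True, "granted by allow ACE(s)"
    for right in sorted(unmatched):      # no ACE spoke to these rights: POSIX decides
        if not posix_allows(node, principal, right):
            return False, "POSIX mode denies " + right
    return True, "granted via POSIX fallback"


def create_child(parent, name, mode):
    """Inheritance is applied once, at creation: copy the parent's inheritable ACEs."""
    child = FileNode(owner=parent.owner, group=parent.group, mode=mode)
    child.acl = [ACE(a.who, a.kind, a.rights, a.inherit, inherited=True)
                 for a in parent.acl if a.inherit]
    parent.children[name] = child
    return child


def propagate(parent):
    """Administrator-forced propagation: rewrite inherited ACEs on existing children."""
    for child in parent.children.values():
        explicit = [a for a in child.acl if not a.inherited]
        child.acl = explicit + [ACE(a.who, a.kind, a.rights, a.inherit, inherited=True)
                                for a in parent.acl if a.inherit]
        propagate(child)


def build_demo():
    """Constructed share point: staff may read and write, contractors may never write."""
    share = FileNode(owner="alice", group="staff", mode=0o750)
    share.acl = [
        ACE("staff", "allow", frozenset({READ, WRITE}), inherit=True),
        ACE("contractors", "deny", frozenset({WRITE}), inherit=True),
    ]
    return share


if __name__ == "__main__":
    share = build_demo()
    doc = create_child(share, "plan.txt", 0o640)
    bob = Principal("bob", frozenset({"staff", "contractors"}))
    print(check_access(doc, bob, {WRITE}))   # the contractors deny wins over the staff allow
```

Two things the model makes visible that the bullet points only assert: a user who is in both an allowed and a denied group is denied regardless of the order of the two entries, and adding an inheritable ACE to a folder changes nothing on files already inside it until `propagate` is run, which is exactly the gap the "Propagate Regularly" recommendation later in the deck is meant to close.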

Inspection

Effective Permissions Inspector (EPI)

Command Line Admin: ACLs

ACL Considerations

Windows Compatible

ACL Considerations

Stored as Extended Attributes

Can be enabled/disabled on the fly

ACL Considerations

Extended Attribute aware tools

Command Line Admin: Other Extended Attribute aware tools

Command Line Admin

Standards are good

Map shares to those who share

Apply ACLs Gradually

Deny ACLs are a last resort

Propagate Regularly

Who - Users & Groups

What - Ownership & Permissions

HOW?

Local Folder Sharing

The Shared Folder

The Sticky Bit

Command Line Admin: Sticky Bit

OS X Network File Sharing

FileVault

OS X Server Share Points

Protocol Options

Spotlight

WebDAV

OS X Server: Standard Configuration

Share Server Performance Tips

One dedicated share server for every 150 remote home directory users

No more than 300 PHDs (portable home directories) per server

Monitor Spotlight Indexing on share servers

Use MCXRedirector for ~/Library/Caches

Protocol Ports

*From Mac OS X Server File Services Administration for Version 10.5 Leopard

Protocol Security

*From Mac OS X Server File Services Administration for Version 10.5 Leopard

Service ACLs

Service ACLs != Firewall

Services Access

Limited Administration

Server Admin

Workgroup Manager

Service ACLs

OS X Server: Standard Configuration

Other ACLs - DNS

Other ACLs - LDAP

Airport ACLs

Expanding OS X ACLs

Sandbox on OS X Client

Expanding OS X ACLs

Who, What & How

Thanks.
