Effective Access Control with Directories, Services, and Share Points
Macworld 2009: IT845
Download Session Presentations http://macpres09.shownets.net
Q&A – MacIT® Conference
We are using Google Moderator to take questions for this session.
1. Go to http://tinyurl.com/633v6e
2. Pick the topic that matches this session
3. Sign in using a Google Account (User Name: macworldexpo09, Password: macworld09)
4. Submit the questions you want to ask
5. Vote on others’ questions you want answered
AFP, NFS, ACLs, POSIX, Share Points, SACLs, Users, Groups, SMB, Spotlight, Permissions, Authentication, Ownership, Authorization, Security, XATTRs, ACEs, DNS, LDAP
Mac OS X Users
Standard
Administrator
Managed with Parental Controls
Sharing
Guest
Root (System Administrator)
Local or Directory
Ownership & Permissions
Ownership
Owner, Group, Other or World
Folder Permissions
POSIX Folder
File
Owner, Group, Other or World
Permissions
Ownership
Owner, Group
Command Line Admin: POSIX Permissions
Command Line Admin: Locked Files
See chflags man page for more
Access Control Lists (ACLs)
ACLs - OS X
Limited ACLs via Finder
ACLs - OS X Server
OS X ACLs
Access Control Entries (ACEs)
• User - Local or Network User or Group
• Type - Allow or Deny
• Permission - 17 options in each ACE
• Inheritance
Inherited vs. Explicit ACEs
ACE Precedence
ACEs evaluated from top to bottom
Allow ACEs are cumulative
Deny ACEs
Deny ACEs override all
POSIX and ACLs
POSIX and ACLs coexist
ACLs evaluated first
POSIX permissions used if no ACE matched
Deny ACEs STILL override
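As an added illustration (not part of the session), the evaluation order above as a small Python model: ACEs are walked top to bottom, allow entries accumulate, POSIX bits are consulted only for rights no ACE mentioned, and a deny wins over both. The users, groups and share layout are constructed for the example, and the model follows the rules as the slides state them rather than Apple's implementation.

```python
from dataclasses import dataclass, field

# Constructed directory data (hypothetical users and group memberships).
GROUPS = {"alice": {"staff", "design"}, "bob": {"staff"}, "eve": set()}

@dataclass
class ACE:
    who: str            # user or group name the entry applies to
    kind: str           # "allow" or "deny"
    perms: frozenset    # rights this entry grants or denies

@dataclass
class Node:
    owner: str
    group: str
    mode: int           # POSIX mode bits, e.g. 0o750
    acl: list = field(default_factory=list)   # ordered ACEs, top to bottom

def matches(ace: ACE, user: str) -> bool:
    return ace.who == user or ace.who in GROUPS.get(user, set())

def posix_perms(node: Node, user: str) -> set:
    """Rights the owner/group/other triplet grants this user."""
    if user == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in GROUPS.get(user, set()):
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return {name for name, bit in (("read", 4), ("write", 2), ("execute", 1)) if bits & bit}

def effective_perms(node: Node, user: str) -> set:
    """Effective rights for `user`, following the order stated on the slides."""
    allowed, denied = set(), set()
    for ace in node.acl:                       # ACLs evaluated first, top to bottom
        if matches(ace, user):
            (denied if ace.kind == "deny" else allowed).update(ace.perms)  # allows accumulate
    # POSIX decides only the rights no ACE spoke to; a deny still overrides everything.
    undecided = {"read", "write", "execute"} - allowed - denied
    return (allowed | (posix_perms(node, user) & undecided)) - denied

# Constructed share point: "staff" may read, "design" may also write,
# but alice is explicitly denied write even though her "design" membership allows it.
PROJECTS = Node("root", "staff", 0o750, [
    ACE("staff", "allow", frozenset({"read", "execute"})),
    ACE("design", "allow", frozenset({"write"})),
    ACE("alice", "deny", frozenset({"write"})),
])
```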
Propagation
Commonly misunderstood
Occurs upon file or folder creation
Occurs when Administrator forces it
Does NOT occur when Inheritance is set
Inspection
Effective Permissions Inspector (EPI)
Command Line Admin: ACLs
ACL Considerations
• Windows Compatible
• Stored as Extended Attributes
• Can be enabled/disabled on the fly
• Extended Attribute aware tools
Command Line Admin: Other Extended Attribute aware tools
Standards are good
Map shares to those who share
Apply ACLs Gradually
Deny ACLs are a last resort
Propagate Regularly
Who - Users & Groups
What - Ownership & Permissions
Local Folder Sharing
The Shared Folder
The Sticky Bit
Command Line Admin: Sticky Bit
OS X Network File Sharing
OS X Server Share Points
OS X Server Standard Configuration
Share Server Performance Tips
One dedicated share server for every 150 remote home directory users
No more than 300 PHDs/server
Monitor Spotlight Indexing on share servers
Use MCXRedirector for ~/Library/Caches
Protocol Ports
*From Mac OS X Server File Services Administration for Version 10.5 Leopard
Protocol Security
Service ACLs != Firewall
Limited Administration
Server Admin
Workgroup Manager
Service ACLs
OS X Server Standard Configuration
Other ACLs - LDAP
Expanding OS X ACLs
Sandbox on OS X Client
Additional Resources
• Mac OS X Server Resources: http://www.apple.com/server/macosx/resources/
• Mac OS X Server File Services Administration: http://images.apple.com/server/macosx/docs/File_Services_Admin_v10.5.pdf
• Apple Discussions Forum - Mac OS X Server v10.5 Leopard > File Sharing: http://discussions.apple.com/forum.jspa?forumID=1233
More Additional Resources
• Leopard's Built-in Network Home Folder Redirector: http://www.afp548.com/article.php?story=MCXRedirector
• Bombich's Service Access Control Lists Utility: http://www.bombich.com/mactips/scripts.html
• Sandbox 2 - Access control lists for Mac OS X Client: http://www.mikey-san.net/sandbox/