Macworld 2009

1. Effective Access Control
with Directories, Services, and Share Points
Macworld 2009: IT845

2. Download Session Presentations
http://macpres09.shownets.net

3. Q&A – MacIT® Conference
We are using Google Moderator to take questions for
this session.
1. Go to http://tinyurl.com/633v6e
2. Pick the topic that matches this session
3. Sign in using a Google Account
User Name: macworldexpo09
Password: macworld09
4. Submit the questions you want to ask
5. Vote on others’ questions you want answered

4. Hello.

6. Access Control

7. Spotlight LDAP
NFS
Authentication AFP
Authorization Ownership
Security SMB
Users Permissions
Groups
XATTRs
ACLs SACLs
POSIX
ACEs Share Points DNS

9. WHO Needs Access?

10. WHAT?

11. HOW?

12. Users & Groups

13. Mac OS X Users
Standard
Administrator
Managed with Parental Controls
Sharing
Guest
Root (System Administrator)

14. Local or Directory

15. Groups

16. Ownership & Permissions

17. Ownership
Owner
Group
Other or World

18. File Permissions

19. Folder Permissions

20. POSIX
Ownership Folder
Owner
Group
File
Permissions
Owner
Group
Other or World

21. Command Line Admin
POSIX Permissions

22. Locked Files

23. Command Line Admin
Locked Files
See chflags man page for more

24. External Volumes

27. Access Control Lists
(ACLs)

28. ACLs - OS X
Limited ACLs via Finder

29. ACLs - OS X Server

30. OS X ACLs
• User
Access Control Entries (ACEs)
• Type
• Permission
• Inheritance

31. OS X ACLs
User - Local or Network User or Group
Type - Allow or Deny

32. OS X ACLs
17 options in each ACE

33. ACE Inheritance

34. ACE Inheritance

35. ACE Inheritance

36. ACE Inheritance

37. ACE Inheritance

38. ACE Inheritance

39. Inherited vs. Explicit ACEs

40. ACE Precedence
ACEs evaluated from top to bottom
Allow ACEs are cumulative

41. Deny ACEs
Deny ACEs override all

42. POSIX and ACLs
POSIX and ACLs coexist
ACLs evaluated first
POSIX permissions used if no ACE matched
Deny ACEs STILL override

43. Propagation
Commonly misunderstood
Occurs upon file or folder creation
Occurs when Administrator forces it
Does NOT occur when Inheritance is set

44. Inspection
Effective Permissions Inspector
(EPI)

45. Command Line Admin
ACLs

46. Command Line Admin
ACLs

47. ACL Considerations
Windows Compatible

48. ACL Considerations
Stored as Extended Attributes
Can be enabled/disabled on the fly

49. ACL Considerations
Extended Attribute aware tools

50. Command Line Admin
Other Extended Attribute aware tools

51. Command Line Admin
Other Extended Attribute aware tools

52. Standards are good

53. Map shares to those who share

54. Apply ACLs Gradually

55. Deny ACLs are a last resort

56. Propagate Regularly

57. Who - Users & Groups
What - Ownership & Permissions

58. HOW?

59. Local Folder Sharing

60. Local Folder Sharing

61. Local Folder Sharing

62. The Shared Folder
The Sticky Bit

63. Command Line Admin
Sticky Bit

64. OS X Network File Sharing

65. OS X Network File Sharing

66. OS X Network File Sharing

67. OS X Network File Sharing

68. FileVault

69. OS X Server Share Points

70. Protocol Options

71. Protocol Options

72. Spotlight

73. WebDAV

74. OS X Server
Standard Configuration

75. OS X Server
Standard Configuration

76. OS X Server
Standard Configuration

77. Share Server Performance Tips
One dedicated share server for every 150
remote home directory users
No more than 300 PHDs/server
Monitor Spotlight Indexing on share servers
Use MCXRedirector for ~/Library/Caches

78. Protocol Ports
*From Mac OS X Server File Services Administration for Version 10.5 Leopard

79. Protocol Security
*From Mac OS X Server File Services Administration for Version 10.5 Leopard

80. Service ACLs

81. Service ACLs

82. Service ACLs != Firewall

83. Services Access

84. Limited Administration

85. Service ACLs
Server Admin
Workgroup Manager

86. OS X Server
Standard Configuration

87. Other ACLs - DNS

88. Other ACLs - LDAP

89. Airport ACLs

90. Expanding OS X ACLs
Sandbox on OS X Client

91. Expanding OS X ACLs

92. Additional Resources
• http://www.apple.com/server/macosx/resources/
Mac OS X Server Resources
• http://images.apple.com/server/macosx/docs/
File_Services_Admin_v10.5.pdf
Mac OS X Server File Services Administration
• http://discussions.apple.com/forum.jspa?forumID=1233
Apple Discussions Forum - Mac OS X Server v10.5
Leopard > File Sharing

93. More Additional Resources
• http://www.afp548.com/article.php?
story=MCXRedirector
Leopard's Built-in Network Home Folder Redirector
• http://www.bombich.com/mactips/scripts.html
Bombich’s Service Access Control Lists Utility
• http://www.mikey-san.net/sandbox/
Sandbox 2 - Access control lists for Mac OS X Client

97. Who, What & How

101. Thanks.

102. Download Session Presentations
http://macpres09.shownets.net