Tuesday, November 15, 2011

OS X Service ACLs com.apple.access_*

To place ACLs on OS X services, you can create groups like this:
sudo dseditgroup -o create -t group com.apple.access_loginwindow
sudo dseditgroup -o edit -a auser -t user com.apple.access_loginwindow
which in this case limits who can log in at the console (i.e. through loginwindow) to just the user 'auser'. You can check the membership with:
$ dscl . -read /Groups/com.apple.access_loginwindow
AppleMetaNodeLocation: /Local/Default
GroupMembership: auser
PrimaryGroupID: 504
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups

Similar groups control access to other services, such as com.apple.access_ssh and com.apple.access_screensharing.
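The dscl read above tells you who is in one group; the script below, an added example rather than anything from the original post, turns that into a small audit of the com.apple.access_* groups named here (loginwindow, ssh, screensharing). It parses dscl-style group records into a member list and classifies a user as allowed, denied, or "open" (the group does not exist, so the service is unrestricted, which is the default state and the case most easily overlooked). The SAMPLE_SSH_RECORD text is a constructed stand-in for real dscl output so the parsing functions can be exercised on any POSIX shell; the audit loop at the end only queries the directory when dscl is present.

```shell
#!/bin/sh
# Added example, not from the original post: audit the com.apple.access_*
# service ACL groups. The parsing functions work on the text format that
# `dscl . -read /Groups/<group>` prints, so they run on a constructed sample
# off-Mac; the audit loop at the bottom queries the live directory only
# when dscl exists.

# Constructed sample of `dscl . -read /Groups/com.apple.access_ssh` output
# (two direct members; the real command prints the same attribute layout).
SAMPLE_SSH_RECORD='AppleMetaNodeLocation: /Local/Default
GroupMembership: auser buser
PrimaryGroupID: 505
RecordName: com.apple.access_ssh
RecordType: dsRecTypeStandard:Groups'

# members_from_record: read a dscl group record on stdin and print the
# GroupMembership values one per line (prints nothing for an empty group).
members_from_record() {
    awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
}

# acl_decision USER RECORD: print one of
#   open    - RECORD is empty (the group does not exist), so the service is
#             unrestricted; this is the default and the easy-to-miss case
#   allowed - USER is listed as a direct member
#   denied  - the group exists but USER is not listed
# Nested groups (NestedGroups attribute) also grant access on a real system
# and are not expanded here, so "denied" means "not a direct member".
acl_decision() {
    user=$1
    record=$2
    if [ -z "$record" ]; then
        echo open
    elif printf '%s\n' "$record" | members_from_record | grep -qx -- "$user"; then
        echo allowed
    else
        echo denied
    fi
}

# live_record GROUP: fetch the record from the local directory node; prints
# nothing if the group does not exist (dscl exits non-zero in that case).
live_record() {
    dscl . -read "/Groups/$1" 2>/dev/null || true
}

# Audit loop for the three services named in the post; runs only where
# dscl exists (macOS). Elsewhere, demonstrate the decision on the sample.
if command -v dscl >/dev/null 2>&1; then
    for svc in loginwindow ssh screensharing; do
        g="com.apple.access_$svc"
        rec=$(live_record "$g")
        if [ -z "$rec" ]; then
            echo "$g: not present, service unrestricted"
        else
            echo "$g: $(printf '%s\n' "$rec" | members_from_record | tr '\n' ' ')"
        fi
    done
else
    echo "dscl not found; decision for auser on sample: $(acl_decision auser "$SAMPLE_SSH_RECORD")"
fi
```

Run it with sudo on the machine being audited; a group reported as "not present" means that service is not restricted at all, and creating the group as shown above is what switches the ACL on. Because only GroupMembership is parsed, a user who reaches the service through a nested group will show as denied here even though the system lets them in.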
