Last active
June 13, 2018 23:15
-
-
Save hakanai/d7507c23f2396e33c4c18c0ac91b7433 to your computer and use it in GitHub Desktop.
APFS XAttr com.apple.system.Security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| APFS XAttr com.apple.system.Security | |
| ==================================== | |
| Original command I ran: | |
| chmod +a 'group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit' file | |
| Resulting xattr: | |
| 01 2c c1 6d - kauth_filesec.fsec_magic | |
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - kauth_filesec.fsec_owner | |
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - kauth_filesec.fsec_group | |
| 00 00 00 01 - kauth_acl.acl_entrycount | |
| 00 00 00 00 - kauth_acl.acl_flags | |
| Repeated section here: | |
| { | |
| ab cd ef ab cd ef ab cd ef ab cd ef 00 00 00 14 - kauth_ace.ace_applicable - a GUID for who the rule applies to | |
| If == ab cd ef ab cd ef ab cd ef ab cd ef xx xx xx xx, | |
| then the xx xx xx xx is big endian int group ID. | |
| Several of these are considered "Well Known GUIDs": | |
| 00 00 00 0C = KAUTH_WKG_EVERYBODY | |
| FF FF FF FE = KAUTH_WKG_NOBODY | |
| 00 00 00 0A = KAUTH_WKG_OWNER | |
| 00 00 00 10 = KAUTH_WKG_GROUP | |
| But if you look in /etc/group, these groups are even in there. | |
| If it doesn't start with that, it's the GUID for a user. | |
| (Or maybe it's possible to have groups with GUIDs too?) | |
| 00 00 00 61 - kauth_ace.ace_flags: KAUTH_ACE_DIRECTORY_INHERIT + | |
| KAUTH_ACE_FILE_INHERIT + | |
| KAUTH_ACE_PERMIT | |
| #define KAUTH_ACE_KINDMASK 0xf | |
| #define KAUTH_ACE_PERMIT 1 | |
| #define KAUTH_ACE_DENY 2 | |
| #define KAUTH_ACE_AUDIT 3 | |
| #define KAUTH_ACE_ALARM 4 | |
| #define KAUTH_ACE_INHERITED (1<<4) | |
| #define KAUTH_ACE_FILE_INHERIT (1<<5) | |
| #define KAUTH_ACE_DIRECTORY_INHERIT (1<<6) | |
| #define KAUTH_ACE_LIMIT_INHERIT (1<<7) | |
| #define KAUTH_ACE_ONLY_INHERIT (1<<8) | |
| #define KAUTH_ACE_SUCCESS (1<<9) /* not implemented (AUDIT/ALARM) */ | |
| #define KAUTH_ACE_FAILURE (1<<10) /* not implemented (AUDIT/ALARM) */ | |
| #define KAUTH_ACE_GENERIC_ALL (1<<21) | |
| #define KAUTH_ACE_GENERIC_EXECUTE (1<<22) | |
| #define KAUTH_ACE_GENERIC_WRITE (1<<23) | |
| #define KAUTH_ACE_GENERIC_READ (1<<24) | |
| 00 00 0f ee - kauth_ace.ace_rights: KAUTH_VNODE_READ_SECURITY + | |
| KAUTH_VNODE_WRITE_EXTATTRIBUTES + | |
| KAUTH_VNODE_READ_EXTATTRIBUTES + | |
| KAUTH_VNODE_WRITE_ATTRIBUTES + | |
| KAUTH_VNODE_READ_ATTRIBUTES + | |
| KAUTH_VNODE_DELETE_CHILD + | |
| KAUTH_VNODE_APPEND_DATA + | |
| KAUTH_VNODE_EXECUTE + | |
| KAUTH_VNODE_WRITE_DATA + | |
| KAUTH_VNODE_READ_DATA | |
| (10 flags here plus 2 flags in ace_flags = | |
| the 12 flags we provided on the command-line) | |
| #define KAUTH_VNODE_READ_DATA (1<<1) | |
| #define KAUTH_VNODE_WRITE_DATA (1<<2) | |
| #define KAUTH_VNODE_EXECUTE (1<<3) | |
| #define KAUTH_VNODE_DELETE (1<<4) | |
| #define KAUTH_VNODE_APPEND_DATA (1<<5) | |
| #define KAUTH_VNODE_DELETE_CHILD (1<<6) | |
| #define KAUTH_VNODE_READ_ATTRIBUTES (1<<7) | |
| #define KAUTH_VNODE_WRITE_ATTRIBUTES (1<<8) | |
| #define KAUTH_VNODE_READ_EXTATTRIBUTES (1<<9) | |
| #define KAUTH_VNODE_WRITE_EXTATTRIBUTES (1<<10) | |
| #define KAUTH_VNODE_READ_SECURITY (1<<11) | |
| #define KAUTH_VNODE_WRITE_SECURITY (1<<12) | |
| #define KAUTH_VNODE_TAKE_OWNERSHIP (1<<13) | |
| #define KAUTH_VNODE_SYNCHRONIZE (1<<20) | |
| #define KAUTH_VNODE_LINKTARGET (1<<25) | |
| #define KAUTH_VNODE_CHECKIMMUTABLE (1<<26) | |
| #define KAUTH_VNODE_SEARCHBYANYONE (1<<29) | |
| #define KAUTH_VNODE_NOIMMUTABLE (1<<30) | |
| #define KAUTH_VNODE_ACCESS (1<<31) | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment