[CalendarServer-users] Client library and admin tool

Scott Buchanan dscottbuch at mac.com
Wed Apr 2 19:44:10 PDT 2008


I tried it and get the following, with no change to the ACLs:

Add ACL before [1 - 6] or cancel [q]: 1
Principal Type:
   1. Principal path
   2. All
   3. Authenticated
   4. Unauthenticated
   5. Property
Select type: 1
Enter principal path: /principals/groups/4dsvn
Invert principal [y/n]: n
Grant or Deny privileges [g/d]: d
   a. {DAV}read
   b. {DAV}write
   c. {DAV}write-properties
   d. {DAV}write-content
   e. {DAV}read-acl
   f. {DAV}read-current-user-privilege-set
   g. {DAV}write-acl
   h. {DAV}bind
   i. {DAV}unbind
   j. {DAV}all
   k. {CALDAV}read-free-busy
   l. {CALDAV}schedule
   q. quit without changes
Select multiple items: i
Ignoring error

Note that 4dsvn is the software group.

On Apr 2, 2008, at 6:44 PM, Scott Buchanan wrote:

> Cyrus,
> That makes sense (I've done enough ACLs to at least get the
> principle). It would be nice to find a tutorial with, or without,
> the GUI.
> On Apr 2, 2008, at 6:31 PM, Cyrus Daboo wrote:
>> Hi Scott,
>> --On April 2, 2008 5:50:14 PM -0700 Scott Buchanan <dscottbuch at mac.com> wrote:
>>> I've installed the CS on a Tiger server and everything is working. I
>>> want to use the calendars for the groups (our SW group for example) and
>>> this works fine BUT I don't want individuals of the group to be able to
>>> delete the entire calendar which is very easy to do by mistake from iCal
>>> for example. They need to be able to add and edit events, but not the
>>> whole calendar.
>>> The only way I can see to do this is to somehow edit the acl for the
>>> .../swgroup/calendar/ directory so that it can not be deleted but I'm
>>> not enough of an expert on ACLs in general, and DAV acls in particular.
>> Ok, this is one of the more complex parts of WebDAV ACLs.
>> Bottom line is you need to deny the DAV:unbind privilege on the  
>> parent of the calendar. That will prevent the specified users from  
>> deleting anything within that parent collection.
>> Something like this would work:
>> 1. Start the shell:
>>> ./runshell.py --server=... --user=... --password=...
>> 2. Navigate to the parent directory of the calendars you want to  
>> "protect":
>> / > cd /calendars/groups/testgroup
>> 3. Run the ACL interactive mode:
>> /calendars/groups/testgroup > acl -i
>> 4. Use the add command:
>> ACL > add
>> 5. You will then get a list of existing privileges. You will
>> probably want to insert the one to block deletes above all the
>> existing ones as the order of privileges counts when determining
>> access. So enter 1:
>> Add ACL before [1 - 7] or cancel [q]: 1
>> 6. You will then get prompted for a "principal type". This  
>> determines who the new privilege will apply to. In this case we  
>> want it to apply to everyone in a specific group, so enter 1:
>> Select type: 1
>> 7. You will then get prompted to enter the principal path, so enter  
>> the path to the group you want to "block":
>> Enter principal path: /principals/groups/swgroup
>> 8. In WebDAV you can have the privilege apply to the specified  
>> principal or apply to all principals that do not match that  
>> (invert). In this case we want the former so enter n:
>> Invert principal [y/n]: n
>> 9. Next the prompt is for whether a privilege is being granted or  
>> denied. In this case we want deny, so enter d:
>> Grant or Deny privileges [g/d]: d
>> 10. Then the prompt will be a list of all the privileges that can be
>> denied. In this case you want DAV:unbind so enter i:
>> Select multiple items: i
>> 11. At that point the shell tool should write out the new  
>> privileges. Use the list command to verify it is there. Then, as a  
>> member of the group try to delete a calendar. Hopefully you won't  
>> be able to!
>> As you can see there are a lot of steps involved in managing ACLs  
>> and you do need to understand how the order and sets of privileges  
>> and invert, grant/deny etc all work.
>> Of course one could write a GUI for this that would just give a set
>> of checkboxes to check off and it would look a lot easier than the
>> command line approach.
>> -- 
>> Cyrus Daboo
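
Added example, not part of the original thread and not code from CalendarServer or its shell tool: it builds the WebDAV ACL request body (RFC 3744) that corresponds to the steps quoted above and shows why the deny ACE for DAV:unbind has to sit before the existing grants. The existing grant ACE, the user path and the single-privilege evaluator are assumptions made for illustration; a real server's evaluation may differ in detail.

```python
# Added illustration: not CalendarServer code, not the shell tool's code.
import xml.etree.ElementTree as ET

D = "{DAV:}"
ET.register_namespace("D", "DAV:")
# RFC 3744 section 3.12: DAV:write must contain these four privileges.
AGGREGATES = {"write": {"write", "bind", "unbind",
                        "write-properties", "write-content"}}

def ace(principal_href, action, privileges):
    """Build one DAV:ace element; action is 'grant' or 'deny'."""
    node = ET.Element(D + "ace")
    ET.SubElement(ET.SubElement(node, D + "principal"), D + "href").text = principal_href
    act = ET.SubElement(node, D + action)
    for name in privileges:
        ET.SubElement(ET.SubElement(act, D + "privilege"), D + name)
    return node

def acl_body(aces):
    """Serialize the ordered ACE list as the body of a WebDAV ACL request."""
    root = ET.Element(D + "acl")
    root.extend(aces)
    return ET.tostring(root, encoding="unicode")

def allowed(aces, user_principals, needed):
    """Walk ACEs top-down; the first matching ACE naming `needed` decides."""
    for node in aces:
        href = node.find(D + "principal/" + D + "href")
        if href is None or href.text not in user_principals:
            continue  # ACE does not apply to this user
        for action in ("grant", "deny"):
            privs = set()
            for p in node.iterfind(D + action + "/" + D + "privilege/*"):
                name = p.tag[len(D):]
                privs |= AGGREGATES.get(name, {name})
            if needed in privs:
                return action == "grant"
    return False  # never granted

GROUP = "/principals/groups/swgroup"                 # group path from the thread
existing = ace(GROUP, "grant", ["read", "write"])    # constructed sample ACE
deny = ace(GROUP, "deny", ["unbind"])                # the ACE added in steps 4-10
member = {"/principals/users/alice", GROUP}          # hypothetical group member

if __name__ == "__main__":
    print(acl_body([deny, existing]))                # body for the parent collection
    print("deny inserted at 1:", allowed([deny, existing], member, "unbind"))
    print("deny appended last:", allowed([existing, deny], member, "unbind"))
```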