[CalendarServer-users] Client library and admin tool

Scott Buchanan dscottbuch at mac.com
Fri Apr 4 07:22:09 PDT 2008 

Hi again,

Any idea why the ACL doesn't change and why the error (Ignoring  
error)?  Also, is there any way with runshell.py to increase the  
reporting?

thanks,
On Apr 2, 2008, at 7:44 PM, Scott Buchanan wrote:

> OK,
>
> I tried is a get the following, with no change to the acls
>
> Add ACL before [1 - 6] or cancel [q]: 1
> Principal Type:
>  1. Principal path
>  2. All
>  3. Authenticated
>  4. Unauthenticated
>  5. Property
> Select type: 1
> Enter principal path: /principals/groups/4dsvn
> Invert principal [y/n]: n
> Grant or Deny privileges [g/d]: d
> Privileges:
>  a. {DAV}read
>  b. {DAV}write
>  c. {DAV}write-properties
>  d. {DAV}write-content
>  e. {DAV}read-acl
>  f. {DAV}read-current-user-privilege-set
>  g. {DAV}write-acl
>  h. {DAV}bind
>  i. {DAV}unbind
>  j. {DAV}all
>  k. {CALDAV}read-free-busy
>  l. {CALDAV}schedule
>  q. quit without changes
> Select multiple items: i
> Ignoring error
> ACL >
>
> note that 4dsvn is the software group.
>
> On Apr 2, 2008, at 6:44 PM, Scott Buchanan wrote:
>
>> Cyrus,
>>
>> That makes sense (I've done enough ACL's to at least get the  
>> principle).  It would be nice to find a tutorial with, or without,  
>> the GUI.
>>
>> On Apr 2, 2008, at 6:31 PM, Cyrus Daboo wrote:
>>
>>> Hi Scott,
>>>
>>> --On April 2, 2008 5:50:14 PM -0700 Scott Buchanan <dscottbuch at mac.com 
>>> > wrote:
>>>
>>>> I've installed the CS on a Tiger server and everything is  
>>>> working.  I
>>>> want to use the calendars for the groups (our SW group for  
>>>> example) and
>>>> this works fine BUT I don't want individuals of the group to be  
>>>> able to
>>>> delete the entire calendar which is very easy to do by mistake  
>>>> from iCal
>>>> for example.  They need to be able to add and edit events, but  
>>>> not the
>>>> whole calendar.
>>>>
>>>> The only way I can see to do this is to somehow edit the acl for  
>>>> the
>>>> .../swgroup/calendar/  directory so that it can not be deleted  
>>>> but I'm
>>>> not enough of an expert on ACL's in general, and DAV acls in  
>>>> particular.
>>>
>>> Ok, this is one of the more complex parts of WebDAV ACLs.
>>>
>>> Bottom line is you need to deny the DAV:unbind privilege on the  
>>> parent of the calendar. That will prevent the specified users from  
>>> deleting anything within that parent collection.
>>>
>>> Something like this would work:
>>>
>>> 1. Start the shell:
>>>
>>>> ./runshell.py --server=... --user=... --password=...
>>>
>>> 2. Navigate to the parent directory of the calendars you want to  
>>> "protect":
>>>
>>> / > cd /calendars/groups/testgroup
>>>
>>> 3. Run the ACL interactive mode:
>>>
>>> /calendars/groups/testgroup > acl -i
>>>
>>> 4. Use the add command:
>>>
>>> ACL > add
>>>
>>> 5. You will then get a list of existing privileges. You will  
>>> probably want to insert the the one to block deletes above all the  
>>> existing ones as the order of privileges counts when determining  
>>> access. So enter 1:
>>>
>>> Add ACL before [1 - 7] or cancel [q]: 1
>>>
>>> 6. You will then get prompted for a "principal type". This  
>>> determines who the new privilege will apply to. In this case we  
>>> want it to apply to everyone in a specific group, so enter 1:
>>>
>>> Select type: 1
>>>
>>> 7. You will then get prompted to enter the principal path, so  
>>> enter the path to the group you want to "block":
>>>
>>> Enter principal path: /principals/groups/swgroup
>>>
>>> 8. In WebDAV you can have the privilege apply to the specified  
>>> principal or apply to all principals that do not match that  
>>> (invert). In this case we want the former so enter n:
>>>
>>> Invert principal [y/n]: n
>>>
>>> 9. Next the prompt is for whether a privilege is being granted or  
>>> denied. In this case we want deny, so enter d:
>>>
>>> Grant or Deny privileges [g/d]: d
>>>
>>> 10. Then the prompt will be list of all the privileges that can be  
>>> denied. In this case you want DAV:unbind so enter i:
>>>
>>> Select multiple items: i
>>>
>>> 11. At that point the shell tool should write out the new  
>>> privileges. Use the list command to verify it is there. Then, as a  
>>> member of the group try to delete a calendar. Hopefully you won't  
>>> be able to!
>>>
>>> As you can see there are a lot of steps involved in managing ACLs  
>>> and you do need to understand how the order and sets of privileges  
>>> and invert, grant/deny etc all work.
>>>
>>> Of course one could write a GUI for this that would just give a  
>>> set of checkboxes to check off and it would look at lot easier  
>>> than the command line approach.
>>>
>>> -- 
>>> Cyrus Daboo
>>>
>>
>> _______________________________________________
>> calendarserver-users mailing list
>> calendarserver-users at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo/calendarserver-users
>

More information about the calendarserver-users mailing list