To create an account in the Users folder
dscl / -create /Users/addfromcli
Create and set the shell property to bash.
dscl / -create /Users/addfromcli UserShell /bin/bash
Create and set the user’s full name. (Displayed in some of the panels/login screen)
dscl / -create /Users/addfromcli RealName "Added From Cli"
Create and set the user’s ID. (This is the unique ID; you need to find out what ID your last created user has and add one.)
dscl / -create /Users/addfromcli UniqueID 503
Create and set the user’s group ID property. (This can be your default group)
dscl / -create /Users/addfromcli PrimaryGroupID 1000
Create and set the user home directory.
dscl / -create /Users/addfromcli NFSHomeDirectory /Local/Users/addfromcli
Set the password. (Don't use password as a password.)
dscl / -passwd /Users/addfromcli PASSWORD
Some more details can be found on OS X Daily
Apple hides anything it considers a "system" user or group from the GUI. There's probably some way to disable that, but I generally use the command line for system-related stuff.
The command line version comes in two flavors: there is a basic permissions structure with a single owner, a single group, and everyone else, then there are POSIX ACLs. Interestingly, Apple took the route of modifying chmod to support ACLs instead of shipping the standard getfacl and setfacl tools.
$ sudo chmod +a 'group:_www allow add_file,add_subdirectory,list,search,delete_child' /webroot
You may also want the file_inherit and directory_inherit permissions to apply the ACL to created files/directories. See chmod(1) for more details.
The -a option to chmod removes ACL entries.
Best Answer
Yes, you can do it, but it's a bit complicated. Permissions on macOS are rather complex; the Finder hides most of the complexity, but at the command line it's fully exposed and you have to deal with it.
Really short answer: use chmod +a to add access control entries, ls -le to view them, and man chmod and man ls for details.
Medium-length answer: to add (or remove) Read only access for the group mygroup to the folder at /path/to/folder:
For a file, Read only access would be:
To add Read & Write access:
and for a file:
To examine these ACL and check your work:
Advanced usage: you can call chmod =a#, which will rewrite the numbered rule instead of granularly adding or removing the permissions. To just remove an entry of the ACL, chmod -a# wipes that entire entry, like the - control does in the GUI.
Long answer: macOS has two different types of file permissions: standard POSIX (unix-like) permissions, and access control lists (ACLs) consisting of one or more access control entries (ACEs). All files and folders have POSIX permissions, consisting of one user (the owner), one group, and everyone else, and for each of those some combination of read, write, and execute (don't ask) access. They can (but usually don't) have a list of ACEs that allow (or deny, but don't worry about that) access to additional users and/or groups, and have much more detailed control over what access is being allowed (/denied).
The Finder hides the distinction between POSIX permissions and ACEs, but anytime you have more than one user or group, the additional ones are ACEs. So to add access for another group, you need to add an ACE. chmod +a does this. You also need to specify a full list of the types of read and/or write (or other) access being granted. The Finder's idea of "Read only" access corresponds to read,readattr,readextattr,readsecurity, and its "Read & Write" access corresponds to read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity.
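The "check your work" step from the answer above, as an added example that is not part of the original answer: a POSIX shell function that reads ls -le output for a file and labels each ACE with the Finder level it matches, using the two permission lists the answer gives. The listing, report.txt, alice and bob are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answers: label the ACEs that `ls -le`
# prints for a file with the Finder access level they correspond to.

# Permission sets as given in the answer, stored sorted for comparison.
FINDER_RO='read,readattr,readextattr,readsecurity'
FINDER_RW='append,read,readattr,readextattr,readsecurity,write,writeattr,writeextattr'

# Constructed sample of `ls -le report.txt` output (names are made up).
SAMPLE='-rw-r--r--+ 1 alice  staff  120 Jan  1 12:00 report.txt
 0: group:mygroup allow read,readattr,readextattr,readsecurity
 1: user:bob allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 2: group:_www inherited allow read,write,delete
 3: group:everyone deny delete'

# Sort a comma-separated permission list so that order does not matter.
normalize() {
    printf '%s\n' "$1" | tr ',' '\n' | LC_ALL=C sort -u | paste -sd, -
}

# Read `ls -le` output on stdin and print one line per ACE:
#   <index> <principal> <allow|deny> <read-only|read-write|custom>
# The index is the number that chmod =a# and chmod -a# take.
classify_aces() {
    while read -r idx principal kind perms rest; do
        # Keep only ACE lines such as " 0: group:mygroup allow read,..."
        case $idx in [0-9]*:) ;; *) continue ;; esac
        case $principal in user:*|group:*) ;; *) continue ;; esac
        # Inherited entries carry an extra word before allow/deny.
        if [ "$kind" = inherited ]; then kind=$perms; perms=$rest; fi
        case $(normalize "$perms") in
            "$FINDER_RO") level=read-only ;;
            "$FINDER_RW") level=read-write ;;
            *) level=custom ;;
        esac
        printf '%s %s %s %s\n' "${idx%:}" "$principal" "$kind" "$level"
    done
}

# On a Mac: ls -le /path/to/file | classify_aces
printf '%s\n' "$SAMPLE" | classify_aces
```

Entries reported as custom are the ones to read by hand, since they grant or deny something other than the two Finder levels.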