Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack

ACE Protection

An afterthought. Be safe.



Apple took some pains to make sure your root level is secure. You should do the same in your home.

This is what your root should look like on Mojave, using ACL.



The directories with names in bold - /Applications, /Library, /System - are all protected.



They're all marked with an access control entry (ACE) to deny deletion for the group 'everyone'.

That's it. (There's good reason for this precaution of course.)

But you should do the same for your own home area - unless you've got nothing against suddenly losing your desktop, your documents, your movies, your music, and your pictures through a slight mishap.

This is mostly easier done than said. Simply navigate to your own home directory and 'ACL' away.
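
The same check-and-protect step from the command line, as an added example (not Rixstep's code or tool): it assumes stock macOS `ls -led` and `chmod +a`, and takes its folder list from the paragraph above. The function names, the `LISTER` hook and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the home folders named above for the deny-delete ACE.
# Assumes stock macOS `ls -led` (lists ACEs) and `chmod +a` (adds one).

# Constructed samples of `ls -led` output, not taken from the page.
SAMPLE_PROTECTED='drwx------+ 5 user  staff  160 Jan  1 12:00 /Users/user/Desktop
 0: group:everyone deny delete'
SAMPLE_BARE='drwx------  5 user  staff  160 Jan  1 12:00 /Users/user/Music'

# Succeeds when the listing on stdin has an ACE denying 'delete' to 'everyone'.
# 'delete_child' alone does not count: it guards the contents, not the folder.
has_deny_delete() {
    grep -Eq '^ *[0-9]+: group:everyone( inherited)? deny ([a-z_]+,)*delete(,|$)'
}

# Prints one chmod command per folder under $1 that lacks the ACE.
# LISTER (hypothetical hook) replaces `ls -led` so the logic can be tested.
plan_protection() {
    home=$1
    for d in Desktop Documents Movies Music Pictures; do
        [ -d "$home/$d" ] || continue
        if ! ${LISTER:-ls -led} "$home/$d" 2>/dev/null | has_deny_delete; then
            printf 'chmod +a "group:everyone deny delete" "%s"\n' "$home/$d"
        fi
    done
}

# Dry run by design: nothing is changed, the commands are only printed.
plan_protection "${1:-$HOME}"
```

Review the printed commands and pipe them to `sh` to apply them; `chmod -a` with the same entry removes it again.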

Access Control Lists, Access Control Entries

An access control list is a collection of access control entries. On some systems, they're ordered: the file management entity in the system will evaluate the entries in the order they're given, stopping as soon as it gets a definitive answer to the question 'allow or deny?'

Access control entries normally supersede ordinary file permissions and cover a wide range of filesystem operations, as seen in the second graphic above: appending to files; changing ownership; deleting files; deleting their children; 'execute' (run a file or 'enter' a directory); reading files; reading permissions, extended attributes, and security settings; and writing to files, permissions, extended attributes, and security settings. Access control entries can also be inherited in a number of ways.

Apple previously used other methods to protect things at root level; today the access control list is their preferred method.

See Also
ACL: Access Control

Copyright © Rixstep. All rights reserved.