Take command of permissions

The command line may not be the most intuitive way to control your Mac, but often it’s the fastest—especially when it comes to permissions. These behind-the-scenes settings determine whether you’re allowed to open, change, or delete files and folders. You can use the Finder’s Get Info command (command-I) to view a file’s permissions—but you won’t see all the settings Unix provides, and every now and then you might want to.

When Terminal saves time

Suppose, for example, that you’re a teacher in charge of a computer lab containing 25 Macs. On each computer, you’ve created standard accounts for 5 students, for a total of 125 student accounts. Soon after the students start using the lab, you notice a bit more giggling and frantic typing than you’d expect from students researching Depression-era economics. You nonchalantly stroll to the end of the room and do a quick about-face at one of the desks.

Aha—iChat! Horribly depressed by the comments you read there regarding your fashion sense, you vow to keep students from using that application ever again. You have several options. You could delete iChat from every Mac’s Applications folder. Unfortunately, the computer club meets in your classroom after school, and its members routinely use iChat to communicate. You could set up Parental Controls (see Kid-Proof Your Mac ) for each account … but you’ll have to repeat the task 124 times.

Or you could go to a Mac, fire up Terminal (/Applications/Utilities), and type a quick command to turn off iChat’s execute permissions for standard account holders. (The computer club’s members all have administrator accounts.) And you’ll have to repeat this job only 24 times.

A peek inside permissions

To view iChat’s ownership and permissions information with Terminal, use the

command, like this:

ls -l /Applications/iChat.app/Contents/ MacOS


flag produces a long list —an expanded display showing extra information about each item in the directory (in this case, its single iChat file). Terminal’s response will include something like this:

	total 4400
	-rwxrwxr-x 1 root admin 2252792 Mar 20 21:07 iChat


? You’re seeing Unix shorthand for the application’s permissions, listed in what are supposed to be helpful columns (see screenshot).

Crack the Code Here’s one line of what the ls -al command produces. The letters in the file-mode column aren’t just random—the three distinct sets of information here tell you who’s allowed to do what.

• Type The first character of the line indicates the file type—usually

for a directory,
for a symbolic link (the Unix version of an alias), or, as in this case, a hyphen (
) for a file.

• File Mode Rammed together with the file type is a string of nine characters (in this case,

). It indicates, in a coded format, the actual access permissions for that item (see “Decode File-Mode Code” below).

• Owner Terminal’s response also identifies the account name of whoever owns this file or directory, which is usually whoever created it;

means that OS X itself owns it. That’s why even administrators generally aren’t allowed to delete directories with root ownership. (In the Finder’s Get Info windows, you may see ownership listed as System. That’s Apple’s kinder, gentler term for root.)

• Group After the owner comes the name of the group that owns this file or directory. The

group contains all administrators.

• Path Name At the end of the line (following the file’s size and date) comes the path of this file or directory, relative to the listed directory.

Masterminding your plan

Now, back to the task of keeping iChat from launching. As you look at iChat’s permissions, the

in every user category tells you that anyone can run the program. Your mission, should you choose to accept it, is to change these settings so that one class of account holder (admin) can run iChat, but another class (standard) can’t.

As you’ve seen, every file’s set of permissions identifies both an owner and a group. The group that owns the iChat file is admin. As you would expect, the admin class of users is part of the admin group, so administrators and anyone else in the admin group will have no trouble running the program.

As far as permissions are concerned, standard account holders fall into the “everyone else” category. To complete your task, you just need to turn off iChat’s execute permissions for everyone else. Doing so allows only the file’s owner (root) and members of its group (admin) to execute the file (that is, to open the program). All other account holders—that is, people in the standard group—are out of luck. They’ll actually have to pay attention in class.

Putting it together with chmod

The Unix command for changing file modes (permissions) is

(short for change mode ). Here’s the command you’d use on the iChat file:

chmod o-x /Applications/iChat.app/Con tents/MacOS/iChat

And here’s how it works. The command line begins, naturally, with the

command itself, and ends with the path name of the iChat file.

In between are three characters that make up the three parts of a mode-change clause:

. The first character,
, represents the class of user that the change affects. In this spot, you can type
to symbolize the file’s owner,
for its group,
for other (everyone else), or
to indicate all three classes at once.

The second character represents the operation to perform, which in most cases is either to add a permission using the plus sign (

) or to remove one using the hyphen (
). The final character specifies which permission to change:
for read,
for write, or
for execute.

So the complete

command provided above says, “Remove the execute permissions for others,” which is precisely what you want to do.

Get Permission If you actually try the

command described above, however, you’ll get an error message (“Operation not permitted”). Only the owner of an item can change its permissions, and you’re not iChat’s owner.

So how do you solve the problem? Use the

command. Technically,
is short for superuser do, and it allows you to execute any command as though you’d logged in with the root (superuser) account. If you have the root account—or can simulate one using sudo—you can override any permissions settings, including the ones (like iChat’s) that prevent you from changing items in the Applications directory.

Finally, you’re ready to change the permissions of that infernal iChat application file. To use

, you must preface an entire command line with
followed by a space. Type this:

sudo chmod o-x /Applications/iChat.app/ Contents/MacOS/iChat

This command breaks down as follows:


: “Give me the power to do whatever I want.”


: “Change the file mode … ”


: “ … in this way: remove execute permission for others … ”


/Applications/iChat.app/Contents/ MacOS/iChat
: “ … from the file called iChat, which is inside the Applications/iChat.app/Contents/ MacOS folder.”


will ask for your administrator password, just to confirm that you’re not some seventh-grader up to no good. Now whenever anyone who isn’t an administrator tries to open iChat, its icon will bounce just once in the Dock—nothing more. To restore iChat’s original permissions, use the same command, but replace the hyphen with a plus sign, like this:

sudo chmod o+x /Applications/iChat.app/ Contents/MacOS/iChat

Note that whenever OS X’s Repair Permissions function runs (either automatically, which happens each time you install a Mac OS X update, or manually, via Disk Utility), iChat returns to its original permissions settings. You have to rerun the command.

Decode file-mode code

You don’t need a secret decoder ring to understand Unix permissions, but you do need to familiarize yourself with file-mode code . You’ll see this coded nine-character file-mode section whenever you use Terminal to uncover a file’s permissions.

The code’s three subcolumns correspond to three categories of people: owner, group, and everybody else. Within each sequence, three characters describe the read (

), write (
), and execute (
) permissions this person or group has for this file or directory. A hyphen (
) means “This person isn’t allowed this kind of access.”

By the Book This article was adapted from Mac OS X: The Missing Manual, Tiger Edition , by David Pogue (reprinted by permission of O’Reilly Media, 2005).

Read Access Read access to a file means that someone can open and read it. (In the case of a program like iChat, the system needs to read the file on your behalf in order to run it.) Read access to a directory (folder), on the other hand, just means that someone using Terminal can see a list of its contents using a command such as


Write Access Write access to a file means that someone can modify and save changes to it. Write access to a directory means that someone can add, remove, and rename any item the folder contains (but not necessarily the items within subdirectories).

Execute Access Execute access, when applied to an application, means that someone can run that particular program. (In fact, Unix distinguishes applications from ordinary files by checking the status of this setting.)

[ Contributing Editor David Pogue is the weekly technology columnist for the New York Times. Chris Stone is a coauthor of Mac OS X Panther in a Nutshell (O’Reilly, 2004). ]

Shop ▾
arrow up Amazon Shop buttons are programmatically attached to all reviews, regardless of products' final review scores. Our parent company, IDG, receives advertisement revenue for shopping activity generated by the links. Because the buttons are attached programmatically, they should not be interpreted as editorial endorsements.

Subscribe to the Help Desk Newsletter