Take Control of Permissions in OS X
Editor’s Note: The following article is an excerpt from Take Control of Permissions in Mac OS X, a $10 electronic book available for download from TidBits Electronic Publishing. The 90-page ebook contains complete details on working with permissions from the command line, an explanation of ownership on external disks, information on what Repair Permissions does, and fixes for common permissions problems. This excerpt focuses on a brief overview of permissions followed by instructions on setting permissions through either the Finder’s Info window or third-party tools.
Every item on your computer—be it a file, folder, or disk—belongs to, or is owned by, an account. For instance, when you create a new file, that new file is owned by your user account. If another user, logged into her own account, creates a file, that file will be owned by her user account. In addition to being owned by a particular user account, every item on your computer carries with it a set of permissions that control which user accounts can access it and what kind of access they have.
That, in a nutshell, is the purpose of permissions: They control who can do what to which files, folders, and disks.
Permissions, combined with accounts and ownership, are exceedingly useful for a number of reasons, including:
• Security: Permissions are a critical component in the security model of all Unix-based operating systems, including Mac OS X. For instance, if a standard user account is compromised in some way by a malicious attacker, the attacker should not be able to alter critical system files because the permissions on those files disallow tampering by non-administrator accounts.
• Privacy: Permissions on your private files and folders can be set so that user accounts other than your own have limited access or no access at all.
• Controlled sharing: Because permissions are powerful and flexible, you can exercise a significant degree of control over which users can access items you choose to share and what those users can do with the shared items.
• System integrity: Permissions prevent non-administrator accounts from damaging the system by altering important system items, and they prevent users from tampering with other users’ items.
The anatomy of permissions
Every item on your computer is owned by an account and carries a set of permissions. These permissions control the access that each of three classes—owner, group, and other—has to an item.
Here’s a quick explanation of what I mean by owner, group, and other:
• Owner: The owner is the user account that owns an item, such as a file, folder, or disk. Every item is owned by an account. (Traditionally in Unix, this is known as the user class, and Unix commands abbreviate it with a u.)
• Group: In addition to being owned by a user account, every item is also owned by a group . A group is a set of user accounts conceptually clumped together so permissions can apply to its members collectively. Mac OS X provides a number of default groups, and you can create additional groups.
• Other: Everyone else! Other refers to all user accounts on the system other than the owner and members of the group. You will see this type referred to as “others” (in the Finder’s Info window) and “world” (by other tools).
Permissions for an item say whether owner, group, and other have three permissions:
Effect of Permissions on Files and Folders
|Permission||Effect on Files||Effect on Folders|
|Read||File can be viewed or copied.||A list of items contained in a folder can be viewed if the execute permission is also enabled. Note that the contents of some enclosed items can be viewed even if the read permission is disabled.|
|Write||File can be modified or deleted.||Items can be added to, or removed from, the folder.|
|Execute||File can be run (launched). A common example of a “runnable” file is a Unix shell script. Note that while Unix applications use the execute permission, Mac OS X applications ignore it.||Also known as searchable when applied to folders, the execute permission allows the listing of the folder’ contents provided the read permission is also enabled.|
So, if you mix owner, group, and other with read, write, and execute, you can see that permissions answer the following three sets of questions:
The following example looks more deeply at permissions and explains how to use Terminal to check the permissions on a file. I go into a fair amount of detail so you can apply the principles just discussed in a real-world example:
In this example, I use the ls command on a file called “foo:”
The touch command changes an item’s access and modification times, but if the file you touch doesn’t exist, touch will create it. Because of this convenient side effect, touch is a fast way of creating a new file if you happen to be at the Unix prompt in Terminal.
ls -l foo
This reveals the ownership and permissions of our new file. The output of
ls -l foois:
-rw-r--r-- 1 btanaka staff 0 2 Apr 08:25 foo.
Here’s an explanation of the individual parts of the output:
-rw-r--r--: These characters are the permissions (or, more technically, the file mode) section of the ls output. The permissions appear in three groups of three corresponding to the three owner classes (just as I discussed earlier). The first set,
rw-, specifies that the owner can read and write, but not execute. If the owner were allowed to execute, then the permissions would read
xis the symbol for execute.) The second set,
r--, applies to the group, and specifies that the group can only read. The third set,
r--, specifies that all other accounts have read-only permission.
btanaka: The owner. In this example, my user account, btanaka , owns the file. On your computer, your account will be the owner. Again, the permissions that apply to this user are
rw-, meaning my account can read and write, but not execute.
staff: The group. In this example, the group
staffowns the file. Again, permissions for the group owner are
r--, meaning group members can read only.
0: The file’s size in bytes.
2 Apr 08:25: The date and time of last modification.
foo: The file’s name.
Any individual permission can be changed. For instance, you can allow everyone on the system to alter the file simply by granting write permission to other. (This is known as making the file world writeable . Files can, obviously, also be world-readable .)