Take Control of Permissions in OS X
Editor’s Note: The following article is an excerpt from Take Control of Permissions in Mac OS X, a $10 electronic book available for download from TidBits Electronic Publishing. The 90-page ebook contains complete details on working with permissions from the command line, an explanation of ownership on external disks, information on what Repair Permissions does, and fixes for common permissions problems. This excerpt focuses on a brief overview of permissions followed by instructions on setting permissions through either the Finder’s Info window or third-party tools.
Every item on your computer—be it a file, folder, or disk—belongs to, or is owned by, an account. For instance, when you create a new file, that new file is owned by your user account. If another user, logged into her own account, creates a file, that file will be owned by her user account. In addition to being owned by a particular user account, every item on your computer carries with it a set of permissions that control which user accounts can access it and what kind of access they have.
That, in a nutshell, is the purpose of permissions: They control who can do what to which files, folders, and disks.
Permissions, combined with accounts and ownership, are exceedingly useful for a number of reasons, including:
• Security: Permissions are a critical component in the security model of all Unix-based operating systems, including Mac OS X. For instance, if a standard user account is compromised in some way by a malicious attacker, the attacker should not be able to alter critical system files because the permissions on those files disallow tampering by non-administrator accounts.
• Privacy: Permissions on your private files and folders can be set so that user accounts other than your own have limited access or no access at all.
• Controlled sharing: Because permissions are powerful and flexible, you can exercise a significant degree of control over which users can access items you choose to share and what those users can do with the shared items.
• System integrity: Permissions prevent non-administrator accounts from damaging the system by altering important system items, and they prevent users from tampering with other users’ items.
The anatomy of permissions
Every item on your computer is owned by an account and carries a set of permissions. These permissions control the access that each of three classes—owner, group, and other—has to an item.
Here’s a quick explanation of what I mean by owner, group, and other:
• Owner: The owner is the user account that owns an item, such as a file, folder, or disk. Every item is owned by an account. (Traditionally in Unix, this is known as the user class, and Unix commands abbreviate it with a u.)
• Group: In addition to being owned by a user account, every item is also owned by a group . A group is a set of user accounts conceptually clumped together so permissions can apply to its members collectively. Mac OS X provides a number of default groups, and you can create additional groups.
• Other: Everyone else! Other refers to all user accounts on the system other than the owner and members of the group. You will see this type referred to as “others” (in the Finder’s Info window) and “world” (by other tools).
Permissions for an item say whether owner, group, and other have three permissions:
Effect of Permissions on Files and Folders
|Permission||Effect on Files||Effect on Folders|
|Read||File can be viewed or copied.||A list of items contained in a folder can be viewed if the execute permission is also enabled. Note that the contents of some enclosed items can be viewed even if the read permission is disabled.|
|Write||File can be modified or deleted.||Items can be added to, or removed from, the folder.|
|Execute||File can be run (launched). A common example of a “runnable” file is a Unix shell script. Note that while Unix applications use the execute permission, Mac OS X applications ignore it.||Also known as searchable when applied to folders, the execute permission allows the listing of the folder’ contents provided the read permission is also enabled.|
So, if you mix owner, group, and other with read, write, and execute, you can see that permissions answer the following three sets of questions:
The following example looks more deeply at permissions and explains how to use Terminal to check the permissions on a file. I go into a fair amount of detail so you can apply the principles just discussed in a real-world example:
In this example, I use the ls command on a file called “foo:”
The touch command changes an item’s access and modification times, but if the file you touch doesn’t exist, touch will create it. Because of this convenient side effect, touch is a fast way of creating a new file if you happen to be at the Unix prompt in Terminal.
ls -l foo
This reveals the ownership and permissions of our new file. The output of
ls -l foois:
-rw-r--r-- 1 btanaka staff 0 2 Apr 08:25 foo.
Here’s an explanation of the individual parts of the output:
-rw-r--r--: These characters are the permissions (or, more technically, the file mode) section of the ls output. The permissions appear in three groups of three corresponding to the three owner classes (just as I discussed earlier). The first set,
rw-, specifies that the owner can read and write, but not execute. If the owner were allowed to execute, then the permissions would read
xis the symbol for execute.) The second set,
r--, applies to the group, and specifies that the group can only read. The third set,
r--, specifies that all other accounts have read-only permission.
btanaka: The owner. In this example, my user account, btanaka , owns the file. On your computer, your account will be the owner. Again, the permissions that apply to this user are
rw-, meaning my account can read and write, but not execute.
staff: The group. In this example, the group
staffowns the file. Again, permissions for the group owner are
r--, meaning group members can read only.
0: The file’s size in bytes.
2 Apr 08:25: The date and time of last modification.
foo: The file’s name.
Any individual permission can be changed. For instance, you can allow everyone on the system to alter the file simply by granting write permission to other. (This is known as making the file world writeable . Files can, obviously, also be world-readable .)
As you see, there are nine basic permission settings, each of which can be turned on or off. That’s a total of 512 possible combinations!
Because the same combinations are used over and over, Apple wisely provides an extremely easy way of using the most common combinations. The convenient combinations provided by Apple are:
Any one of these four pre-defined settings can be applied to each of the three owner types via the Info window of the Finder.
Choose a method of setting permissions
You can set permissions in Mac OS X in more than one way. Namely, you can use:
Each method has relative advantages and disadvantages, outlined below.
Methods of Setting Permissions
|Info window||Easier and more intuitive than Unix commands.||Limited capabilities. Not as powerful or flexible as Unix commands.|
|Third-party tools||More features than the Info window.||Not present by default. May require additional expense.|
|Unix commands||More powerful and flexible than the Info window. May be faster if you are familiar with Unix.||Less intuitive than the Info window.|
Because the vast majority of users will get by just fine with the easier graphically based methods, I cover the Info window and third-party tools next; advanced Unix commands appear elsewhere in this ebook.
Figure 1: Ownership and permissions for a typical file as viewed in the Info window.
Set permissions using the Info window
For simple tasks, set permissions using the Finder’s Info window. The Info window does not provide the degree of control that Unix commands do. You cannot, for instance, manipulate individual Unix permissions. However, setting permissions via the Info window is quite easy, and is perfectly adequate for most day-to-day situations.
Set permissions with the Info window by following these steps:
• Set access permissions: Choose your access permissions from the You Can pop-up menu. The menu item will be dimmed if you lack sufficient permissions to change the item.
• Set owner permissions: Click the Details triangle to change permissions for owner, group, and others ( as shown in Figure 2 below).
A lock icon beside an item indicates that such a change requires administrator level privilege. Click the lock icon and provide the user name and password of an administrator account when prompted.
Unix Equivalents of Info Window Access Settings
|Setting||Effect on Files||Effect on Folders|
|Read & Write||rw-||rwx|
|Write Only (Drop Box)||Not applicable||-wx|
Set permissions using third-party tools
The Info window is adequate for most day-to-day, basic permissions editing. However, it has a limited feature set and cannot handle many permissions-related tasks. Fortunately, several third-party tools perform these missing tasks. I cover three popular ones here: FileXaminer, Super Get Info, and XRay.
All three tools do what the Info window does and more, and provide finer control over permissions. The interfaces and features—at least as far as permissions are concerned—are very similar, and they all provide good help documentation and contextual menus.
The $10 FileXaminer from Gideon Softworks has several advantages over the Info window. A partial list of its permissions-related features includes:
• Batch edit: You can change permissions (and other settings) on multiple items simultaneously.
• Manage groups: This feature simplifies the management of Unix groups considerably. (At the time of this writing, the current version of FileXaminer did not manage groups in Tiger reliably, though it works fine in Panther. Hopefully the problem has been resolved by the time you read this.)
• Manipulate the Set UID, Set GID, and Sticky Bit: I cover these advanced file attributes elsewhere in this ebook.
• Change ownership recursively: While the Info window will allow you to apply permission changes to items enclosed within a folder, it will not allow you to apply ownership changes to all items enclosed within a folder. FileXaminer will.
• View the Unix command equivalent: When you set permissions, FileXaminer displays the syntax for the equivalent chmod command.
Figure 3: Ownership and permissions in FileXaminer. Note that you can set all the basic permissions settings individually.
• Set individual Unix permissions: The Info window allows you to set only predefined combinations of Unix permissions. You cannot change the individual permissions one by one. FileXaminer, while also providing preset combinations, allows you to set Unix permissions individually (see Figure 3 on the right).
In addition to permissions-related tasks, FileXaminer handles many other tasks, such as changing the modification and creation dates of items, editing icons, editing configuration text files as root, and copying paths of selected items to the clipboard.
You can set permissions with FileXaminer in many ways; here are the steps for changing basic permissions on a single item:
• Use the Owner/Group pop-up menus to change the user owner or group owner.
• Use the grid of checkboxes to set permissions, or choose from among the options in the Presets pop-up menu.
Super Get Info
Figure 4: Ownership and permissions as seen in Super Get Info. You can set all the basic permissions settings individually.
Super Get Info costs $20 and comes from Bare Bones Software, makers of BBEdit (See Figure 4 on the right).
In addition to the capabilities of the Info window, features of Super Get Info include:
• Multiple Super Get Info windows: In versions of Mac OS X before Tiger, if you select multiple items in the Finder and then choose Get Info, you will get one Info window. If you open multiple items with Super Get Info, you get a Super Get Info window for each item, thus allowing you to change ownership and permissions settings individually.
• Set individual Unix permissions: The Info window allows you to set only predefined combinations of Unix permissions, but Super Get Info allows you to set Unix permissions individually.
The sgi command line tool is an interesting additional item. Optionally installable, it allows you to open files in Super Get Info directly from the Mac OS X command line.
To set permissions with Super Get Info, simply follow these steps:
• Use the pop-up menus to choose Owner and Group.
• Use the grid of checkboxes to set permissions.
The $10 XRay is the brainchild of Rainer Brokerhoff (see Figure 5).
Figure 5: The XRay interface for changing ownership and permissions lets you set all the basic permissions settings individually, and it displays the Unix equivalents.
Like FileXaminer and Super Get Info, XRay augments the function of the Info window in a number of ways, including:
• Set individual Unix permissions: The Info window allows you to set only predefined combinations of Unix permissions. You cannot change the individual permissions one by one. XRay allows you to set Unix permissions individually.
• Change obscure attributes: Not only can you set the set UID, set GID, and sticky bit, you can also set attributes, such as immutability, ordinarily only accessible via the Unix chflags command.
• View Unix command equivalent: When you set permissions, XRay displays the syntax for the equivalent chmod command. I talk about chmod in Change Permissions with chmod.
To set permissions with XRay, follow these steps:
• Use the pop-up menus to choose owner and group.
• Use the grid of checkboxes to set permissions.
I talk about chmod in “Change Permissions with chmod” in the full ebook.
[ Brian Tanaka provides Unix and open source technologies consulting. His writing has appeared in Linux Journal and Sysadmin Magazine ; his latest is Take Control of Permissions in Mac OS X ( TidBits Electronic Publishing, 2005). ]