Take Control of Permissions in OS X

Editor’s Note: The following article is an excerpt from Take Control of Permissions in Mac OS X, a $10 electronic book available for download from TidBits Electronic Publishing. The 90-page ebook contains complete details on working with permissions from the command line, an explanation of ownership on external disks, information on what Repair Permissions does, and fixes for common permissions problems. This excerpt focuses on a brief overview of permissions followed by instructions on setting permissions through either the Finder’s Info window or third-party tools.

Every item on your computer—be it a file, folder, or disk—belongs to, or is owned by, an account. For instance, when you create a new file, that new file is owned by your user account. If another user, logged into her own account, creates a file, that file will be owned by her user account. In addition to being owned by a particular user account, every item on your computer carries with it a set of permissions that control which user accounts can access it and what kind of access they have.

That, in a nutshell, is the purpose of permissions: They control who can do what to which files, folders, and disks.

Permissions, combined with accounts and ownership, are exceedingly useful for a number of reasons, including:

• Security: Permissions are a critical component in the security model of all Unix-based operating systems, including Mac OS X. For instance, if a standard user account is compromised in some way by a malicious attacker, the attacker should not be able to alter critical system files because the permissions on those files disallow tampering by non-administrator accounts.

• Privacy: Permissions on your private files and folders can be set so that user accounts other than your own have limited access or no access at all.

• Controlled sharing: Because permissions are powerful and flexible, you can exercise a significant degree of control over which users can access items you choose to share and what those users can do with the shared items.

• System integrity: Permissions prevent non-administrator accounts from damaging the system by altering important system items, and they prevent users from tampering with other users’ items.

The anatomy of permissions

Every item on your computer is owned by an account and carries a set of permissions. These permissions control the access that each of three classes—owner, group, and other—has to an item.

Here’s a quick explanation of what I mean by owner, group, and other:

• Owner: The owner is the user account that owns an item, such as a file, folder, or disk. Every item is owned by an account. (Traditionally in Unix, this is known as the user class, and Unix commands abbreviate it with a u.)

• Group: In addition to being owned by a user account, every item is also owned by a group . A group is a set of user accounts conceptually clumped together so permissions can apply to its members collectively. Mac OS X provides a number of default groups, and you can create additional groups.

• Other: Everyone else! Other refers to all user accounts on the system other than the owner and members of the group. You will see this type referred to as “others” (in the Finder’s Info window) and “world” (by other tools).

Permissions for an item say whether owner, group, and other have three permissions:

Read: View the contents of the item.

Write: Change the item.

Execute: Execute the item.

Effect of Permissions on Files and Folders

Permission	Effect on Files	Effect on Folders
Read	File can be viewed or copied.	A list of items contained in a folder can be viewed if the execute permission is also enabled. Note that the contents of some enclosed items can be viewed even if the read permission is disabled.
Write	File can be modified or deleted.	Items can be added to, or removed from, the folder.
Execute	File can be run (launched). A common example of a “runnable” file is a Unix shell script. Note that while Unix applications use the execute permission, Mac OS X applications ignore it.	Also known as searchable when applied to folders, the execute permission allows the listing of the folder’ contents provided the read permission is also enabled.

So, if you mix owner, group, and other with read, write, and execute, you can see that permissions answer the following three sets of questions:

Can the owner read this item? Write to this item? Execute this item?

Can members of the group read this item? Write to this item? Execute this item?

Can all other user accounts read this item? Write to this item? Execute this item?

The following example looks more deeply at permissions and explains how to use Terminal to check the permissions on a file. I go into a fair amount of detail so you can apply the principles just discussed in a real-world example:

In this example, I use the ls command on a file called “foo:”

Launch Terminal. (Terminal is in /Applications/Utilities.)

Create a new file by entering:

touch foo

The touch command changes an item’s access and modification times, but if the file you touch doesn’t exist, touch will create it. Because of this convenient side effect, touch is a fast way of creating a new file if you happen to be at the Unix prompt in Terminal.

Enter:

ls -l foo

This reveals the ownership and permissions of our new file. The output of

ls -l foo

is:

-rw-r--r-- 1 btanaka staff 0 2 Apr 08:25 foo

Here’s an explanation of the individual parts of the output:

-rw-r--r--

: These characters are the permissions (or, more technically, the file mode) section of the ls output. The permissions appear in three groups of three corresponding to the three owner classes (just as I discussed earlier). The first set,

rw-

, specifies that the owner can read and write, but not execute. If the owner were allowed to execute, then the permissions would read

rwx

not

rw-

. (

is the symbol for execute.) The second set,

r--

, applies to the group, and specifies that the group can only read. The third set,

r--

, specifies that all other accounts have read-only permission.

btanaka

: The owner. In this example, my user account, btanaka , owns the file. On your computer, your account will be the owner. Again, the permissions that apply to this user are

rw-

, meaning my account can read and write, but not execute.

staff

: The group. In this example, the group

staff

owns the file. Again, permissions for the group owner are

r--

, meaning group members can read only.

: The file’s size in bytes.

2 Apr 08:25

: The date and time of last modification.

foo

: The file’s name.

Any individual permission can be changed. For instance, you can allow everyone on the system to alter the file simply by granting write permission to other. (This is known as making the file world writeable . Files can, obviously, also be world-readable .)

As you see, there are nine basic permission settings, each of which can be turned on or off. That’s a total of 512 possible combinations!

Because the same combinations are used over and over, Apple wisely provides an extremely easy way of using the most common combinations. The convenient combinations provided by Apple are:

Read & Write: A user can see the contents of an item, and change it.

Read Only: A user can see the contents of an item, but cannot change it.

Write Only: A user can write to an item but can’t see its contents. This setting exists so that a folder can be turned into a Drop Box . A Drop Box is a folder other users can put items into, but only the user owner can open to take items out.

No Access: A user is denied all access to the item.

Any one of these four pre-defined settings can be applied to each of the three owner types via the Info window of the Finder.

Choose a method of setting permissions

You can set permissions in Mac OS X in more than one way. Namely, you can use:

The Info window in the Mac OS X Finder

Third-party tools

Unix commands

Each method has relative advantages and disadvantages, outlined below.

Methods of Setting Permissions

Method	Advantages	Disadvantages
Info window	Easier and more intuitive than Unix commands.	Limited capabilities. Not as powerful or flexible as Unix commands.
Third-party tools	More features than the Info window.	Not present by default. May require additional expense.
Unix commands	More powerful and flexible than the Info window. May be faster if you are familiar with Unix.	Less intuitive than the Info window.

Because the vast majority of users will get by just fine with the easier graphically based methods, I cover the Info window and third-party tools next; advanced Unix commands appear elsewhere in this ebook.

Figure 1: Ownership and permissions for a typical file as viewed in the Info window.

Set permissions using the Info window

For simple tasks, set permissions using the Finder’s Info window. The Info window does not provide the degree of control that Unix commands do. You cannot, for instance, manipulate individual Unix permissions. However, setting permissions via the Info window is quite easy, and is perfectly adequate for most day-to-day situations.

Set permissions with the Info window by following these steps:

Working in the Finder, select an item.

Choose File –> Get Info (Command-I). You may need to click the Ownership & Permissions triangle to reveal more detail, as shown in Figure 1 on the right.

Now, do one or more of the following: • Set access permissions: Choose your access permissions from the You Can pop-up menu. The menu item will be dimmed if you lack sufficient permissions to change the item. • Set owner permissions: Click the Details triangle to change permissions for owner, group, and others ( as shown in Figure 2 below).

A lock icon beside an item indicates that such a change requires administrator level privilege. Click the lock icon and provide the user name and password of an administrator account when prompted.

If the item you selected in Step 1 was a folder, and you wish to apply your changes to everything inside of it, click the Apply to Enclosed Items button at the bottom of the Details section.

Close the Info window.

Unix Equivalents of Info Window Access Settings

Setting	Effect on Files	Effect on Folders
Read & Write	rw-	rwx
Read Only	r–	r-x
Write Only (Drop Box)	Not applicable	-wx
No Access	—	—

Set permissions using third-party tools

The Info window is adequate for most day-to-day, basic permissions editing. However, it has a limited feature set and cannot handle many permissions-related tasks. Fortunately, several third-party tools perform these missing tasks. I cover three popular ones here: FileXaminer, Super Get Info, and XRay.

All three tools do what the Info window does and more, and provide finer control over permissions. The interfaces and features—at least as far as permissions are concerned—are very similar, and they all provide good help documentation and contextual menus.

FileXaminer

The $10 FileXaminer from Gideon Softworks has several advantages over the Info window. A partial list of its permissions-related features includes:

• Batch edit: You can change permissions (and other settings) on multiple items simultaneously.

• Manage groups: This feature simplifies the management of Unix groups considerably. (At the time of this writing, the current version of FileXaminer did not manage groups in Tiger reliably, though it works fine in Panther. Hopefully the problem has been resolved by the time you read this.)

• Manipulate the Set UID, Set GID, and Sticky Bit: I cover these advanced file attributes elsewhere in this ebook.

• Change ownership recursively: While the Info window will allow you to apply permission changes to items enclosed within a folder, it will not allow you to apply ownership changes to all items enclosed within a folder. FileXaminer will.

• View the Unix command equivalent: When you set permissions, FileXaminer displays the syntax for the equivalent chmod command.

Figure 3: Ownership and permissions in FileXaminer. Note that you can set all the basic permissions settings individually.

• Set individual Unix permissions: The Info window allows you to set only predefined combinations of Unix permissions. You cannot change the individual permissions one by one. FileXaminer, while also providing preset combinations, allows you to set Unix permissions individually (see Figure 3 on the right).

In addition to permissions-related tasks, FileXaminer handles many other tasks, such as changing the modification and creation dates of items, editing icons, editing configuration text files as root, and copying paths of selected items to the clipboard.

You can set permissions with FileXaminer in many ways; here are the steps for changing basic permissions on a single item:

Drag the file or folder you want to change to the FileXaminer icon.

Select Privileges from the unlabeled pop-up menu (Command-2), and: • Use the Owner/Group pop-up menus to change the user owner or group owner. • Use the grid of checkboxes to set permissions, or choose from among the options in the Presets pop-up menu.

Click Apply.

Super Get Info

Figure 4: Ownership and permissions as seen in Super Get Info. You can set all the basic permissions settings individually.

Super Get Info costs $20 and comes from Bare Bones Software, makers of BBEdit (See Figure 4 on the right).

In addition to the capabilities of the Info window, features of Super Get Info include:

• Multiple Super Get Info windows: In versions of Mac OS X before Tiger, if you select multiple items in the Finder and then choose Get Info, you will get one Info window. If you open multiple items with Super Get Info, you get a Super Get Info window for each item, thus allowing you to change ownership and permissions settings individually.

• Set individual Unix permissions: The Info window allows you to set only predefined combinations of Unix permissions, but Super Get Info allows you to set Unix permissions individually.

The sgi command line tool is an interesting additional item. Optionally installable, it allows you to open files in Super Get Info directly from the Mac OS X command line.

To set permissions with Super Get Info, simply follow these steps:

Drag the item you would like to change to the Super Get Info icon.

Select the Permissions tab and: • Use the pop-up menus to choose Owner and Group. • Use the grid of checkboxes to set permissions.

Click Save.

XRay

The $10 XRay is the brainchild of Rainer Brokerhoff (see Figure 5).

Figure 5: The XRay interface for changing ownership and permissions lets you set all the basic permissions settings individually, and it displays the Unix equivalents.

Like FileXaminer and Super Get Info, XRay augments the function of the Info window in a number of ways, including:

• Set individual Unix permissions: The Info window allows you to set only predefined combinations of Unix permissions. You cannot change the individual permissions one by one. XRay allows you to set Unix permissions individually.

• Change obscure attributes: Not only can you set the set UID, set GID, and sticky bit, you can also set attributes, such as immutability, ordinarily only accessible via the Unix chflags command.

• View Unix command equivalent: When you set permissions, XRay displays the syntax for the equivalent chmod command. I talk about chmod in Change Permissions with chmod.

To set permissions with XRay, follow these steps:

Drag the item you would like to change to the XRay window.

Choose Permissions from the Show pop-up menu, and then: • Use the pop-up menus to choose owner and group. • Use the grid of checkboxes to set permissions.

Click Show Obscure Options to set special mode bits, root flags, and owner flags.

Choose File –> Save Changes (Command-S).

I talk about chmod in “Change Permissions with chmod” in the full ebook.

[ Brian Tanaka provides Unix and open source technologies consulting. His writing has appeared in Linux Journal and Sysadmin Magazine ; his latest is Take Control of Permissions in Mac OS X ( TidBits Electronic Publishing, 2005). ]