Users, Groups, and Permissions form the foundation of Unix's multi-user view of the file system. Users and groups identify you, the files that you own, and the files that you share. Permissions mark out your personal 'turf' and the extent of your access to the remainder of the file system, that is, the files you can see and change and the programs that you can run. Permissions are applied individually to each file and define who can read, write, and execute it. This advanced lesson expands on the Unix Tutorial part 4 - Managing Permissions.

Users

A user is someone who has an account on a Unix machine. A user has a name, a password, and is able to login. Each user has a unique identity (a numeric user ID) on that machine, and a home directory in which to place personal files. The password is proof of identity, stopping others from stealing your identity and your files. Your user name is used to form the name of your home directory. For OS X that will be /Users/your-name. On other Unices it could be /home/your-name or /export/home/your-name.

Groups

A group is something to which any number of users can belong. Each user belongs to at least one group (their primary group), and can belong to any number of other groups. When a user is created the primary group must be specified. At a later date the user may be added to or removed from other groups. The idea behind groups is to associate a group of users with a group of files. File permissions can be set to allow access to members of the group, while excluding access to non-members.

Permissions

Every file in the file system has a set of permissions that define who can access the file, and how. Access is defined for three classes of user: the user owner, the group owner (that is, members of the file's group), and others (everyone else). Each class is allowed, or disallowed, to read, write, and execute the file.
As an example of this, issue the command:

% ls -al ~

(that's a tilde character at the end) to give a detailed listing of your home directory. Let's examine a couple of lines of output from this.

drwx------   27 melkor  staff   874 May 29 17:41 Pictures
drwxr-xr-x    4 melkor  staff   264 Mar 10 18:08 Public

The user owner and group owner for both of these directories are melkor and staff. Permissions are displayed from left to right for: user owner, group owner, then others. 'r' = can be read. 'w' = can be written to. 'x' = can be executed. '-' means permission not granted. From this we can deduce that Pictures can be read and written only by the user owner (melkor), whereas Public can also be read by any member of group staff, and in fact by anyone at all. This is consistent with Pictures being melkor's private directory, and Public being a directory that others can view, but cannot change. Consider:

-rw-r-----    1 melkor  admin    41 May 29 20:21 me-and-my-group

This file has permissions set so that melkor can read and write, any user who is a member of the group admin can read, and everyone else is excluded.

% groups

will list the groups to which you belong.

% id -p

will list your user name and the groups to which you belong.

% users
% who

will list the names of all users currently logged onto the machine.

% who am I

will...well, guess!

OS X 'staff' and 'admin' Groups

OS X uses groups to implement its concept of normal users and users with administrative privileges. As you may be aware, an administrative user is able to (among other things) install and delete applications in /Applications, while a normal user cannot. How is this achieved? A normal user is a member of group 'staff'. An administrative user is a member of group 'staff', and is also added to groups 'admin' and (pre OS X 10.2) 'wheel'. Most files in OS X outside of the /Users directory are set up as follows: user owner root, group owner admin, and permissions rwxrwxr-x, so that members of admin can modify them while everyone else can only read and execute them.
If we list the contents of the /Applications folder...

% ls -l /Applications
drwxrwxr-x    4 root    admin   264 Jan 28 22:00 Acrobat Reader 5.0
drwxrwxr-x    3 root    admin   264 Sep 15  2001 Address Book.app
drwxrwxr-x    6 root    admin   264 Feb 15 01:35 AppleScript
drwxrwxr-x    9 melkor  admin   264 Mar  2 17:48 AppleWorks 6.app
drwxrwxr-x    4 root    admin   264 Jan  6 19:00 Calculator.app
...

...we can see this to be so. A normal user is able to execute all applications, but cannot modify them. Notice here that AppleWorks is owned by melkor. This is because AppleWorks was installed later by melkor, rather than at system installation. The user owner makes no practical difference here: other administrative users can still delete it because they are members of group 'admin', which has write permission. The /Applications folder itself has similar permissions.

% ls -ld /Applications
drwxrwxr-x   28 root    admin   908 May 30 17:42 /Applications

Some parts of OS X are protected even from the administrative users, mainly anything in /System. If you list /System/Library you will notice that write permission has been removed from the group owner, and that the group owner is actually 'wheel' not 'admin'. The reason for 'wheel' is to emphasise that these are system files, not to be messed around with by mere users.
Tell Me More...
Files and 'Files'

In Unix, 'files' are more than just files. Directories are a special class of file. Executables are files. Even devices like discs, terminals, and printers are treated like files and appear somewhere in the file system hierarchy.

% ls /dev

will list lots of devices, all rather odd-sounding.

Dual Ownership

A file in Unix has two owners. The primary owner is a user, termed the user owner, and is usually (but not necessarily) the user who created the file. The other owner is a group, termed the group owner, and is usually (but not necessarily) a group to which the user owner belongs. Both user owner and group owner can be changed at any time, and a file's group owner need not be a group to which the user owner belongs at all. This gives greater flexibility in managing permissions for groups.

User 'root'

Root is special. Root is all powerful. Root is above permissions: the read and write bits on a file are simply not checked for root, so root can read and write any file regardless of the permissions set for it, and can enter any directory. The one exception is execution: even root can only execute a file that has at least one execute bit set. Root is also called the Super User. Needless to say, root is dangerous, since one mistake made as root can wreck the whole system.

User 'system'

If you examine a file using the Finder's Show Info window, you will notice that user 'root' is always shown as 'system'. That's just the way the Finder likes to think of root; 'system' is more Mac-like.

Group 'wheel'

The primary group for root is 'wheel'. Administrative users pre OS X 10.2 were also members of group wheel.

Flat Files vs NetInfo

Traditionally, Unix configuration information is held in files in /etc/. 'Flat files' refers to the information being held in simple text files rather than in a database. OS X holds all this information in the NetInfo database; only in single user mode are the traditional Unix /etc files consulted. The NetInfo database is held in /var/db/netinfo/local.nidb/ (and is not textual). Display the contents of /etc/passwd and /etc/group to show the (single user mode) users and groups:

% cat /etc/passwd
% cat /etc/group

To examine the NetInfo database of users and groups type:

% nidump passwd /
% nidump group /

'nidump' is a command line utility for extracting the contents of the NetInfo database. (NetInfo was removed in OS X 10.5 Leopard; later releases keep this information in Directory Services, which the 'dscl' command queries.) I hope to cover NetInfo in a future Advanced Unix lesson.
Execute Permissions on Directories
At this point, you may be wondering what execute permission means for a directory. Read permission on a directory means one can list the names it contains. Execute permission (often called search permission) means one can pass through the directory: 'cd' into it, or open, stat, or run anything inside it by name. The two are independent. With read but not execute you can see the names but cannot reach the files behind them, so even 'ls -l' fails to show their details; with execute but not read you can open a file whose name you already know but cannot discover what else is there. Note also that write permission on a directory is what lets you create, rename, or delete entries in it, whatever the permissions on the files themselves.
Here is an example, typed at the terminal:

'mkdir' makes a new directory
'touch' creates a new file inside it
'chmod 600' changes the directory's permissions (read and write for the owner, no execute), as viewed by the following 'ls'
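The same experiment as a script, so you can see the two directory bits in isolation rather than only in a listing. This is an added example, not from the original lesson; it uses only mkdir, touch, chmod, ls and cat inside a temporary directory created with mktemp, and it must be run as an ordinary user, because root bypasses these checks and every probe would succeed.

```shell
#!/bin/sh
# Added example (not from the original lesson): what the r and x bits mean on
# a directory. Run as an ordinary user; root ignores the mode bits entirely.

# Run one command quietly and report yes/no instead of its output and errors.
try() {
  if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Prints one summary line, which for an unprivileged user reads:
#   r-only: list=yes read=no; x-only: list=no read=yes
demo_dir_perms() {
  work=$(mktemp -d) || return 1
  mkdir "$work/d"
  touch "$work/d/secret"

  # r-- on the directory: we may read the directory itself (the list of
  # names) but may not search it, so nothing behind those names is reachable.
  chmod 400 "$work/d"
  list_r=$(try ls "$work/d")
  read_r=$(try cat "$work/d/secret")

  # --x on the directory: we may search it but not list it, so a file whose
  # name we already know is reachable while its neighbours stay hidden.
  chmod 100 "$work/d"
  list_x=$(try ls "$work/d")
  read_x=$(try cat "$work/d/secret")

  # Restore full permission so the cleanup can remove the contents.
  chmod 700 "$work/d"
  rm -rf "$work"

  echo "r-only: list=$list_r read=$read_r; x-only: list=$list_x read=$read_x"
}

demo_dir_perms
```

The x-only case is the one worth remembering: a directory mode of --x (or a 'chmod 711' home directory) lets other users reach files they know the names of while hiding everything else, which is why 'ls' on such a directory reports permission denied although 'cat' of a known path succeeds.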
Next Page
Now that we understand users, groups, and permissions, I will introduce some of the Unix commands that allow one to change and set these.
Lesson 1 - Users, Groups, and Permissions (page 1 of 2)