Default Users, Groups, and Permissions

When I create a new file or directory, what are the default settings for user owner, group owner, and the permissions? Try creating a new file in your home directory.

    % cd ~
    % touch new-file
    % ls -l new-file

The output should be:

    -rw-r--r--  1 melkor  staff  0 May 30 20:52 new-file

The user owner is always the user who created the file. The permissions allow the owner to read and write, and everyone else to read only.

The group owner is not what you may expect: it has nothing to do with your primary group, or with any of the groups to which you belong. It is in fact the group of the containing directory (which in this case happens to be your primary group anyway). This behaviour is not the same in all Unices. BSD Unix, on which OS X is ultimately based, works this way. Others (Linux, for example) use the primary group of the user who creates the file, unless the directory carries the set-group-ID bit, a topic for UGP 2. The BSD way makes more sense when one creates files in directories outside of one's own user area. Try this:

    % cd /Users
    % ls -ld Shared/
    drwxrwxrwt  12 root  wheel  364 May 30 21:15 Shared
    % cd Shared/
    % touch new-file
    % ls -l new-file
    -rw-r--r--  1 melkor  wheel  0 May 30 21:16 new-file

The group owner is now 'wheel', consistent with the group owner of /Users/Shared. (Now don't leave those files lying around; be tidy and delete them with 'rm new-file'.)

The same rules apply to directories, which are after all just files.

'umask' Command to Set Default Permissions

The permissions of newly created files are controlled by the Unix command 'umask'. Type:

    % umask
    22

'22' (that is, 022) is a mask saying which permissions should not be granted. It won't mean much until we cover the numerical representation of permissions a little later. The mask can be set with:

    % umask 077

which will set the permissions on newly created files to -rw------- (for the security conscious). The umask belongs to the shell process and is inherited by the programs it starts, so a value typed at the prompt lasts only for that shell; put it in your shell's startup file to make it permanent.

It is now time to look at some Unix commands that allow one to manipulate users, groups, and permissions. These are:
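As an added example (not from the original article), the script below creates a file and a directory under a chosen umask and reads back the resulting modes, and it also computes the expected octal result by clearing the mask's bits from the 666 (file) or 777 (directory) starting point. It assumes a POSIX sh or bash on macOS or Linux; the helper names are mine. Note that it cannot show the BSD group-inheritance rule, because on Linux the group will follow the creating user instead.

```shell
#!/bin/sh
# Added example, not the article's own code: how umask shapes new files and
# directories. Runs under sh/bash on macOS and Linux.

# mode_of: print the symbolic mode column of 'ls -l', e.g. "-rw-r--r--".
# (macOS ls may append '@' or '+' for extended attributes or ACLs; cut
# keeps only the ten permission characters.)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# expected_mode: the octal mode a new file (base 666) or directory
# (base 777) receives under a given umask: base AND NOT mask.
# Leading zeros make the shell treat both numbers as octal.
expected_mode() {          # $1 = 666 or 777, $2 = umask such as 022
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# create_with_umask: create a file and a directory in a scratch directory
# with the given umask, print both symbolic modes, then clean up.
# The umask is changed inside a subshell so the caller's shell keeps its own.
create_with_umask() {      # $1 = umask such as 022 or 077
    umask_demo_tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$umask_demo_tmp/new-file"
        mkdir "$umask_demo_tmp/new-dir"
    )
    mode_of "$umask_demo_tmp/new-file"   # 022 -> -rw-r--r--, 077 -> -rw-------
    mode_of "$umask_demo_tmp/new-dir"    # 022 -> drwxr-xr-x, 077 -> drwx------
    rm -rf "$umask_demo_tmp"
}

# Usage: show the effect of the usual mask and of the cautious one.
create_with_umask 022
create_with_umask 077
expected_mode 666 077
```

The arithmetic in expected_mode is exactly what the kernel does at creation time: the requested mode (666 from touch, 777 from mkdir) is ANDed with the complement of the umask, which is why a mask can only ever remove permissions, never add them.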
'chmod' Command to Change and Set Permissions

'chmod' is used to change file modes (or permissions) by specifying 'who' and 'permissions'. Who is 'u' for user owner, 'g' for group owner, 'o' for others, and 'a' for all (ugo). Permissions are 'r' for read, 'w' for write, and 'x' for execute. To set permissions to rwxr-xr-- (rwx for the user, rx for the group, r for others) use:

    % chmod u=rwx,g=rx,o=r file
    % ls -l file
    -rwxr-xr--  1 melkor  staff  0 May 30 21:29 file

'who' and 'permissions' are separated by '=', and a ',' separates the items in the list of who/permissions clauses. You must not put spaces anywhere within the clause. This is an example of absolute mode: it sets the permissions you specify and clears those you don't.

You can also add or remove specific permissions whilst leaving the others unchanged, which is relative mode. To remove read access from others:

    % chmod o-r file
    % ls -l file
    -rwxr-x---  1 melkor  staff  0 May 30 21:29 file

And to add write access for the group:

    % chmod g+w file
    % ls -l file
    -rwxrwx---  1 melkor  staff  0 May 30 21:29 file

To add execute permission for everyone, one can use either:

    % chmod a+x file

or the shorter 'chmod +x file'. The two differ only in that the form with no 'who' leaves alone any bits that are set in your umask; with the usual umask of 022 that makes no difference to the execute bits. Finally:

    % chmod g=u file

sets the group permissions to be equal to those of the user.

'chgrp' Command to Change Group Owner

The command:

    % chgrp group file

will change the group owner of file to the specified group. You must be the user owner of the file to change its group, and the new group must be a group of which you are a member. For example:

    % cd ~
    % touch file
    % ls -l file
    -rw-r--r--  1 melkor  staff  0 May 31 14:39 file
    % chgrp admin file
    % ls -l file
    -rw-r--r--  1 melkor  admin  0 May 31 14:39 file

Only root has the power to change the group owner of a file to any group.

'chown' Command to Change and Set Owners

The command:

    % chown user file

will change the user owner of a file. The command:

    % chown :group file

will change the group owner of a file (equivalent to chgrp). The command:

    % chown user:group file

will change both the user owner and the group owner of a file.

You must be root to change the user owner of a file, for obvious security reasons: otherwise anyone could give their files away, or disown a file to escape a disk quota. As an example:

    % cd ~
    % touch file
    % ls -l file
    -rw-r--r--  1 melkor  staff  0 May 31 14:51 file
    % sudo chown janice:admin file
    Password:
    % ls -l file
    -rw-r--r--  1 janice  admin  0 May 31 14:51 file

All change. Note that janice need not be a member of group admin; the group owner is not tied to the user owner, so the above is fine.
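The following is an added example, not the article's own code, that runs the chmod sequence from the 'chmod' section above against a scratch file and reads back the mode after every step, so you can see absolute and relative modes side by side; it then changes a file's group with both 'chgrp' and the 'chown :group' form. It uses your primary group (from 'id -g', numerically, to avoid a name lookup) so that it works for any user without root; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: chmod in absolute and
# relative mode, then chgrp versus chown :group. Runs under sh/bash.

mode_of()  { ls -ld  "$1" | cut -c1-10; }        # e.g. "-rwxr-xr--"
group_of() { ls -ldn "$1" | awk '{print $4}'; }  # numeric group id (-n)

# chmod_sequence: apply the article's chmod steps to a temporary file and
# print the symbolic mode after each step, one per line.
chmod_sequence() {
    f=$(mktemp) || return 1
    chmod u=rwx,g=rx,o=r "$f"; mode_of "$f"   # absolute: -rwxr-xr--
    chmod o-r "$f";            mode_of "$f"   # relative: -rwxr-x---
    chmod g+w "$f";            mode_of "$f"   # -rwxrwx---
    chmod a+x "$f";            mode_of "$f"   # -rwxrwx--x
    chmod g=u "$f";            mode_of "$f"   # -rwxrwx--x (group copies user)
    rm -f "$f"
}

# regroup: change a file's group with chgrp, then with chown :group, and
# return 0 only if both leave the file in the caller's primary group.
# A non-root user may only pick a group they belong to, so the primary
# group is the one choice that always works.
regroup() {
    f=$(mktemp) || return 1
    g=$(id -g)
    chgrp "$g" "$f";  g1=$(group_of "$f")
    chown ":$g" "$f"; g2=$(group_of "$f")
    rm -f "$f"
    [ "$g1" = "$g" ] && [ "$g2" = "$g" ]
}

# Usage: print the five modes, then report whether regrouping worked.
chmod_sequence
regroup && echo "group change via chgrp and chown :group agree"
```

Try 'chown nobody "$f"' as an ordinary user and it will fail with "Operation not permitted", which is the rule from the text: only root may hand a file to another user.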
Tell Me More...
Touch Me

What is 'touch'? Well, it's an easy way to create a new file. Its real purpose is to alter the modification and access times of a file. The default behaviour is to change these to the current date and time. It can take parameters allowing any date and time to be set, which is useful when your digital camera 'forgot' its settings and your imported photographs have an incorrect timestamp.

Eyes Off

You may worry about the default permissions giving read access to everyone. Is this really what I want? Well, yes and no. Yes if you are writing to a shared directory, and no otherwise. This is not a problem because the folders in your home directory (Documents, Pictures, etc.) do not grant any permissions to anyone other than yourself. To open a file you need search (execute) permission on every directory along its path, so even though the files you create in Documents are readable by anyone, the directory itself is not, and no one else can reach your files. The directory Public has read access for the rest of the world, so files you create in, or copy to, this directory will be readable. Notice that the directory 'Drop Box' within Public is unusually write-only (drwx-wx-wx), allowing others to send you files knowing that they will remain private. Of course, root can see all your private files regardless of the permissions you set.

Big X

An alternative to 'x' for execute permission is 'X'. It is used in relative mode and says to add execute permission only where it makes sense: to directories (where 'x' means permission to search), and to files on which somebody already has execute permission. For example, if the permissions of a plain file are:

    rw-r--r--

then 'chmod a+X file' will have no effect. If the permissions are:

    rwxr--r--

then 'chmod a+X file' will add execute for group and others. This is what makes 'chmod -R a+rX' the safe way to open up a directory tree: directories become searchable and scripts stay runnable, but data files do not become executable, as they would with 'a+rx'.

Octal Anyone?

The permissions can be set in an absolute manner by specifying directly which bits to set. There are nine bits in total, three (r,w,x) times three (u,g,o). For example, 777 sets all bits, giving:

    rwxrwxrwx

744 sets:

    rwxr--r--

and 600 sets:

    rw-------

If this sounds a bit glib, don't worry. Octal will be covered in part 2 of Users, Groups, and Permissions.

umask

The 'umask' mentioned earlier is in octal too. When a new file is created, its permissions start at 666 (rw-rw-rw-), and then any bits set in the 'umask' are cleared from the file permissions. The 'umask' is normally 022, giving permissions of 644. For directories, the permissions start at 777 and are reduced to 755 by the 'umask'.

Don't Forget Wildcards and Recursion

If you wish to 'chmod', 'chown', or 'chgrp' a number of files, you may specify a wildcard for the filename (the shell expands it before the command runs). For example:

    % chmod a+x *.sh

and if you wish to possess a whole directory hierarchy:

    % sudo chown -R me:mygroup /Users/not-me

which is a clear abuse of your administrative powers. :-)

Any More Questions?

Don't forget your old friend 'man'.

    % man chmod

if you need to know more.
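The script below is an added example, not code from the original article, covering the 'Big X' and 'Octal Anyone?' notes together with the recursion note above. It builds a small constructed tree (a subdirectory, a script that is already executable, and a plain data file) with octal modes, then applies 'chmod -R a+rX' and, for comparison, 'chmod -R a+rx', and reports the resulting modes. It assumes sh or bash with a chmod that accepts 'X' (both macOS and GNU chmod do); the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: capital X versus lowercase x
# when opening up a directory tree recursively, using octal starting modes.

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. "drwx------"

# make_tree: constructed sample tree in a temporary directory:
#   sub/        directory, 700
#   run.sh      script that is already executable, 700
#   notes.txt   plain data file, 600
# Prints the tree's path.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/sub"
    printf '#!/bin/sh\necho hi\n' > "$t/run.sh"
    printf 'constructed sample data\n' > "$t/notes.txt"
    chmod 700 "$t/sub"          # octal absolute mode: rwx------
    chmod 700 "$t/run.sh"
    chmod 600 "$t/notes.txt"    # rw-------
    printf '%s\n' "$t"
}

# big_x_demo: chmod -R a+rX, then print the modes of sub, run.sh, notes.txt.
# X grants execute to the directory and to the already-executable script,
# but not to the data file, which had no execute bit anywhere.
big_x_demo() {
    t=$(make_tree) || return 1
    chmod -R a+rX "$t"
    mode_of "$t/sub"        # drwxr-xr-x
    mode_of "$t/run.sh"     # -rwxr-xr-x
    mode_of "$t/notes.txt"  # -rw-r--r--
    rm -rf "$t"
}

# small_x_demo: the same with lowercase x; the data file becomes executable,
# which is rarely what anyone wants.
small_x_demo() {
    t=$(make_tree) || return 1
    chmod -R a+rx "$t"
    mode_of "$t/notes.txt"  # -rwxr-xr-x
    rm -rf "$t"
}

# Usage: compare the two forms.
echo "a+rX:"; big_x_demo
echo "a+rx on notes.txt:"; small_x_demo
```

Recursive chmod and chown follow symbolic links differently on different systems and will happily descend into things you did not mean to touch, so run 'ls -lR' (or 'find' with '-ls') on the target first and prefer 'a+rX' to 'a+rx' when the goal is to make a tree readable rather than executable.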
Remember we changed the owner of 'file' from melkor to janice.

    % ls -l file

Notice that melkor has no write permission on file, so this user cannot change it. So we will need janice or root to remove it now, yes?

    % rm file

No! (Interactively, rm may first ask you to override the file's mode; answer 'y', or pass -f.) Exactly why this is not an abuse of permissions will be explained in UGP 2, when we will get sticky. As a hint: removing a file changes the directory that lists it, not the file itself, so the permission that matters is melkor's write permission on the home directory.
Next Part
In UGP 2, I will cover more advanced topics such as sticky bits, User and Group Ids and how they affect executing programs and file sharing, and the 'set uid/gid' bits.
I will also explain the user and system immutable flags.
Lesson 1 - Users, Groups, and Permissions (page 2 of 2)
Copyright © 2000-2010 Inside Mac Media, Inc. All rights reserved.

Apple assumes no responsibility with regard to the selection, performance, or use of the products or services. All understandings, agreements, or warranties, if any, take place directly between the vendors and prospective users.

Apple, the Apple logo, Mac, PowerMac G4, PowerMac G5, Xserve, Xserve RAID, PowerBook, iBook, Airport, AirPort Extreme, iMac, eMac, iLife, iMovie, iCal, iPhoto, iTunes, QuickTime, FireWire, iPod, iSight, AppleWorks, Macintosh, Jaguar, Panther, Mac OS, Mac OS X and Mac OS X Server are trademarks of Apple Computer, Inc.