Unix

Mac OS X Unix Tutorial

Part 4 - Managing Permissions (page 2 of 2)

Viewing Permissions

We use our old friend 'ls -l' to view permissions. Let's have a look at some key areas of the file system.

1. Your home directory. In these examples the user is 'melkor', an administrative user.

% ls -l ~/osxfaq/
total 204
-rw-r--r-- 1 melkor staff 42496 ...part1
-rw-r--r-- 1 melkor staff 50688 ...part2
-rw-r--r-- 1 melkor staff 51712 ...part3
-rw-r--r-- 1 melkor staff 40960 ...part4

As you might expect, the files are owned by melkor. The group owner is 'staff'.

Permissions are displayed as three triplets, in the order: user owner permissions, group owner permissions, and permission for all others.

Each triplet gives read 'r', write 'w', and execute 'x' permissions. A '-' means permission withheld.

  • melkor may read and write these files.
  • members of group 'staff' may only read.
  • all other users may only read.

Examining the enclosing directory:

% ls -ld ~/osxfaq/
drwx------ 16 melkor staff 500 .../Users/melkor/osxfaq

we see that melkor grants no access at all to users other than the owner. As a consequence, even though melkor's files are readable by all users, the directory permissions mean that nobody but melkor can reach them.

It is important to realise that a file's effective visibility is controlled first by the permissions of every enclosing directory along its path, and only then by the file's own bits. For a directory, the 'x' (search) permission is what lets a user pass through it to the files inside; without it the file's own permissions never come into play. The directory's 'r' permission is separate: it allows the names inside to be listed, which is why a directory can be searchable but not listable (the 'Drop Box' described later on this page is an example).
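The rule above can be checked mechanically. The shell script below is an added example, not part of the original tutorial: it reads the mode string that 'ls -ld' prints for a path and for every directory above it, and reports what 'all others' can do. The sample tree it builds (an 'osxfaq' directory closed to others, a 'Public' directory, and a 'Public/Drop Box' that others may write to but not list) is constructed for the demonstration and mirrors the directories discussed on this page; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Decides what "all others"
# can do with a path by checking the mode bits of the path AND of every
# enclosing directory, which is what the kernel does on every open().
# Needs only ls -ld, cut, dirname and basename, so it runs unchanged on
# Mac OS X and on other Unix systems. The sample tree is constructed here.

# mode_of PATH : mode string as printed by ls -ld, e.g. drwxr-xr-x
mode_of() { ls -ld "$1" | cut -d' ' -f1; }

# other_has PATH r|w|x : true if the "others" triplet (columns 8-10) has it.
# A 't' in column 10 (the sticky bit, as on /Users/Shared) also implies x.
other_has() {
    m=$(mode_of "$1")
    case "$2" in
        r) [ "$(printf '%s' "$m" | cut -c8)" = r ] ;;
        w) [ "$(printf '%s' "$m" | cut -c9)" = w ] ;;
        x) case "$(printf '%s' "$m" | cut -c10)" in x|t) true ;; *) false ;; esac ;;
        *) false ;;
    esac
}

# abspath PATH : absolute path of an existing path (no realpath needed)
abspath() { printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd -P)" "$(basename "$1")"; }

# others_can_reach PATH : every enclosing directory, up to /, grants x
# (search) to others. Without this the path's own bits never matter:
# -rw-r--r-- inside drwx------ is invisible to everyone but the owner.
others_can_reach() {
    d=$(dirname "$(abspath "$1")")
    while :; do
        other_has "$d" x || return 1
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# read a file's contents, or list a directory's names
others_can_read() { others_can_reach "$1" && other_has "$1" r; }
# create a new entry inside a directory (w to add the name, x to search it)
others_can_drop() { others_can_reach "$1" && other_has "$1" w && other_has "$1" x; }

# build_demo BASE : constructed sample tree mirroring the tutorial's examples
build_demo() {
    mkdir -p "$1/osxfaq" "$1/Public/Drop Box"
    echo part1 > "$1/osxfaq/part1"; chmod 644 "$1/osxfaq/part1"
    chmod 700 "$1/osxfaq"                  # like ~/osxfaq: owner only
    echo note > "$1/Public/note";   chmod 644 "$1/Public/note"
    chmod 755 "$1/Public"                  # like ~/Public: others may read and search
    chmod 733 "$1/Public/Drop Box"         # like ~/Public/Drop Box: write and search, no read
}

# report PATH : one line saying what others can do with PATH
report() {
    a=no; r=no; c=no
    others_can_reach "$1" && a=yes
    others_can_read  "$1" && r=yes
    [ -d "$1" ] && others_can_drop "$1" && c=yes
    printf '%-11s reach=%-3s read/list=%-3s create-in=%-3s %s\n' \
        "$(mode_of "$1")" "$a" "$r" "$c" "$1"
}

demo() {
    base=$(mktemp -d /tmp/permdemo.XXXXXX)
    chmod 755 "$base"   # mktemp -d creates 700, which would hide the whole tree
    build_demo "$base"
    for p in "$base/osxfaq/part1" "$base/Public/note" "$base/Public/Drop Box"; do
        report "$p"
    done
    rm -rf "$base"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as 'sh permcheck.sh demo'. The first report line is the instructive one: the file's own mode is -rw-r--r--, yet reach=no because its enclosing directory is drwx------, so read/list=no as well. Note that the script only reads mode bits; it does not account for ACLs, which 'ls -l' flags with a trailing '+'.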

2. The Applications Directory. Any user can run applications, but only an administrative user may add or remove them (which requires write access to the '/Applications' directory, and to the bundle's own directories when deleting one).

With an understanding of groups and permissions, you may be able to guess how this is implemented. Examining the directory '/Applications' and its contents:

% ls -ld /Applications/
drwxrwxr-x  30 root  admin  976 Jul 25 14:05 /Applications

% ls -l /Applications/
total 0
drwxrwxr-x 3 root   admin 264 ...Address Book.app
drwxrwxr-x 6 root   admin 264 ...AppleScript
drwxrwxr-x 9 melkor admin 264 ...AppleWorks 6.app

Others can read and search the directory, and so can run the applications it contains. The owner and members of group 'admin' can also write. Because every administrative user is a member of group admin, and unprivileged users are not, we get the desired behaviour.

Notice that the owner is root for applications installed with OS X, and melkor for applications installed afterwards by melkor. This does not affect administrative access to the files, since group admin has write access either way.

3. The System. The '/System/Library' directory holds the core of the operating system and is protected from administrative users: only root may modify this area. (Notice, however, that 'Caches' is world-writable, drwxrwxrwx, and has no sticky bit, so any user can create entries there and can also rename or delete entries that other users created.)

% ls -ld /System/Library/
drwxr-xr-x 44 root wheel   1452 May  6 22:42 /System/Library

% ls -l /System/Library/
total 2956
drwxr-xr-x  3 root wheel ...Authenticators
drwxr-xr-x 10 root wheel ...CFMSupport
drwxrwxrwx  5 root wheel ...Caches
drwxr-xr-x  2 root wheel ...Classic
drwxr-xr-x  6 root wheel ...ColorPickers

Modifying Permissions

'chmod' changes file permissions (change modes) by specifying permissions for the user owner, the group owner, and all others.

A single letter mnemonic is used to represent each class of user, and each class of permission.

'u' is for user owner, 'g' is for group owner, 'o' is for others.

'r' is for read permission, 'w' is for write permission, and 'x' is for execute permission.

To set permissions to read, write, and execute (rwx) for the user owner (u) use:

% chmod u=rwx file-name

To set permissions to read and execute (rx) for the group owner (g) use:

% chmod g=rx file-name

And finally, to set permissions to read (r) for others (o) use:

% chmod o=r file-name

These can be set all at once by separating the permission sets by commas.

% chmod u=rwx,g=rx,o=r file-name
% ls -l file-name
-rwxr-xr-- 1 melkor staff ...file-name

One may add or remove permissions by replacing the equals sign with a plus sign to add, or a minus sign to remove. Permissions that are not mentioned are left untouched, whereas '=' sets the class's permissions exactly, clearing any bit not listed.

Take away read permission for others:

% chmod o-r file-name

Add write permission for the group:

% chmod g+w file-name

to give us:

% ls -l file-name
-rwxrwx--- 1 melkor staff ...file-name
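To see exactly what '=' does compared with '+' and '-', it helps to run the symbolic syntax through a small evaluator before touching real files. The shell script below is an added example, not part of the original tutorial: it implements chmod's clause grammar for the u, g, o and a classes and the r, w and x bits (the setuid, setgid and sticky bits are left to the advanced lesson), renders the result as the nine permission columns 'ls -l' would show, and cross-checks itself against the real chmod on a scratch file. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): an evaluator for chmod's
# symbolic modes. Modes are three octal digits (user, group, other), e.g.
# 644; setuid/setgid/sticky are out of scope. A clause is [ugoa]*[=+-][rwx]*
# and several clauses are separated by commas, exactly as chmod accepts them.

# bits_of LETTERS : rwx letters -> 0..7  (bits_of rx -> 5)
bits_of() {
    v=0
    case "$1" in *r*) v=$((v + 4)) ;; esac
    case "$1" in *w*) v=$((v + 2)) ;; esac
    case "$1" in *x*) v=$((v + 1)) ;; esac
    echo "$v"
}

# apply_clause MODE CLAUSE : one clause, e.g. apply_clause 644 g+w -> 664
apply_clause() {
    mode=$1 clause=$2
    who=${clause%%[=+-]*}            # class letters before the operator
    rest=${clause#"$who"}
    op=${rest%"${rest#?}"}           # the operator: = + or -
    perms=$(bits_of "${rest#?}")     # value of the letters after it
    [ -z "$who" ] && who=a           # bare "+x" means all classes (real chmod also applies umask)
    case "$who" in *a*) who=ugo ;; esac
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}   # split the three digits as text
    for c in u g o; do
        case "$who" in *$c*) ;; *) continue ;; esac   # class not mentioned: untouched
        eval "cur=\$$c"
        case "$op" in
            =) new=$perms ;;                  # set exactly, clearing bits not listed
            +) new=$(( cur | perms )) ;;      # add only the listed bits
            -) new=$(( cur & ~perms )) ;;     # remove only the listed bits
        esac
        eval "$c=\$new"
    done
    echo "$u$g$o"
}

# apply_mode MODE SPEC : comma-separated clauses, applied left to right
apply_mode() {
    result=$1
    spec=$2
    while [ -n "$spec" ]; do
        clause=${spec%%,*}
        result=$(apply_clause "$result" "$clause")
        [ "$clause" = "$spec" ] && break
        spec=${spec#*,}
    done
    echo "$result"
}

# mode_string MODE : 754 -> rwxr-xr-- (the nine permission columns of ls -l)
mode_string() {
    m=$1; g=${m#?}
    s=
    for d in "${m%??}" "${g%?}" "${m#??}"; do
        case $d in 4|5|6|7) s=${s}r ;; *) s=${s}- ;; esac
        case $d in 2|3|6|7) s=${s}w ;; *) s=${s}- ;; esac
        case $d in 1|3|5|7) s=${s}x ;; *) s=${s}- ;; esac
    done
    echo "$s"
}

# real_mode_string PATH : the same nine columns taken from ls -ld
real_mode_string() { ls -ld "$1" | cut -d' ' -f1 | cut -c2-10; }

# check_against_chmod MODE SPEC : run the real chmod on a scratch file and
# compare with the evaluator; prints "ok ..." or "mismatch ..."
check_against_chmod() {
    f=$(mktemp /tmp/chmodcheck.XXXXXX)
    chmod "$1" "$f" && chmod "$2" "$f"
    real=$(real_mode_string "$f"); rm -f "$f"
    want=$(mode_string "$(apply_mode "$1" "$2")")
    if [ "$real" = "$want" ]; then echo "ok $1 $2 -> $want"
    else echo "mismatch $1 $2: chmod gave $real, evaluator $want"; fi
}

# The tutorial's own sequence, starting from a typical new file (644)
demo() {
    m=644
    for spec in u=rwx,g=rx,o=r o-r g+w; do
        m=$(apply_mode "$m" "$spec")
        echo "$spec -> $m $(mode_string "$m")"
    done
    check_against_chmod 644 u=rwx,g=rx,o=r     # 754 rwxr-xr--
    check_against_chmod 754 o-r,g+w            # 770 rwxrwx---
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as 'sh chmodcalc.sh demo'. The point to notice is in apply_clause: with '=' the listed bits replace the class's triplet outright, so 'g=rx' on a group that had 'rwx' silently drops 'w', while '+' and '-' touch only the bits named and leave everything else alone.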

See the advanced lesson for more detail on chmod.

Changing Owners

'chown' changes the user owner and/or group owner of a file. Only root may change the user owner of a file, so that form of the command must be run using sudo. The file's owner may change the group owner without sudo, but only to a group of which they are themselves a member.

To change the owners of a file, give the new user owner and group owner separated by a colon.

For example, to change the group owner while keeping the user owner the same:

% chown :admin file-name
% ls -l file-name
-rwxrwx--- 1 melkor admin ...file-name

To change both the user owner and the group owner:

% sudo chown janice:staff file-name
Password:   (give your administrator password here)
% ls -l file-name
-rwxrwx--- 1 janice staff ...file-name

See the advanced lesson for more detail on chown.

Tell Me More...

Owners for New Files

When a file is created its user owner is the user who created it. On Mac OS X, as on other BSD-derived systems, the group owner is decided not by the primary or any other group to which the creator belongs, but by the group that owns the enclosing directory.

/Users/Shared

Examine the permissions of this shared directory with:

% ls -ld /Users/Shared
drwxrwxrwt ... root wheel ...

We can see that everyone may write to it.

The 't' at the end is explained in the Advanced lesson.

Your Public Directory

Now look at the Public directory within your home directory:

% ls -ld ~/Public/
drwxr-xr-x ... melkor staff ...

This allows others to read the files you wish to make public, but they cannot change them.

The 'Drop Box' within your Public directory is a place where other users have write and search access, but not read access: they can create a file there by name, but cannot list what is already inside. This forms a sort of private mailbox to which others can deliver files.

% ls -ld ~/Public/Drop\ Box/
drwx-wx-wx ... melkor staff ...

Restrictions

Only the owner of a file (and root) may change its permissions. This restriction is a necessary security feature: without it an unprivileged user could simply grant themselves access to any file.

'sudo'

'sudo' stands for 'substitute user do'. It allows one to run a command as a different user, most often root. Naturally this is a dangerous thing to do, as you are overriding all the protection afforded by file system permissions. Mac OS X is set up to allow any administrative user to 'sudo' as root; the password it asks for is your own administrator password, not root's, and each command run this way is recorded in the system log. It is a sort of back door into root, and avoids having to log on as the root user for those (very rare) super-user tasks.

In the example above we use it to change the user owner of a file, an operation that only the root user is allowed to perform.

system

The Finder shows the Unix root user as 'system'. Why? 'System' sounds more Mac-like.

~another-user

You will be familiar with '~' being a shortcut for your home directory.

'~another-user' is a shortcut for the home directory of another-user.

NetInfo

For those of you familiar with other Unix systems, Mac OS X does not hold user and group information in the usual /etc/passwd and /etc/group flat files.

These exist but are consulted only in single-user mode. For multi-user operation NetInfo is queried.

One can see this by viewing /users and /groups entries in NetInfo. On the command line it is possible to use nidump.

% nidump passwd /

for a list of users (in /etc/passwd format).

% nidump group /

for a list of groups (in /etc/group format).


Changing Your Password

Use the command 'passwd'. Remember that the password you give here is also the password you use at the login screen.

% passwd
Changing password for melkor.
Old password:
New password:
Retype new password:

Give your old password, then type a new password twice.

Remember to change the password in Keychain Access too.

Adding New Users and Groups

Because Mac OS X uses NetInfo to maintain the authentication database, it is not worthwhile learning how to add new users and groups the traditional Unix way. A later advanced tutorial will cover NetInfo in detail.

Other User-Related Commands

I will briefly cover some other useful commands related to users.

You may recall that '~' is short-hand for your home directory. '~another-user' is shorthand for the home directory of the given user.

For example:

cd ~janice

will take any user into janice's home directory, provided that directory's permissions grant them search ('x') access.

To display your user and group information use 'id':

% id
uid=502(melkor) gid=20(staff) groups=20(staff),80(admin)

This shows your UID and user name, your primary GID and group name, and then a list of all the groups to which you belong.

In case of severe amnesia, you can recall who you are with 'who am i', which reports the user logged in on your terminal. 'users' lists everyone currently logged in, which here happens to be just melkor:

% users
melkor
% who am i
melkor ttyp1 Jul 26 23:50

In Part 5

The next part of this tutorial will cover commands to view and search for files, and commands to search within files, rather like Sherlock's search for contents. Until then, try the command

% file any-file-you-choose

Enjoy :-)


Copyright © 2000-2008 Inside Mac Media, Inc. All rights reserved.