Mac OS X Unix Tutorial

by Adrian Mayo - Senior Editor for Mac OS X Unix, Janice Mayo - Senior Editor for Mac OS X Unix

Part 4 - Managing Permissions (page 1 of 2)

The Story So Far

The previous three parts have covered Unix basics, files, and directories. Once one starts to play around with files and directories, problems with Unix permissions will inevitably be encountered: so this is the next step in our understanding of Unix.

This tutorial explains Unix file permissions, presenting basic concepts and theories before delving into the commands that view and manage file permission and ownership.

The two-part advanced lesson on Users, Groups, and Permissions expands on this tutorial. It covers the commands in much greater detail - more than is necessary for simple every-day use.

The command left dangling at the end of part three:

% last

lists all users who have logged into your Mac (since the last monthly tidy-up of log files). It says who, how (e.g. ftp), and when.


Concepts

Unix and Mac OS 9 come from very different backgrounds. The Mac was conceived as a single user personal computer: a computer with one all-powerful user to whom file permissions mean nothing. In contrast, Unix was developed from the outset to serve many users. Segregation of these users, both from each other and from the system itself, was a fundamental requirement. The system administrator maintained the machine whilst users simply used it.

Mac OS X brings a Mac-like user interface built on a Unix background. Mac owners moving from Mac OS 9 suddenly find themselves demoted from all-powerful to mere user, and feel uncomfortable with the user-administrator split. It helps to be a little schizophrenic: consider yourself a user most of the time and an administrator when necessary.

Apple has opted for a three-way split: normal users maintain their own home area; an Administrator user maintains the shared library and applications; and the core system itself is the domain of the root user. This split works well: demarcation of the Unix core allows the non-expert Mac user to administer their own machine without any danger of hosing the Mac OS X installation.

A Lecture

Unix-based Mac OS X is very much more powerful and complex than the old Mac OS. File permissions and ownerships are set up in a specific manner, necessary for both the correct functioning and the security of your Mac. Simply changing owners and permissions on items outside of your own area, and particularly on those to which only the root user has access, is strongly discouraged. Unless you know what you are doing, and have a very good reason to do so, leave well alone. This tutorial and the advanced lessons on Users, Groups, and Permissions arm you with the Unix equivalent of an automatic weapon. Be careful where you point it.

You may be familiar with GUI-based applications that allow one to wield the power of root, changing owners and permissions throughout the file system. I consider them to be dangerous tools. I'd question the need to use them any more than almost never.

The GUI application Disk Utility, under the First Aid tab, has Verify Disk Permissions and Repair Disk Permissions buttons, should you need rescuing. (Pre OS X 10.2: Apple released a Repair Privileges (permissions) program to repair a sick installation. It requires Mac OS X 10.1.5 and can be downloaded from Apple's Support...Download pages; search for "repair privileges".)


What is a User?

A user is someone who is recognized by the system by having a name, usually a password, and a numeric User Identification or UID. OS X has two types of user: those you create from the Users preference pane in System Preferences, and shadowy users created by the system that hide in the background. You will not see those users in the login window, and need not be concerned with them.

A user you create yourself can be either an unprivileged user, or an administrative user.

What is a Group?

Each user belongs to one or more groups. Groups act as a tool to facilitate finer control of file system permissions. One can assign file permissions to a group, which are then inherited by all users belonging to that group.

When a new user is created the user is automatically placed in a group called staff. This is their primary group. A user is made an administrator by adding them to the admin (and pre OS X 10.2, wheel) groups. This is what happens when you check the 'Allow user to administer this computer' box in the Users preference pane.

Like users, groups have a name and a numeric Group Identification or GID. A group does not have a password, as one cannot log in as a group.

What are Permissions?

Permissions state which files and directories one may view, write to, and execute. Users, groups, and permissions work together to present each user's own view of the file system.

Each file, directory, and executable is owned by a particular user - termed the user owner. Each also has a secondary owner, which is always a group - termed the group owner. Three sets of read/write/execute permissions are defined, one for each of the user owner, the group owner, and then all others. In each case a particular permission can be granted or not granted.

Your permissions for a given file are determined as follows:

  • If you are the owner of the file then you have the permissions stated for the user owner.
  • If you do not own the file, but you belong to the group that owns the file, then you have the permissions stated for the group owner.
  • If neither of the above applies you have the permissions stated for all other users.

The user 'root' has automatic read, write, and execute permission to all files.

Group Permissions

Without the concept of a group owner and group permissions, no mechanism would exist by which a file can be shared between selected users. By setting group permissions, one can share a file with all users who are a member of the owning group, whilst excluding all other users.
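The three-way rule above (user owner, else group owner, else everyone else) and the group-sharing point it enables, written out as a small permission resolver. This is an added example, not code from the tutorial: the UIDs, GIDs and file in the demo are constructed values, and it also records one caveat the root sentence above glosses over, namely that on a regular file root is granted execute only if at least one execute bit is set.

```python
# Added example, not from the tutorial: resolve the effective read/write/
# execute permission a given user has on a file, following the rule set
# out above (user owner, else group owner, else everyone else).
from dataclasses import dataclass
from typing import Collection


@dataclass(frozen=True)
class FileInfo:
    """Ownership and permission bits of one file, as ls -l or stat reports them."""
    uid: int            # user owner (numeric UID)
    gid: int            # group owner (numeric GID)
    mode: int           # the nine rwx bits, e.g. 0o640
    is_dir: bool = False


def parse_mode(text: str) -> int:
    """Turn an ls -l style string such as 'rw-r-----' into the nine mode bits.

    's'/'t' imply execute (setuid/setgid/sticky together with x); 'S'/'T' do not.
    The setuid/setgid/sticky bits themselves are outside this example.
    """
    if len(text) != 9:
        raise ValueError("expected nine characters, e.g. rwxr-x---")
    bits = 0
    for i, ch in enumerate(text):
        flag = 4 >> (i % 3)              # r=4, w=2, x=1 within each triplet
        shift = 6 - 3 * (i // 3)         # user, group, other triplets
        if (flag == 4 and ch == "r") or (flag == 2 and ch == "w") \
                or (flag == 1 and ch in "xst"):
            bits |= flag << shift
    return bits


def effective_permissions(f: FileInfo, uid: int, gids: Collection[int]) -> str:
    """Return the subset of 'rwx' that user `uid` (a member of `gids`) holds on `f`.

    Exactly one class applies, chosen in the order user owner, group owner,
    others. Root (UID 0) bypasses the bits, except that execute on a regular
    file is granted to root only if some execute bit is set (directories are
    always searchable by root).
    """
    if uid == 0:
        return "rwx" if (f.is_dir or f.mode & 0o111) else "rw-"
    if uid == f.uid:
        shift = 6          # owner class wins even if the owner is also in the group
    elif f.gid in gids:
        shift = 3
    else:
        shift = 0
    triplet = (f.mode >> shift) & 0o7
    return (("r" if triplet & 4 else "-")
            + ("w" if triplet & 2 else "-")
            + ("x" if triplet & 1 else "-"))


def demo() -> dict:
    """Constructed scenario: alice (UID 501) shares a report with the
    'project' group (GID 1001) by giving it mode rw-rw----."""
    report = FileInfo(uid=501, gid=1001, mode=parse_mode("rw-rw----"))
    return {
        "alice (owner)":          effective_permissions(report, 501, {20, 1001}),
        "bob (in project)":       effective_permissions(report, 502, {20, 1001}),
        "carol (not in project)": effective_permissions(report, 503, {20}),
        "root":                   effective_permissions(report, 0, {0}),
    }


if __name__ == "__main__":
    for who, perms in demo().items():
        print(f"{who:24} {perms}")
```

Note that the owner class is chosen first even when it is more restrictive than the group class: a file with mode ----rw---- is unreadable by its owner while every other member of the owning group can read and write it, which is the behaviour page two's commands will let you observe.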

 
Tell Me More...

Shadowy Users

The shadowy users are daemon, nobody, unknown, www (perhaps others), and of course root, the all-powerful user which has access to the whole system.

Other Groups

Other groups include:

  • wheel - the primary group for root;
  • nobody - for unprivileged logins;
  • www - for the www user;

and many more.

www User

The Apache web server starts as user root and switches to run as user www as a security measure. If someone hacks into your system through Apache, they will hopefully be restricted to the permissions of www instead of those of root.
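The privilege drop described above, as an added example that is not Apache's own code. A daemon started as root changes its groups and then its user before it touches any network input; the order of the calls is what makes the drop stick. The UID/GID 70 for www are constructed placeholder values, and the FakeKernel class is a constructed stand-in for the os module so the example runs without root.

```python
# Added example, not Apache's code: how a daemon started as root drops to an
# unprivileged user such as www before it handles any request, and why the
# order of the calls matters.
import os
from typing import List

WWW_UID = 70   # constructed placeholder values for the www user and group;
WWW_GID = 70   # look them up on the machine rather than hard-coding them


class PrivilegeDropError(RuntimeError):
    """Raised when the process is not solely the intended user afterwards."""


def drop_privileges(uid: int, gid: int, ops=os) -> List[str]:
    """Switch from root to uid/gid for good and return the steps performed.

    `ops` supplies setgroups/setgid/setuid/getuid/getgid; it defaults to the
    real os module and can be replaced by the FakeKernel below for a dry run.
    Groups must be changed first: once setuid() has run the process is no
    longer root and can no longer change its group memberships.
    """
    if uid == 0 or gid == 0:
        raise PrivilegeDropError("refusing to 'drop' to root")
    steps = []
    ops.setgroups([])        # shed the supplementary groups inherited from root
    steps.append("setgroups")
    ops.setgid(gid)          # then the primary group
    steps.append("setgid")
    ops.setuid(uid)          # finally the user: after this there is no way back
    steps.append("setuid")
    if ops.getuid() != uid or ops.getgid() != gid:
        raise PrivilegeDropError("ids did not change")
    try:
        ops.setuid(0)        # a correct drop makes regaining root impossible
    except PermissionError:
        steps.append("verified")
        return steps
    raise PrivilegeDropError("process could become root again")


def drop_privileges_wrong_order(uid: int, gid: int, ops=os) -> None:
    """The classic mistake: user first. setgid() then fails and the process
    keeps root's group while running as the unprivileged user."""
    ops.setuid(uid)
    ops.setgid(gid)


class FakeKernel:
    """Constructed stand-in for os with just enough of the Unix rules to show
    the ordering problem, so the example runs without root."""

    def __init__(self):
        self.uid, self.gid, self.groups = 0, 0, [0]

    def getuid(self):
        return self.uid

    def getgid(self):
        return self.gid

    def setgroups(self, groups):
        if self.uid != 0:
            raise PermissionError("setgroups requires root")
        self.groups = list(groups)

    def setgid(self, gid):
        if self.uid != 0 and gid != self.gid:
            raise PermissionError("setgid to another group requires root")
        self.gid = gid

    def setuid(self, uid):
        if self.uid != 0 and uid != self.uid:
            raise PermissionError("setuid to another user requires root")
        self.uid = uid


if __name__ == "__main__":
    k = FakeKernel()
    print(drop_privileges(WWW_UID, WWW_GID, ops=k), "->", (k.uid, k.gid, k.groups))
```

The final setuid(0) probe is the check worth keeping in real code: a drop that leaves root recoverable (for example because only the effective UID was changed) gives an intruder who compromises the www process exactly the root access the switch was meant to deny.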

A Spare User

This is a handy tip. Create a second administrative user. If you run into problems such that your regular administrative user becomes unusable, you can log into the spare one to diagnose and hopefully correct the problem from there.

Additionally, if an application is misbehaving the problem may well lie in a corrupted preference file. Logging into the spare user and running the offending application with effectively virgin preferences can confirm this possibility.


Next Page

This page has covered the theory behind users, groups, and permissions. I have gone into some depth because it is a concept that is alien to a lot of Mac users making the move from OS 9, but nonetheless a concept that must be understood.

Page two will present Unix commands that allow one to view and change permissions.



Copyright © 2000-2010 Inside Mac Media, Inc. All rights reserved.