It is now time to put away 'chmod', which controls a file's mode or permissions. Each file also has an associated set of flags that are controlled by 'chflags'. The flags you are most likely to come across are the user immutable flag and the system immutable flag. When a file is immutable it cannot be changed or deleted in any way until the immutable flag is cleared.

A user may set and clear the user immutable flag on a file they own. For example, to set and clear the flag:

    % touch lockit
    % ls -al lockit
    -rw-r--r-- 1 melkor staff ..... lockit
    % chflags uchg lockit
    % ls -al lockit
    -rw-r--r-- 1 melkor staff ..... lockit
    % touch lockit
    touch: lockit: Operation not permitted

Here we created a file called 'lockit' and set the user immutable flag with:

    % chflags uchg lockit

You notice that after locking the file, we still apparently have write permission to it. This is not the case, as flags override permissions. When we subsequently tried to modify 'lockit' by touching it we were not permitted to do so. In fact, we were not even able to change its timestamp.

To unlock 'lockit' we use:

    % chflags nouchg lockit
    % touch lockit
    % ls -al lockit
    -rw-r--r-- 1 melkor staff ..... lockit
    % rm lockit

This time we were able to modify the file's timestamp, and remove it.

'uchg' sets the user immutable flag.

Tell Me More...

Touch Me

'touch' creates a file if it does not already exist. Otherwise 'touch' changes the file's timestamp to the current date and time.

Locked Files in the Finder

When one locks a file using the Finder, write permission to the file is not withdrawn. The Finder locks a file by setting the user immutable flag. Try the following experiment. Lock a file using the Finder. Then use the command line to clear the user immutable flag. Back in the Finder, examine the file and you will notice that it is no longer locked. Similarly, setting the user immutable flag on the command line will cause the Finder to show it as locked.

OS 9 and Immutable Flags

The OS 9 Finder also locks by setting the user immutable flag. Some OS 9 files also have the system immutable flag set!

The Immutable, Indestructible, Undeletable Super File

Now for the system immutable flag.

WARNING - If you follow this exercise and set the system immutable flag, you must stay to the bitter end in order to remove the file.

Only the super-user may set the system immutable flag. For example, to set the flag:

    % touch super-lockit
    % sudo chflags schg super-lockit
    Password:
    % ls -al super-lockit
    -rw-r--r-- 1 melkor staff ..... super-lockit

Now, we will be prevented from changing or removing the file, even as the super-user:

    % sudo rm super-lockit
    override rw-r--r-- melkor/staff for super-lockit? y
    rm: super-lockit: Operation not permitted

So, let's clear the system immutable flag:

    % sudo chflags noschg super-lockit
    chflags: super-lockit: Operation not permitted
    % aaarrrrg!
    aaarrrrg!: Command not found.

Help. The system immutable bit cannot be cleared. What do I do now?

Append-Only Files

Similar to the user and system immutable flags are the user and system append-only flags. As you might guess, an append-only file can only be changed by adding to the end of the file. You cannot delete or change the existing contents. To set the flags use 'chflags' and:

    uappnd
    sappnd

and to clear them use:

    nouappnd
    nosappnd

Remember 'man'

Need I remind you? Find out more about flags and 'chflags' with:

    % man chflags

If the super-user cannot clear the system immutable flag, then who can? Only super-root - the super-duper-user. The what?
When your Mac is up and running in multi-user mode (the normal operating mode) it is running at level 1. Some operations even root can't do at level 1, such as turning off the System Immutable and System Append-only flags. You must run at level 0. Switching into single-user mode allows one to run at level 0 and thus change the System Immutable flag. The super-user running at level 0 is the all-powerful super-duper-user.
Do this.
Close all applications and issue the command:
    % sudo shutdown +0
to shut down multi-user mode and enter single-user mode. You will lose all services such as network connectivity while in single-user mode.
Then navigate to the directory in which you created super-lockit. (I'm assuming your home directory.)
    % cd /Users/your-name-here/
    % chflags noschg super-lockit
Then hit control-d to return to multi-user mode. You should now be able to remove super-lockit.
    % cd ~
    % rm super-lockit
Note: when you enter single user mode, type:
    % whoami
If the answer is not 'root' type:
    % su
and type control-d twice when you need to return to multi-user mode.
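
The 'ls -al' listings in this lesson look identical before and after 'chflags' because that listing has no flags column. The following is an added example, not part of the original lesson: it filters a long listing that does include the flags ('ls -lO' on current macOS, 'ls -lo' on FreeBSD) and reports files carrying the immutable or append-only flags discussed above. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files whose flags make them immutable or append-only.
# Reads long-listing text that has a flags column in field 5 (ls -lO style).

# Constructed sample listing, not output captured from a real system.
sample_listing() {
    cat <<'EOF'
total 8
-rw-r--r--  1 melkor  staff  -              0 Jan  5 10:00 plain
-rw-r--r--  1 melkor  staff  uchg           0 Jan  5 10:01 lockit
-rw-r--r--  1 melkor  staff  schg           0 Jan  5 10:02 super-lockit
-rw-r-----  1 root    wheel  sappnd,nodump 120 Jan  5 10:03 audit log
EOF
}

# Prints: <matching flags> <who can clear them> <file name>
flagged_files() {
    awk '
    NF >= 10 {
        n = split($5, flags, ",")
        hit = ""
        for (i = 1; i <= n; i++)
            if (flags[i] ~ /^(uchg|schg|uappnd|sappnd)$/)
                hit = hit (hit == "" ? "" : ",") flags[i]
        if (hit == "") next
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        # System flags can only be cleared at level 0 (single-user mode).
        who = (hit ~ /schg|sappnd/) ? "level-0-root" : "owner"
        printf "%-8s %-13s %s\n", hit, who, name
    }'
}

sample_listing | flagged_files
# On a real system (assumes an ls with a flags column): ls -lO | flagged_files
```

File names containing runs of whitespace are re-joined with single spaces, so treat the name column as display only.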

Real Unix dudes use octal!

The 'chmod' command is able to take the permissions in 'absolute' format. Here one specifies exactly which permission bits to set, and which to clear. For example, the following are equivalent:

    chmod 777 file
    chmod ugo=rwx file

and:

    chmod 000 file
    chmod ugo= file

The file permissions can be considered as a set of 9 bits, in the order user r,w,x; group r,w,x; other r,w,x -or-

    ur uw ux gr gw gx or ow ox

Assigning values to these we have:

    100 000 000 = read by user
    010 000 000 = write by user
    ...
    ...
    000 000 010 = write by other
    000 000 001 = execute by other

A more convenient form is used by 'chmod'. The permissions are expressed as three digits, one for user, one for group, and one for other. Each can take on the values 0 to 7, and can be formed as follows:

    400 = read by user
    200 = write by user
    100 = execute (search directory) by user
    040 = read by group
    020 = write by group
    010 = execute (search directory) by group
    004 = read by other
    002 = write by other
    001 = execute (search directory) by other

Simply add these values (actually bit-wise 'or') to set the desired permissions. For example, rwx by user, rx by group, and x by other =

    400+
    200+
    100+
    040+
    010+
    001
    ---
    751
    ---

So:

    chmod 751 file

is equivalent to (and shorter than):

    chmod u=rwx,g=rx,o=x file

Tell Me More...

Why Octal?

Each digit in the value passed to chmod represents the permissions for one class of access, and can take on the range of values 0 to 7. This means we are using base 8 arithmetic. Hence the values are in 'octal', as opposed to decimal or hexadecimal (base 16).

Some Common 'chmod' Values

It's all mine, hands off:
Free for all:
The default permissions for a newly created file are:
and for a newly created directory are:

umask

The 'umask' command sets the default permissions for newly created files and directories. Type:

    % umask
    22

The actual permissions applied to a new file are calculated by subtracting (actually bit-masking) by the umask as follows:
For files:
For directories:

You can change umask. For example:

    % umask 066
    % touch x
    % ls -al x
    0 -rw------- ... x

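
The octal addition and the umask bit-masking described above can be checked from the shell. This is an added example, not part of the original lesson; the function names are made up for illustration, and it assumes new files are requested with mode 666 and new directories with 777. The umask 033 case shows why the operation is a mask and not a subtraction.

```shell
#!/bin/sh
# Added example: symbolic -> octal permissions, and how umask is applied.

# "rwxr-x--x" -> 751. Each permission that is set adds its weight
# (400, 200, 100, 040, ...). No digit ever exceeds 7, so a plain sum works.
sym_to_octal() {
    sym=$1
    total=0
    for weight in 400 200 100 40 20 10 4 2 1; do
        c=${sym%"${sym#?}"}          # first remaining character
        sym=${sym#?}
        case $c in
            -) ;;
            *) total=$((total + weight)) ;;
        esac
    done
    printf '%03d\n' "$total"
}

# Resulting mode = requested AND NOT umask (bit-masking, not subtraction).
# $1 = requested mode in octal, $2 = umask in octal
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a file with 'touch' under the given umask and read its mode back.
mode_of_new_file() {
    dir=$(mktemp -d) || return 1
    ( umask "$1"; touch "$dir/x" )
    perms=$(ls -l "$dir/x" | cut -c2-10)
    rm -rf "$dir"
    sym_to_octal "$perms"
}

echo "rwxr-x--x              -> $(sym_to_octal rwxr-x--x)"
echo "file, umask 22         -> $(apply_umask 666 22)"
echo "directory, umask 22    -> $(apply_umask 777 22)"
echo "file, umask 033        -> $(apply_umask 666 033) (subtracting would give 633)"
echo "touch x with umask 066 -> $(mode_of_new_file 066)"
```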
And Finally
This is the end of the Users, Groups, and Permissions Advanced Unix lesson. If I have missed anything please feel free to join in the discussions on the OSXFAQ forums at the address given below.
The next Advanced Lesson is planned to cover the all-powerful 'find' command.
Until then, Enjoy :-)
Discuss this article in the Learning Center forum
Lesson 2 - Users, Groups, and Permissions 2 (page 2 of 2)
Copyright © 2000-2009 Inside Mac Media, Inc. All rights reserved.