Project 7. Know Your Users and Groups

This project covers users and groups, and how they affect your access to the file system. Permissions, covered in Project 8, are intimately related to users and groups.

Unix and its file system (its method of organizing and storing information) were designed from the ground up to keep data secure on computers shared by multiple users. Users, groups, and permissions form the foundation of this secure file system (and that of Mac OS X as well). Unix employs users and groups to identify you and associate you with the files you own and the files you share. Permissions (see Project 8) are assigned to each file individually. They mark out your personal "turf" and the extent of your access to the remainder of the file system: that is, which files and directories you can see and change, and which programs you can run.

Every Unix file is owned by a specific user and is associated with a specific group. Three sets of permissions are applied to each file: one for the owner, one for members of the associated group, and one for everyone else. Each set of permissions allows or forbids the file to be read, written, and executed.

Users

A user is someone who has an account on a Unix machine. A user has a name and a password, and is able to log in. Each user has a numeric user identity (UID) on that machine and a home directory in which to place personal files. The user name is used only for logging on; thereafter, you are identified to Unix by your UID.

There are two classes of user: those created as user accounts and daemonic users created for the purpose of running daemons, such as user www, under which the Apache web server runs. There's also the root user, an all-powerful user with a UID of 0 to which permissions and restrictions do not apply.

Creating a user account using Mac OS X System Preferences also creates a new Unix user account. In fact, the two are one and the same, as the same account information is shared between Aqua and the command line.

Tip

Use System Preferences to create a second administrative user. If you run into a problem such that your regular administrative user becomes unusable, you can log into the spare one to diagnose and ideally correct the problem.


Groups

Many users can belong to the same group. Every user belongs to at least one group (a self-named primary group) and can be added to any number of other groups at any time. Like a user, a group has a name and a numeric group identity (GID).

The idea behind groups is to associate a set of users with a set of files. Group file permissions can be set to allow access to members of the group and to prevent access by nonmembers. Without the concept of groups, no mechanism would exist by which a file can be shared among selected users.

Groups are used in OS X to distinguish administrative users from normal (staff) users; administrative users belong to the group admin, for example. There are also groups such as www, which serve as the primary group of the corresponding daemonic users.

Root's primary group is called wheel and has a GID of 0.

Unix Commands

Because the concept of users and groups is so central to Unix, it's important to learn some commands that let you identify and specify user and group information for files and directories.

Display Your Details

To display your user and group information, use the command id. It displays your UID and user name, your primary GID and group name, and then a list of all the groups to which you belong. The command groups lists the groups to which you belong. In the following example, saruman is an administrative user, and loraine is a standard user.

$ id
uid=501(saruman) gid=501(saruman) groups=501(saruman), 81(appserveradm), 79(appserverusr), 80(admin)
$ groups
saruman appserveradm appserverusr admin
$ id
uid=504(loraine) gid=504(loraine) groups=504(loraine)
$ groups
loraine


In case of severe amnesia, recall who you are by typing either of the following.

$ whoami
saruman
$ who am i
saruman   ttyp1   Jul 17 19:31


Display a File's Details

Use the familiar command ls, with its -l option, to display the owner and associated group of a file.

$ ls -l letter.txt
-rw-r--r--   1 saruman  saruman  100 12 May 19:27 letter.txt


From this, we can see that letter.txt is owned by user saruman and is associated with group saruman. The very first character describes the file type: - for a regular file, d for a directory, and so on (see the man page for ls). The next nine characters, rw-r--r--, describe the file permissions for the owner, for members of the associated group, and for everyone else (see Project 8 for an explanation of permissions). After the link count, owner, and group we see the file size (100 bytes), the date of last modification, and the filename.

On the other hand, mach_kernel is owned by user root and is associated with group wheel.

$ ls -l /mach_kernel
-rw-r--r--   1 root  wheel  4308960 31 Mar 05:11 /mach_kernel


Change Groups and Owners

Use command chgrp to change the group associated with a file. You must be the owner of the file to change its group, and the new group must be one to which you belong. Only root has the power to change the group arbitrarily.

$ chgrp admin letter.txt
$ ls -l letter.txt
-rw-r--r--   1 saruman  admin  100 12 May 19:27 letter.txt
$


Command chown will change the owner of a file and optionally the group too. You must be root to change the owner of a file, for obvious security reasons.

$ chown loraine letter.txt
chown: letter.txt: Operation not permitted
$ sudo chown loraine letter.txt
Password:
$ ls -al letter.txt
-rw-r--r--   1 loraine  admin  100 12 May 19:27 letter.txt
$


Check out the Unix man pages for chgrp and chown. Both have a recursive mode when you need to modify all files in a directory hierarchy. (See "Recursion" in Project 2.)
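Because a recursive chown or chgrp touches every entry beneath a directory, it is worth listing what would change first. The script below is an added example, not code from the book: it reports every entry under a directory whose owner or group differs from the expected values, using only find options shared by the BSD (Mac OS X) and GNU versions. The directory and the expected user and group are whatever you pass in; the usage line at the bottom assumes the current directory and your own user and primary group.

```shell
#!/bin/sh
# Added example (not from the book): list every entry under a directory whose
# owner or group is not what you expect, so a recursive chown -R or chgrp -R
# can be reviewed before it is run.
ownership_mismatches() {
    dir=$1 want_user=$2 want_group=$3
    # -user and -group accept a name, or a numeric id when no such name exists,
    # in both BSD and GNU find. An entry is listed if either field is wrong.
    find "$dir" \( ! -user "$want_user" -o ! -group "$want_group" \) -print
}

# Number of mismatching entries, printed as a bare integer.
count_ownership_mismatches() {
    ownership_mismatches "$@" | wc -l | tr -d ' '
}

# Usage: check the current directory (or a directory given as $1) against
# the current user and primary group. Pipe into xargs or use -exec in the
# function once the list looks right.
ownership_mismatches "${1:-.}" "$(id -un)" "$(id -gn)"
```

The -exec ls -ld {} \; action can replace -print when you want to see the current owner and group next to each path.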

List Users and Groups

Use the command dscl to maintain and query Mac OS X Directory Services, where much of the account information is held. The command dscl is a comprehensive utility, but here we use it just to display a list of users and groups.

$ dscl / -list /Users
amavisd
appowner
...
root
saruman
...
xgridcontroller
$ dscl / -list /Groups
accessibility
admin
amavisd
...
saruman
...


Default Users and Groups

When you create a new file or directory, the owner is always you, the user who created the file. The associated group is not as you may expect; it has nothing to do with your primary group or any of the groups to which you belong. It is in fact the group of the containing directory (which is often your primary group anyway). This behavior is not the same in all variants of Unix; others use the primary group of the user who creates the file. The way Mac OS X does it makes good sense when you create a file in a directory outside your home, such as /Users/Shared.
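Because the rule differs between Unix variants, the quickest way to know which one your machine follows is to create a file and compare groups. The script below is an added example, not code from the book: it creates a temporary file in a directory you name, reads the group of the directory, the new file, and your primary group, and prints which rule produced the result. Group names are taken from field 4 of ls -ld, which is the same on Mac OS X and Linux, so the script does not depend on the differing stat options of the two systems.

```shell
#!/bin/sh
# Added example (not from the book): discover which default-group rule this
# Unix uses for newly created files.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Prints one word:
#   directory     the file inherited the containing directory's group (Mac OS X)
#   primary       the file got the creator's primary group (System V / Linux)
#   indeterminate directory group and primary group are the same here, so the
#                 two rules cannot be told apart with this directory
#   other         neither rule matched
new_file_group_rule() {
    dir=$1
    f=$(mktemp "$dir/grouptest.XXXXXX") || return 1
    dir_group=$(group_of "$dir")
    file_group=$(group_of "$f")
    primary_group=$(id -gn)
    rm -f "$f"
    if [ "$dir_group" = "$primary_group" ]; then
        echo indeterminate
    elif [ "$file_group" = "$dir_group" ]; then
        echo directory
    elif [ "$file_group" = "$primary_group" ]; then
        echo primary
    else
        echo other
    fi
}

# Usage: a directory owned by another group, such as /Users/Shared or /tmp
# (root:wheel on Mac OS X), is needed to tell the two rules apart.
new_file_group_rule "${TMPDIR:-/tmp}"
```

On a directory whose group is already your primary group the answer is always indeterminate, which is why a probe inside your own home directory tells you nothing.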




Mac OS X UNIX 101 Byte-Sized Projects
ISBN: 0321374118
Year: 2003
Pages: 153
Authors: Adrian Mayo