If you do an ls -a / on your Tiger system, you'll see some familiar things, such as /etc and /var, but you'll also notice some unfamiliar things, such as /TheVolumeSettingsFolder, /Library, and /Documents. Mac OS X's filesystem contains traces of Unix, NeXTSTEP, and Mac OS 9. The tables in the rest of this chapter list directory entries and provide a description of each file or directory.
Table 3-1 describes the files and directories (indicated with a trailing slash) you may find in your / (the root) directory. The remaining tables in this chapter describe significant subdirectories.
Table 3-1. Mac OS X's root directory
File or directory
Contains Finder settings, such as icon location and window size. The file will appear in any directory that you've viewed with the Finder.
Contains metadata used by Spotlight. For more information, see Chapter 2.
Contains files that have been dragged to the Trash. On a boot volume, such files are stored in ~/.Trash. On a non-boot volume, these files are in /.Trashes/uid/.
Maps HFS+ file IDs to files. If you know a file's ID, you can open it using /.vol/id.
Holds all your Mac OS X applications. Its Utilities subdirectory includes lots of useful things, such as the Terminal, Console, and the Activity Monitor.
Applications (Mac OS 9)/
Contains all your OS 9 applications if you've got Mac OS X and Mac OS 9 installed.
Handles static NFS mounts for the automount daemon.
Contains essential system binaries.
Quake III players have this.
A symbolic link (or symlink) to /private/cores. If core dumps are enabled (with tcsh's limit and bash/sh's ulimit commands see the tcsh and bash manpages for more details) they are created in this directory as core.pid.
Along with Desktop DF, contains the desktop database that is rebuilt when you click Rebuild Desktop in System Preferences Classic.
See Desktop DB.
The Mac OS 9 desktop folder.
Contains files that represent various devices. See Table 3-6.
Contains Apple's Xcode Tools and documentation. Available only if you have installed the Xcode Tools.
The Mac OS 9 documents folder.
Contains system configuration files. See Table 3-2. The directory is a symbolic link to /private/etc.
Installer Log File
May be left by some third-party application installers.
Contains support files for locally installed applications, among other things. See Table 3-4.
Stores orphaned files discovered by fsck. You'll only find this on UFS volumes.
A symbolic link to the /mach.sym file.
Contains kernel symbols. It is generated during each boot by /etc/rc.
The Darwin kernel.
Contains network-mounted Application, Library, and Users directories, as well as a Servers directory, which contains directories mounted by the automount daemon.
Contains the tmp, var, etc, and cores directories.
Contains executables for system administration and configuration.
Contains the Fink installation (see Chapter 13).
Gives OS 9 multiuser systems a place where users can store files for other users to access.
Contains a subdirectory, Library, which holds support files for the system and system applications, among other things. See Table 3-3.
The Mac OS 9 System Folder.
Contains temporary files used by Mac OS 9.
Created by Sherlock 2 (the Classic version).
Keeps track of shared volume details, such as open windows and desktop printers.
Holds temporary files. It is a symbolic link to /private/tmp.
Where Mac OS 9 stores deleted files until the Trash is emptied.
User Guides And Information/
An alias to /Library/Documentation/User Guides and Information, and contains hardware-specific documentation and information about Mac OS X.
Contains home directories for the users on the system. The root user's home directory is /var/root.
Contains BSD Unix applications and support files.
Contains frequently modified files, such as log files. It is a symbolic link to/private/var.
Mac OS 9 virtual memory file.
Contains all mounted filesystems, including removable media and mounted disk images.
3.2.1. The /etc Directory
The /etc directory contains configuration files for Unix applications and services, as well as scripts that control system startup. Table 3-2 lists the contents of the /etc directory.
Table 3-2. The /etc directory
File or directory
Configuration file for encapsulating IPv6 within IPv4. See ip6config(8).
Causes Mac OS X to use TCP/IP as the default transport for Apple File Protocol (AFP). Use this file to configure the defaults for AFP over TCP/IP.
Mail aliases file. Symbolic link to /etc/postfix/aliases.
Mail aliases db file created when you run newaliases.
AppleTalk configuration file for routing or multihoming. See the appletalk.cfg(5) manpage.
Controls how applications, such as installers, can temporarily obtain root privileges.
Global configuration file for bash, the Bourne-again shell.
Global csh configuration file, processed when the shell starts up. If you have a .cshrc or .tcshrc file in your home directory, tcsh executes its contents as well.
Global csh login file, processed when a login shell starts up. If you have a .login file in your home directory, tcsh will execute its contents as well.
Global csh logout file, processed when a user logs out of a login shell.
Contains configuration files for Common Unix Printing System (CUPS).
cron job that is run once a day (see crontab). This is a symlink to /etc/periodic/daily/ 500.daily.
Contains default configuration files for applications and utilities.
Dump date records created by dump(5), which is run by /etc/daily.
Configuration file for fax(1).
Configures fonts for X11.
List of users who are prohibited from using FTP.
Global gdb configuration file.
Terminal configuration database.
Group permissions file. See Chapter 5.
System configuration file that controls many of the startup items described in Chapter 3.
Host database; a mapping of IP addresses to hostnames. You can use this as a supplement to other Directory Services, such as DNS. Mac OS X 10.1 and earlier consulted this file only in single-user mode, but as of Mac OS X 10.2 (Jaguar), this file is used at other times. For more information, see Chapter 5.
List of trusted remote hosts and host-user pairs. This is used by rsh and is inherently insecure. You should use ssh instead, which is a secure alternative. See ssh-keygen(1) to generate key pairs that can be used to set up a trust relationship with remote users.
List of hosts that are allowed to connect to the Unix lpd service.
Contains Apache's configuration files.
Internet super-server (inetd) configuration file.
Stores an encrypted version of a user's password for auto-login.
Mach's kernel server loader configuration file. Empty in the current version of Mac OS X.
Symbolic link to your system's time zone, such as: /usr/share/zoneinfo/US/Eastern.
Mach bootstrap daemons. See Chapter 4.
Per-user Mach bootstrap daemons. See Chapter 4.
Global configuration file for /usr/bin/mail.
Shadow passwd file, consulted only in single-user mode. During normal system operation, Open Directory manages user information (see Chapter 5).
Configuration file for the group membership resolution daemon, memberd(8).
System-wide prime numbers used for cryptographic applications such as ssh.
Monthly cron job (see crontab); a symlink to /etc/periodic/monthly/500. monthly.
Message of the day; displayed each time you launch a new Terminal or log in remotely.
Configuration file for named, the DNS daemon. For more details, see named(8).
Configuration file for the nano text editor.
Network name database.
Configuration for the Notification Center.
Contains configuration files for OpenLDAP, an implementation of the Lightweight Directory Access Protocol.
Contains configuration files for PAM.
Password file. For more information, see Chapter 5.
Configuration file for pear, the PHP Extension and Application Repository.
Contains configuration files for the periodic utility, which runs cron jobs on a regular basis.
Default PHP initialization file.
Contains postfix configuration files.
Contains configuration files for Point-To-Point Protocol (PPP).
Printer configuration file for lpd. CUPS automatically generates this file. For more information, see cupsd(8).
Global profile for the Bourne-again shell.
Network protocol database.
Contains configuration files for racoon, the IKE key management daemon.
Startup script for multiuser mode.
Common settings for startup scripts.
Startup script for booting from the network using NetBoot.
System shutdown script.
DNS resolver configuration. Symlink to /var/run/resolv.conf.
Remote NFS mount table.
RPC number-to-name mappings. Mac OS X 10.1 and earlier consulted this file only in single-user mode, but newer versions of Mac OS X use this file at other times.
Configuration file for the router advertisement daemon. For more details, see rtadvd(8).
Internet service name database. Mac OS X 10.1 and earlier consulted this file only in single-user mode, but Mac OS X 10.2 (Jaguar) uses this file at other times. For more information, see Chapter 5.
List of shells.
Configuration file for the service locator daemon (slpd).
Samba configuration file.
Template configuration file for Samba.
Configuration file for the ucd-snmp snmpd agent.
Global configuration file for OpenSSH client programs.
Private DSA host key for OpenSSH. This file, and the other ssh_host_* files, are created the first time you start Remote Login in the Sharing System Preferences.
Public DSA host key for OpenSSH.
Private host key for OpenSSH when using SSH 1 compatibility.
Public host key for OpenSSH when using SSH 1 compatibility.
Private RSA host key for OpenSSH.
Public RSA host key for OpenSSH.
Configuration file for the OpenSSH sshd daemon.
Configuration file for the sudo command. Make sure you use the visudo command only to edit this file.
syslogd configuration file.
Terminal initialization file.
Weekly cron job (see crontab). This is a symlink to /etc/periodic/weekly/500.weekly.
X11 configuration directory. This file is present only if you have installed X11.
Configuration files for Xgrid.
Configuration file for xinetd, the extended Internet superserver daemon.
Contains service-specific configuration files for xinetd.
Lists current NFS exports.
3.2.2. The /System/Library Directory
Table 3-3 lists the directories stored under the /System/Library directory. You should not modify the contents of these directories or add new files to them. Instead, use their counterparts in the /Library folder. For example, to install a new font, drag it into /Library/Fonts, not /System/Library/Fonts.
Table 3-3. The /System/Library directory
File or directory
Contains Automator actions and supporting files.
Contains caches used by various parts of the operating system.
Holds shared libraries used by Carbon applications.
Includes localized resources for Mac OS X color pickers.
Contains the names and values of colors used in the color picker control.
Contains ColorSync profiles.
Contains application building blocks (components), such as AppleScript and color pickers. Components are not applications themselves and are generally shared between applications.
Contextual Menu Items/
Contains plug-ins for the Finder's contextual menu (Control-click or Right-click).
Contains system applications, such as SystemStarter, BootX, the Finder, and the login window.
Contains dictionaries used by the Dictionary application.
Contains ColorSync information for external monitors.
Contains document type definitions for XML documents used by the system, such as property lists.
Holds Darwin kernel extensions.
Contains information about extensions in the cache; a compressed XML document.
Contains the kernel extension cache. It is created at boot by /etc/rc.
Contains drivers and utilities for various filesystems (MS-DOS, AppleShare, UFS, etc.).
Contains Quartz Filters that are used in the Print dialog's ColorSync section.
Includes support files for Sherlock's content indexing.
Contains core Mac OS X fonts.
Holds a collection of reusable application frameworks, including shared libraries, headers, and documentation.
Contains device support files for the Image Capture application.
Contains Java class and jar files.
Contains bundles that support internationalized keyboard layouts.
Contains system-wide keychain files.
Contains startup configuration files for launchd as described in Chapter 4.
Plug-ins for locale-specific text handling.
Contains helper applications that are launched as you log in.
Contains modem configuration scripts.
Includes panels used by System Preferences Displays.
Holds OpenSSL configuration and support files.
Holds Perl Libraries.
Contains all the preference panes for the Preferences application.
Contains printer support files.
Holds private frameworks meant to support Mac OS X. These frameworks are not meant for programmers' use.
Holds QuickTime support files.
Includes support files for the QuickTime/Java bridge.
Contains information used for text handling, such as word-breaking rules for hyphenation.
Contains screensavers that you can select from System Preferences Desktop & Screen Saver.
Includes AppleScript plug-ins and libraries.
Contains a script to toggle whether postfix is loaded on demand.
Contains services that are made available through the Services menu.
Contains sounds that are available in System Preferences Sound.
Includes speech recognition and generation support files.
Contains metadata importers for Spotlight (see Chapter 2).
Contains startup scripts as described in Chapter 4.
Contains iSync conduits.
Contains plug-ins used to monitor various system activities (for Apple use only).
Contains support files for System Profiler.
Holds Tcl Libraries.
Contains localized text encodings.
Holds localized skeleton files for user directories. See "Creating a User's Home Directory" in Chapter 5.
Contains support files for Dashboard.
3.2.3. The /Library Directory
Table 3-4 lists the contents of the /Library directory. The /Library directory contains counterparts to many directories found in /System/Library. You can use the /Library counterparts for system-wide customization. If you find a directory of the same name in your home Library directory (~/Library), you can use that for user-level customization. For example, you can install fonts for one particular user by moving them into ~/ Library/Fonts. Table 3-4 lists only the directories found in /Library that are not also found in /System/Library (with the exception of Java and Perl, which bear additional discussion included in the table).
Table 3-4. The /Library directory
File or directory
Address Book Plug-Ins/
Contains plug-ins for the Address Book application.
Contains support files for locally installed applications.
Contains audio plug-ins and sounds.
Contains user-installed ColorSync profiles and scripts.
Contains desktop pictures used by System Preferences Desktop & Screen Saver.
Provides documentation for locally installed applications.
Contains locally installed browser plug-ins.
Contains locally installed Java classes (you can drop jar files into /Library/Java/Extensions), as well as a suitable directory to use as your $JAVA_HOME (/Library/Java/Home).
Holds logs for services such as Apple File Services, the Crash Reporter, and the Directory Service.
Includes support files for Mail.app.
Contains locally installed Perl modules (MakeMaker's INSTALLSITELIB).
Holds global preferences.
Contains locally installed Python modules.
Leaves a receipt in the form of a .pkg directory after you install an application with the Mac OS X installer. The .pkg directory contains a bill of materials file (.bom), which you can read with the lsbom command.
Contains a variety of AppleScripts installed with Mac OS X.
Contains user pictures that are used in the login panel.
Contains the Apache CGI and document root directories.
3.2.4. The /var Directory
The /var directory contains transient and volatile files , such as PID files (which tell you the process ID of a currently running daemon), log files, and many others. Table 3-5 lists the contents of the /var directory.
Table 3-5. The /var directory
File or directory
Contains information about jobs scheduled with the at command.
Contains backups of the NetInfo database.
Contains user crontab files.
Includes a grab bag of configuration and data files, including the locate database, the NetInfo database, and network interface information.
Used as an unwritable chroot(8) environment.
Contains launchd's working files.
Contains a variety of log files, including syslog, mail, and web server logs.
Contains inboxes for local users' email.
Holds system-wide messages that were delivered using msgs -s.
Includes various files used for local DNS services.
Contains various files used for NetBoot.
Serves as the root user's home directory.
Holds PID files for running processes. Also contains working files used by programs such as sudo.
Contains information used by the rwho command.
List of servers found with Service Location Protocol (SLP).
Serves as a spool directory for mail, printer queues, and other queued resources.
Serves as a temporary file directory.
Contains your swap files.
Holds working files used by Xgrid.
Contains files used by NIS.
3.2.5. The /dev Directory
The /dev directory contains files that represent devices attached to the system, including physical devices, such as serial ports , and pseudo-devices , such as a random number generator. Table 3-6 lists the contents of the /dev directory.
Table 3-6. The /dev directory
File or directory
Berkeley Packet Filter devices. See bpf(4).
The system console. This is owned by whoever is currently logged in. If you write to it, the output ends up in /var/tmp/console.log, which you can view with the Console application (/Applications/Utilities).
Modem devices for compatibility with the Unix cu (call up) utility.
Disk partition. For example, /dev/disk0s1 is the first partition of /dev/disk0.
Devices that correspond to file descriptors. See the fd manpage for more details.
Device used by syslogd to read kernel messages.
Image of kernel memory.
Image of the system memory.
Device file used for smbfs.
Bit bucket. You can redirect anything here, and it disappears.
Master ends of the first sixteen pseudo-ttys.
Master ends of the remaining pseudo-ttys.
Source of pseudorandom data. See random(4).
Raw disk device.
Raw disk partition.
Symbolic link to /dev/fd/2.
Symbolic link to /dev/fd/0.
Symbolic link to /dev/fd/1.
Standard output stream of the current Terminal or remote login.
Various modem and serial devices.
Slave ends of the first sixteen pseudo-ttys.
Slave ends of the remaining pseudo-ttys.
Source of pseudorandom data, not guaranteed to be strong. See random(4).
Pseudo disk devices.
Infinite supply of null characters. Often used with dd to create a file made up of null characters.