Mac OS X uses the Unix file permission system to control who has access to the filesystem's files, folders, and disks, and what they can do with them.
Ownership and permissions are central to security. It's important to get them right, even when you're the only user, because odd things can happen if you don't. For most users' interaction with Mac OS X, the system will do the right thing, without their having to think much about it. (Things get a little trickier when viewing the system as an administrator, though.)
Permissions refer to the ways in which someone can use a file. There are three such permissions under Unix:
Read: Allows you to look at a file's contents.
Write: Allows you to change or delete a file.
Execute: Allows you to run a file as a program. (This isn't so important when using Mac OS X's GUI, though; see the sidebar "What About the Execute Bit?" later in this section.)
When each file is created, the system assigns some default permissions that work most of the time. For instance, it gives you both read and write permission, but most of the world has only read permission. If you have a reason to be concerned, you can set things up so that other people have no permissions at all.
There are times when defaults don't work, though. For instance, if you create a shell script or Perl program in the Terminal, you have to assign executable permission so that you can run it. We'll show how to do that later in this section, after we get through the basic concepts.
Permissions have different meanings for a directory:
Read: Allows you to list the contents of that directory.
Write: Allows you to add or remove files in that directory.
Execute: Allows you to make that directory your working directory and list information about its contents.
If you allow people to add files to a directory, you are also letting them remove files. The two privileges go together when you assign write permission. However, there is a way you can let users share a directory and keep them from deleting each other's files: you can set that directory's sticky bit. (See the entry for chmod in Chapter 2.)
The differences between the Read and Execute bits allow you to set up special kinds of directories such as drop boxes and pickup boxes. A Drop Box is a directory with only write and execute access allowed. Users are therefore able to place items inside the directory but not see what's inside. A Pickup Box has only execute access allowed, forcing users to specify a full pathname to access any items inside and preventing them from adding anything to the directory.
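The directory types described above can be built with chmod and recognized from the mode string that ls -ld prints. The following is an added example, not from the original text; the function names are hypothetical, leaving the owner with full rwx access is an assumption, and the plain world-writable directory is included only for contrast with the sticky one.

```shell
#!/bin/sh
# mode_of DIR -> 10-character type+permission string, e.g. drwx-wx-wx
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# classify_dir DIR -> kind of shared directory, judged only from the
# "other" triplet (characters 8-10 of the mode string).
classify_dir() {
    other=$(mode_of "$1" | cut -c8-10)
    case "$other" in
        -wx) echo drop-box ;;        # may add items, cannot list them
        --x) echo pickup-box ;;      # may only reach items by full pathname
        rwt) echo sticky-shared ;;   # writable by all, sticky bit limits deletion
        rwx) echo world-writable ;;  # anyone may remove anyone's files
        *)   echo other ;;
    esac
}

# make_boxes ROOT: create one directory of each kind under ROOT.
make_boxes() {
    mkdir -p "$1/dropbox" "$1/pickup" "$1/shared" "$1/open"
    chmod 733  "$1/dropbox"   # owner rwx (assumed); group and other -wx
    chmod 711  "$1/pickup"    # owner rwx (assumed); group and other --x
    chmod 1777 "$1/shared"    # rwx for everyone plus the sticky bit
    chmod 777  "$1/open"      # rwx for everyone, no sticky bit
}

# Build the directories in a throwaway location and report each one.
demo_root=$(mktemp -d)
make_boxes "$demo_root"
for d in dropbox pickup shared open; do
    printf '%-8s %s %s\n' "$d" "$(mode_of "$demo_root/$d")" \
        "$(classify_dir "$demo_root/$d")"
done
rm -rf "$demo_root"
```

A directory that classifies as world-writable rather than sticky-shared is the case the sticky bit exists to prevent: any user with access can delete another user's files from it.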
There are more files on Unix systems than the plain files and directories we've talked about so far. These are special files (devices), sockets, symbolic links, and so forth; each type observes its own rules regarding permissions. However, you don't need to know the details on each type.
Now, who gets these permissions? To allow people to work together, Unix has three levels of permission: owner, group, and other. The other level covers everybody who has access to the system and who isn't the owner or a member of the group.
The idea behind having groups is to give a set of users, such as a team of programmers, access to a file or set of applications. For instance, a programmer creating source code may reserve write permission to himself, but allow members of his group to have read access through a group permission. As for other, it might have no permission at all.
Each file has an owner and a group. The owner is generally the user who created the file. Each user also belongs to a default group that has the same name as the user account, if that account was created in Tiger (older versions of Mac OS X assigned the group staff to new accounts). Therefore, by default, each user is the only member of their group. That group, then, is assigned to every file the user creates. You can create other groups, though, and assign each user to multiple groups. By changing the group assigned to a file, you can give this level of access to any collection of people you want.
Mac OS 9 had something similar to this system with its Users & Groups Control panel, but this was relevant mainly to configuring who could mount your machine's hard drive over a network. Mac OS X's permission system also applies itself to this use but is far more pervasive, affecting every user's interaction with every part of the filesystem whether they are logged in locally or over a network.
The permissions system is another part of Mac OS X with two distinct interfaces: you can either use the traditional Unix command-line tools through the Terminal to view and change a file's permissions, or you can use the Finder's Get Info window for a graphical interface to the same task.
Figure 9-5 shows the Finder's interface to the permission system, a section of the Finder's Info window.
The pop-up menus display the object's current owner and group, as well as the owner, group, and other access permissions.
If you are the file's owner, you can modify the three permission menus, setting them to Read & Write, Read Only, or No Access for that type of user. If you have administrative privileges, you can also modify the object's owner and group.
What About the Execute Bit?
Unix veterans will note that the Finder offers no interface to any of a file's "execute" bits, which determine whether someone is allowed to try launching a file as a program. Simply put, this type of distinction doesn't exist in Mac OS X's Aqua layer, in which the Finder recognizes only certain kinds of files or directories as launchable, including .app application bundles and .jar Java archive files.
Furthermore, directories created in the Finder--through File → New Folder (Shift-⌘-N)--always have their execute bits set, and there's no way to unset them in the Finder. Again, you have to use chmod for that.
If you run the ls command with the -l option, it lists the requested files in a tabular format, with columns specifying the group, owner, and permissions of each file. Here is the Terminal's view of the same file depicted in Figure 9-5:
honey:~/Documents andy$ ls -l Perl\ Foundation\ Press\ Kit.pdf
-rw-r--r-- 1 andy staff 326887 Dec 14 2004 Perl Foundation Press Kit.pdf
The code of letters and dashes in the first column lists the permissions. The first hyphen means it's a plain file (as opposed to a directory, which would be designated with a d ). The next three characters list the read, write, and execute bits for the file's owner; rw- means that the read and write permissions are active, but the execute permission is not. (If it were, you'd see rwx instead.) Then there are three characters showing the group permissions (read-only, in this case) and three more for "other" permission (read-only, again).
After this, we see the file's owner (andy) and group (staff), followed by the file's size in bytes, a timestamp, and finally, the file's name.
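The letters-and-dashes column can be decoded mechanically into the octal form that chmod accepts. The following is an added example, not from the original text; the function names are hypothetical, and it goes beyond the listing above by also handling the sticky bit (t or T) and the setuid/setgid markers (s or S) that ls -l can show in the execute positions.

```shell
#!/bin/sh
# triplet_value rwx-string -> octal digit (read=4, write=2, execute=1)
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    # Lowercase s or t means the execute bit is set under the special bit.
    case "$1" in ??x|??s|??t) v=$((v + 1)) ;; esac
    echo "$v"
}

# special_value MODE -> leading octal digit (setuid=4, setgid=2, sticky=1)
special_value() {
    s=0
    case "$(printf '%s\n' "$1" | cut -c4)"  in s|S) s=$((s + 4)) ;; esac
    case "$(printf '%s\n' "$1" | cut -c7)"  in s|S) s=$((s + 2)) ;; esac
    case "$(printf '%s\n' "$1" | cut -c10)" in t|T) s=$((s + 1)) ;; esac
    echo "$s"
}

# mode_to_octal MODE -> four-digit octal, e.g. -rw-r--r-- becomes 0644.
# Characters after the tenth (such as an ACL or attribute marker) are ignored.
mode_to_octal() {
    m=$1
    [ "${#m}" -ge 10 ] || { echo "bad mode string: $m" >&2; return 1; }
    u=$(printf '%s\n' "$m" | cut -c2-4)
    g=$(printf '%s\n' "$m" | cut -c5-7)
    o=$(printf '%s\n' "$m" | cut -c8-10)
    echo "$(special_value "$m")$(triplet_value "$u")$(triplet_value "$g")$(triplet_value "$o")"
}

# file_type MODE -> what the first character of the mode string denotes
file_type() {
    case "$1" in
        -*) echo file ;;
        d*) echo directory ;;
        l*) echo symlink ;;
        *)  echo special ;;
    esac
}

# The listing line from the text; the mode is its first field.
line='-rw-r--r-- 1 andy staff 326887 Dec 14 2004 Perl Foundation Press Kit.pdf'
mode=${line%% *}
echo "$(file_type "$mode") $(mode_to_octal "$mode")"
```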
To change permissions, you must use the chmod command, while the chown and chgrp commands change a file or directory's owner and group, respectively. Consult Chapter 2 or your Mac's manpages for more information on these commands. You may also wish to consult the ls command's documentation to see other ways you can list files in the Terminal.