Mac OS X makes it easy for users on the same system to share files and directories. For instance, everyone in a group can read documents stored in one of their manager's directories without needing to make their own copies, if the manager has allowed access. There might be no need to fill people's email inboxes with file attachments if everyone can access those files directly through the Unix filesystem. Here's a brief introduction to file security and sharing. If you have critical security needs, or you just want more information, talk to your system staff or see an up-to-date book on Unix security such as Practical Unix and Internet Security, by Simson Garfinkel, Gene Spafford, and Alan Schwartz (O'Reilly).
3.2.1 Directory Access Permissions

A directory's access permissions help to control access to the files and subdirectories in that directory:
3.2.2 File Access Permissions

The access permissions on a file control what can be done to the file's contents. The access permissions on the directory where the file is kept control whether the file can be renamed or removed. If this seems confusing, think of it this way: the directory is actually a list of files. Adding, renaming, or removing a file changes the contents of the directory. If the directory isn't writable, you can't change that list.

Read permission controls whether you can read a file's contents. Write permission lets you change a file's contents. A file shouldn't have execute permission unless it's a program or a script.

3.2.3 Setting Permissions with chmod

Once you know what permissions a file or directory needs, and if you're the owner (listed in the third column of ls -l output), you can change the permissions with the chmod program. If you select a file or directory in the Finder, and then choose File → Get Info (Command-I), you can also change the permissions using the Ownership & Permissions section of the Get Info dialog (see Figure 3-6).

Figure 3-6. The Finder's Get Info dialog

There are two ways to change permissions: by specifying the permissions to add or delete, or by specifying the exact permissions. For instance, if a directory's permissions are almost correct, but you also need to make it writable by its group, tell chmod to add group-write permission. But if you need to make more than one change to the permissions (for instance, if you want to add read and execute permission but delete write permission), it's easier to set all permissions explicitly instead of changing them one by one. The syntax is:

    chmod permissions file(s)

Let's start with the rules; we see examples next. The permissions argument has three parts, which you must give in order with no space between.
Some examples should make this clearer! In the following command lines, you can replace dirname or filename with the pathname (absolute or relative) of the directory or file. An easy way to change permissions on the working directory is by using its relative pathname, . (dot), as in "chmod o-w ." (the final dot is the pathname). You can combine two permission changes in the same chmod command by separating them with a comma (,), as shown in the final example.
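The two ways of changing permissions described above, worked through on scratch items and checked with ls -ld after every step, followed by a check for entries that others can write to. This is an added example, not taken from the original text; the scratch paths are constructed and the function names (perms, demo_chmod, others_writable) are hypothetical.

```shell
#!/bin/sh
# Added example. Scratch paths are constructed; function names are hypothetical.

# perms PATH: print the 10-character mode field that ls -ld shows.
perms() {
    ls -ld "$1" | cut -c1-10
}

# demo_chmod: apply each form of chmod to scratch items and print the
# resulting mode after every step, one per line.
demo_chmod() {
    work=$(mktemp -d) || return 1
    mkdir "$work/dirname"
    : > "$work/filename"

    # Exact form: state every class so the starting point is known.
    chmod u=rwx,g=rx,o=rx "$work/dirname"
    perms "$work/dirname"

    # Add form: the directory is almost right; add group-write only.
    chmod g+w "$work/dirname"
    perms "$work/dirname"

    # Delete form: remove read and execute for everyone else.
    chmod o-rx "$work/dirname"
    perms "$work/dirname"

    # Exact form on a file: owner read/write, group and others read-only.
    chmod u=rw,go=r "$work/filename"
    perms "$work/filename"

    # Two changes in one command, separated by a comma.
    chmod g+w,o-r "$work/filename"
    perms "$work/filename"

    rm -rf "$work"
}

# others_writable DIR: list entries under DIR that users outside the owner
# and group can write to (symbolic links skipped; their own mode is unused).
others_writable() {
    find "$1" ! -type l -perm -0002 -print
}

demo_chmod
```

Running others_writable on a shared directory should normally print nothing; any path it lists can be changed by every user on the system.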
After you change permissions, it's a good idea to check your work with ls -l filename or ls -ld dirname. (Without the -d option, ls will list the contents of the directory instead of its permissions and other information.)

3.2.3.1 Problem checklist
3.2.4 Changing Group and Owner

Group ownership lets a certain group of users have access to a file or directory. You might need to let a different group have access. The chgrp program sets the group owner of a file or directory. You can set the group to any of the groups to which you belong. Because you're likely going to be administering your system, you can control the list of groups you're in. (In some situations, the system administrator controls the list of groups you're in.) The groups program lists your groups.

For example, if you're a designer creating a directory named images for several illustrators, the directory's original group owner might be admin. You'd like the illustrators, all of whom are in the group named staff, to access the directory; members of other groups should have no access. Use commands such as:

    $ groups
    gareth admin
    $ mkdir images
    $ ls -ld images
    drwxr-xr-x 2 gareth admin 68 Nov 6 09:53 images
    $ chgrp staff images
    $ chmod o= images
    $ ls -ld images
    drwxr-x--- 2 gareth staff 68 Nov 6 09:53 images
The chown program changes the owner of a file or directory. Only the superuser can use chown (see Section 3.3, later in this chapter). [2]
    $ chown eric images
    chown: changing ownership of `images': Operation not permitted
    $ sudo chown eric images
    Password:
    $

3.2.5 Changing Your Password

The ownership and permissions system described in this chapter depends on the security of your username and password. If others get your username and password, they can log into your account and do anything you can. They can read private information, corrupt or delete important files, send email messages as if they came from you, and more. If your computer is connected to a network, whether it be the Internet or a local network inside your organization, intruders may also be able to log in without sitting at your keyboard! See Section 8.1 in Chapter 8 for one way this can be done.

Anyone may be able to get your username; it's usually part of your email address, for instance, or shows up as a file's owner in a long directory listing. Your password is what keeps others from logging in as you. Don't leave your password anywhere around your computer. Don't give your password to anyone who asks you for it unless you're sure he'll preserve your account security. Also, don't send your password by email; it can be stored, unprotected, on other systems and on backup tapes, where other people may find it and then break into your account.

If you think that someone knows your password, you should probably change it right away, although if you suspect that a computer "cracker" (or "hacker") is using your account to break into your system, you should ask your system administrator for advice first, if possible. You should also change your password periodically. Every few months is recommended.

A password should be easy for you to remember but hard for other people (or password-guessing programs) to guess. Here are some guidelines. A password should be between six and eight characters long.
It should not be a word in any language, a proper name, your phone number, your address, or anything anyone else might know or guess that you'd use as a password. It's best to mix upper- and lowercase letters, punctuation, and numbers. A good way to come up with a unique but memorable password is to think of a phrase that only you might know, and use the first letters of each word (and punctuation) to create the password. For example, consider the password mlwsiF! ("My laptop was stolen in Florence!").

To change your password, you can use System Preferences → Accounts, but you can also change it from the command line using the passwd command. After you enter the command, it prompts you to enter your old password. If the password is correct, it asks you to enter the new password twice, to be sure there is no typing mistake.

    $ passwd
    Changing password for taylor.
    Old password:
    New password:
    Retype new password:

For security, neither the old nor the new passwords appear as you type them.