Mother May I? An Introduction to Mac OS X Permissions
As we follow our path down the UNIX road, there will be times on the command line when you will not be able to run a command or modify a file because you do not have permission. What are UNIX file permissions and why are they there? What can I do to change a file's permissions? What can I do to prevent permissions-related problems in the future? We will look at these questions in turn and see if we can't sort out this permissions business.
Permissions may be a pain to deal with at times, but they are an essential part of what keeps your Mac secure. They also protect you from doing inadvertent damage to the file system. On multi-user systems (Macs where more than one user is able to use the computer), permissions keep the users from seeing and deleting each other's files and work. They also allow users to share files with each other. Let's look at what makes up the permissions model.
Mac OS X permissions have three distinct levels: Users, Groups and All Others. Each of these levels is broken down into three permission types: read, write and execute. These permissions apply to all of the files and folders on your system.
Every user account has a short name and an associated group. The first account that you set up on your Mac when you take it out of the box is an Admin account. What isn't really shown when you create your account is that you actually create a group for yourself as well. Let's look at this information in the Finder before we look at the command line.
Find a file in your home directory and single click it so that it is highlighted. Then press Command-I. This will open the Info pane for the file. There is a lot of information in this dialog, but we are only going to be concerned with what is at the bottom. You should see a dialog similar to the one below.
The field we are most interested in is the one labeled Ownership & Permissions. Go ahead and click on the arrow to the left of the word Owner and expand the dialog. You will see something similar to this:
This tells you that you, as the owner of the file, have permission to both read and write the file. This is typical for a file that you created that lives in your home directory. But wait, I said that there were groups and other permissions. Where are they in the Finder info window? Well, click on the arrow to the left of the word Details: to expand the dialog even further.
Now we see a much clearer view of the permissions. From this information we see that I am in fact the owner. I have read and write permission. Members of the rich group have permission to read the file only. All others also have permission to read the file.
Let's look at this file in the terminal where we can get an even better view.
Open the terminal and type the following command.
$ date > date.txt
Next type the command
$ ls -l date.txt
Use the man command to look up what the command line switch -l does for the ls command.
Let's break down the resulting line. The first thing the line starts out with is -rw-r--r--. The first - indicates that we are looking at a file. If we were looking at a directory (a folder in the Finder) there would be a d at the front. Type the following command to see an illustration of this:
As you can see, Desktop has a d preceding this line instead of a - to indicate that it is a directory.
Now let's get back to the previous line. What does this -rw-r--r-- mean? Is it some sort of code? The answer is sort of. Remember that earlier we stated there were three levels of permissions (users, groups and all others) and within these levels there were three types of permissions (read, write and execute). Well, each letter here indicates one of those permissions. Here is the map:
type:owner:group:all
r = read
w = write
x = execute
If a - is present instead of a letter, then that permission is not allowed. So what are the permissions of our file? From above we see that it is a file (-), the owner has read (r) and write (w) permissions, the group has read (r) permission and all others have read (r) permission as well. So a file that had read, write and execute permission for everyone would look like this:
-rwxrwxrwx
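The map above, written out as an added shell example (it is not part of the original article): the hypothetical functions perms_of, decode_mode and others_can_write translate the first column of ls -l into words. It assumes only the letters covered here (-, d, r, w, x) and ignores any extra character ls may append after the ten permission characters, such as @ or +.

```shell
#!/bin/sh
# Added example: decode the first column of `ls -l` (e.g. -rw-r--r--).

# perms_of TRIPLET -> words for one rwx triplet, "none" if all dashes
perms_of() {
    out=""
    case "$1" in r??) out="read" ;; esac
    case "$1" in ?w?) out="${out:+$out }write" ;; esac
    case "$1" in ??x) out="${out:+$out }execute" ;; esac
    echo "${out:-none}"
}

# decode_mode MODE -> four lines: type, owner, group, others
decode_mode() {
    # Keep only the first 10 characters; ls may append @ or + after them.
    mode=$(printf '%s' "$1" | cut -c1-10)
    # Accept only the characters the article covers; anything else is rejected.
    case "$mode" in
        [-d][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "unrecognized mode: $1" >&2; return 1 ;;
    esac
    case "$mode" in d*) echo "type: directory" ;; *) echo "type: file" ;; esac
    echo "owner: $(perms_of "$(printf '%s' "$mode" | cut -c2-4)")"
    echo "group: $(perms_of "$(printf '%s' "$mode" | cut -c5-7)")"
    echo "others: $(perms_of "$(printf '%s' "$mode" | cut -c8-10)")"
}

# others_can_write MODE -> succeeds if "all others" have write permission
others_can_write() {
    case "$(printf '%s' "$1" | cut -c9)" in w) return 0 ;; *) return 1 ;; esac
}

# Demo on a constructed temporary file: set owner rw, group r, others r,
# then decode what ls reports for it.
demo() {
    f=$(mktemp) || return 1
    chmod u=rw,g=r,o=r "$f"
    decode_mode "$(ls -l "$f" | awk '{print $1}')"
    rm -f "$f"
}
demo
```

A file for which others_can_write succeeds can be modified by any account on the machine, which is the case worth looking for when you browse the system with ls -l.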
Let's continue to dissect this result.
After the permissions, comes a number. This number is the number of files involved. Since we are looking at a single text file the number is one. Following this number, you will see rich rich. This is the owner and the group. Following that is the file size in bytes. The date and time that the file was last modified precedes the name of the file itself.
The next question is how does this stuff help with security? How does it keep me from harming the operating system? Security is accomplished by looking at both the individual permissions and the owner and group. Let's look at our example. Only the owner rich can read and write the file. No one else has write permission. This keeps the file from being changed, moved or deleted. If you are a member of rich's group, then you can read the file. If you didn't want other people to see what was in the file, you could take those permissions away from them (you could use the Finder or the command line; we'll look into how to do it from the command line next time).
Try changing the permissions of the file using the Finder and then see what happens. Take away write permissions from yourself. Then see if you can modify the file and save your changes. Then change it back. Play around a bit. Also, use the ls -l command to look around the system and see what the permissions look like elsewhere.
Permissions are the way the operating system protects itself from damage. Key files are owned and modifiable by the operating system itself. It doesn't allow you to change them (in fact, there are ways to modify them, but that is an advanced topic and better left to power users).
If you read that last statement closely, you might be asking yourself why you sometimes have to 'repair' permissions when your system is acting up. Well, that is the rub.
Occasionally, permissions will get screwed up. After you install an update or add some new software, key system files might get modified. In order to modify them, the installer must temporarily change the permissions and return them after it is done. Sometimes, they don't get put back the way they were found and sometimes they get changed in a manner that takes access from certain applications or even the operating system itself. When the operating system or application comes along to access the file, it finds that it can't. Either the application won't run without the information or things start to get funny.
The thing to remember here is that permissions don't change on their own. You are not going to go along happily and all of a sudden have corrupted permissions (I really shouldn't say never here because disk problems could make it happen, but it is unlikely). If things are running smoothly, you shouldn't ever have to repair permissions.
It is also true that just because permissions have changed doesn't mean they are broken. Everything might be running fine and Apple's repair utility will still find errors. The reason is in the way the utility checks the permissions. When you repair permissions, the utility checks the permissions on key system files and folders against a table of permissions. This table has the status of the permissions as these files and folders were copied to the drive at installation. From the information we have learned, we can easily see how the permissions could be different from what was installed and have everything still work correctly.
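The comparison described above, sketched as an added shell example (it is not Apple's utility and not code from the original article): the hypothetical functions record_table and check_table store the permissions of some files in a table and later report every file whose permissions no longer match it. The file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: compare current permissions against a recorded table,
# the idea the article describes. Not Apple's implementation.

# mode_of PATH -> the ten permission characters ls reports for PATH
mode_of() { ls -ld "$1" | cut -c1-10; }

# record_table FILE... -> one "<mode> <path>" line per file (the baseline)
record_table() {
    for p in "$@"; do echo "$(mode_of "$p") $p"; done
}

# check_table TABLE -> print each path whose mode differs from the table;
# succeeds only when nothing differs
check_table() {
    drift=0
    while read -r want path; do
        have=$(mode_of "$path")
        if [ "$have" != "$want" ]; then
            echo "$path: table says $want, found $have"
            drift=1
        fi
    done < "$1"
    return "$drift"
}

# Demo with constructed files: record a baseline, change one file, re-check.
demo_drift() {
    dir=$(mktemp -d) || return 1
    echo "setting" > "$dir/app.conf"; echo "notes" > "$dir/notes.txt"
    chmod u=rw,g=r,o=r "$dir/app.conf" "$dir/notes.txt"
    record_table "$dir/app.conf" "$dir/notes.txt" > "$dir/table"
    chmod g+w "$dir/notes.txt"          # a change made after the baseline
    check_table "$dir/table" | sed "s|$dir/||"
    rm -rf "$dir"
}
demo_drift
```

The demo reports notes.txt as different from the table even though the file is still perfectly usable by its owner, which is why a reported difference is not by itself evidence of a problem.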
Repairing permissions should be used as an early stage of troubleshooting when things aren't going exactly right. It is an easy thing to do. That being said, repairing permissions will not hurt anything either. So if you really want to do it on a regular basis, then go right ahead, but you are really not fending off any software demons by doing so.
If you are planning on repairing permissions, review what we have talked about here, then go look at Apple's Knowledge Base articles:
About Disk Utility's Repair Disk Permissions feature
Troubleshooting permissions issues in Mac OS X
Even if you have repaired permissions before, it is a good idea to look at the articles and take the new knowledge you have learned about permissions and see what the utility is doing. The more you know about your system, the more effective you can be.
June 10 2005, 10:52 AM EDT, by |
Comments:
Jonahan
6/14/05, 7:39 AM EDT
Wow nice article! I had a basic idea before, but it's really nice to have things fleshed out a little more. Nice volume name too ;-)