Privileges and Mac OS X

Thanks to the UNIX core of Mac OS X, Macintosh users have the ability to control who can access, modify, and see their personal files and folders. Tools like FileXaminer allow you to configure privileges for your files and folders without the need to learn cryptic UNIX commands. The following is a short overview of the Mac OS X Privilege architecture.

Users

A Mac OS X system can potentially serve many users. Mac OS X uses users to keep track of what belongs to whom and what each user is allowed to do with any given thing (file, program, device, etc.) on the system. Internally, Mac OS X identifies each user by a user ID (UID); the username (or login), such as 'zorlarf' or 'www', is just an alias for the UID that makes us humans more comfortable.

Groups

Users can be organized in groups. A user may belong to one or more groups of users. The concept of groups serves the purpose of assigning sets of privileges for a given resource and sharing them among many users that need to have them; for example, they are all members of a project team and they all need access to some common project files. For example, under Mac OS X all "Administrator" users are members of the admin group. This allows users granted "administrator" rights to remove applications from the Applications folder and perform other operations that a user not in the admin group would not be able to perform.

Ownership

Every file in UNIX belongs to an owner and a group. Say that we have a user zorlarf, and zorlarf belongs to a group called ProjectTeam. For any file, say, an Excel file named Budget.xls:

What user zorlarf can do with Budget.xls, then, is determined, in part, by whether or not he's the owner of the file, and whether or not he's a member of the group ProjectTeam. (Strictly speaking it's more complex than that. For instance, in Unix, it's possible to own a file and belong to the group that owns the file -- yet not be able to even read the file!)

Permissions

Every file on the system has associated with it a set of permissions. Permissions, in conjunction with owner and group information, tell the operating system what can be done with that file and by whom. There are three things you can (or can't) do with a given file:

Permissions specify what the owner, the group, and others can do with the file. For any given entity ('owner', 'group' and 'other'), we need three bits to specify access permissions: the first to denote read (r) access, the second to denote write (w) access and the third to denote execute (x) access. Each entity ('owner', 'group' and 'other') has its own permission triplet. Each bit can be set or clear (not set). We mark a set bit by its corresponding operation letter (r, w, or x) and a clear bit by a dash (-) and put them all on a row. An example might be rwxr-xr-x, where the first three (the first triplet, rwx) indicates the owner can do anything with the file, and the second and third triplets (r-x) indicate the group and the rest of the world (the others) can only read and execute it.

So if you try ls -l (lowercase ell) from a Terminal command prompt you will get something like the following:

[zorlarf:guns] djclark% ls -l
-rwxrwxrwx   1 djclark  staff  8449880 Mar 21  2000 November Rain.mp3
drwxrwxrwx  16 djclark  staff      500 Jun 21  2001 Illustrations
-rwxrwxrwx   1 djclark  staff  3832685 Apr 22  1999 Welcome to the Jungle.mp3

The first column here shows the permission bit pattern for two files and one directory (directories have permissions too, as we'll discuss in a moment). The third column shows the owner to which the file (or directory) belongs, and the fourth column shows the group to which the file (or directory) belongs. By this time, the information provided by ls -l should be enough for you to figure out what each user of the system can do with any of the items shown.

Directories

In the example above, Illustrations is a directory. Directories have permissions as well, but they take on a different meaning:

Permissions as numbers

When dealing with permissions you will encounter numeric representations like 735, 777, 444, etc. When taken together as three digits I call these "numeric strings" instead of "numbers" because each character stands alone and has its own meaning. For example, 735 is not the number seven hundred thirty-five; rather, each digit in the numeric string corresponds to one of the three permission triplets: user, group, and other, in that order. In the numeric string 735, the digit 7 corresponds to the user permissions, the 3 to the group permissions, and 5 to the permissions of others. Further, each permission -- read, write, execute, or none at all -- corresponds to a number: read is 4, write is 2, execute is 1, and no permission at all is 0.

Working from numerics to strings: For each permission bit that is set, you add, or sum, each numeric value; if it is clear, then you add nothing. For example, consider the user permission 7, which is 4 + 2 + 1; this tells us that all three permission bits are set, and thus the user can read, write, and execute the file. Breaking down our 735 permission string, we have the following:

triplet:         user   group  others
numeric string:  7      3      5
numbers to sum:  4+2+1  0+2+1  4+0+1
string:          rwx    -wx    r-x

Working from strings to numerics: If a file has rwx-wxr-x permissions we do the following calculation:

triplet:         user   group  others
string:          rwx    -wx    r-x
numbers to sum:  4+2+1  0+2+1  4+0+1
numeric string:  7      3      5

Thus we see that the permission rwx-wxr-x is the same thing as the numeric string 735. The following table is another way to summarize this information:

string (read write execute)   value (total)   read   write   execute
---                           0               0      0       0
--x                           1               0      0       1
-w-                           2               0      2       0
-wx                           3               0      2       1
r--                           4               4      0       0
r-x                           5               4      0       1
rw-                           6               4      2       0
rwx                           7               4      2       1
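The two conversions above, plus the "who gets which triplet" rule from the Ownership and Permissions sections, written out as an added Python example (this is not FileXaminer's code or anything from the original page). The ls -l line it works on is constructed for the example; the user, group and owner names are assumed.

```python
import re

# Value of each permission bit within a triplet (read=4, write=2, execute=1).
BIT_VALUES = {"r": 4, "w": 2, "x": 1}

def triplet_to_digit(triplet: str) -> int:
    """'r-x' -> 5: add the value of every set bit, add nothing for '-'."""
    if len(triplet) != 3:
        raise ValueError(f"triplet must have 3 characters: {triplet!r}")
    total = 0
    for ch, expected in zip(triplet, "rwx"):
        if ch == expected:
            total += BIT_VALUES[ch]
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {triplet!r}")
    return total

def string_to_numeric(perms: str) -> str:
    """'rwx-wxr-x' -> '735' (user, group, others, in that order)."""
    if len(perms) != 9:
        raise ValueError(f"permission string must have 9 characters: {perms!r}")
    return "".join(str(triplet_to_digit(perms[i:i + 3])) for i in (0, 3, 6))

def numeric_to_string(numeric: str) -> str:
    """'735' -> 'rwx-wxr-x'; each digit stands alone, it is not the number 735."""
    if not re.fullmatch(r"[0-7]{3}", numeric):
        raise ValueError(f"numeric string must be three digits 0-7: {numeric!r}")
    out = []
    for digit in numeric:
        value = int(digit)
        out.append("r" if value & 4 else "-")
        out.append("w" if value & 2 else "-")
        out.append("x" if value & 1 else "-")
    return "".join(out)

# Constructed line in the layout 'ls -l' prints (not real output from any system).
LS_LINE = "-rwxr-x---   1 zorlarf  ProjectTeam  12345 Mar 21  2000 Budget.xls"

def access_for(ls_line: str, user: str, groups: set) -> str:
    """Return the triplet that applies to `user` for one 'ls -l' line.

    The owner triplet wins if the user owns the file, even when the group
    triplet would grant more (this is the "own it yet can't read it" case)."""
    fields = ls_line.split(None, 8)
    mode, owner, group = fields[0], fields[2], fields[3]
    perms = mode[1:10]  # drop the type character ('-' file, 'd' directory)
    if user == owner:
        return perms[0:3]
    if group in groups:
        return perms[3:6]
    return perms[6:9]
```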

Pretty easy, huh?


Web Site (c) Copyright 2001-2006 Gideon Softworks, Inc.