
Privileges and Mac OS X

Thanks to the UNIX core of Mac OS X, Macintosh users have the ability to control who can access, modify, and see their personal files and folders. The following is a short overview of the Mac OS X Privilege architecture.

Users

A Mac OS X system can potentially serve many users. Mac OS X uses user accounts to keep track of what belongs to whom and what each user is allowed to do with any given thing (file, program, device, etc.) on the system. Internally, Mac OS X identifies each user by a User ID (UID); the username (or login), such as 'zorlarf' or 'www', is just an alias for the UID that makes us humans more comfortable.

Groups

Users can be organized in groups. A user may belong to one or more groups of users. Groups make it possible to assign a set of privileges for a given resource once and share them among the many users who need them (perhaps because they are all members of a project team and all need access to some common project files). For example, under Mac OS X all "Administrator" users are members of the admin group. This allows users granted "Administrator" rights to remove applications from the Applications folder and perform other operations that a user not in the admin group would not be able to perform.

Ownership

Every file in UNIX has an owner and a group. So, for any file in the system, user 'zorlarf' may have one of the following ownership relations:

  • zorlarf owns the file, i.e. the file's owner is 'zorlarf'.
  • zorlarf is a member of the group that owns the file, e.g. the file's group is 'admin' and zorlarf is a member of 'admin'.
  • zorlarf is neither the owner nor a member of the group that owns the file.

Permissions

Every file on the system has a set of permissions associated with it. Permissions (in conjunction with owner and group information) tell Mac OS X what can be done with that file and by whom. There are three things you can (or can't) do with a given file:

  • read it,
  • write (modify) it and
  • execute it.

Permissions specify what the owner, the group, and everybody else can do with the file. For any given entity ('owner', 'group' and 'everybody'), we need three bits to specify access permissions: the first to denote read (r) access, the second to denote write (w) access and the third to denote execute (x) access. Each entity ('owner', 'group' and 'everybody') has its own permission triplet. Each bit can be set or clear (not set). We mark a set bit by its corresponding operation letter (r, w or x) and a clear bit by a dash (-), and put them all in a row. An example might be rwxr-xr-x. What this means is that the owner can do anything with the file, but the group and the rest of the world can only read or execute it.

So if you try ls -l at the command prompt you will get something like the following:

[zorlarf:guns] djclark% ls -l

-rwxrwxrwx 1 djclark staff 8449880 Mar 21 2000 November Rain.mp3
drwxrwxrwx 16 djclark staff 500 Jun 21 2001 Use Your Illusion II
-rwxrwxrwx 1 djclark staff 3832685 Apr 22 1999 Welcome to the Jungle.mp3

The first column here shows the permission bit pattern for each file. The third column shows the owner, and the fourth column shows the group. By this time, the information provided by ls -l should be enough for you to figure out what each user of the system can do with any of the files in the directory.

Directories

Another interesting thing to note is that Use Your Illusion II, which is a directory, has permissions too. Permissions take on a different meaning for directories. Here's what they mean:

  • read determines if a user can view the directory's contents, i.e. do ls in it.
  • write determines if a user can create new files or delete files in the directory. (Note that this means a user with write access to a directory can delete files in it even if he/she doesn't have write permission for the files themselves! So be careful with this.)
  • execute determines if the user can cd into the directory.

Permissions as numbers

When dealing with permissions you will most often encounter shorthand values like 755, 777, 444, etc. Every permission string (e.g. -rwxrwxr-x) has a corresponding shorthand value, and below we'll show a simple way to figure out what shorthand value corresponds to any given permission string.

Each digit in the shorthand value corresponds to one of the three permission triplets (user, group and everybody). Every permission bit in a triplet corresponds to a value:

  • read (r) has a value of 4
  • write (w) has a value of 2
  • execute (x) has a value of 1

If the permission bit is set you add this value to the number of the permission triplet. If it is cleared, then you add nothing. So if a file has rwxr-xr-x permissions we do the following calculation:

Triplet for u: rwx => 4 + 2 + 1 = 7
Triplet for g: r-x => 4 + 0 + 1 = 5
Triplet for o: r-x => 4 + 0 + 1 = 5
Which makes: 755

Pretty easy, huh?
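An added example (not part of the original page): a Python sketch that applies the calculation above to ls -l lines and also picks the one triplet that applies to a given user, as described under Ownership and Permissions. The sample listing, the function names and zorlarf's membership of 'admin' are assumptions; special characters such as 's' or 't', which the page does not cover, are rejected.

```python
# Constructed sample in the style of the page's `ls -l` output (not real data).
SAMPLE = """\
-rwxr-xr-x 1 djclark staff 8449880 Mar 21 2000 November Rain.mp3
drwxrwxrwx 16 djclark staff 500 Jun 21 2001 Use Your Illusion II
-rw-r----- 1 djclark admin 1024 Apr 22 1999 notes.txt
"""

def mode_to_octal(mode):
    """'-rwxr-xr-x' -> '755': add r=4, w=2, x=1 for each set bit in a triplet."""
    perms = mode[1:10]  # skip the file-type character ('-' or 'd')
    if len(perms) != 9:
        raise ValueError(f"expected 9 permission characters, got {perms!r}")
    digits = ""
    for i in (0, 3, 6):  # owner, group, everybody
        total = 0
        for ch, letter, value in zip(perms[i:i + 3], "rwx", (4, 2, 1)):
            if ch == letter:
                total += value
            elif ch != "-":  # e.g. 's' or 't', not covered by the page
                raise ValueError(f"unsupported permission character {ch!r}")
        digits += str(total)
    return digits

def parse_line(line):
    """Split one `ls -l` line; the file name is last and may contain spaces."""
    mode, _links, owner, group, _size, _mon, _day, _year, name = line.split(None, 8)
    return mode, owner, group, name

def triplet_for(mode, owner, group, user, user_groups):
    """Exactly one triplet applies: owner first, then group, else everybody."""
    perms = mode[1:10]
    if user == owner:
        return perms[0:3]
    if group in user_groups:
        return perms[3:6]
    return perms[6:9]

def audit(listing, user, user_groups):
    """Return (name, shorthand, triplet applying to user, world_writable) rows."""
    rows = []
    for line in listing.splitlines():
        mode, owner, group, name = parse_line(line)
        applies = triplet_for(mode, owner, group, user, user_groups)
        rows.append((name, mode_to_octal(mode), applies, mode[8] == "w"))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE, "zorlarf", {"admin"}):  # membership is assumed
        print(row)
```

The last field flags entries that everybody can write to; for a directory such as the 777 one in the sample, that is the case the Directories section warns about, where any user can delete files inside it.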