Repairing Permissions in Mac OS X Using Unix Commands: Part I
Date: May 27, 2005
The Basics
Every user on a Mac OS X system has a unique username and is a member of at least one group (the user's primary group). A user can also be a member of one or more other groups. However, only an administrator can create new groups or add or delete group members.
Directories are the "road maps" used to reach groups of files. Every directory and file on the system has an owner as well as an associated group. Directories and files also have a set of "permission flags" associated with them that specify separate read, write, and execute permissions for the 'user' (the owner), the 'group', and 'other' (everyone else with an account on the computer). In the Terminal utility (which is usually found along the path "volumename/Applications/Utilities") several commands exist to handle file and permission manipulation.
First, open Terminal. Then use the cd (change directory) command to move to the folder holding the files you want to manipulate. The pwd (print working directory) command confirms that you are where you think you are. The ls (list) command, when given the -l (long) option, shows the permissions, owner, and group of each file. Figure 1 shows how I got from Terminal's default directory (my home folder) to the top level of my hard disk. Note that I used the cd .. shortcut (type cd, a space, two periods, then Return) twice, each time moving one directory level up from where I started.
Figure 1 Terminal's output from the ls command for a directory.
Specifics of Permissions
Here's how to interpret the output of ls -l in Terminal. The first line, "total N", is the number of disk blocks the listed files occupy and can be ignored. After that there are nine fields on each line. Going from left to right, they are as follows:
Field 1: The file type followed by nine permission flags, 10 characters in all. (On Mac OS X 10.4 and later an 11th character may follow: '@' marks a file that carries extended attributes and '+' one that carries an access control list; neither is covered in this article.)
Field 2: Link count (the number of directory entries that refer to the file; don't worry about this)
Field 3: Owner of the file
Field 4: Associated group for the file
Field 5: Size in bytes
Fields 6–8: Date of last modification (month, day, and either the time or, for older files, the year)
Field 9: Name of file
The permission flags are also read from left to right within the 10-character field:
Position 1: file type ('d' if a directory; '-' if a normal file; 'l' if a symbolic link, which is not the same thing as a Finder alias)
Positions 2, 3, 4: read, write, execute permission for the owner of the file
Positions 5, 6, 7: read, write, execute permission for the group
Positions 8, 9, 10: read, write, execute permission for any other user
The values that can occur in each of the 10 positions are listed below:
-: In any position, means that flag is not set.
r: File is readable by the class (owner, group, or other) the position belongs to. On a directory, read permission means you can list the names in it.
w: File is writeable. On a directory, write permission means you can add, delete, or rename entries, including files you don't own.
x: File is executable (meaningful only for programs and shell scripts). On a directory, execute permission means you can enter it (cd into it) and reach the files inside by name; without it, read permission alone gets you only the names. Read and execute are normally granted together on directories.
s: Appears in the place where 'x' would normally go and is the set-UID flag (owner position) or the set-groupID flag (group position). A lowercase 's' means execute is also set; an uppercase 'S' means it is not.
t: In the execute position for 'other', the sticky bit. On a directory such as /tmp it means that only the owner of a file (or of the directory) can delete or rename that file, even though everyone can write to the directory.
For an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group rather than those of the person who launched it, which is why these bits deserve a second look whenever you find them on a file owned by root. For a directory, the set-groupID flag means that all files created inside that directory inherit the group of the directory. Without this flag, on most Unix systems a file takes on the primary group of the user creating it; BSD-derived systems, Mac OS X among them, give new files the directory's group anyway, and the flag simply makes the intent explicit and portable. This property is important to people trying to maintain a directory as group-accessible. Subdirectories created inside also inherit the set-groupID property.
Let's review the permissions hierarchy. The three levels are independent of one another, and exactly one of them applies to any given access. Which one depends on who is trying to access the file, tested in this order:
- If the user is the owner of the file, the owner permissions are used.
- Otherwise, if the user is a member of the file's group, the group permissions are used.
- Otherwise, the other permissions are used.
The check stops at the first match and never falls through: an owner whose own permissions are --- cannot read a file that is readable by its group, even if the owner belongs to that group. The root user is the exception; it bypasses read and write checks entirely and needs only one execute bit set in some class to execute a file.
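The field decoding rules above and the three-way hierarchy just described, as an added example that is not part of the original article. The shell functions below parse the 10-character mode string from an ls -l line, spell out each class, and decide which class applies to a given user; the ls -l line, usernames, and group names are constructed for illustration, and the root special case models traditional Unix behaviour rather than anything the article states.

```shell
#!/bin/sh
# Added example, not from the original article: decode the 10-character mode
# field printed by ls -l and work out which permission class (owner, group,
# other) applies to a given user. The ls -l line, usernames and group names
# below are constructed for illustration.

# perm_words BITS: turn a 3-character class such as "r-x" or "r-s" into words.
# In the execute slot, 's' (set-UID/set-groupID) and 't' (sticky) also imply
# execute; an uppercase 'S' or 'T' means the special bit is set but execute is not.
perm_words() {
    bits=$1; out=""
    case $bits in r??) out="$out read" ;; esac
    case $bits in ?w?) out="$out write" ;; esac
    case $bits in ??[xst]) out="$out execute" ;; esac
    case $bits in ??[sS]) out="$out set-id" ;; esac
    case $bits in ??[tT]) out="$out sticky" ;; esac
    [ -n "$out" ] || out=" none"
    echo "${out# }"
}

# class_bits MODE CLASS: extract the owner, group or other triplet from a full
# 10-character mode string such as "drwxr-s---".
class_bits() {
    case $2 in
        user)  printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
    esac
}

# decode_mode MODE: print the file type and each class in words, one per line.
decode_mode() {
    mode=$1
    [ "${#mode}" -eq 10 ] || { echo "expected a 10-character mode, got '$mode'" >&2; return 1; }
    case $mode in
        d*) echo "type: directory" ;;
        l*) echo "type: symbolic link" ;;
        -*) echo "type: regular file" ;;
        *)  echo "type: other (device, socket or fifo)" ;;
    esac
    for c in user group other; do
        echo "$c: $(perm_words "$(class_bits "$mode" "$c")")"
    done
}

# effective_class FILE_OWNER FILE_GROUP USER "GROUP1 GROUP2 ...": exactly one
# class is chosen, in this order, and the check never falls through.
effective_class() {
    f_owner=$1; f_group=$2; who=$3; who_groups=$4
    [ "$who" = "$f_owner" ] && { echo user; return 0; }
    for g in $who_groups; do
        [ "$g" = "$f_group" ] && { echo group; return 0; }
    done
    echo other
}

# has_perm MODE FILE_OWNER FILE_GROUP USER "GROUPS" r|w|x: succeed if allowed.
# root is modelled as on traditional Unix: it bypasses read and write checks
# and needs only some execute bit, in any class, to execute a file.
has_perm() {
    mode=$1; f_owner=$2; f_group=$3; who=$4; who_groups=$5; want=$6
    if [ "$who" = root ]; then
        case $want in
            x) case ${mode#?} in *[xst]*) return 0 ;; *) return 1 ;; esac ;;
            *) return 0 ;;
        esac
    fi
    cls=$(effective_class "$f_owner" "$f_group" "$who" "$who_groups")
    bits=$(class_bits "$mode" "$cls")
    case $want in
        r) case $bits in r??) return 0 ;; esac ;;
        w) case $bits in ?w?) return 0 ;; esac ;;
        x) case $bits in ??[xst]) return 0 ;; esac ;;
    esac
    return 1
}

# Constructed ls -l line of the kind Figure 1 shows: a set-groupID group share.
SAMPLE='drwxr-s---  5 alice  staff  170 May 27  2005 shared'
mode=$(printf '%s\n' "$SAMPLE" | cut -c1-10)
decode_mode "$mode"
for who in alice bob carol root; do
    case $who in bob) grp=staff ;; *) grp=users ;; esac
    for p in r w x; do
        if has_perm "$mode" alice staff "$who" "$grp" "$p"; then echo "$who: $p yes"; else echo "$who: $p no"; fi
    done
done
# The trap the first-match rule sets: the owner of ----rw-rw- cannot read it,
# although every member of its group (and everyone else) can.
has_perm ----rw-rw- alice staff alice staff r || echo "alice (owner) cannot read ----rw-rw-"
```

Running it prints the decoded classes for the constructed share, then a yes/no table for each user: alice (owner) gets rwx, bob (in staff) gets read and execute but no write, carol gets nothing, and root gets everything. The last line shows why "each level is independent" matters in practice.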
Messing with Things: chmod
Permissions for files and directories are changed with the chmod command, which lets the individual r/w/x permissions be set or changed for the owner, group, and other users. Given the -R option it applies the change to a directory and everything beneath it, so check the path twice before using that.
chmod has the following syntax:
chmod <permissions> <name>
chmod has two ways to represent the permissions for owner, group, and other: numeric and alphabetic. The numeric way expresses each class as an octal (base 8) digit: read counts 4, write 2, and execute 1, and the digit is their sum, so rwxr-xr-- is 754. Many people find the alphabetic form easier to read, but octal modes such as 755 and 644 appear constantly in scripts and documentation, so it pays to recognize them.
Alphabetic is far more descriptive. The syntax is as follows:
chmod [u g o a][+ - =][r w x X] file
u = user (owner), g = group, o = other, a = all (short for ugo). Any combination of ugo can be specified (u, ug, ugo, uo, go, etc.). a is the default if nothing is specified, except that bits masked out by the current umask are then left alone.
+ = add permission, - = remove permission, = only the specified permissions will be set (replacing the existing permissions for that class). Normally you use one of these per clause.
r = read, w = write, x = execute/access, X = execute only if the file is a directory or already has execute permission for some user. Any combination can be used; s (set-UID/set-groupID) and t (sticky) can also be given here.
Here are some specific examples.
chmod u+x file: Adds (+) x permission for the owner only (rw-rw-rw- becomes rwxrw-rw-).
chmod u-w file: Removes (-) w permission for the owner only (rwxr-xrwx becomes r-xr-xrwx).
chmod g+w file: Adds w permission to group (rwx---rwx becomes rwx-w-rwx).
chmod o=x file: Sets x permission only to other (rwxrwxrw- becomes rwxrwx--x).
chmod a+rx file: Sets r and x permission for owner, group, and other (--------- becomes r-xr-xr-x).
You can also set different permissions for owner, group, and other in the same command:
chmod u+x,g-x,o+r file: Adds x permission to owner, removes x permission for group, and adds r permission to other (rw-rwx--- becomes rwxrw-r--).
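The examples above, run for real as an added example that is not part of the original article: the shell below creates scratch files in a temporary directory, applies each chmod expression, reads the result back with ls -l, and prints the octal form the numeric notation uses; it also shows how X treats a file and a directory differently. The file names are constructed, and nothing outside the temporary directory is touched.

```shell
#!/bin/sh
# Added example, not from the original article: run the article's chmod
# examples against real files in a scratch directory, read the result back
# with ls -l, and print the octal equivalent of each mode. Everything happens
# inside a temporary directory that is removed on exit.

SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT

# rwx_to_octal RWX: "rwxr-xr--" -> 754. Per class r=4, w=2, x=1, summed into
# one octal digit; the set-UID, set-groupID and sticky bits (a leading fourth
# digit in chmod's numeric form) are deliberately left out here.
rwx_to_octal() {
    rest=$1; result=""
    while [ -n "$rest" ]; do
        b=$(printf '%s\n' "$rest" | cut -c1-3)
        rest=$(printf '%s\n' "$rest" | cut -c4-)
        n=0
        case $b in r??) n=$((n + 4)) ;; esac
        case $b in ?w?) n=$((n + 2)) ;; esac
        case $b in ??[xst]) n=$((n + 1)) ;; esac
        result="$result$n"
    done
    echo "$result"
}

# current_mode PATH: the nine permission characters as ls -l shows them.
# Cutting columns 2-10 also drops the '@' or '+' that Mac OS X appends for
# extended attributes or ACLs.
current_mode() {
    ls -ld "$1" | cut -c2-10
}

# apply_chmod START SPEC [file|dir]: create a scratch file (or directory),
# give it the starting permissions, apply one chmod expression, and report
# the resulting nine permission characters.
apply_chmod() {
    start=$1; spec=$2; kind=${3:-file}
    target="$SCRATCH/target"
    [ -e "$target" ] && chmod u+rwx "$target"   # a mode-000 leftover must be removable
    rm -rf "$target"
    if [ "$kind" = dir ]; then mkdir "$target"; else : > "$target"; fi
    chmod "$(rwx_to_octal "$start")" "$target"
    chmod "$spec" "$target"
    current_mode "$target"
}

# The article's own examples, each run for real and checked against the stated result.
for example in \
    "rw-rw-rw- u+x rwxrw-rw-" \
    "rwxr-xrwx u-w r-xr-xrwx" \
    "rwx---rwx g+w rwx-w-rwx" \
    "rwxrwxrw- o=x rwxrwx--x" \
    "--------- a+rx r-xr-xr-x" \
    "rw-rwx--- u+x,g-x,o+r rwxrw-r--"
do
    set -- $example
    got=$(apply_chmod "$1" "$2")
    [ "$got" = "$3" ] && status=ok || status=MISMATCH
    printf '%-10s %-14s -> %s (octal %s) %s\n' "$1" "$2" "$got" "$(rwx_to_octal "$got")" "$status"
done

# X adds execute only where it makes sense: a plain data file stays as it was,
# while a directory with the same starting bits becomes traversable.
printf 'file  rw-r--r-- a+X -> %s\n' "$(apply_chmod rw-r--r-- a+X)"
printf 'dir   rw-r--r-- a+X -> %s\n' "$(apply_chmod rw-r--r-- a+X dir)"
```

Each line of output pairs the symbolic change with the octal value of the result, which is the quickest way to build a feel for numbers such as 755 and 644. The mode is read back with ls -l rather than trusted, which is also how you would verify any permission change you make on a real system.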
Summary
This has been the briefest of introductions to a hard-core command-line system that has been in use since 1969. Although you can do things at this level in Mac OS X, Part II of this series will look at doing the same things with GUI tools such as the Finder.