Ever have a file you can’t do anything with? Can’t change it, can’t delete it, can’t even look at it? We’re going to find out why.
FreeBSD, and by extension, OS X (which is loosely based on FreeBSD), uses file permissions. This lets the system control access to files and directories by different users. Would you want another user looking at your files? Of course not. Permissions determine who can access any file or directory and whether it can be edited or deleted.
There are three types of access for a file:
Read: You can view the file, and only that.
Write: You can edit or change the file. You can also delete the file.
Execute: You can ‘run’ the file if it’s a binary or application. Shell scripts must have this bit set to run.
These are used to determine access for owners, groups, and everyone else. A group is a collection of users on the system. For example, the Wheel group would be users which are administrators on the system. A user can belong to several groups or only one, depending on what the admin sets it to.
If you do a long-list (ls -l) on your user directory you will see something like this:
[email protected]:~$ ls -l total 5656 drwxr-xr-x 28 craig staff 952 Oct 14 15:52 Applications [email protected] 5 craig staff 170 Nov 2 21:34 Desktop [email protected] 257 craig staff 8738 Nov 2 22:25 Documents [email protected] 32 craig staff 1088 Nov 4 13:24 Downloads [email protected] 13 craig staff 442 Nov 2 21:34 Dropbox [email protected] 1 craig staff 1167 Oct 26 15:43 Folder Action Script.rtf [email protected] 82 craig staff 2788 Oct 23 17:44 Library drwxr-xr-x 118 craig staff 4012 Oct 27 17:37 Manuals [email protected] 8 craig staff 272 Jul 23 2007 Maps
Lets break the permissions down by looking at the first column. The first character, d, means it’s a directory. The – means it’s a file. Next you have nine characters following this, each of which can be one of four characters: –, r, w, x. These are arranged into triplets (groups of three). The first set are for the owner, the second are for the group, and the third are everyone else. The @ on the end is the ACL (Access Control List) which I won’t go into because I don’t think I really understand it that well myself (but I’m working on it!). You’ll notice not all the letters are set with a letter (r/w/x). If, for example, the r/w/x is not there (there is a – instead), that means the attribute is denied, or you can’t write/read the file.
Let’s look at an example to clarify this. In the list above, let’s explore the Desktop directory (d). I can read, write, and execute (rwx) it, and no one else can since the first triplet after the d has rwx and everything else is a dash. In Finder, they can’t even look in it. Ever come across a folder with a red and white circle with a line in it? Try looking in it. You can’t. If you have more than one user on your computer, you can’t look into others folders unless they change the permissions.
The execute bit is slightly different for directories than regular files. In order to list a directory, the read bit must be set. In order to delete a file in it, the execute bit must be set. On files, the execute bit means the file can be run, as in the case of shell scripts, or applications.
If you are the owner of the file you can change the attributes with the chmod command. chmod stands for change mode, or change the access. There are two ways to change permissions using the chmod tool: using switches, or using octal numbers.
The chmod command has several switches. It’s syntax looks like this:
$ chmod [who] [operator] [permission] file
The [who] is used to specify which users the permissions apply to.
u user the owner of the file g group users who are members of the file's group o others everyone else a all everyone - same as ugo
The [operator] specifies how the modes should be changed.
+ adds the mode to the specified class - removes the mode from the specified class = the modes specified are to be made exact for the class
There are three basic permissions. These are:
r Read w Write x Execute
For example, if I wanted to give access to my Desktop folder to others in my group I would change the access:
[email protected]:~$ chmod g+rwx Desktop
This would give everyone in my group, in my case ‘staff’, read, write and execute permission to my Desktop folder.
There are other types of permissions which are more advanced. If you are interested check the man pages (man chmod).
For some, it may be easier to use numbers (letter combinations can sometimes be cryptic). Each set of attributes can be expressed as a number, depending on which bits are set. Using the table below you can change the permissions for each user/group.
Value Permission Directory Listing 0 No read, no write, no execute --- 1 No read, no write, execute --x 2 No read, write, no execute -w- 3 No read, write, execute -wx 4 Read, no write, no execute r-- 5 Read, no write, execute r-x 6 Read, write, no execute rw- 7 Read, write, execute rwx
The normal permissions on commands available to most users in Terminal , 755, would be:
rwxr-xr-x or rwx r-x r-x
Which would give the owner, the system, all permissions, and everyone else read/execute permission. This is so that the commands are available to users but cannot be changed or deleted so that other users can use them.
Lets say you have a folder you don’t want anyone to look into. You can change the permissions so no one can view or move the folder. In this case the command would be:
[email protected]:~$ chmod 700 foldername 7 0 0 rwx --- ---
The 7 means you can read, write, execute the file but the two zeros mean no one else can do anything with it.
Note: if you set permissions on a file, remember the file is in a directory. If no one can enter the directory, they can’t read the file. You need to make sure it is in a place where others have access.
You can’t go around changing permissions on whatever you feel like. Some files or directories are not meant to be messed with (system files especially). The system expects certain files to have certain permissions and sometimes complains when they are different. You might need to occasionally open Disk Utilities and do a Repair Permissions. What this does is reset the system installed files to their original access states. This sometimes fixes small problems with the smooth running of the system but it certainly isn’t a fix all.