Learning the Command Line – File Permissions

Ever have a file you can’t do anything with? Can’t change it, can’t delete it, can’t even look at it? We’re going to find out why.

FreeBSD, and by extension OS X (whose Unix underpinnings borrow heavily from FreeBSD), uses file permissions. They let the system control which users may access which files and directories. Would you want another user looking at your files? Of course not. Permissions determine who can access any file or directory and whether it can be read, edited or deleted.

There are three types of access for a file:

Read: You can view the file, and only that.

Write: You can edit or change the file's contents. (Deleting a file is a different matter: that is controlled by the permissions on the directory the file lives in, not by the file's own permissions.)

Execute: You can ‘run’ the file if it’s a binary or application. Shell scripts must have this bit set to run, and must be readable as well, since the shell has to read the script in order to interpret it.

These are used to determine access for three classes: the owner, the group, and everyone else. A group is a collection of users on the system. For example, on FreeBSD the wheel group is the set of users allowed to become the administrator (root) with su. A user can belong to several groups or only one, depending on how the admin set things up.

If you do a long listing (ls -l) of your home directory you will see something like this:

craig@zinger:~$ ls -l
total 5656
drwxr-xr-x   28 craig  staff      952 Oct 14 15:52 Applications
drwx------@   5 craig  staff      170 Nov  2 21:34 Desktop
drwxr--r--@ 257 craig  staff     8738 Nov  2 22:25 Documents
drwx------@  32 craig  staff     1088 Nov  4 13:24 Downloads
drwx------@  13 craig  staff      442 Nov  2 21:34 Dropbox
-rw-r--r--@   1 craig  staff     1167 Oct 26 15:43 Folder Action Script.rtf
drwx------@  82 craig  staff     2788 Oct 23 17:44 Library
drwxr-xr-x  118 craig  staff     4012 Oct 27 17:37 Manuals
drwxr-xr-x@   8 craig  staff      272 Jul 23  2007 Maps

Let’s break the permissions down by looking at the first column. The first character tells you what kind of entry it is: d means a directory, and – means a regular file (you may also see l for a symbolic link). The next nine characters are the permissions, and each can be one of four characters: r, w, x, or –. They are arranged in triplets (groups of three): the first triplet is for the owner, the second for the group, and the third for everyone else. A – in a position means that permission is denied for that class; r-- means read only, for example. The @ on the end means the entry carries extended attributes (an ACL, or Access Control List, shows up as a + instead), which I won’t go into here because I don’t think I really understand them that well myself (but I’m working on it!).

Let’s look at an example to clarify this. In the list above, take the Desktop directory (d). I, the owner, can read, write, and execute (rwx) it, and nobody else can, since the first triplet after the d is rwx and the other two are all dashes. In Finder, other users can’t even look inside it. Ever come across a folder with a red and white circle with a line through it? Try looking in it. You can’t. If you have more than one user on your computer, you can’t look into the others’ folders unless they change the permissions.

The execute bit means something different for directories than for regular files. On a directory, r lets you list the names in it, x lets you enter it and open entries whose names you already know, and w (together with x) lets you create, rename and delete entries. Deleting a file is a change to the directory, not to the file, so you can delete a file you cannot write if you have w and x on its directory, and you cannot delete a file you own if you don’t. On regular files, the execute bit means the file can be run, as in the case of shell scripts or applications.
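Here is an added example, constructed for this page rather than taken from the original post, that probes the directory bits directly. It builds a scratch directory (the names private and note.txt are arbitrary) holding a file that stays readable (644) throughout, then strips your own permissions from the directory one mode at a time and reports what still works. Run it as an ordinary user: root bypasses these checks, so every probe would print ok.

```shell
#!/bin/sh
# Added example: what each directory permission bit allows.
# Constructed for this page; the directory and file names are arbitrary.
# It changes the owner's own bits on a scratch directory, so run it as an
# ordinary user: root ignores these checks and every probe would print "ok".

# try CMD ARGS... : print "ok" if CMD succeeds, "denied" if it fails
try() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# dir_perm_demo : build a scratch directory holding one readable file,
# then probe it under four directory modes. Prints six words:
#   1 ls with r--     2 cat with r--     3 ls with --x
#   4 cat with --x    5 rm with r-x      6 cat with ---
dir_perm_demo() {
    scratch=$(mktemp -d) || return 1
    d="$scratch/private"
    mkdir "$d"
    echo secret > "$d/note.txt"
    chmod 644 "$d/note.txt"         # the file itself stays readable throughout

    chmod 400 "$d"                  # r-- : names can be listed, but not opened
    p1=$(try ls "$d")               # ok
    p2=$(try cat "$d/note.txt")     # denied: no x, so the directory cannot be entered

    chmod 100 "$d"                  # --x : entries can be opened by name, not listed
    p3=$(try ls "$d")               # denied
    p4=$(try cat "$d/note.txt")     # ok

    chmod 500 "$d"                  # r-x : no w, so nothing can be removed or created
    p5=$(try rm -f "$d/note.txt")   # denied, even though the file is rw- for us

    chmod 000 "$d"                  # --- : the file's own 644 no longer helps anyone
    p6=$(try cat "$d/note.txt")     # denied

    chmod 700 "$d"                  # restore access (the owner can always chmod)
    rm -rf "$scratch"
    echo "$p1 $p2 $p3 $p4 $p5 $p6"
}

dir_perm_demo
```

As an ordinary user the script prints ok denied denied ok denied denied. The fifth probe is the one people trip over: the file is writable, yet it cannot be removed, because removal is an edit to the directory. The last probe is the converse lesson: a readable file inside an unreachable directory is unreadable.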

If you are the owner of the file (or root) you can change the permissions with the chmod command. chmod stands for change mode, the mode being the set of access bits. There are two ways to specify a mode with chmod: symbolic letters, or octal numbers.

The symbolic form looks like this (no spaces between the three parts):

$ chmod [who][operator][permission] file

The [who] is used to specify which users the permissions apply to.

u   user     the owner of the file
g   group    users who are members of the file's group
o   others   everyone else
a   all      everyone, the same as ugo

The [operator] specifies how the modes should be changed.

+   adds the mode to the specified class
-   removes the mode from the specified class
=   the modes specified are to be made exact for the class

There are three basic permissions. These are:

r   Read
w   Write
x   Execute

For example, if I wanted to give access to my Desktop folder to others in my group I would change the access:

 craig@zinger:~$ chmod g+rwx Desktop

This would give everyone in my group, in my case ‘staff’, read, write and execute permission to my Desktop folder.
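As an added example, constructed for this page and not part of the original post, the following script applies a chain of symbolic changes to a scratch file and shows the ten-character mode field from ls -ld after each step. The helper names mode_of and symbolic_chmod_demo are my own. Each step names its who class explicitly, so your umask does not affect the result.

```shell
#!/bin/sh
# Added example: the symbolic chmod operators +, - and = in action.
# Constructed for this page; mode_of and symbolic_chmod_demo are made-up names.

# mode_of FILE : print the ten-character mode field from ls -ld, e.g. -rw-r--r--
# (cut drops the @ or + that OS X prints in column 11)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# symbolic_chmod_demo : apply a sequence of symbolic changes to a scratch
# file and print the mode after each one, separated by spaces
symbolic_chmod_demo() {
    f=$(mktemp) || return 1
    chmod 600 "$f"              # start from rw-------: owner only
    m0=$(mode_of "$f")
    chmod g+r "$f"              # + adds: read for the group          -> -rw-r-----
    m1=$(mode_of "$f")
    chmod o+r "$f"              # + adds: read for everyone else      -> -rw-r--r--
    m2=$(mode_of "$f")
    chmod a+x "$f"              # a is all three classes              -> -rwxr-xr-x
    m3=$(mode_of "$f")
    chmod go-x "$f"             # who can be combined; - removes      -> -rwxr--r--
    m4=$(mode_of "$f")
    chmod u=rw,go= "$f"         # = sets exactly; go= clears the rest -> -rw-------
    m5=$(mode_of "$f")
    rm -f "$f"
    echo "$m0 $m1 $m2 $m3 $m4 $m5"
}

symbolic_chmod_demo
```

The last step is the one to remember for locking something down: = replaces the whole triplet, so go= removes every bit for the group and for others in one go, whatever was there before.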

There are other, more advanced permission bits (setuid, setgid and the sticky bit). If you are interested, check the man page (man chmod).

For some, it may be easier to use numbers (letter combinations can sometimes be cryptic). Each triplet can be expressed as a single digit by adding up the bits that are set: read is 4, write is 2, execute is 1. Three digits, for owner, group and everyone else, give the whole mode. Using the table below you can work out the digit for each class.

Value  Permission                            Shown by ls -l
  0    No read, no write, no execute          ---
  1    No read, no write, execute             --x
  2    No read, write, no execute             -w-
  3    No read, write, execute                -wx
  4    Read, no write, no execute             r--
  5    Read, no write, execute                r-x
  6    Read, write, no execute                rw-
  7    Read, write, execute                   rwx
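Here is an added example, not from the original post, that does the conversion in both directions the way the table implies: each triplet is a three-bit number with r=4, w=2, x=1, and a digit is the sum of the bits that are set. mode_to_octal accepts the raw mode field from ls -l, with or without the type character and the trailing @ or + that OS X prints; listing_to_octal runs it over a whole ls -l listing. The function names are my own, and the sample listing embedded in the script is a subset of the one shown earlier on this page.

```shell
#!/bin/sh
# Added example: convert between ls -l mode strings and octal modes.
# Constructed for this page; the function names are mine.

# mode_to_octal MODE : "drwxr-xr-x", "-rw-r--r--@" or "rw-r--r--" -> 755 / 644
mode_to_octal() {
    m=$1
    case ${#m} in
        11) m=${m%?}; m=${m#?} ;;   # type char + 9 bits + trailing @ or + (OS X)
        10) m=${m#?} ;;             # type char + 9 bits
        9)  ;;                      # bare 9 bits
        *)  echo "mode_to_octal: bad mode string '$1'" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$m" ]; do
        t=$(printf '%.3s' "$m")     # next triplet: owner, then group, then others
        m=${m#???}
        case $t in
            [r-][w-][x-]) ;;
            *) echo "mode_to_octal: bad triplet '$t' in '$1'" >&2; return 1 ;;
        esac
        n=0
        case $t in r??) n=$((n + 4)) ;; esac    # read    = 4
        case $t in ?w?) n=$((n + 2)) ;; esac    # write   = 2
        case $t in ??x) n=$((n + 1)) ;; esac    # execute = 1
        out="$out$n"
    done
    echo "$out"
}

# octal_to_mode OCTAL : 755 -> "rwxr-xr-x"
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_mode: bad octal mode '$1'" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$o" ]; do
        d=$(printf '%.1s' "$o")
        o=${o#?}
        if [ $((d & 4)) -ne 0 ]; then r=r; else r=-; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; else w=-; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; else x=-; fi
        out="$out$r$w$x"
    done
    echo "$out"
}

# listing_to_octal : read ls -l output on stdin, print "OCTAL NAME" per entry
# (read puts everything after the eighth field into name, so spaces survive)
listing_to_octal() {
    while read -r mode links owner group size mon day time name; do
        if [ -z "$mode" ] || [ "$mode" = total ]; then continue; fi
        echo "$(mode_to_octal "$mode") $name"
    done
}

# Sample input: a subset of the ls -l listing shown earlier on this page
SAMPLE_LISTING='total 5656
drwxr-xr-x   28 craig  staff      952 Oct 14 15:52 Applications
drwx------@   5 craig  staff      170 Nov  2 21:34 Desktop
drwxr--r--@ 257 craig  staff     8738 Nov  2 22:25 Documents
-rw-r--r--@   1 craig  staff     1167 Oct 26 15:43 Folder Action Script.rtf
drwxr-xr-x  118 craig  staff     4012 Oct 27 17:37 Manuals'

printf '%s\n' "$SAMPLE_LISTING" | listing_to_octal
```

Running it prints 755 Applications, 700 Desktop, 744 Documents, 644 Folder Action Script.rtf and 755 Manuals. Note the Documents entry from the listing: 744 on a directory gives the group and others r without x, so they can see the names inside but cannot open anything.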

The normal permissions on the commands available to everyone in Terminal, 755, would be:

rwxr-xr-x
or
rwx r-x r-x

This gives the owner (root, for the commands the system installs) all permissions, and gives the group and everyone else read and execute permission. Users can run the commands, but cannot change or delete them, so the commands keep working for everyone.

Let’s say you have a folder you don’t want anyone else to look into. You can change the permissions so no other user can list it or enter it (they can still see its name if they can list the directory it sits in). In this case the command would be:

craig@zinger:~$ chmod 700 foldername

 7    0    0
rwx  ---  ---

The 7 means you, the owner, can read, write and execute (enter) the folder; the two zeros mean your group and everyone else can do nothing with it.

Note: if you set permissions on a file, remember the file is in a directory. If others can’t enter the directory (no x for them), they can’t read the file no matter how permissive the file’s own bits are, so a file you want to share has to sit somewhere others can reach. The reverse also holds: a file with mode 600 in a shared directory stays private, because every directory on the path is checked and then the file’s own mode is.

You can’t go around changing permissions on whatever you feel like. Some files and directories are not meant to be messed with (system files especially). The system expects certain files to have certain permissions and sometimes complains when they are different. You might occasionally need to open Disk Utility and run Repair Permissions, which resets the files the system installed to their original access modes. This sometimes fixes small problems with the smooth running of the system, but it certainly isn’t a fix-all.