Work with Permissions - Take Control of the Mac Command Line with Terminal (2015)

Work with Permissions

Everything you do on your Mac, and especially on the command line, is governed by permissions—which user(s) can do which things with which items, under which circumstances. In this chapter, I introduce you to file permissions, along with the closely related notions of owners and groups. I also explain how to temporarily assume the power of the root user using the sudo command.

Understand Permission Basics

As you may recall from See What’s Here, when you list files in the long format (ls -l), you can see the permissions, owner, and group of each file and directory. Every file in Mac OS X has all these attributes, and you should understand how they work because they influence what you can and can’t do with each item.

Note: This section covers only the basics of permissions. To learn the full details, I heartily recommend reading Brian Tanaka’s Take Control of Permissions in Snow Leopard (which also applies to newer versions of Mac OS X).

Before I get into how to read or change permissions, I want to describe the basic options. Put simply, permissions consist of three possible activities (reading, writing, and executing), performed by any of three types of user (the file’s owner, the file’s group, and everyone else). Three types of permission multiplied by three types of user equals nine items, each of which can be specified individually for any file or folder.

Read, Write, and Execute

Someone with permission to read a file can open it and see what’s inside it. Someone with write permission can modify an item or delete it. Execute permission, for a file, means it can be run (that is, it can behave as a program or script); for a directory, execute permission means someone can list its contents.

On the command line, read permission is abbreviated with an r, write permission is abbreviated with a w, and execute permission is abbreviated with an x.

User, Group, and Everyone Else

Every file and folder specifies read, write, and execute permissions for the following types of user:

· User: In terms of file permissions, the term user means the owner of a file or directory. (The user may be a person, like you, or it may be a system process, such as _screensaver, which is exactly what it looks like.)

· Group: Each file and directory also has an associated group—one or more users for whom a set of permissions can be specified. That group could have just one member (you, for example), or many. Mac OS X includes several built-in groups, such as admin (all users with administrator access), staff (all standard users without administrative access), and wheel (which normally contains only the root user—see Perform Actions as the Root User). You can also create your own groups.

· Others: Every user who is neither the owner nor in the file’s group is lumped into the “others” category.

Reading Permissions, Owner, and Group

To illustrate how this all works, suppose you find the following two items in a certain directory by entering ls -l (list in long format):

drwxr--r-- 15 jk admin 510 Aug 27 15:02 fruits

-rw-r--r-- 2 root wheel 1024 Sep 02 11:34 lemon

For the purposes of this section, we care about just three of the items on each line (apart from the item’s name, at the end). The initial group of characters (like drwxr--r--) constitutes the permissions, and the two names in the middle (like jk admin) are the user and group, respectively. For now, you can ignore all the other information.

Directory or Not?

The first character of the permissions string tells you whether the item in question is a directory or a regular file. So in the first example (drwxr--r--), the item fruits is a directory because its permissions string starts with a d. The second item, lemon, has a hyphen (-) in the first slot, which means it’s not a directory (in other words, it’s a file).

Three Permissions, Three Sets

The remaining nine positions in the mode specify the three possible permissions for user (the first three characters), the group (the middle three), and others (the final three).

In each set of three characters, the order is always the same: r (read), w (write), and x (execute). So picture a template with ten slots, of which the first is the d character for directories:

directory  user  group  others   ← Access for whom
    d      rwx   rwx    rwx      ← A directory with all attributes on
    -      ---   ---    ---      ← A file with all attributes off

For each kind of user, each permission can be either on or off. If it’s on, the corresponding letter (r, w, or x) appears; if it’s off, you see a hyphen (-). So, for example, if the owner’s permissions are rwx, it means she can read, write, and execute the item; if they’re r--, she can read only.

If everybody—user, group, and others—had read, write, and execute permissions for a file, its permissions would look like this:

-rwxrwxrwx

Here are a few other combinations to make the system clear:

· Owner can read, write, and execute; group and others have no permission:

-rwx------

· Owner can read and write; group and others can read:

-rw-r--r--

· Everyone can read and execute, but only the owner can write:

-rwxr-xr-x

· Owner can read and write; group can read only; others have no permission:

-rw-r-----

Owner and Group

After the file’s permissions and a number (the number of links to the item—a concept that’s beyond the scope of this book) are two names. The first of these is the file’s owner (user) and the second is its group.

For example in this item:

drwxr--r-- 15 jk admin 510 Aug 27 15:02 fruits

the owner is jk and the group is admin. (In some cases, owner, group, or both may be shown as numbers, such as 501, rather than names.)

What’s with the + and @ Characters?

Sometimes a file has an extra character at the end of the permissions string—either a + or an @. For example:

drwx------@ 90 jk staff 3060 Aug 1 09:29 Library

drwx------+ 8 jk staff 272 Jul 11 11:24 Movies

The + means the item includes an ACL (access control list), which is a more elaborate and finer-grained way of specifying permissions than simply read, write, and execute for user, group, and others. To see the ACL settings for a file or directory, use ls -le.

The @ means the item includes extended attributes—extra metadata beyond the file’s contents often used for specific Mac OS X features (such as Gatekeeper). To see which types of extended attributes a file or directory contains, use ls -l@; to view the contents of those extended attributes, use xattr -l file.

Understanding, using, and modifying ACLs and extended attributes is, alas, beyond the scope of this book.

Permissions and You

When you create a file (whether by saving, copying, moving, downloading, or whatever), you become that file’s owner (user).

In addition, by default, all users on a Mac have read and write permission (and, for directories, execute permission) for everything in their home folders, and can read and execute shared items (such as things in the /Applications folder). However, users can’t read or write files, or view the contents of directories, owned by other users.

Your default group (and thus, the default group of files in your home folder and new items you create anywhere) depends on a few factors, the most significant of which is what sort of user account you’re using. Account types are specified in the Users & Groups pane of System Preferences (called Accounts in earlier versions of Mac OS X). If you’re an administrator, your default group is normally admin; otherwise, it’s normally staff.

Change an Item’s Permissions

If you want to change an item’s permissions, you use the chmod command (for “change mode,” mode being a Unix way of describing an item’s permissions). You can use chmod in a number of ways. The easiest one to understand is what you may sometimes hear described as chmod’s symbolic mode. There’s also a more-powerful absolute mode, which we’ll get to in a moment.

Use the chmod Symbolic Mode

To change permissions with chmod, you simply indicate one or more of user, group, and others (using the abbreviations u, g, and o respectively), then + or - (to add or remove permissions), and one or more of r, w, and x (for read, write, and execute), followed by the file or directory. For example, to grant group write access to the file file1, you might enter this:

chmod g+w file1

To remove others’ execute permission, enter this:

chmod o-x file1

You can affect multiple users at once—for example, add read access for user, group, and other in one stroke with this:

chmod ugo+r file1

You can also affect multiple permissions at once; for example, subtract read, write, and execute permission for the group and others with the following:

chmod go-rwx file1
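To see what each of those symbolic changes actually does, here is an added shell example (not from the book) that applies a sequence of chmod operations to a scratch file and reads the resulting permission string back with ls. It assumes nothing beyond chmod, ls, cut and mktemp, all of which are present on macOS and Linux; the starting mode is set with the chapter's own chmod 755, so the file begins as -rwxr-xr-x.

```shell
#!/bin/sh
# Added example (not from the book): apply symbolic chmod changes to a scratch
# file and read the resulting mode string back, so the effect of each step
# (g+w, o-x, ugo+r, go-rwx) is observed rather than guessed.
# The mode string is the first ten characters of "ls -ld", which is the same
# on macOS and Linux (a trailing + or @ from ACLs/xattrs is cut off).

# mode_of FILE: print the ten-character permission string, e.g. -rwxr-xr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

# scratch_file: create an empty temporary file and print its path
scratch_file() { mktemp "${TMPDIR:-/tmp}/perm.XXXXXX"; }

# mode_after START_OCTAL OP...: set a scratch file to START_OCTAL, apply each
# symbolic OP with chmod in turn, print the final mode string, and clean up.
mode_after() {
    start=$1; shift
    f=$(scratch_file) || return 1
    chmod "$start" "$f"
    for op in "$@"; do
        chmod "$op" "$f"
    done
    mode_of "$f"
    rm -f "$f"
}

# trace_ops START_OCTAL OP...: like mode_after, but show the mode after every
# step as "<op> -> <mode>" so the reader can follow along.
trace_ops() {
    start=$1; shift
    f=$(scratch_file) || return 1
    chmod "$start" "$f"
    printf 'start  -> %s\n' "$(mode_of "$f")"
    for op in "$@"; do
        chmod "$op" "$f"
        printf '%-7s-> %s\n' "$op" "$(mode_of "$f")"
    done
    rm -f "$f"
}

# Walk through the four commands from the text, starting from -rwxr-xr-x.
trace_ops 755 g+w o-x ugo+r go-rwx
```

Two things the trace makes visible: adding a permission that is already on (ugo+r here) changes nothing, and go-rwx leaves the owner's bits untouched while stripping every bit for group and others, which is the usual way to make a file private to its owner.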

Note: Ordinarily, you can change an item’s permissions only if you are the owner or are in the item’s group, and if you already have (in either capacity) write permission. In all other cases, you must use sudo (described ahead) before the chmod command.

Use the chmod Absolute Mode

In order to make more complex changes in one go (say, adding write permission for the user while removing execute permission for others), you must use chmod’s absolute mode. This is somewhat advanced, but as you work on the command line you’re bound to come across it, so I want you at least to be familiar with how it works.

In absolute mode, permissions are indicated by a series of three digits, such as 133 or 777. The first of these digits stands for the user, the second for group, and the third for others (just as in symbolic mode). But discerning the meanings of the numbers requires a little arithmetic.

The basic values are these:

· 1: read

· 2: write

· 4: execute

To combine permissions, you add these numbers. So, 3 means read and write; 5 means read and execute (but not write); 6 means write and execute; and 7 means read, write, and execute.

Thus, if you read an article telling you to change a file’s permission with this command:

chmod 755 file

it means you want the user to be able to read, write, and execute, while the group and others can read and execute only. In other words, the file’s permissions would become:

-rwxr-xr-x

Change an Item’s Owner or Group

To change an item’s owner, group, or both, use the chown (change owner) command. It takes one or two arguments—the new owner and/or the new group, separated by a colon (:)—followed by the item you want to change. For example, to change the owner of the file file1 to bob (without changing the group), enter:

chown bob file1

To change the owner of file1 to bob and the group to accounting, enter:

chown bob:accounting file1

To change only the group, but not the owner, simply leave out the owner but include the colon before the group:

chown :accounting file1

However… What I just said is hypothetical, because as an ordinary user you can’t change an item’s owner—that would mean changing it either to or from an account to which you don’t have access! Similarly, you can change an item’s group only if you’re a member of both the old group and the new group. So for all practical purposes, the chown command must always be performed using sudo, described next.

Perform Actions as the Root User

As a security measure, Mac OS X (like all Unix and Unix-like operating systems) prevents users from viewing or altering files that don’t belong to them, including those that make up the operating system itself. However, in certain situations you may have a legitimate need to alter a file or folder of which you’re not the owner—or run a command for which your user and group don’t have execute permission.

Every Mac has a special, hidden account called root, which is a user with virtually unlimited power to change anything on the computer. The root account is disabled by default, and that’s for the best. However, any administrator can temporarily assume the capabilities and authority of the root user, even without the root account as such having been activated.

The way you do this is to use the sudo (“superuser do”) command.

Note: Because the “do” in sudo is the actual verb do, the preferred pronunciation of the term rhymes with “voodoo.” But lots of people pronounce it to rhyme with “judo,” which is also logical—and it’s acceptable to everyone except the nitpickiest geeks.

For Administrators Only

Before I go any further, I must make this crystal clear: only users with administrator privileges can use sudo. If your Mac has just one user account, it’s automatically an administrator account. However, as you create additional accounts, they only gain administrator privileges if you check the Allow User to Administer This Computer box in the Users & Groups (or Accounts) pane of System Preferences.

Most Mac experts recommend using a non-administrator account for ordinary, day-to-day computing, logging in as an administrator only when necessary.

That’s good advice, but if you follow it, you’ll have to do one of two things before you can make use of the sudo command:

· Log in as an administrator first, and then run Terminal, or

· In your shell session in Terminal, switch to an administrator’s account using the su (switch user) command, like so:

su username

(Replace username with the short username of an administrator, and enter that account’s password when prompted.)

Note: As you type the administrator account’s password, no text appears—not even bullet or asterisk characters. That’s normal.

It’s a good idea to keep excursions to other accounts brief. When you’ve finished executing commands as another user, you can close the shell session as normal with the exit command.

Using sudo

Once you’re logged in as an administrator, to perform any command as the root user, preface it with sudo:

sudo command

The sudo command prompts you to enter the administrator account password; do so now.

Note: As you type your password, no text appears—not even bullet or asterisk characters. That’s normal.

The shell then performs whatever command you just entered as though you’d entered it as the root user, which ordinarily means it’s guaranteed to work as long as you entered it correctly.

If you perform a command and get a “permission denied” error, try it again with sudo in front of it, and in all probability it will work the second time.

For example, if you try to change a file’s owner like so:

chown bob file1

and you get this message:

chown: file1: Operation not permitted

try this instead:

sudo chown bob file1
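Rather than retrying every failed command with sudo on reflex, it is worth knowing in advance whether an unprivileged chown can succeed at all. Here is an added shell example (not from the book) that applies the rules stated above: an ordinary user cannot change an item's owner, and can change its group only when they own the item and belong to both the old and the new group. It reads the owner and group from fields 3 and 4 of ls -ld and the current user's identity from id, which behave the same on macOS and Linux; the function names are mine, and bob and accounting are used only as the argument string, as in the chapter's examples.

```shell
#!/bin/sh
# Added example (not from the book): decide, before running chown, whether the
# current user may change an item's owner or group without sudo, following the
# rules in the text. Nothing here runs chown or sudo; it prints the command
# that would be needed, with sudo in front only when the checks say it is.

# file_owner FILE / file_group FILE: owner and group as shown by ls -ld
file_owner() { ls -ld "$1" | awk '{print $3}'; }
file_group() { ls -ld "$1" | awk '{print $4}'; }

# in_group NAME: succeed (0) if the current user is a member of group NAME
in_group() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# can_chgrp FILE NEWGROUP: 0 if "chown :NEWGROUP FILE" should work unprivileged,
# i.e. you own the item and are in both its current group and the new one
can_chgrp() {
    [ "$(file_owner "$1")" = "$(id -un)" ] || return 1
    in_group "$(file_group "$1")" || return 1
    in_group "$2"
}

# can_chown FILE NEWOWNER: an ordinary user can never hand a file to someone
# else, so this succeeds only when the requested owner already owns it
can_chown() {
    [ "$(file_owner "$1")" = "$2" ]
}

# chown_plan FILE OWNERSPEC: OWNERSPEC is what you would give chown
# (bob, bob:accounting or :accounting); print the command to run
chown_plan() {
    file=$1
    spec=$2
    owner=${spec%%:*}
    group=${spec#*:}
    [ "$spec" = "$owner" ] && group=""   # no colon: owner only
    need_sudo=0
    if [ -n "$owner" ]; then can_chown "$file" "$owner" || need_sudo=1; fi
    if [ -n "$group" ]; then can_chgrp "$file" "$group" || need_sudo=1; fi
    if [ "$need_sudo" -eq 1 ]; then
        printf 'sudo chown %s %s\n' "$spec" "$file"
    else
        printf 'chown %s %s\n' "$spec" "$file"
    fi
}

# Demonstration on a scratch file that you own.
demo=$(mktemp "${TMPDIR:-/tmp}/perm.XXXXXX")
chown_plan "$demo" bob              # sudo chown bob <file>
chown_plan "$demo" bob:accounting   # sudo chown bob:accounting <file>
chown_plan "$demo" ":$(id -gn)"     # chown :<your group> <file>, no sudo
rm -f "$demo"
```

The point of printing the command instead of running it is that you see exactly what will be executed as root before you type your password, which keeps the use of sudo to the one command that genuinely needs it.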

Tip: Now that you understand how sudo works, you may enjoy this highly geeky comic from xkcd: Sandwich.

Notes and Precautions

Before you start using sudo, you should be aware of a few things:

· 5-minute rule: Once you use sudo and enter your password, you can enter additional sudo commands, without being prompted for a password, for 5 minutes. The timer resets every time you use sudo.

· Great power = great responsibility: You can do almost anything with sudo, and that includes damaging Mac OS X beyond repair. So use sudo only when necessary, and only when you know what you’re doing.

· Stay for a while: If you must enter a large number of commands with root privileges, you can avoid having to enter sudo every time by switching to the root user’s shell account. (Again, surprisingly, this does not require that the root account be enabled on your Mac!)

To switch to the root user’s shell, enter sudo -s and supply your password if requested. Your prompt changes from a $ to a # to signify that all commands you enter are now performed as the root user.

Be extra careful! If sudo alone is dangerous, sudo -s is asking for trouble. It’s a convenience feature I personally use on rare occasions, and it can be handy in a few situations in which sudo alone won’t do the trick. But use this with the utmost caution, and be sure to enter exit to log out of the root user’s shell as soon as possible.