OS X Permissions
Links
V User Permissions in Lion
* I discovered recently that in OS X Lion that when you run repair permission in Disk Utility that it will not repair permissions on anything in the users folder
* items inside the user’s home folder are regulated by ACLs while items outside the user’s home folder are regulated by Permissions
* using Disk Utility to Repair Permissions will not resolve issues related to objects in the user’s home folder. To resolve these issues, we need to “reset ACLs.”
V How to in OS X Snow Leopard
* Boot to the Mac’s install disc by inserting the disc and holding down the “C” key at startup (or holding Alt/Option and selecting the disc from the boot menu).
* Selected your language and from the installer’s main menu, choose “Utilities” from the menu bar, then “Reset Password.”
* Choose a user account from the "Select User Account" drop down menu.
* Then click “Reset” at the bottom of the screen next to the section that says "Reset Home Folder Permissions and ACLs".
V How to in OS X Lion
* In OS X 10.7 Lion, Apple removed the Reset Password option from the Utilities menu
* Boot to Lion’s recovery partition by holding “Command-R” at startup (or holding Alt/Option and selecting the recovery partition from the boot menu)
* From the Utilities menu, choose Terminal.
* Type “resetpassword” into Terminal and hit Return.
* This will launch the Reset Password tool and then you can perform the same steps as in the Snow Leopard procedure
V I use the tool Cocktail and it has an option for resetting the ACLs
* It's in the 'Disks' section and under the 'Permissions' tab there are two checkboxes for 'Rest home directory permissions and ACLs'
* In Cocktail you have the option to reset the ACLs for the current user or all users
V Permissions in OS X
* Since Mac OS X is based on Unix, it inherits the Unix system of file permissions (also called privileges)
* In OS X every file and folder has a set of permissions (some set by users, most set by the OS itself)
* In OS X, the terms "open" and "edit" are actually called "read" and "write."
V To view a file or folders permissions
* Select a file in the Finder (a document in your Documents folder is a good one to choose)
* Select File > Get Info.
* In the Info window, there is a section called Ownership & Permissions.
* Click the disclosure triangle to expand this section and show the permissions you have for this file
* Clicking the disclosure triangle next to Details will show the overall permissions given to the file.
V Each file or folder has permissons for owner, group, or Everyone (other)
* Owner is the user that created the file and the person who can control access to it
V Group is a defined subset of all users who have their own access privileges to the file
* The group is set by default to the group of the owner and is set Read Only
V Everyone is everyone else. Basically not the owner or anyone in the assigned group.
* The default setting for this group is also read only.
V Your home directory
* The top most level of your Macs hard drive is the root. In the Unix path structure it's represented by a "/". In the Finder it's the hard drive icon for your boot volume on your desktop or sidebar.
* Down from the root is the Users folder and all user accounts (set up in System Preferences > Accounts) have a Home folder in this folder. The Home folder is named with the account shortname and from the command line generally identified by the abbreviated pathname '~/'.
* Within each home folder are several folders that were automatically created when the user account was created: Desktop, Documents, Library, Movies, Music, Pictures, Public, and Sites. There may also be other folders or files that you created in your account either manually or that were crated by apps
* Files in your Home directory are owned by you and are not editable or viewable by anyone else. Exceptions would be the Shared or Sites folders which are accessible by other accounts by default.
* Your Home folder also contains all the permissons and settings and preferences specific for your account.
V Two types of user accounts
V Normal users have full access to their own user folder and to other users' Public folders
* A normal user account can change user-specific System Preferences (Desktop picture, views, Dock settings, as well as their own account password)
* Outside of their own user folder, they generally have only read access and cannot access other users folders at all
V Admin users
* Admin users do not have full access to the System, but they do have more access than Normal users
* Can install Applications in the Applications folder
* Can change system-level System Preferences (Network, Accounts, Sharing, Software Update, etc.)
* Can create folders and save documents almost anywhere on the drive
* The first account created under Mac OS X is an admin-level account by default and every install of OS X must have one Admin User.
V Root user
* Technically there is a third kind of user called 'root'. The root user has full access and complete control over everything, regardless of permission or location
* OS X has a root account, but it's disabled by default.
V Guest Account
* Ok actually a fourth kind of user, called 'Guest'
* Guests can then log in without a password.
* When they log out, all information and files in the guest account’s Home folder are deleted automatically.
V Typically you need to enable the Guest account from the System Preferences > Users & Groups
* Click the lock and enter your Admin credentials to allow changes
* Select the Guest Account from the Users list and check the "Alloe guests to log in to this computer" option to enable the account.
V OS X Lion 10.7.2 added a special kind of Guest account. The Safari only account.
* Enabled by defualt if you ran the update and viewable from the login screen
* This was added to help with iCloud's "Find My Mac" feature as it let's anyone use Safari without having to enter a username or password. The account is restricted to only using Safari.
V To disable the Safari only user:
* Open System Preferences
* Click on “Security & Privacy”
* Click the lock in the lower corner and type in your administrative password to unlock the control panel
* Click the 'Advanced…' button.
* In the sheet that slides down, check the box next to “Disable restarting to Safari when screen is locked”.
* Click 'OK' and exit the System Preferences
V Domain/Directory Levels
* If you've ever poked around in your Mac hard drive and explored the file and folder structure you've likely noticed some folders that are in different places, but have the same names.
* This is because Mac OS X has three different levels of system and user support, called domain levels. The three levels are the system, local, and user domains
V The System domain is all that stuff you find in /System
* These files and folders comprise what amounts to the files and folders of the operating system
V The Local domain is represented by the /Library and /Applications folders
* It provides resources to all local users of the computer
* Files and folders from administrators and 3rd party apps (in folders like the /Library/Application Support) are in here as well
V As you might expect the Stuff in your Home folder (~/) is managed by the User domain
* Perferences for your user accounts and app settings specific to you are in this folder.
V As I mentioned earlier, domain levels have a number of the same (or parallel) directories (folders). The main difference is the access permissons to the files and folders within those domains
* The (root) /Library/Preferences, for example, contains system-level preference files that affect all users, such as login window prefs, sharing and firewall prefs, power management prefs, and serial numbers for applications available to all users
* But, each user also has their own ~/Library/Preferences folder (in their home folder), holding all of their own preference files specific to just their user account
V Access Control Lists
V Most UNIX-based systems use the standard POSIX (Portable Operating System Interface) permissions when managing access to files and folders (in UNIX actually directories).
* They are the standard way to set very basic access control on files and directories.
* Setting the permissions for the owner, group, and "other" mentioned early is part of the POSIX permissons
* You can define whether or not each of these groups has read, write, or execute permission to the file or directory
* POSIX is generally independent of the file system, provided the system supports it.
V Access Control Lists (or ACLs) provide another more file system specific way to manage permissions
* OS X uses NFS ACLs when used with the HFS+ file system
* ACLs are made up of ACEs (Access Control Entries) and each ACL can contain more than one ACE.
V The advantage is that these provide more flexible and granular control over permissions
* On files for example, ACLs provide not only read, write, and execute access, but also append. Append allows you to add to an existing file, but not modify existing contents or delete it.
* For folders you can have permissions to list items, search items, add to a file, add a sub-directory, or delete a folders contents
* ACLs also offer inheritance, so that files and folders can inheret permisions from another ACL
V So ACLs can act like little permissions sets or groups that can be applied to user or group
* This allows you to assign a group to a directory and say assign that group with read & write permissions. Then you might give everyone else only read permissions to that folder.
* If you were using just POSIX permissions that would be it.
* With ACLs you can now add another ACL to a spcific file in the folder that allows a specific user or group of users write access to just that one file. You can assign multiple ACLs to a given directory or file.
* This avoids having to create a new group that would contain both sets of users just to be able to give them both write permissions on the folder, a typical "worksround" under a pure POSIX system
V To set and modify ACLs you can use the 'chown' and 'chmod' commands from the command line using the Terminal
* You can use the 'ls -le' command to view ACLs on specific files and folders from the Terminal
V You can also set them from the Get Info Window, under the Sharing and Permissions section in the Finder, but there your options are limited.
* ACL inheritance isn't supported in setting in the Finder, but you can use "Apply to enclosed" which will have the same basic effect. The difference is that rather than just inheriting it will go through and recessively assign the permissions
V Apple’s ACL model supports 13 permissions
* Change Permissions
* Take Ownership
* Read Attributes
* Read Extended Attributes
* List Folder Contents (Read Data)
* Traverse Folder (Execute File)
* Read Permissions
* Write Permissions
* Write Attributes
* Write Extended Attributes
* Create Files (Write Data)
* Create Folder (Append Data)
* Delete
* Delete Subfolders and Files
V Additional Resources
* I know that I have only provided a very basic overview of all this stuff and it does get a bit technical. Luckily if you want to dive in further there are a number of resources here you can check out.
* Introduction to OS X Access Control Lists (ACLs)
* Lion Server: Access control lists (ACLs)
* Lion Server: Access control entries (ACEs)