Permissions: the heart of access control

Every file and every folder on your Mac has, as a minimum, a set of permissions which determine which users can do what with it. Your own Home folder, for instance, is set so that you can read and write to it, and so that other users, whether or not they have admin privileges, can see the folder but cannot write to it. That keeps its contents protected, and personal.

Normal permissions settings specify access privileges for three different entities: the owner, the group, and everyone else. So a file within your Home folder normally has you specified as the owner, and gives you both read and write access to it. If you are an admin user (as you are likely to be), the group specified is normally named staff, and is given read access only, with no powers to write to files or folders.

However, folders within your Home folder, such as Documents, normally do not have a group associated with them, and give no access at all to ‘everyone’ (that is, all other users apart from yourself, as the owner) – this is reflected in their icon, which bears the standard ‘no entry’ sign when seen by other users.

The easiest way to inspect and edit a file’s or folder’s permissions is to select the item in the Finder, and use the Finder’s Get Info… command in its File menu, or use the keyboard shortcut of Command-I. The lowermost section in the Get Info dialog then tells you the privileges which apply to that item.

Try this with a file in your Documents folder, and you should see this pattern: you (the owner) have read and write access, staff (the group) have read-only access, and everyone else has read-only access too.

Try this with a file in /System/Library, for example, and you will see that it is owned by system, which has read and write access, its group (wheel) has only read access, as does everyone.

It used to be that you, as an admin user, could still access System files once you had authenticated as that user. But with El Capitan comes the extra protection of SIP, which prevents any user from altering the contents of certain System folders and files. This protection is applied on top of standard permissions. There are also extended permissions in the form of ACLs, which are detailed here, although they remain little-used.

To change the permissions of a file or folder using the Get Info… dialog, you normally need to click on the padlock at the bottom right of the dialog to authenticate. You can then select and change user or group names, and privileges to assign to them.

You can also access permissions in Terminal’s command line. Simply type in a command like
ls -la
and you will see a full listing of all the files and folders in the current folder. Permissions information is given at the beginning of each line: the first character is a d for folders (directory) or - for files, then permissions are expressed in pairs of letters, where r is read and w is write, for the owner, group, and everyone, in that order. Thus
-rw-r--r--
is standard for a file, with read and write access by the owner, and read only access by the group and everyone, while
drwx------
is a folder with read and write access by the owner, but no access at all to anyone else. Further along the line the owner is named, and the group is also given.

You can also change permissions at the command line, using chmod. This is relatively complex, and fully documented when you type man chmod into Terminal.
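
As an added example (not part of the original article), this shell script decodes the permissions column that ls -la prints into the three-digit number that chmod accepts, and lists the items that the group or everyone can write to. It goes beyond the r and w letters described above by also handling the third position in each group, x (execute, or for a folder, permission to enter it), as seen in drwx------; the function names and the sample listing are constructed for illustration.

```shell
# Added example: decode the permissions column printed by `ls -la`.

# Octal digit for one three-letter group such as "rw-" (r=4, w=2, x=1).
triplet_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac  # s or t: x plus a special bit
    printf '%s\n' "$d"
}

# "-rw-r--r--" -> 644, the numeric form chmod accepts. Special bits
# (setuid, setgid, sticky) are not included in the result.
mode_to_octal() {
    # Keep the first 10 characters: macOS appends @ (extended attributes)
    # or + (ACL) to the column.
    m=$(printf '%s\n' "$1" | cut -c1-10)
    case "$m" in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) return 1 ;;                          # not a permissions string
    esac
    o=$(triplet_to_digit "$(printf '%s\n' "$m" | cut -c2-4)")
    g=$(triplet_to_digit "$(printf '%s\n' "$m" | cut -c5-7)")
    e=$(triplet_to_digit "$(printf '%s\n' "$m" | cut -c8-10)")
    printf '%s%s%s\n' "$o" "$g" "$e"
}

# Read `ls -la` output on stdin and print the lines for items that the
# group or everyone can write to (write adds 2 to the digit: 2, 3, 6, 7).
flag_writable_by_others() {
    while read -r mode rest; do
        case "$mode" in l*) continue ;; esac      # a symlink's own mode is not meaningful
        oct=$(mode_to_octal "$mode") || continue  # skips the "total 16" line
        case "$oct" in
            ?[2367]?|??[2367]) printf '%s %s %s\n' "$oct" "$mode" "$rest" ;;
        esac
    done
}

# Constructed sample listing (not from a real system).
SAMPLE='total 16
drwx------   5 alice  staff   160 Jan  1 10:00 Documents
-rw-r--r--@  1 alice  staff  1024 Jan  1 10:00 notes.txt
-rw-rw-rw-   1 alice  staff   512 Jan  1 10:00 shared.txt
drwxrwxrwt+  4 root   wheel   128 Jan  1 10:00 scratch'

mode_to_octal '-rw-r--r--'
printf '%s\n' "$SAMPLE" | flag_writable_by_others
```

To check a real folder, pipe its listing in with ls -la | flag_writable_by_others; any line it prints is an item that someone other than the owner can modify.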