What the heck are default permissions???




robgendreau
Aug 30, 2013, 01:42 AM
Geez this was harder than I thought.

I just migrated to a new hard drive and permissions aren't what they were before. I don't recall exactly, but I certainly could at least copy, and maybe move, out of the root directory or application folder without having to authenticate. But maybe I had set the computer up to run as root? I just can't recall.

I couldn't find what the default permissions are for root folders, like /Applications, and for user folders at ~/Music for example. I'd like to get those set and then I could decide whether to run as root (although I can't quite recall now how I did that...aargh). I am currently the sole user and obviously the administrator, and I'm wondering if there is any big problem with running as root if I am using a home computer that requires a strong password to log on.



wrldwzrd89
Aug 30, 2013, 06:15 AM
The default permissions for items in OS X are determined in a variety of ways:

1. Are owners supported? If no, exit - there ARE no permissions. Else continue.
2. Do the current directory or any of its parents have inheritable ACLs? If yes, those override the POSIX permissions. Else, continue.
3. At this point, for a newly created file / folder, a "default permissions" (umask) file is consulted to determine the starting permissions for it.

The umask file can be edited to override the defaults, but this only affects the Terminal, not the Finder.
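
The umask step in the post above, as an added example that is not part of the original thread: the function creates a file or a folder under a given umask and reports the mode it ends up with. `mode_under_umask` is a hypothetical helper name, and the example assumes the temporary directory carries no inheritable ACLs.

```shell
# Added example: how the umask shapes the mode of newly created items.
# touch asks for 0666 and mkdir asks for 0777; every bit that is set
# in the umask is cleared from that request.

# mode_under_umask UMASK KIND -> prints the symbolic mode, e.g. drwxr-xr-x
mode_under_umask() {
    (
        scratch=$(mktemp -d) || exit 1
        umask "$1"
        case "$2" in
            file) touch "$scratch/item" ;;
            dir)  mkdir "$scratch/item" ;;
            *)    echo "kind must be file or dir" >&2
                  rm -rf "$scratch"
                  exit 2 ;;
        esac
        # First 10 characters of ls -ld: file type plus the rwx triplets
        # (drops any trailing ACL/xattr marker such as + or @).
        mode=$(ls -ld "$scratch/item" | cut -c1-10)
        rm -rf "$scratch"
        printf '%s\n' "$mode"
    )
}

# 022 gives 644/755, 002 gives 664/775, 077 gives 600/700.
for mask in 022 002 077; do
    printf 'umask %s  file %s  dir %s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" "$(mode_under_umask "$mask" dir)"
done
```
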

benwiggy
Aug 30, 2013, 07:44 AM
> I just migrated to a new hard drive and permissions aren't what they were before.
How did you do this, exactly?

> I certainly could at least copy, and maybe move, out of the root directory or application folder without having to authenticate.
By default, dragging from the Applications folder makes an alias of the file. With <alt> held down, it copies.
From the root folder, dragging a file COPIES to a new location; you may be asked for authorisation when copying, depending on the permissions of the destination. (This includes the root folder itself.)

> I'm wondering if there is any big problem with running as root if I am using a home computer that requires a strong password to log on.
Yes. Every process has access to every file and folder. Anything can be altered and deleted by anything. You can accidentally move system stuff and hose your system. You are significantly more vulnerable to any malware.
You are asking for trouble and will be back here again. ;)

If you do want to have folders full of stuff at the root level, you can assign read and write permissions for everyone (or staff, or your user) to that folder and then you can add stuff normally.
However, it is generally better practice to keep your files under your user domain. It makes it easier to restore your data after a problem with the system, for example.

The separation of user and system is a Good Thing™, and you would be well advised to work with it, rather than against it.
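
One way to check what the read/write-for-everyone approach described above leaves on disk (an added example, not part of the original thread): list the subfolders that group or other can write to and single out world-writable ones that lack the sticky bit. `audit_dir_perms` is a hypothetical helper name and the folder tree is constructed sample data.

```shell
# Added example. Directory names and modes below are constructed sample data.

# audit_dir_perms DIR
# Prints "<mode> <name> <finding>" for each immediate, non-hidden
# subdirectory of DIR that group or other can write to.
audit_dir_perms() {
    for d in "$1"/*/; do
        d=${d%/}
        # Skip an unmatched glob and symlinks that point at directories.
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        # Characters 1-10 of ls -ld: type, then owner/group/other triplets.
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in
            ????????w[tT]) finding="world-writable (sticky bit set)" ;;
            ????????w?)    finding="WORLD-WRITABLE, no sticky bit" ;;
            ?????w????)    finding="group-writable" ;;
            *)             continue ;;
        esac
        printf '%s %s %s\n' "$mode" "${d##*/}" "$finding"
    done
}

# Constructed tree standing in for a volume root.
demo=$(mktemp -d)
mkdir "$demo/Users" "$demo/Stuff" "$demo/Shared" "$demo/Applications"
chmod 755  "$demo/Users"         # only the owner may write: not reported
chmod 777  "$demo/Stuff"         # read and write for everyone
chmod 1777 "$demo/Shared"        # everyone may write; sticky bit limits deletion
chmod 775  "$demo/Applications"  # group-writable, like the 775 seen in the thread
audit_dir_perms "$demo"
rm -rf "$demo"
```

Pointing the function at `/` instead of the constructed tree only reads metadata, so it needs no authentication.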

robgendreau
Aug 30, 2013, 12:41 PM
How did I migrate? Setup Assistant from TM.

Thanks for the info re root directory and applications; I suspected that. Makes sense, if cumbersome at times.

When I first ran Repair Disk Permissions it corrected tons of group numbers in /Applications (group 80 (admin) to group 0 (wheel)). It also corrected tons of -rw-r--r-- to -rw-rw-r--.

/Applications/Utilities also had the latter problem. Most of those were fixed by Disk Utility so I'm good with the

So most everything at / is showing 755; /Applications is 775. And Apple applications are 0 and 0; ones I installed 0 and 80.

I've got 700 for most everything in my user folder (except things like Google or Box's folders for their synching services). Is that correct? Again, makes intuitive sense, but wanna be sure. ~/Pictures is 700, but the subfolders within /Photos are 755. In ~/Music (700), by contrast, subfolders are 700. ~/Documents (700), subfolders 755. So I'm wondering if those ~/Music subfolders should be changed.

Yeah, thought being root was a pain. In moving lots of stuff around it's nice to not have to authenticate, but then I always forget to disable root access. Is there a way to time limit its use? Didn't see anything like that in Directory Utility.

benwiggy
Aug 30, 2013, 02:31 PM
You don't really want to be doing stuff in the Finder as root. Finder is very simplistic in the way it does things.
You can of course use sudo in the Terminal to do precise work.

But as I said, you should not really need to turn on root/authorisation for normal usage. If you think you do, you're probably doing something "less than optimally". :p

robgendreau
Aug 30, 2013, 03:12 PM
> You don't really want to be doing stuff in the Finder as root. Finder is very simplistic in the way it does things.
> You can of course use sudo in the Terminal to do precise work.
>
> But as I said, you should not really need to turn on root/authorisation for normal usage. If you think you do, you're probably doing something "less than optimally". :p

I tend to agree...which is why I'd like to sort the permissions. The whole point is that then I don't need to be a superuser to get simple tasks done. And it seems to be surprisingly difficult to answer simple questions about which folders should have which permissions.

Bruno09
Aug 30, 2013, 03:28 PM
> I don't recall exactly, but I certainly could at least copy, and maybe move, out of the root directory or application folder without having to authenticate.

It is normal you can no longer do it, as default permissions for the root directory are:

system : r-w
wheel : r
everyone : r

If you want (but I know you know it), you can add yourself r-w (as I did) and you will no longer have to authenticate.

YOU : r-w
system : r-w
wheel : r
everyone : r

This is probably what you did but don't recall it.

(MBP 10.8.4)

benwiggy
Aug 30, 2013, 04:26 PM
It's worth pointing out that POSIX rw attributes are not the be-all-and-end-all.

There are also ACLs on the /Applications, /Library, and /System folders.

robgendreau
Aug 30, 2013, 04:34 PM
Yeah, I know. But that begs the question of how they should be set.

I ran the utility to reset the "home" directory (~/username) from resetpassword, so if that did its job on the ACLs then e.g. ~/Music subfolders should be 700, while subfolders in ~/Pictures are 755. Dunno why this is.

Still can't find documentation re what the defaults should be. I can get by, but it irks me.