Tutorial: Permissions, Accounts, and File Organization

 

The following tutorial is adapted from Mac OS X Power Tools, Panther Edition, by MacFixIt's own Dan Frakes.

 

PERMISSIONS, ACCOUNTS, AND FILE ORGANIZATION

Because of its Unix heritage, Mac OS X is a true multi-user operating system from the ground up. Yet some people have used Mac OS X for many months without fully realizing what this means -- as the only user of their Mac, they press the power key and it simply boots up and runs, much like a Mac running OS 8 or OS 9. To many other users, a multi-user OS just means that several people can use the Mac without sharing the same Documents folder and preference files.

The truth is that the multi-user architecture of Mac OS X offers so much more than separate Documents folders. It is a powerful system of files, folders, and volumes, with varying degrees of access to those items given to individual users. Everything from setting preferences to installing software, from opening files to emptying the trash, is affected by this system; as a result, OS X provides levels of security and flexibility heretofore unseen on the Mac platform. Understanding the concepts of user accounts and permissions, and understanding the file structure of Mac OS X, are the first steps towards becoming a true Power User. Consider the following discussion the foundation on which you'll build your power user skills.

PERMISSIONS EXPLAINED

Users of Mac OS 9 and earlier may remember setting up File Sharing privileges -- when File Sharing was enabled, each "shared" file had a set of privileges, set manually by the user sharing that file, that told the OS which remote users could access it. Since Mac OS X is based on Unix, it inherits the Unix system of file permissions (also called privileges). This system is similar to File Sharing privileges, except that in OS X every file and folder has a set of permissions (some set by users, most set by the OS itself), and these permissions apply to everyone, whether they are connecting remotely or sitting in front of the host computer. To put it simply, OS X keeps track of which users can open each document, folder, or application, and which users can edit each individual file. (In OS X, the terms "open" and "edit" are actually called "read" and "write.")

You can see an example of permissions by selecting a file in the Finder (a document in your Documents folder is a good one to choose), and then selecting File -- > Get Info. In the resulting Info window, you'll see a section called Ownership & Permissions. Clicking the disclosure triangle will expand this section to show the permissions you have for this file; clicking the disclosure triangle next to Details will show the overall permissions given to the file. The Info window for a document from my Documents folder is shown below:

The owner of the file is me, frakes, and I have read and write access to the file. You also see two other sets of permissions: Group and Others. In addition to an owner (the user who controls access to the file -- generally the person who created it), every file belongs to a group, which is simply a defined subset of all users who have their own access privileges to the file. The group is automatically set to the default group for the owner -- in this case, frakes -- and set to Read only. These settings can actually be changed to provide certain other users with a particular level of access, without opening up such access to everyone. (I talk more about groups and group access -- as well as why the owner and the group might be the same -- elsewhere in this chapter, but for now just remember that they are there; they can be extremely useful once you learn how to use them.) Finally, the Others permission setting is used to set privileges for users who are neither the owner of the file nor part of the group assigned to the file; think of this as "everyone else." The default setting for others is Read only. (See "What Permissions Really Mean" for more info on the various levels of access.)

NOTE: Mac OS X permissions are not enforced under Mac OS 9. If you reboot into OS 9, you're free to do anything you want, to any file you want -- and so is anyone else.

Understanding what permissions are isn't too difficult; comprehending how they work and why they work the way they do can be quite confusing. The first step towards that goal is understanding user accounts.

PRO USERS: Click here for a bonus sidebar, "What Permissions Really Mean."

UNDERSTANDING USER ACCOUNTS

Mac OS 9 and earlier were essentially single-user operating systems. Sure, Mac OS 9 had the less-than-perfectly-implemented Multiple Users feature, but it was just that -- less than perfect. Mac OS X is a true multi-user system, meaning that whether you realize it or not, you're no longer the only user of your machine. In this section, I'm going to explain what "multiple users" means in a practical way: how files and folders are organized, what users do and don't have access to, and more.

User Accounts and File/Folder Organization

At the topmost level of your Mac OS X hard drive (this is called the root level of the drive, and is designated in Unix terminology as /), you'll see a folder called Users. This folder contains all user-level files for all users of your computer. Within this folder, each user has their own individual folder, the name of which is their "short" username (as found in Accounts preferences). This folder is called the user's home folder or directory (and is generally identified by the abbreviated pathname ~/). Thus, on my computer, my home directory is located at /Users/frakes. Within each home folder are several folders that were automatically created when the user account was created: Desktop, Documents, Library, Movies, Music, Pictures, Public, and Sites (see figure below). In addition, a user's home folder can also contain any other files and/or folders the user has placed there, or that OS X has created there.

The important thing to note about home directories under OS X is that with the exception of the Public and Sites folders (which are accessible by other users), files, folders, or applications stored inside your home folder are for your eyes only, and unless you explicitly change their permissions, no one but you will be able to edit them, or even view them. Your user folder is yours and yours alone. In fact, the Desktop that you see is actually a folder called Desktop within your user folder. This means that, unlike OS 9, each user has their own Desktop, so anything you save or copy to the Desktop will be visible and accessible only to you.

However, user folders aren't just for security. They also provide an enormous amount of flexibility between users. In addition to documents, folders, and applications, user folders also store each user's preferences (in ~/Library/Preferences). This means that any settings or changes you make to your Mac -- your desktop picture, your e-mail account information, your web browser bookmarks -- will apply only to you, allowing each user to customize OS X to best serve their own needs. When you log in, the OS uses your preferences and restores the environment to exactly the state it was in when you last logged out. (This is great because it means that as customize OS X to your own preferences, sometimes using third-party software, many changes will apply only to your personal account, thus preventing you from annoying or disrupting other users.)

NOTE: When I said that all preferences apply only to the user who set them, that wasn't entirely true. There are a few exceptions to this rule; for example, network settings apply to all users, and therefore can only be changed by an administrator.

PRO USERS: Click here for a bonus sidebar, "Dissecting the Contents of Your Home Directory."

User Levels

As I previously mentioned, every user of Mac OS X has their own account. Each of those accounts has one of two levels of access: normal and administrative.

Normal users Normal users (called Standard users in some places in OS X 10.3) have full access to their own user folder and to other users' Public folders. They can also launch applications located in the /Applications directory, and can change user-specific System Preferences (Desktop picture, views, Dock settings, as well as their own account password). However, that's basically the extent of their access. Outside of their own user folder, they have only Read access (except for other user folders, for which they have no access at all). In fact, a normal user cannot even create a folder or save a document outside of their own home folder. (And an administrative user can actually restrict the account of a normal user to have even less access via Accounts preferences; OS X 10.3 calls these users Managed or Simplified users.)

Admin users Admin users do not have complete run of the house, but they are much less limited than normal users. Admin users can install new applications in the /Applications directory, can change system-level System Preferences (Network, Accounts, Sharing, Software Update, etc.), can install system-wide add-ons, can create folders and save documents almost anywhere on the drive, and can use system-level utilities such as Disk Utility and NetInfo Manager. The first account created under Mac OS X (the one you created when you first installed OS X) is an admin-level account by default, since every Mac OS X computer must have at least one administrator.

You can view user levels in the Accounts pane of the System Preferences application.

Despite having a higher level of access, even admin users cannot access other users' private folders, nor can they make changes to certain system-level folders (such as much of the System folder at the root level of the hard drive) -- at least not without help. Although I said that there are only two levels of accounts in Mac OS X, this is technically not true. There is a third level of access in Mac OS X called root access that has complete control over everything, regardless of permission or location. However, you cannot simply assign root privileges to particular accounts; Mac OS X actually has a separate root account (which always exists, but is disabled by default, for obvious security reasons). In order to gain root access you must log in as the root user. (A future MacFixIt Tutorial will cover the root user, as well has how to temporarily gain root access from an administrator account.)

NOTE: Users can also authenticate, as described in the sidebar noted below, in order to perform certain actions that they would not otherwise be able to do.

Other Uses for User Accounts (besides Other Users, That Is)

At this point you may be saying to yourself "OK, I'm the only user of my computer, and I have admin access by default, so why do I need to know about user accounts?" That's a good question. In addition to the importance understanding user accounts and permissions has for fully understanding OS X as a whole, there are several reasons I recommend creating other user accounts that have little or nothing to do with multiple human users:

Troubleshooting Although Mac OS X is incredibly stable, the truth is sometimes things go wrong. When you experience a computer problem, the first step you should take towards finding a solution is to narrow down the possible causes. In Mac OS 9, you held the shift key down to start up without extensions; if your Mac then worked fine, you had isolated the problem to a startup file conflict. In Mac OS X, because each user account has a different set of preferences, support files, and startup/login files, the first thing you want to do is to find out if your problems are caused by your account or by a larger system issue. A helpful way to do this is to create a new account (right now, before you have problems), name it something clever (I call mine "Troubleshooting User," or "trouble" for short), and then never use it... until you have a problem. If that happens, log out of your own account, log back in under your troubleshooting account, and see if the problems are gone. If they are, you've just isolated your problem to something in your own account (~/Library files, Startup/Login Items, etc.), and that's where you should start looking for the cause. If the problems still exist, then the cause is most likely system-wide.
TIP: In Mac OS X 10.3 (Panther), you can take advantage of Fast User Switching to use your troubleshooting account without even logging out of your own account.

I also recommend that you give your troubleshooting account admin access. If you ever find yourself in an emergency where you need admin access, but you can't log into your normal admin-level account, having an extra admin account can be a lifesaver.

Testing Software If you're an aspiring power user, chances are that at some point you've downloaded "beta" software (or even -- gasp -- "alpha" software). In other words, you've tried out software that isn't quite ready for prime time. Although a lot of beta software is very stable, some isn't, and you may have experienced crashes or other problems. Even if you're not that brave, at some point you may have installed software just to check it out, and later decided that you didn't really like it, but you couldn't figure out how to get rid of all the support files that the software installed. My approach to these situations is to create an extra user account just for testing out software. You can run the alphas, betas, and "just curious" software from this account until you've either decided you want to use it in your main account or decided you want to get it off your Mac as soon as possible. Whatever you decide, your personal account -- the important one you can't afford to screw up -- should be unaffected. (One exception is if the software in question installs system-level files, or otherwise affects the entire system. Even multiple users can't help you out in that case.)

Guests We've all had a friend who needs to borrow our laptop to type up a report, or asks to use our computer to do their taxes, or is just hanging out and wants to surf the Web. We let them (because we're nice people, of course), but the next time we sit down at our computer we find that our Desktop is a mess, or our application preferences have been changed, or, worst case scenario, an important document was accidentally deleted! A great solution is to create an extra account, call it "Guest" (or something a bit more clever), and then set it up for just these situations. I've got my guest account configured with limited access and with just the essentials in the Dock: Web browser, word processor, spreadsheet, etc. You can even set up the guest account with no password, so that anyone visiting or borrowing your computer can simply click on the "Guest" icon at login and be on their way.

Remote access and file sharing In addition to allowing others to use your computer locally (sitting down at it), user accounts also control who can access your Mac remotely (over the Internet, or via your home or office LAN). If you want someone to be able to access files on your computer, that person generally must have a user account on your computer -- even if they will never use the computer in person.

As you can see, "multiple users" doesn't necessarily mean "multiple people using the computer." I hope these suggestions will get you thinking about other ways to take advantage of the security and flexibility provided by multiple user accounts.

WHY ARE THERE SO MANY COPIES OF SO MANY FOLDERS? (OS X FILE/FOLDER ORGANIZATION)

I previously discussed the flexibility that user accounts provide, especially in providing a way for users to customize their individual computing environments. However, this versatility also creates new challenges that are not present in single-user operating systems. For example, what if you or another administrator of your Mac wants to install a system add-on or utility, and wants the effects or features of that software to be applicable to all users? Or, at the opposite extreme, what if some software needs low-level access to the operating system and needs to ensure that nosy users don't remove installed files?

Fortunately, the way Mac OS X is organized provides solutions to these dilemmas. Unfortunately, this organization can be quite confusing for the new user (and even for experienced users). If you truly want to master Mac OS X, understanding how files are organized is just as important as understanding permissions and user accounts. With that in mind, I'm going to explain the various folders and folder levels and their purposes.

Domain/Directory Levels

If you've done any digging around on your OS X hard drive, you've most likely discovered a number of "identical" folders in different places. In reality, these similarly named folders are not identical; they actually serve different, but parallel, purposes. This parallel structure is due to the fact that Mac OS X has three different levels of system and user support, called domain levels. These three levels are known as the system, local, and user domains. Each of these domains provides a different level of support, and a different degree of access to its files and folders; a summary of each follows.

System The system domain is represented by the directory /System at the root level of your hard drive. The contents of this folder (which are effectively the contents of /System/Library, as that is usually the only folder contained in /System) comprise the entire operating system. With a few exceptions, everything inside was installed by the Mac OS X installer or by Apple updaters (those exceptions being a few third-party installers that require very low-level access to the OS). The contents of this folder are protected by the OS and are not easily modified -- and for good reason: modifying files in the /System directory is the easiest way to screw up your computer! If you want to witness this security in action, try deleting a file or folder, such as /System/Library/Keyboard Layouts. (Go ahead, try to drag that folder to the trash, I'll wait...) If you're running OS X 10.3 or later, you'll see an Authenticate dialog that says "Finder requires that you type your password." (Click the Cancel button in the dialog -- you don't really want to delete the file/folder in this example!) This is OS X's way of saying "Are you sure you want to do that? It's an important file." Typing your admin-level username and password basically gives you temporary root access and allows you to delete the file. (If you're running OS X 10.2 or earlier, you'll see an error message that says, "The operation could not be completed because this item is owned by root.")

Basically, unless you have root access, most of the /System directory is off-limits (at least without authenticating). Think of this directory as the foundation of the OS -- you can remodel what's on top of it, but you don't want to start messing with the foundation itself unless you really know what you're doing.

PRO USERS: Click here for a bonus sidebar, "Authentication Dialogs."

Local The local domain is represented by the /Library and /Applications folders (at the root level of your hard drive). These directories provide a way for administrators to provide resources to all local users of the computer. You'll notice that the contents of /Library look similar to the contents of /System/Library. However, whereas almost everything inside /System/Library is installed by the OS X installer, /Library is largely populated by support files and system add-ons installed by administrators or software installers. The /Applications folder contains any applications you or another administrator have installed there; just as the resources in /Library are available to all users, the applications installed in /Applications can be used by all users. Although the contents of these two folders are not modifiable by a normal user, any administrator can make changes.

User The user domain is represented by each user's home folder (~/). As described in the sidebar "Dissecting the Contents of Your Home Directory," each user folder has its own Library directory (referred to by the path ~/Library). Although support files and other resources located in the ~/Library folder function in much the same way as files located in /Library and /System/Library (and the folders inside ~/Library look very similar to those in the other two Library directories), those in ~/Library, the user-level directory, are available only to the particular user whose user folder contains them. Likewise, if a user creates their own Applications folder, any applications installed in ~/Applications will only be available to that particular user.

Files generally get installed in ~/Library or ~/Applications for two reasons. First, when an administrator decides that they want to make certain files or applications available only to themselves or to a particular user, the administrator will install files in their own or a particular user's directory. Second, recall that a normal user cannot modify any folder outside of their home directory. Thus, if a normal user wants to install an application, system add-on, or other /Library-level file, they must use their own ~/Library and ~/Application directories.

NOTE: There is actually a fourth domain level in Mac OS X, the Network domain. If you are connected to a network (most likely a local area network, or LAN), a central server can host this Network domain, and the corresponding Library and/or Application directories. This /Network/Library directory can contain resources and support files available to all users on the network (and /Network/Applications can host applications for all users on the network). However, such a configuration is rare for the average user of Mac OS X, and the presence of such a Network domain does not really affect the discussion at hand.

A good example of a group of parallel folders that illustrates the concepts discussed in this section is the way Mac OS X stores fonts. Fonts that are installed by the Mac OS X installer are stored in /System/Library/Fonts. Fonts installed by applications or by administrators for use by all users are located in /Library/Fonts. Fonts installed by a single user, or by an administrator for use by only a single user, are located in ~/Library/Fonts. All users can take advantage of fonts stored in /System/Library/Fonts and /Library/Fonts, but user-level fonts (those stored in ~/Library/Fonts, inside the user's home directory) are only accessible by the user in whose home directory the fonts are located.

Another good example of parallel folders is the folders that hold preference files. The folder /Library/Preferences contains system-level preference files that affect all users, such as login window prefs, sharing and firewall prefs, power management prefs, and serial numbers for applications available to all users. These preferences generally require administrative access to change. Each user also has their own ~/Library/Preferences folder, holding all of their own preference files. Having parallel folders for preferences is actually quite powerful (and flexible), as it allows for both personal and system-wide preferences. (You'll notice that there are relatively few preference files in /Library/Preferences; this is a testament to how much of OS X is configurable by each user individually.) Also note that there is no /System/Library/Preferences directory. This makes sense if you think about it, as /System shouldn't be modified.

What do these domain levels mean to you? First, you should now have a better idea of how OS X keeps track of single-user versus all-user versus system-level files. But perhaps more importantly for the purposes of troubleshooting, understanding these domains should help you understand how changes you make to files or folders will affect your own user account, other user accounts, or the system as a whole. You also now know where to put something or edit something depending on which accounts you wish to affect.

Resources


• More from Tutorials