Many Mac administrators view and change file and folder permissions using the Finder’s Get Info window. Often, basic file ownership and permission information is all administrators require. Occasionally, though, administrators need to dig further while troubleshooting access, or more advanced configuration information associated with specific files or folders is needed, or they may need to make numerous changes. The command line enables enterprise administrators to view and edit all conceivable permission settings with surgical precision more quickly than using the Finder.
To get started, administrators must be familiar with the ls command. The ls command displays file and folder information. Using the -l option, the ls command on my Mac displays the following, for example:
lserik-eckels-macbook-pro:~ Erik$ ls -l
drwx------+ 3 Erik staff 102 Jul 3 14:20 Desktop
drwx------+ 20 Erik staff 680 Jul 18 12:40 Documents
drwx------+ 5 Erik staff 170 Jul 3 13:36 Downloads
drwx------+ 37 Erik staff 1258 Dec 22 2009 Library
drwx------+ 5 Erik staff 170 Dec 27 2009 Movies
drwx------+ 6 Erik staff 204 Jan 2 2010 Music
drwx------+ 7 Erik staff 238 Dec 27 2009 Pictures
drwxr-xr-x 7 Erik staff 238 Apr 8 21:16 ProgramsAndApplications
drwxr-xr-x+ 5 Erik staff 170 Apr 9 08:20 Public
drwxr-xr-x+ 5 Erik staff 170 Jun 26 2009 Sites
drwxr-xr-x 12 Erik staff 408 Apr 3 11:31 Wallpaper
Here’s how to make sense of the permissions displayed within that window. The first set of letters, such as for the first line (Desktop directory), read drwx. d means the item is a folder (- would indicate a file, while l specifies a symbolic link).
The next three characters, rwx in this case, specifies the owner’s permissions. – indicates no access, while r specifies read access, w specifies write access and x indicates file execute or folder browsing access.
The next set of dashes (—) specify the group’s permissions. The last set of characters indicates everyone else’s permissions. For example, because the Desktop permissions listed on the first line read drwx, —— indicates that no groups or other users possess access to the user Erik’s Desktop.
However, for the ProgramsAndApplications folder, (drwxr-xr-x), the user Erik receives read, write and execute access, while the assigned group receives read and execute permissions, and all other users receive read and execute access.
Next appears the number of hard links associated with the listed item. Then comes the owner’s name and the assigned group, followed by the octal notation value (0 for no access, 1 for execution, 2 for write only and 4 for read only) for each entity (user, group and everyone else) added together. Finally, the data and time the item was last updated is recorded, followed by the item’s name.
To change ownership using the command line, enterprise Mac administrators should use the chown command. The command requires root access, so an administrator must be logged in to execute the command or the sudo command must be used.
Run the chown command by entering chown, then the user’s name, then (optionally) a colon with the new group name if desired, and then the item’s path. For example, the chown command might look like this if wanting to change ownership of a file named test1.docx located within the Desktop folder to the user Erik and the group staff:
sudo chown erik:staff Desktop/test1.docx
To change permissions using the command line, enterprise Mac administrators should use the chmod command. Again, as with the chown command, when using the chmod command to change files your user account does not own, you must use the sudo command.
To change permissions using the command line, enter chmod followed by the account type (u for owner, g for group and o for everyone), modifier (+ specifies allow, – indicates deny and = specifies an exact setting) and the privilege (r for read, w for write and x for execute or folder access).
For example, to change the permissions of the test1.docx file to provide user Erik with read, write and execute permissions and change the group and everyone permissions to also include read, write and execute permissions, an administrator can type:
chmod ugo=rwx Desktop/test1.docx
Or, to change permissions for that file back to providing the user Erik with read, write and execute access and to eliminate access for the group and everyone else, an administrator can type:
chmod u=rwx, g=---, o=--- Desktop/test1.docx
An alternative available to administrators is to leverage octal notation. Running the chmod command with octal values (such as by typing chmod 775 Desktop/Folder) enables quickly setting specific permission values for all three groups (user, group and everyone) in one fell swoop. In the example of chmod 775 Desktop/Folder1, the administrator would extend read and write (and execute) access to the owner and group but simple read-only access for everyone else for the folder named Folder1.
Command line saves enterprise admin time
Because files and folders can be quickly navigated from within a console menu, changing permissions from the command line makes chmod and chown handy for enterprise administrators looking to make many and specific changes to folders and files. The process is much quicker from the command line than it would be opening Finder, locating specific files and folders, right-clicking them individually, selecting Get Info and making manual changes and then repeating the entire process for the next item in the list requiring updates.