I have been studying the whole user vs. permissions vs. sharing of
files thing and find it pretty confusing at this point in my study.
What follows is what I think I understand. Before I do all these
experiments of logging in and out of users to test these, I though I
would see if someone has such a handle on it that they can succinctly
summarize the principles.


By default, each user's Home folder are set to No Access permissions,
UNLESS a folder is created in the root user directory, in which case it

is Read Only to other users.


Any folder, or file I guess, can have it's permissions changed at any
time to make it Read or Write by other users where it is currently
located. Question: If this is done in the current user's Document
Folder, does this mean that that another user, when they are logged on,

no longer sees a minus sine (ie, No Access) on the Document folder of
the user who has given permission for Read or Write access to a folder
or file?


Public Folder - files put in here are only visible in that user's
Public Folder but, what, are Read and Copy in the other users' Public
folder when they are logged on? Why aren't they visible immediately in
all other user's Public Folder?


Drop Box - Write Only - Files dropped in another User's Drop Box are no

longer visible (Readable) by the current user but are useable by the
person whose Drop Box was filled.


Shared Folder - All users have Read and Write access to files in the
Shared Folder, but the files can't be deleted by anyone but the user
who first put the file into the folder.


***


I am beginning to see why a program like Macaroni for doing maintenance

on Unix permissions is necessary. I can barely keep track of the
various levels of Read, Write, etc. for the multiple users and their
folders, let alone the operating system.


Dale

You seem to see what the permissions are from a practical point of view
if I might add a layer of theory on top you will be well on your way to
mastering them. The permissions in a UNIX system are rEAD, wRITE and
ExECUTE.

r - READ - Allow these files to be read
w-WRITE - Allow these files to be written (or on a folder allow
files to be created inside)
x- EXECUTE - Allow these files to be run as a program

On top of these we have three classes of users on the system.
Owners,groups and others.

Owners - The creator of a file (if you create a file you own it)
Groups - Sets of users on a system are combined into a groups (more
below)
Others - Anyone else who isn't you or in your group.

Now if you create a file you can allow yourself, your group or others
rights to these files. (the r,w, from above) So there are three sets
of people and each set can have different priviledges. Thus when you
log in you can see and modify all your files (i.e. you are the owner
and you have r,w rights). If you look at another user's directory
since you are not him, you are the "other" thus you can do only what an
"other" is allowed to do (which is nothing). Since you cannot read or
write them.

See this link below from a Linux site, make yourself a folder with some
dummy files and try the stuff below in the Terminal. I think that will
make it a bunch clearer.

(http://www.redhat.com/docs/manuals/l...ownership.html)

Thanks for the response and link. I learned a lot more about
permissions.

I see that there are two approaches to understanding file sharing among
owners:

A. one, like I have been starting to do, is to list the various folders
that have been set up by the system for sharing files and learn what
permissions have been set by default for them, and ...

B. the other is to see what is REALLY going on behind the scenes
regarding permissions when these things are happening.

Some questions come out of these approaches.

1. I understand the concept of read, write, and execute. How do copy
and delete fit into this scheme as far as what others are allowed to do
with how one has set permissions.

2. While a user can change permissions to their files and folders, the
Mac sets certain default permissions to specific folders in specific
locations. Different permissions seem to get set for others when a user
does the following:

a. Creates a new folder in their home folder as opposed to their
Documents folder
b. Puts a file in their Shared folder
c. Puts a file in the Public folder of another user
d. Puts a file in their own Public folder
e. Puts a file in the Drop Box of another user

I don't know, my mind begins to boggle when I read about and try to
grasp the various differences that occur with the folders above. Does
it become clearer by simply memorizing the permission differences, or
by understanding the principles of why the Macintosh set up these
different folders and their permissions the way they did?

It seems like one could make a table that has the folder types above
down the left and read, write, copy, delete across the top.

Dale

<dglaser@pacific.net> wrote in message
news:1109460129.858688.321570@f14g2000cwb.googlegr oups.com...

> By default, each user's Home folder are set to No Access permissions,
> UNLESS a folder is created in the root user directory, in which case it
> is Read Only to other users.

Sort of. If you are "jim", your Home Folder /Users/jim (simply "~" in
unix-shorthand) is readable by other users. But, by default, many of the
folders inside of it (~/Documents, ~/Library, ~/Pictures) are off-limits to
all other users except jim. So, a file /Users/jim/file.txt will be
readable, but not writable, by other users. Move that same file to
~/Documents, however, and it will be off-limits to everyone except jim.

By default, any new file or folder created by any user, anywhere on the boot
volume, will be read & write for the creator, and read-only for everyone
else.

> Any folder, or file I guess, can have it's permissions changed at any
> time to make it Read or Write by other users where it is currently
> located.

Yes, but only the file's owner (or a user in the "admin" group who has
authenticated as root) has permission to change its permissions.

> Question: If this is done in the current user's Document
> Folder, does this mean that that another user, when they are logged on,
> no longer sees a minus sine (ie, No Access) on the Document folder of
> the user who has given permission for Read or Write access to a folder
> or file?

No. ~/Documents is off limits to all users except for the owner (see
above). Any files or folders inside it, regardless of whether access has
been granted, are still off-limits, because no other user can even peer
inside ~/Documents.

> Public Folder - files put in here are only visible in that user's
> Public Folder but, what, are Read and Copy in the other users' Public
> folder when they are logged on? Why aren't they visible immediately in
> all other user's Public Folder?

No. If you are "jim", and save something in ~/Public, other users can
navigate to /Users/jim/Public, and can access (read-only) any files inside.
They don't appear in any other users' public folder.

> Drop Box - Write Only - Files dropped in another User's Drop Box are no
>
> longer visible (Readable) by the current user but are useable by the
> person whose Drop Box was filled.

Correct, and are also read-only for whoever received them in his Drop Box,
unless the file creator specifically authorized write permission by changing
the permission manually. If the recipient wants to edit the file, the file
can be easily duplicated, where the new duplicated file will be owned by the
new user, and automatically assigned read-write permission.

> Shared Folder - All users have Read and Write access to files in the
> Shared Folder,

No. This is one of the most common misconceptions about OS X and
permissions. All users have permission to save files in the Shared Folder.
But, by default, any file or folder that is created by any user, and is
saved anywhere on the boot volume (including the Shared Folder), is
uneditable by any other user, unless the creator specifically authorizes
write access by changing the permissions manually. System Administrators
can also, when authenticated as root, change ownership and permissions of
other users' files. Getting ownership and/or write permission to a whole
folder and all of its enclosed files (that you don't already own) requires
the Terminal to run UNIX commands as root, or the use of a third-party
permissions utility like BatChmod.

If you want to have a folder in which all users have read-write permission
to all the enclosed files by default, regardless of who created them, you
can use a non-boot volume like a FireWire drive. Just ensure that file
ownership on that volume are set to be ignored in the volume's Get Info
panel.

> but the files can't be deleted by anyone but the user
> who first put the file into the folder.

Correct, with the addition that users in the admin group can also do it with
root authentication.

> I can barely keep track of the
> various levels of Read, Write, etc. for the multiple users and their
> folders, let alone the operating system.

Yes, it is very confusing and has caused me plenty of headaches. Single
people who are the only users of their machines, and only work in one
account often don't understand the headaches that families and other
multi-user-mac people have to put up with. I am hoping that Tiger will
offer more flexibility in permissions in a multi-user environment.
Specifically I'd like there to be a preference pane that allows me to
specify the default permissions set that is automatically assigned for new
files of any type. I'd like all of my files, by default, to be read-write
for a certain group that I specify, and read-only for all others. It's
something I've been wanting and waiting for since 10.0, but I'm not holding
my breath.

GG

> 1. I understand the concept of read, write, and execute. How do copy
> and delete fit into this scheme as far as what others are allowed to do
> with how one has set permissions.

As long as a user has read permission to any file, that user can copy it.
The user will become the owner of the new copied file and will have write
permission by default.

If a user does not have write permission to a file, that user cannot delete
it. Unless, of course, the user is a member of the admin group. In that
case the user can delete the file by authenticating as root.

> 2. While a user can change permissions to their files and folders, the
> Mac sets certain default permissions to specific folders in specific
> locations. Different permissions seem to get set for others when a user
> does the following:
>
> a. Creates a new folder in their home folder as opposed to their
> Documents folder

No, any new files that are created all have the same permissions by default;
the only thing that changes is the group assignment (see below.)

> b. Puts a file in their Shared folder
> c. Puts a file in the Public folder of another user
> d. Puts a file in their own Public folder
> e. Puts a file in the Drop Box of another user

Not quite. Moving a file from one location to another never changes its
ownership or permissions.

By default, any new file that is created by a user is assigned read-write
permission to the owner, read-only for a specified group, and read-only for
all others. The specified group (but NOT the group's assigned permission)
is inherited by the file's enclosing folder.

For example, I have a folder in /Users/Shared. Permissions are set:

Owner: mywife, can read and write.
Group: parents*, can read and write.
Others: can read only.

*I set up the "parents" group to include my admin account and my wife's
standard account, but not our kids' standard accounts.

As a member of the admin group, I have write permission for this folder. If
I create a file and save it in this location, its ownership and permissions
will be:
Owner: me, can read and write
Group: parents, can read only.
Others: can read only.

As you can see, the Group was inherited from the enclosing folder. But, the
permissions themselves are NOT inherited. The OS X default of read-write,
read-only, and read-only were assigned. There's no way to change the
default; if you want some other permissions to be assigned they must be
changed manually after the file is created.

I hope this clears permissions up a bit!

GG

Whoops! I wrote:

> For example, I have a folder in /Users/Shared. Permissions are set:
>
> Owner: mywife, can read and write.
> Group: parents*, can read and write.
> Others: can read only.
>
> *I set up the "parents" group to include my admin account and my wife's
> standard account, but not our kids' standard accounts.
>
> As a member of the admin group, I have write permission for this folder.

The last line should read "As a member of the *parents* group, I have write
permission to this folder.

GG