Accounts and Permissions
Adjusting Permissions using the Info Window
A file or folder's Info window in the Finder is where most users will adjust settings for ownership and permissions. This includes some ACE settings for ACLs, although users do not use the Info window to directly interact with the entire set of available ACLs.
Guest Accounts & Troubleshooting
A guest account can also be helpful when troubleshooting a user-specific issue, because you do not need to create a user name and password for a test user, or use up disk space for a temporary test.
Guest Accounts
A guest account provides someone temporary access to your Mac without the need for a password. A guest account can do anything a standard user can, but the home directory is deleted when the guest logs out. You can enable parental controls for a guest account. A guest account cannot be an administrator, nor can users log into a guest account remotely.
Sharing Only Account
A sharing only account has network-only access to public folders and other shared items on your computer, by logging in from another computer over the network with a user name and password. Sharing only accounts are useful when you wish to grant someone remote access to files on your Mac over a network, but you do not wish to allow that user to log into your Mac locally from its login window.
Name all five account types available for creation in Snow Leopard.
Administrator, Standard, Managed with Parental Controls, Sharing Only, Group
Access Control Lists
An Access Control List (ACL) is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. To determine if an action is allowed or denied, the ACEs in an ACL are considered in order. The first ACE that applies to a user and action determines the permission and no further ACEs are evaluated. After evaluating the ACEs, Mac OS X evaluates the standard POSIX permissions defined for the file or folder. If none of the ACEs apply, then standard POSIX permissions determine access.
Administrator Account
An administrator account user can create, delete, and modify accounts, install software, and change system settings. Administrators can make changes to locked preferences in System Preferences, install software, and perform a variety of tasks that other users can't. The first user account created when you initially set up Snow Leopard is an administrator account.
Name two additional permission attributes that are part of ACLs in Snow Leopard.
Any two of the following: Delete, Read Attributes, Take Ownership
To give access to a new user or group
Click the plus (+) button. This window lists every Mac OS X user account and group. It also lists contacts from your Address Book that you can select and turn into user accounts on the computer. If you add a contact from your Address Book that does not have an account on your Mac, Snow Leopard will automatically create a Sharing Only user account for that contact so that the user can log in and access the shared item remotely over the network. To remove a user, select the user name and click the (-) button.
Isolating Software Issues
Create a new user account of the same type, log out of the current user, and log in as the newly-created user to test if an issue is user-specific. This is a useful troubleshooting step when trying to isolate software issues in Mac OS X. You should use this as one of your primary diagnostic tools.
When trying to isolate many software issues in Mac OS X, what is a useful troubleshooting step to test if an issue is user-specific?
Create a new user account, log out of the current user, and log in as the newly-created user to test if an issue is user-specific.
Disk Utility's Permissions Repair does not affect any files in your ______ folder, so it does not help a permissions issue with any _______ files.
Disk Utility's Permissions Repair does not affect any files in your home folder, so it does not help a permissions issue with any user-created files.
The system can give three possible types of permission to a file.
Every file and folder on your hard disk also has an associated set of permissions that determines who can read, write to, or execute the contents of that item. The letter designation next to each permission type is its corresponding UNIX command symbol.
Read (r--): You can open and view the contents of a file. The /System folder is read-only for most user accounts to prevent tampering with Mac OS X.
Write (-w-): You can write to (save changes to) the file. Other user accounts can write to the Drop Box in the ~/Public folder, but cannot read it.
Execute (--x): You can run that program. (This designation is usually used for programs and folders.)
Ownership
Every file and folder on your hard disk belongs to a specific owner and group that determines who can read, write to, or execute it. This system gives permissions to every file or folder on the system.
Disk Utility repairs all ACL permissions. T/F
False. Disk Utility repairs only POSIX permissions or the minimal ACL permissions. It only checks applications with a receipt file at /Library/Receipts; it checks no other files. Some applications are installed by simply dragging them into the /Applications folder, not by using an installer .pkg file, and therefore do not leave any receipt. Such applications are not affected by Disk Utility's Permissions Repair.
Changing permissions of a folder changes the permission of the files inside of that folder. T/F
False. These permissions dictate what can and cannot be done to the contents of a file or folder, not to the files or folders themselves. In other words, if you have write permissions for a file, you can write into (save changes to) the contents of that file; if you have write permissions for a folder, you can write into the contents of that folder.
Permission settings using the Info window vs Terminal
Most users will typically adjust permission settings using the Info window in Finder, which is covered below, rather than using Terminal. However, configuring permissions using the Info window in Finder yields only a few of these permission combinations, as indicated by the asterisks.
Is using Repair Permissions in Disk Utility in Snow Leopard a good way to correct file permission issues? Why / why not?
No, because Repair Permissions does not affect permissions on individual user files, only applications and system files.
Can using the same account name reactivate a deleted user whose home folder has not been changed?
No. If you create a new account with the same name as an account deleted in this manner, this does not "undelete" it. If you create a user "foo" after deleting it, you see home folders called "foo" and "foo (Deleted)."
Ownership User Classes
Owner (technically called "user"): The owner is most often the user who created the file or folder. Almost all files and folders in your home directory will have your username listed as the owner.
Group: Specifying permissions for a group allows you to assign permissions to an entire set of user accounts in a single setting, rather than having to do this for each separate file and/or folder for each username. Admin users are members of the groups called "staff" and "admin". The super user "root" is a member of these and several other groups. Non-admin users are members of "staff" only. Typically, all files and folders are assigned to either "staff," "admin," or "wheel". The group may or may not include the owner.
Others: Any user account that is neither the owner nor a member of the specified group. This class of permissions simply applies to "everyone else."
Ownership User rules of precedence
Owner permissions override Group permissions. Group permissions override Others permissions. For example, when a user is both the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.
Group
Snow Leopard lets you create groups from other user accounts on your computer. When creating a new account, choose Group as the type of account. Then, name the group and select the users you want to include in it. Creating a group lets you assign permissions to an item for multiple individual user accounts simultaneously. A group can contain local users and sharing only users. After you have created a group, give that group permission to an item in the item's Get Info window.
Standard Account
Standard account users cannot administer other accounts, but can install software for their own use and change settings related to their accounts. This type of account is created by default when you create a new user account in Snow Leopard, unless you deliberately select otherwise.
Name issues that are almost always system-wide
Startup (including startup disk); Printing or faxing; Getting an IP address; Internet connections, unless application-specific; Sharing; Energy Saver settings; System date, time, or time zone
You should not use Repair Permissions in any of the following cases:
Startup or login issues; Any issue isolated to a specific user account; Permissions issues with individual documents (files); Issues related to installing or reinstalling Snow Leopard; Errors that Disk Utility's Verify Disk or Repair Disk discovers
Viewing ACLs in Terminal
The Info window for a file in Snow Leopard Finder shows only its read and write permissions, and does not allow a user to adjust all the available ACL settings listed above. You can view all the permissions for a file, including UNIX-style read/write/execute permissions and ACL permissions, by listing the file in Terminal (ls) with the "-le" argument.
Reset Home Directory Permissions and ACLs
The Reset Password utility on the Mac OS X Install disc includes an option to "Reset Home Directory Permissions and ACLs." You can use this option to restore the default permissions on files in the selected user's home folder.
A Mac OS X user has an issue with a file in her home folder. What utility could be used to attempt to correct the issue?
The Reset Password utility on the Snow Leopard Install disc includes an option to 'Reset Home Directory Permissions and ACLs.' This option could be used to restore the default permissions on files in the selected user's home folder. This might resolve permissions issues with the user's personal data.
What is a danger when modifying advanced account options?
The advanced settings can damage an account if misused.
POSIX
The formal name for the traditional permissions model used in Mac OS X is "Standard Portable Operating System Interface"
Managed with Parental Controls Account
This is a standard user account with parental controls applied. In an account managed by parental controls the administrator can place restrictions on: inappropriate Internet content, the amount of computer use, and access to applications, email, and iChat. If an administrator disables Parental Controls for a managed user, that account is then a standard account.
Saving the home folder in a disk image
This is the default selection. This deletes the user account and home folder in /Users, and transfers the contents of the deleted home folder into a disk image. The disk image acts as a backup container that can be opened in case any files need to be retrieved from that user account later.
Delete the home folder
This option deletes the home folder and the user account information immediately with no trace left on the hard disk. Take care when using this option.
Do not change the home folder
This option deletes the user account, but keeps the home folder in /Users. If the user's name is "foo," the user folder is renamed "foo (Deleted)." This prevents the deleted user from logging in to the computer, but keeps the user's data on the computer.
What is one advantage of selecting the 'Do not change the home folder' option when deleting a user account in Snow Leopard?
This option saves time, because it doesn't make a disk image from the home folder. This can be useful for quickly deleting a user with a large home folder.
To assign a new owner to the item
To assign a new owner to the item, click the Action pop-up menu
Permissions benefits
Use of privileges (permissions) for every file on the system enhances security. If you try to rename your System folder or open another user's home folder, you see that you don't have complete access to your own system. This keeps you from accidentally removing files that Mac OS X needs to operate. It also prevents other users from accessing your data.
Troubleshooting User plists
When Mac OS X applications are launched and configured by each user, the user's preferences are created and saved as .plist files in the user's ~/Library/Preferences folder, so each application can re-configure itself to the user's liking the next time it is launched. If an application's preference file for a particular user becomes corrupted for whatever reason, that user may experience problems with that application. The easiest way to test if this type of issue is user-specific is to create a new user account and log in as that newly-created user.
Renaming the Home Directory
When customers set up their computers, they often don't realize that the automatically-generated short name is also the name of their home directory. Using the advanced settings, you can change the short name and choose or create a new home folder. Important: Snow Leopard does not allow you to rename your home directory in the Finder.
Read Only Permission
With read-only permission for a folder containing documents, you can open and read documents but not save changes or add new documents to the folder. Read-only (r--) permission is common for sharing files with guest access, for example. Folders contain file names, not the file contents themselves, so write permissions for a folder means that you could alter a file's name inside that folder, even if the permissions for the file itself were set to read only.
Advanced Account Options
You can Control-click an account name to access its advanced settings, such as its User/Group ID#, short name, UUID, login shell, and home directory. These settings are only for advanced users, and can damage the account if misused.
Viewing Permissions With Terminal
You can use Terminal to inspect or change permissions. Unlike the Finder's Info window, the sudo command gives you the convenience of root access without having to log out and back in as root. To determine the permissions settings for files or folders, open Terminal and navigate to the directory where the file or folder is located. Then execute the command "ls -l".
Execute Permission
You must have execute permission for any folder that you can open; thus File Sharing requires execute permission set for other, world, and everyone for the ~/Public folder, while Web Sharing requires the same setting for the ~/Sites folder.
In addition to the file permissions—read, write, and execute—supported in the traditional UNIX model, Snow Leopard lets you choose from a generous selection of ACL permissions
read: Open file for read; List directory contents
write: Open file for write; Add a file entry to the directory
execute: Execute file; Search through the directory
delete: Delete file; Delete directory
append: Append to file; Add subdirectory to directory
delete child: Remove a file or subdirectory entry from the directory
read attributes: Read basic attributes
write attributes: Write basic attributes
read extended: Read extended (named) attributes
write extended: Write extended (named) attributes
read permissions: Read file permissions (ACL); Read directory permissions (ACL)
write permissions: Write file permissions (ACL); Write directory permissions (ACL)
take ownership: Take ownership