Thursday, December 11, 2008

Unix permissions on OS X

There are nine standard permissions in Unix-like operating systems on each file (and directory). There is a set for the owner of the file, a set for the group owner of the file, and a set for everyone else. Each set has a Read (r), a Write (w), and an eXecute (x) permission. You can view the permissions on a file by using the ls (list) command with the long format option (-l). The permissions are listed in rwx order. For example:

keithw$ ls -l
-rw-r--r-- 1 keithw keithw 6677 Apr 5 2006 ab.php

The permissions are read+write for the owner, read for the group, and read for everyone else.

In addition to the standard permissions (rwx), there are three special permissions that can be set for a file or directory: suid, sgid, and sticky bit.

suid

This special permission allows the file to be executed with the security permissions of the file owner instead of the permissions of the user who ran the program. This can be a source of security problems. Some daemons run as suid root. The suid permission is seen as an "S" in the user executable position in a long directory listing (ls -l). It has no effect if the file is not executable.

To set the suid permission:
chmod u+s filename

sgid

This special permission allows the file to be run with the security permissions of the group owner instead of the permissions of the user who ran the program. This can be a source of security problems. The sgid permission is seen as an "S" in the group executable position in a long directory listing (ls -l). It has no effect if the file is not executable.

To set the sgid permission:
chmod g+s filename

Note: if sgid is set on a directory, any file created within that directory is assigned the same group owner as the directory. This is useful when a group of users shares the same directory.

sticky bit on a directory

This prevents files in the directory from being deleted by anyone but the owner of the file. It is often used on the /tmp directory, and it is good for preventing accidental deletions by rm * commands. The sticky bit is seen as a "t" in the other executable position in a long directory listing (ls -l). Setting the sticky bit on a file is ignored.

To set the sticky bit:
chmod u+t dirname

Note: on Linux, the bit is set using the "other" permissions instead of "user":
chmod o+t dirname

In both cases, the "t" appears in the other executable position:
drwxr-xr-t 2 keithw keithw 68 Jul 26 09:02 test
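As an added example (not from the original post), a small POSIX shell script that decodes the special bits from an ls -l mode string, including the uppercase "S" or "T" that means the bit is set but the execute bit is missing, and audits a directory tree for suid/sgid files. The function names, the demo tree and its file names are my own; the script uses only ls, cut, find and chmod as found on both OS X and Linux.

```shell
# Added example (not from the original post): decode the special bits the
# way ls -l shows them, then audit a directory tree for suid/sgid files.

# Print the special flags encoded in a 10-character mode string such as
# "-rwsr-xr-x": suid, sgid and/or sticky. An uppercase S or T means the
# bit is set but the matching execute bit is not, so the bit is inert.
decode_special() {
    mode=$1
    out=""
    case $(printf '%s' "$mode" | cut -c4) in
        s) out="$out suid" ;;
        S) out="$out suid(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in
        s) out="$out sgid" ;;
        S) out="$out sgid(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in
        t) out="$out sticky" ;;
        T) out="$out sticky(no-exec)" ;;
    esac
    printf '%s\n' "${out# }"
}

# The mode string of a path exactly as ls -l prints it (first 10 columns).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# List every regular file under a directory with suid or sgid set, one per
# line as "<mode> <flags> <path>". "-perm -4000" is POSIX find syntax.
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        m=$(mode_of "$f")
        printf '%s %s %s\n' "$m" "$(decode_special "$m")" "$f"
    done
}

# Constructed demo tree: a working suid file, a suid file missing its
# execute bit, and a sticky shared directory. Octal modes are used because
# "chmod u+t" (OS X) and "chmod o+t" (Linux) differ, as the post notes.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/helper";   chmod 4755 "$tmp/helper"    # -rwsr-xr-x
    : > "$tmp/inert";    chmod 4644 "$tmp/inert"     # -rwSr--r--
    mkdir "$tmp/shared"; chmod 1777 "$tmp/shared"    # drwxrwxrwt
    audit_special "$tmp"
    printf '%s %s\n' "$(mode_of "$tmp/shared")" "$(decode_special "$(mode_of "$tmp/shared")")"
    rm -rf "$tmp"
}
```

Run `demo` to see the listing; `audit_special /` (as root) is the same check applied to a whole system when reviewing which programs run with another user's privileges.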

Finally, Unix permissions are not the end of the story. The OS X file system can also use Access Control Lists, stored in extended attributes, to give you more fine-grained access control. You can view them using the -e option of the ls command. See the chmod and ls man pages for more details.