
Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder and file permissions. In Mac OS X, folders or files include POSIX permissions for entities such as:
• Owner
• Group
• Everyone else
Because GUIDs are
The introduction of GUIDs does not change or remove POSIX permissions, so it does not affect the interoperability of Mac OS X with legacy UNIX systems or other operating systems.
Folder and File Owner Access
When a folder or file is created, the file system stores the user ID of the user who created the file or folder as its owner. By default, when a user with that user ID accesses the folder or file, he or she can read and write to it. Also, any process started by the user who creates the file or folder can read and write to any files associated with that same user ID.
If you change a user ID, the user may not be able to modify or access files and folders he or she created. Likewise, if the user logs in as a user whose user ID is different from the user ID he or she used to create the files and folders, the user no longer has owner permissions for those files and folders.
Folder and File Access by Other Users
The use of GUIDs in conjunction with ACLs determines the files that users and groups can access. Also, the user ID, in conjunction with a group ID, is used to control access.
Every user belongs to a primary group. The primary group ID for a user is stored in the user’s account. When a user accesses a folder or file and the user isn’t the owner, the file system checks the file’s group permissions, and the following occurs:
• If the user’s primary group ID matches the ID of the group associated with the file, the user inherits group permissions.
• If the user’s primary group ID doesn’t match the file’s group ID, Mac OS X searches for the group account that has permission to access the file. When the group is found, all members of that group and subsequent hierarchical groups are given permission to that file.
• If neither of these cases applies, the user’s access permissions default to the generic “everyone.”
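The owner, group, and everyone checks described above can be traced with a short script. This is an added example, not code from the original guide; the function name, the sample IDs (501, 1025, 20) and the file mode are constructed, ACLs are not modeled, and `other_gids` is assumed to hold the user's group memberships with nested groups already expanded.

```python
def resolve_access(mode, file_uid, file_gid, user_uid, primary_gid, other_gids=()):
    """Return (permission class, 'rwx' string) that the POSIX mode bits give a user.

    Order of checks follows the text: owner first, then the user's primary
    group, then any other group membership, then "everyone".
    """
    if user_uid == file_uid:
        cls, shift = "owner", 6            # owner bits are the top three
    elif primary_gid == file_gid:
        cls, shift = "group (primary)", 3  # primary group ID matches the file's group
    elif file_gid in other_gids:
        cls, shift = "group (member)", 3   # found through another group membership
    else:
        cls, shift = "everyone", 0         # neither case applies
    bits = (mode >> shift) & 0o7
    rwx = "".join(ch if bits & mask else "-"
                  for ch, mask in (("r", 4), ("w", 2), ("x", 1)))
    return cls, rwx


if __name__ == "__main__":
    # Constructed sample: a file created by user ID 501, group ID 20, mode rw-r-----
    MODE, FILE_UID, FILE_GID = 0o640, 501, 20

    cases = [
        ("original user ID",                 501, 20, ()),
        ("user ID changed, same group",      1025, 20, ()),
        ("user ID changed, secondary group", 1025, 1025, (20,)),
        ("user ID changed, no membership",   1025, 1025, ()),
    ]
    for label, uid, gid, others in cases:
        cls, rwx = resolve_access(MODE, FILE_UID, FILE_GID, uid, gid, others)
        print(f"{label:34} -> {cls:16} {rwx}")
```

The second and later cases show the effect of changing a user ID: the same person falls from owner permissions to group or everyone permissions on files created under the old ID.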
Chapter 1 User Management Overview