RE: Xcode default "Install Permissions", clean "permission denied"
- Subject: RE: Xcode default "Install Permissions", clean "permission denied"
- From: Greg Guerin <email@hidden>
- Date: Mon, 27 Aug 2007 12:19:31 -0700
Alex Sheh wrote:
>I wanted to go with 555 because this would prevent users from writing to
>my executable, but it looks like 775 is the way to go.
Permissions don't work the way you seem to be implying when you say you
want to "prevent users" from changing files. You should read this page,
especially the part about BSD permissions (URL will wrap):
<http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/
Concepts/chapter_3_section_9.html#//apple_ref/doc/uid/TP30000976-CH203-CHDCDCID>
Unless the "users" you want to prevent are either the owner (root?) or a
member of the owning group (i.e. admin group), then they can't modify your
installed app when the permissions are 775. If the permissions were 777,
then they could, but no one is suggesting that.
In any case, the owner (i.e. the user who owns the files) can change
permissions at any time, even if writing to that file or its directory is
forbidden. You cannot prevent this: it's fundamental to Unix-style
permissions. And root can change permissions (or ownership) at any time,
which you can't prevent either.
>However, I tried deleting an
>executable that had permissions 555 root:admin, and was able to delete
>it via the Finder.
Deletion is controlled by the write permission on the enclosing directory.
Essentially, deletion is removing a named entry from the directory, i.e.
the container. This writes to the container, not to the contents (the file
being deleted).
And the Finder will authenticate before certain deletions, even ones where
you don't have direct permission.
-- GG
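
The directory-write rule and the owner's ability to change modes, described in the message above, can be checked on scratch files. This is an added example, not part of the original message; the function names and the mktemp scratch directory are assumptions, and it is meant to be run as an ordinary (non-root) user who owns the files.

```shell
#!/bin/sh
# Added illustration (not from the original message). All paths are scratch
# files under mktemp; run as an ordinary user, since root bypasses these checks.
scratch=$(mktemp -d) || exit 1
trap 'chmod -R u+rwx "$scratch" 2>/dev/null; rm -rf "$scratch"' EXIT

# try_delete DIR_MODE FILE_MODE: print "deleted" or "kept" for a file of
# FILE_MODE placed inside a directory of DIR_MODE.
try_delete() {
    d="$scratch/dir_$1_$2"
    mkdir "$d" && : > "$d/app" || return 2
    chmod "$2" "$d/app"
    chmod "$1" "$d"
    rm -f "$d/app" 2>/dev/null || true
    if [ -e "$d/app" ]; then echo kept; else echo deleted; fi
    chmod 755 "$d"      # the owner can always put the directory mode back
    rm -rf "$d"
}

# owner_regains_write: the owner sets a file to 555 inside a 555 directory,
# then changes the file's mode again. chmod needs ownership, not write access.
owner_regains_write() {
    d="$scratch/chmod_demo"
    mkdir "$d" && : > "$d/app" || return 2
    chmod 555 "$d/app"
    chmod 555 "$d"
    if chmod 755 "$d/app" && [ -w "$d/app" ]; then status=0; else status=1; fi
    chmod 755 "$d"
    rm -rf "$d"
    return "$status"
}

echo "file 555 in dir 775: $(try_delete 775 555)"   # directory is writable
echo "file 777 in dir 555: $(try_delete 555 777)"   # directory is not writable
if owner_regains_write; then
    echo "owner changed a 555 file back to 755 inside a 555 directory"
fi
```

Only the directory's mode decides the outcome of the two deletions; the file's own mode does not.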