Folder Permissions and Ownership

A number of folders in the System and Local file system domains now have different ownership and permissions. Specifically:

• Many folders in the System domain that were previously owned by the admin group are now owned by the wheel group.
• Permissions for the root directory (/) are now mode 755 (writable only by root) instead of mode 775 (writable by the admin group).
• Permissions for /Applications/Utilities are now mode 755 (writable only by root) instead of mode 775 (writable by the admin group).
• Permissions for /Library are now mode 755 (writable only by root) instead of mode 775 (writable by the admin group), no longer sticky.
• All subdirectories within /Library now have mode 755 (writable only by root) permissions instead of mode 775 (writable by the admin group) except:

° /Library/Caches
° /Library/Fonts
° /Library/Java
° /Library/QuickTimeStreaming
° /Library/Receipts
° /Library/Tomcat

• The subdirectories listed above have the same permissions as in previous versions of Mac OS X (usually mode 775, sometimes with the sticky bit set).
• Permissions for /Network/Applications and /Network/Library are now mode 555 (unwritable even by root) instead of mode 755 (writable only by root).
• Permissions for /var/log/DiagnosticMessages are slightly more lax, with mode 770 (writable by the admin group, unreadable by non-admin users) instead of mode 750 (writable only by root, unreadable by non-admin users).

Vertraue bitte niemals Zugriffsrechte, die der Finder anzeigt.

"wheel" und "admin" sind Gruppen für Systembenutzer wie zum Beispiel dem root.
Genauere Informationen zu "admin" und "wheel" folgen sicher von anderen Mitgliedern des Forums.

Mac OS X

This section discusses how Mac OS X uses BSD permissions.

The Root User

The root user owns many of the primary system processes and has unlimited access to the file system objects on the devices attached to the computer. For example, the root user can:

• Read, write, and execute any file
• Copy, move, and rename any file or folder
• Transfer ownership and reset permissions for any file

A major difference between standard BSD permission semantics and the Mac OS X implementation is that in Mac OS X the root user is disabled after system installation. In most cases, it is not necessary for an administrator to run as root (see “The Admin Group”). You may also assume root power by using the sudo utility. Although the sudo utility does not require you to enable the root user, you can use it only from the Terminal application; that is, you must have physical access to the machine to use it. See the sudo man page for more information on its use.

The root user should not be enabled on user systems. If your application needs to perform operations as the root user, you must use Authorization Services. For more information, see Authorization Services C Reference and Authorization Services Programming Guide in Security Documentation.

Note: In almost all cases you can run as a member of the admin group or use sudo rather than enabling the root user. If you absolutely must enable the root user, run the NetInfo Manager utility and authenticate yourself as the local administrator. Then choose Enable Root User from the Security menu. This menu item is enabled only if you are a member of the local admin group — a group with special administrative privileges—and you have been previously authenticated in the local domain. Once you’ve enabled the root user, the password is blank, so you should give the root user a password by selecting Change Root Password from the Security menu. After you’ve completed the task requiring root access, you should relinquish root user privileges by choosing Disable Root User from the Security menu.

Whereas most user permissions apply across networks, setuid and setgid are often ignored on network volumes, as is the concept of a root user.

For example, when accessing remote volumes over NFS, by default, the root user is mapped to nobody — a special user with very little access. This prevents the root user on one computer from becoming the root user on another computer.

The Wheel Group

There is a special group in BSD called the wheel group. Membership in the wheel group confers on users the ability to become the root user by using the su utility on the command line. Users who are not in the wheel group can’t become the root user, even if they have the correct password.

In Mac OS X v 10.3 and later, the wheel group is not used. Its functions have been assumed by the admin group.

The Admin Group

Mac OS X provides the admin group in place of the root user. A member of the admin group (referred to as an administrator) can perform almost all functions the root user can, and can do them using the Finder—that is, without resorting to the command line. The only thing the administrator is prevented from doing is directly adding, modifying, or deleting files in the system domain. An administrator can use special applications such as Installer or Software Update for this purpose, however.

The user who installs Mac OS X on a system becomes automatically the first administrator for the system. Thereafter, this user (or any other administrator) can use Accounts preferences to create accounts on the local system for new users and can grant administrative privileges to any user on the system.

Users who are not in the wheel group can’t become the root user, even if they have the correct password.

Also wenn ich das richtig verstehe, dann kann man unter Lion also nicht mehr als root user tätig werden da man dazu ersteinmal in der wheel group sein muss diese aber read only ist. Richtig?