🍏 macOS Filesystem and Permissions
macOS filesystem architecture combines traditional Unix permissions with Apple-specific security features. Understanding these concepts is crucial for effective system administration and secure application development.
🎯 Filesystem Architecture
APFS - Apple File System
APFS became the default filesystem in macOS High Sierra (10.13) and later, replacing HFS+ with modern features.
```bash
# APFS management
diskutil list                                  # List all disks and volumes
diskutil apfs list                             # List APFS containers with their volumes
diskutil apfs list containerID                 # List only one container (containerID like disk1)

# APFS volume management
diskutil apfs addVolume containerID APFS "VolumeName"   # Add a volume to a container
diskutil apfs deleteVolume volumeID            # Delete a volume (volumeID like disk1s5); its data is gone

# APFS snapshots (local Time Machine snapshots; read-only, handy for rolling back a bad change)
tmutil localsnapshot                           # Create a local snapshot of the boot volume
tmutil listlocalsnapshots /                    # List local snapshots
tmutil deletelocalsnapshots snapshotDate       # Delete one snapshot by its date stamp, e.g. 2024-01-01-120000
diskutil apfs listSnapshots /                  # Same list through diskutil

# APFS clone operations (copy-on-write: the copy shares blocks until one side is modified)
cp -c source destination                       # Clone a file with clonefile(2)
ditto source destination                       # Copy; ditto preserves resource forks and extended attributes by default
```
HFS+ - Hierarchical File System Plus
Legacy filesystem used in older macOS versions, still supported for compatibility.
```bash
# HFS+ management
diskutil list                         # Show all volumes (HFS+ ones are listed as Apple_HFS)
fsck_hfs -n /dev/diskXsY              # Check an HFS+ filesystem read-only (-n: report only, no repairs)
diskutil verifyVolume /Volumes/Name   # Same check through diskutil

# HFS+ / Finder attributes
SetFile -a L filename                 # Set the Finder "locked" flag (ships with the Xcode command-line tools; older systems had it at /Developer/Tools/SetFile)
GetFileInfo filename                  # Show type, creator and Finder flags
mdls filename                         # Show Spotlight metadata
```
Filesystem Hierarchy
```bash
# macOS filesystem structure
/               # Root directory (since Catalina a read-only system volume with the Data volume joined in)
/Applications   # Applications
/Library        # System-wide support files: frameworks, preferences, LaunchDaemons, caches
/System         # macOS itself (SIP protected)
/Users          # User home directories
/Volumes        # Mounted volumes
/private        # Real location of etc, tmp and var
/tmp            # Temporary files (symlink, see below)
/var            # Variable data (symlink, see below)

# Symbolic links kept for Unix compatibility
/etc -> /private/etc   # Configuration files
/tmp -> /private/tmp   # Temporary files
/var -> /private/var   # Variable data
# /bin, /sbin, /usr and /dev are real directories, not symlinks into /private
```
🔧 File Permissions and Attributes
Traditional Unix Permissions
```bash
# View file permissions
ls -l filename          # Basic permissions
ls -la directory/       # All files, including dotfiles, with permissions
ls -l@ filename         # Also list extended attributes ("@" after the mode means some exist)
stat filename           # Detailed file information

# Permission bits explanation
# drwxr-xr-x  1 user group 1024 Jan  1 12:00 filename
# |           | |    |     |    |             |
# |           | |    |     |    |             +-- Filename
# |           | |    |     |    +-- Modification time
# |           | |    |     +-- Size in bytes
# |           | |    +-- Group
# |           | +-- Owner
# |           +-- Link count
# +-- File type and mode, ten characters read left to right:
#
#     d rwx r-x r-x
#     | |   |   +-- Others: read, execute (no write)
#     | |   +-- Group:  read, execute (no write)
#     | +-- Owner:  read, write, execute
#     +-- d = directory, - = regular file, l = symbolic link
#
# Special bits show up in the execute columns: s (setuid/setgid) or t (sticky).
# A "+" after the mode means an ACL is present (see Access Control Lists below).
```
Changing Permissions
```bash
# Basic permission changes
chmod 755 filename            # Set rwxr-xr-x
chmod u+x filename            # Add execute for owner
chmod g-w,o-r filename        # Remove write for group, read for others
chmod a+r filename            # Add read for all (u, g and o)
chmod 600 ~/.ssh/id_ed25519   # Private keys: owner read/write only

# Recursive changes
chmod -R 755 directory/       # Recursively set permissions (marks every file executable; prefer the find forms below)
find /path -type f -exec chmod 644 {} \;   # Set 644 for all files
find /path -type d -exec chmod 755 {} \;   # Set 755 for all directories

# Ownership changes (changing the owner requires root)
chown user:group filename     # Change owner and group
chown user filename           # Change owner only
chgrp group filename          # Change group only (you must be a member of the target group unless root)
chown -R user:group directory/   # Recursive ownership change
```
🛡️ macOS-Specific Security Features
System Integrity Protection (SIP)
SIP protects critical system files, directories and processes from modification, even by root; it can only be turned off from Recovery.
```bash
# Check SIP status
csrutil status                       # Expected: "System Integrity Protection status: enabled."
csrutil authenticated-root status    # Status of the signed (sealed) system volume, Big Sur and later

# SIP-protected locations (ls -lO shows the "restricted" flag on them)
/System                # System files
/usr                   # System binaries and libraries (except /usr/local)
/bin                   # Essential binaries
/sbin                  # System binaries
/System/Applications   # Apple-bundled applications (Catalina and later)

# SIP can only be changed from Recovery; csrutil refuses enable/disable from a normal boot
# Temporarily disable SIP
# 1. Boot into Recovery Mode (Cmd+R on Intel Macs; on Apple silicon hold the power button and choose Options)
# 2. Open Terminal from the Utilities menu
# 3. Run: csrutil disable
# 4. Reboot normally

# Re-enable SIP
# 1. Boot into Recovery Mode
# 2. Open Terminal
# 3. Run: csrutil enable
# 4. Reboot normally

# Partial SIP control: enable SIP but leave one protection off (weaker than full SIP)
csrutil enable --without debug       # e.g. everything except the debugging restriction
```
Gatekeeper and Code Signing
Gatekeeper checks that applications downloaded from the internet (those carrying the quarantine attribute) are signed by an identified developer and notarized by Apple before they are allowed to launch.
```bash
# Gatekeeper status
spctl --status                               # "assessments enabled" means Gatekeeper is on
spctl --assess --verbose /path/to/app.app    # Ask Gatekeeper whether it would accept this app, and why

# Manage Gatekeeper rules (requires admin)
sudo spctl --add /path/to/app                # Add an explicit allow rule for one app
sudo spctl --remove /path/to/app             # Remove that rule

# Check code signature
codesign -v /path/to/app                     # Verify signature (no output on success)
codesign --verify --deep --strict --verbose=2 /path/to/app   # Verify nested code (frameworks, helpers) too
codesign -dvv /path/to/app                   # Show signing identity, Team ID and signature details

# Sign applications (requires a Developer ID certificate)
codesign -s "Developer ID Application: Name" --options runtime /path/to/app   # Hardened runtime is required for notarization

# Notarization (required for distribution outside the App Store; altool --notarize-app is retired)
xcrun notarytool submit app.zip --keychain-profile "AC_PASSWORD" --wait   # Profile created with notarytool store-credentials
xcrun stapler staple /path/to/app            # Attach the notarization ticket so offline checks pass
```
Extended Attributes
macOS supports extended attributes for additional file metadata.
```bash
# View extended attributes
xattr -l filename        # List attribute names and values
xattr -l directory/      # Attributes of the directory itself (add -r to recurse into its contents)
ls -l@ filename          # ls shows "@" after the mode when attributes exist, then lists them with sizes

# Common extended attributes
com.apple.quarantine                   # Quarantine flag on downloaded files; makes Gatekeeper assess the file on first launch
com.apple.metadata:kMDItemWhereFroms   # Download source URLs (binary plist; also visible with mdls)
com.apple.FinderInfo                   # Finder-specific information (type/creator codes, Finder flags)

# Manipulate extended attributes
xattr -w key value filename    # Write attribute
xattr -p key filename          # Print attribute value
xattr -d key filename          # Delete attribute
xattr -c filename              # Clear all attributes

# Quarantine management
xattr -p com.apple.quarantine downloaded-file.dmg   # Check quarantine status: prints "flags;hex-timestamp;agent;uuid"
xattr -d com.apple.quarantine downloaded-file.dmg   # Remove quarantine; Gatekeeper will no longer assess the file on launch
```
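As an added example (not part of the original page), a Python parser for the value that `xattr -p com.apple.quarantine` prints. It assumes the layout current macOS writes, `flags;timestamp;agent;uuid` with flags and timestamp in hex and the timestamp in seconds since the Unix epoch; the uuid is optional, the sample value is constructed, and the flag word is returned raw because Apple does not document its bits.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class QuarantineInfo:
    flags: int                 # raw flag word; bit meanings are private to Apple, so it is kept as-is
    downloaded_at: datetime    # when the quarantine was applied (UTC)
    agent: str                 # application that saved the file, e.g. Safari, Chrome, Mail
    event_uuid: Optional[str]  # key into LaunchServices' QuarantineEventsV2 database, if present

def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse `flags;hex-timestamp;agent[;uuid]` as stored in com.apple.quarantine."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected com.apple.quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    event_uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, parts[2], event_uuid)

def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Fetch the attribute with the xattr(1) tool from this page (macOS only); None if not quarantined."""
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:   # xattr exits non-zero when the attribute is absent
        return None
    return parse_quarantine(proc.stdout)

# Constructed sample (not from a real download): flags 0x0083, saved 2021-01-01T00:00:00Z by Safari
SAMPLE_VALUE = "0083;5fee6600;Safari;6D3F1C2E-0000-4000-8000-000000000000"

if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_VALUE)
    print(f"{info.agent} saved this at {info.downloaded_at.isoformat()} (flags=0x{info.flags:04x})")
```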
Spotlight Metadata
Spotlight indexes file metadata for fast searching.
```bash
# View Spotlight metadata
mdls filename                                # Show all metadata
mdls -name kMDItemContentType filename       # Show one attribute
mdls -raw -name kMDItemWhereFroms filename   # Raw value only (here: download source URLs)

# Search using Spotlight
mdfind "kMDItemDisplayName == 'filename'"        # Search by name
mdfind "kMDItemContentType == 'public.jpeg'"     # Search by type
mdfind -onlyin /path "query"                     # Search in a specific directory

# Rebuild Spotlight index
sudo mdutil -E /     # Erase and rebuild the index for a volume
mdimport filename    # Import one file into the index now
```
🎨 File Flags and Immutable Files
File Flags
BSD-style file flags provide additional protection mechanisms.
```bash
# View file flags
ls -lO filename          # Show flags in an extra column (also shows "restricted" on SIP-protected paths)
stat -f "%Sf" filename   # Show flags with stat (BSD stat format string)

# Common file flags
uchg         # User immutable: no writes, renames or deletes; the owner can clear it
schg         # System immutable: same restrictions, but only root can set or clear it
uappnd       # User append-only (existing content cannot be changed; suits logs)
sappnd       # System append-only (root only)
hidden       # Hidden from Finder and open/save dialogs
opaque       # Directory opacity for union mounts
restricted   # SIP protection; cannot be set or cleared while SIP is on

# Set file flags
chflags uchg filename         # Set user immutable
sudo chflags schg filename    # Set system immutable
chflags hidden filename       # Hide from GUI
chflags nohidden filename     # Unhide from GUI

# Remove file flags
chflags nouchg filename       # Remove user immutable
sudo chflags noschg filename  # Remove system immutable

# Check flags on directories
ls -lO /                 # Show root directory flags
ls -laO ~/.ssh/          # Show SSH directory flags
```
🔍 Access Control Lists (ACLs)
ACL Management
macOS supports NFSv4-style ACLs (managed with chmod +a / -a) for fine-grained access control on top of the Unix mode bits.
```bash
# View ACLs
ls -le filename            # Show ACL entries beneath the listing ("+" after the mode means an ACL exists)
ls -lde directory/         # Show the ACL of the directory itself rather than of its contents

# ACL entry format (entries are evaluated in order; the first matching entry wins)
# user:username allow|deny perm,perm,...
# group:groupname allow|deny perm,perm,...
# everyone allow|deny perm,perm,...

# Common permissions
# read, write, execute, delete, append, delete_child, readattr, writeattr,
# readextattr, writeextattr, readsecurity, writesecurity, chown
# Directory-specific names: list, search, add_file, add_subdirectory
# Inheritance flags: file_inherit, directory_inherit, limit_inherit, only_inherit

# Add ACL entries
chmod +a "user:username allow read" filename     # Add read permission
chmod +a "group:groupname deny write" filename   # Deny write (deny entries are placed before allows)

# Remove ACL entries
chmod -a# 0 filename                             # Remove the entry at index 0
chmod -a "user:username allow read" filename     # Remove a specific entry
chmod -N filename                                # Remove the whole ACL

# Set ACL from file
chmod -E filename < /path/to/aclfile             # Read ACL entries, one per line, from stdin

# Inheritable ACL on a directory (applies to files and subdirectories created inside it)
chmod +a "group:staff allow list,add_file,search,add_subdirectory,delete_child,file_inherit,directory_inherit" directory/
```
🧪 File Operations and Security
Secure File Operations
```bash
# Atomic file operations
# Use mktemp for temporary files: unique names, created with mode 0600 (files) or 0700 (directories) under $TMPDIR
temp_file=$(mktemp)        # Create temporary file
temp_dir=$(mktemp -d)      # Create temporary directory
# Secure cleanup
trap 'rm -rf "$temp_file" "$temp_dir"' EXIT

# Secure file copying
ditto --rsrc source dest   # Copy with resource forks and extended attributes (ditto's default)
cp -p source dest          # Preserve permissions and timestamps
rsync -av source/ dest/    # Sync with preservation

# File integrity checking
shasum -a 256 filename     # SHA-256 checksum
shasum -a 256 -c sums.txt  # Verify files against a list of checksums
md5 filename               # MD5 checksum (not collision-resistant: fine for spotting corruption, not tampering)
openssl dgst -sha256 filename   # OpenSSL SHA-256
```
File Monitoring and Auditing
```bash
# File access monitoring
sudo fs_usage -w -f filesys              # Live filesystem syscalls for all processes (add a PID or name to filter)
sudo opensnoop                           # DTrace-based open(2) tracer; needs SIP's dtrace restriction lifted
sudo eslogger open unlink rename         # Endpoint Security events as JSON (macOS 13 and later)
lsof +D /path                            # Which processes hold files under /path open

# Audit file changes (OpenBSM; deprecated since macOS 11 in favour of Endpoint Security)
sudo audit -s                            # Start or resync the audit daemon from /etc/security/audit_control
sudo audit -n                            # Rotate the current audit trail
sudo praudit /dev/auditpipe              # Stream audit records live
sudo praudit /var/audit/current          # Read the current trail file

# File integrity monitoring
# Tripwire or similar tools for production systems; for macOS itself, SIP and the sealed system volume already enforce integrity
```
🗃️ Special Directories and Files
Important System Directories
```bash
# Protected system directories (SIP; ls -lO shows the "restricted" flag)
/System                # System files
/usr                   # System binaries and libraries (except /usr/local)
/bin                   # Essential binaries
/sbin                  # System binaries
/System/Applications   # Apple-bundled applications (Catalina and later)

# User directories
/Users/username            # Home directory
/Users/username/Library    # User preferences, caches and launch agents (hidden in Finder by default)
/Users/username/Documents  # Documents directory

# Special directories
/private    # Contains etc, tmp and var
/Volumes    # Mounted volumes
/cores      # Core dumps (written only if the directory is writable and the core size limit is raised)
/net        # Automounted network shares
/Network    # Network resources

# Temporary directories
/tmp        # System temporary files (world-writable with the sticky bit: mode 1777)
/var/tmp    # Temporary files that survive reboots
$TMPDIR     # Per-user temporary directory under /var/folders, created with mode 700
```
Configuration and Preference Files
```bash
# System configuration
/etc/passwd     # Legacy account file; real local accounts live in Open Directory (/var/db/dslocal/nodes/Default/users/*.plist)
/etc/group      # Group information (same caveat; dscl gives the authoritative data)
/etc/hosts      # Hostname resolution
/etc/paths      # System PATH directories (plus /etc/paths.d/)
/etc/shells     # Valid login shells
/etc/sudoers    # sudo policy (edit with visudo)

# User preferences
~/Library/Preferences/           # Application preferences (plist files; read with defaults or plutil)
~/Library/Application Support/   # Application data
~/Library/Caches/                # Application caches
~/Library/Logs/                  # Application logs

# Launch services (common persistence locations; worth monitoring for unexpected entries)
~/Library/LaunchAgents/          # Agents for the current user
/Library/LaunchAgents/           # Third-party agents for all users
/Library/LaunchDaemons/          # Third-party daemons (run as root)
/System/Library/LaunchAgents/    # Apple's agents (SIP protected)
/System/Library/LaunchDaemons/   # Apple's daemons (SIP protected)
```
🧾 Summary Commands
Essential File Management Commands
```bash
# Permission management
chmod 755 filename          # Set permissions
chown user:group filename   # Change ownership
chflags uchg filename       # Set immutable flag

# File information
ls -la filename             # Detailed listing
stat filename               # File statistics
mdls filename               # Spotlight metadata

# Extended attributes
xattr -l filename           # List extended attributes
xattr -d attr filename      # Delete attribute

# APFS management
diskutil apfs list          # List APFS containers
tmutil localsnapshot        # Create snapshot

# Security features
csrutil status              # SIP status
spctl --status              # Gatekeeper status
```
Security Best Practices
```bash
# Secure file operations template
secure_file_operation() {
    local temp_dir
    temp_dir=$(mktemp -d) || return 1
    # Cleanup on exit (an EXIT trap is process-wide, so use this from a script rather than an interactive shell)
    trap 'rm -rf "$temp_dir"' EXIT

    # Perform operations in the temporary directory
    # ...

    # Set ownership and mode while the file is still private, then move it into place
    # (rename is atomic within one volume, so readers never see a half-written or wrongly-permissioned file)
    chown user:group "$temp_dir/result"
    chmod 644 "$temp_dir/result"
    mv "$temp_dir/result" /destination/result
}

# Permission audit script
audit_permissions() {
    echo "=== Permission Audit ==="
    # World-writable files (the 0002 bit) under home directories
    find /Users -type f -perm -002 -ls
    # World-writable directories without the sticky bit (anyone could delete other users' files)
    find /Users /tmp /var/tmp -type d -perm -002 ! -perm -1000 -ls
    # SUID/SGID binaries
    find /usr /Library /Applications -type f \( -perm -4000 -o -perm -2000 \) -ls
    # Important directory permissions
    ls -ld /Users /tmp /var/tmp
    # SSH directory security (expect 700 on the directory, 600 on private keys and authorized_keys)
    ls -la ~/.ssh/
}
```
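As an added example (not part of the original page), a Python auditor that applies the same checks as the audit_permissions script above (world-writable files, setuid/setgid) and the permission-bits diagram from the Traditional Unix Permissions section, extended to world-writable directories missing the sticky bit and to the BSD flags from the File Flags section. It reads each entry with os.lstat; the st_flags field it decodes exists only on macOS and other BSD-derived systems.

```python
import os
import stat
from typing import Dict, List

# chflags(2) bits under the names chflags and ls -lO use; Python's stat module defines them on every platform
FLAG_NAMES = {
    stat.UF_IMMUTABLE: "uchg", stat.SF_IMMUTABLE: "schg",
    stat.UF_APPEND: "uappnd", stat.SF_APPEND: "sappnd",
    stat.UF_HIDDEN: "hidden", stat.UF_OPAQUE: "opaque",
}

def findings_for(mode: int, flags: int = 0) -> List[str]:
    """Classify one inode from its st_mode and (BSD) st_flags bits.

    Same tests as the audit script's find(1) calls (-perm -002, -4000, -2000),
    plus world-writable directories lacking the sticky bit and the BSD flags.
    """
    found = []
    if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
        found.append("world-writable")
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        found.append("world-writable-dir-no-sticky")  # /tmp is 1777 and fine; 0777 is not
    if mode & stat.S_ISUID:
        found.append("setuid")
    if mode & stat.S_ISGID:
        found.append("setgid")
    found += [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return found

def audit_tree(root: str) -> Dict[str, dict]:
    """Walk root without following symlinks; return {path: {mode, findings}} for flagged inodes.
    The mode string comes from stat.filemode, the same ten characters as the ls -l diagram."""
    report: Dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip it rather than abort the audit
            # st_flags exists only on BSD-derived systems such as macOS; elsewhere treat as no flags
            hits = findings_for(st.st_mode, getattr(st, "st_flags", 0))
            if hits:
                report[path] = {"mode": stat.filemode(st.st_mode), "findings": hits}
    return report

if __name__ == "__main__":
    for path, info in sorted(audit_tree(os.path.expanduser("~")).items()):
        print(info["mode"], ",".join(info["findings"]), path)
```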
🧾 See Also