Snow Leopard Plays Fast and Loose with UNIX File Permissions, Part I

Any computer operating system has the facility to make files read-only. A read-only file must be protected by the OS from being altered by any user except the root user. However, Snow Leopard allows any user of TextEdit to not only write to certain read-only files without warning, but also silently alter the ownership.

The first mention of this problem, that I know of, was at rixstep.com. An article there pointed out, with copious sarcasm, the fundamentals of the problem. However, there wasn't much follow-up investigation. After some trials, I confirmed the following:

  • in Snow Leopard,
  • using TextEdit 1.6 (264),
  • for a file that's owned by the current user
  • that resides in a directory the current user owns
  • that has read-only UNIX permissions (444)

 

test file

Sample text file, read-only

...that one can load the file, edit it, and save (CMD-S). There is no warning thrown up, yet the permissions of the file remain read-only.

Secondly, if a read-only file with the same state as defined above is owned by another user on the system, the file is altered and the UNIX owner is changed to the current user without warning. Read that all again, because it doesn't apply to system files owned by root.  It's a very specific situation.

This is different than the behavior in Leopard. In Leopard, with TextEdit 1.5 (244), a dialog box is thrown up stating that the file is read-only. The user can elect to override that protection upon that notice. From testing so far, this is independent of whether the user is a Mac OS X admin user or a standard, unprivileged user.

Leopard Warning

 

TextEdit warning in Leopard

I compared this behavior to Linux (Fedora 10, running under Parallels 4) and the result was as expected. If a file is read-only, an alert is displayed, and it can't be written to no-way, no-how (despite the invitation to try.) And the owner certainly cannot be changed with a simple save command. That requires command line action by the owner or root.

 

Fedora warning

Fedora's Warning

There are some interesting things to note here. First, the handling of the situation appears to depend on the application. For example, BBEdit, when confronted with the same read-only file, will alert the user at the first attempt to modify and offers the opportunity to make it writable. If the file is owned by another user, changes are blocked.

BBEdit warning(2)

BEdit's warning

Secondly, the operation Save As... always offers the opportunity to save the contents of the read only file to a new file owned by the current user, with the default permissions (rw-r-r). That's as it should be.

Thirdly, but most importantly, any application's behavior should be dictated by the protections and policies of the OS. That is, independent of the app's philosophy and handling, the OS should enforce certain minimum standards that the app cannot circumvent. (Subject to philosophical considerations about the friendliness of a UNIX OS.)

It's the policies and API's of Snow Leopard that are of first blush interest here. That is, no matter how TextEdit is coded, it should be impossible, by normal UNIX conventions, for a non-root user to write to a read-only file. (The Rixstep article linked above discusses an affordance in Cocoa that facilitates how Snow Leopard can actually do what it does.) Other apps besides TextEdit may invoke a direct recognition of the file permissions and elect to honor them, but TextEdit appears to be invoking an OS facility that can be expected to make UNIX greybeards howl.

I am working on a comparison chart, for Part II, to document how other Mac OS X applications behave.

Note the restrictions above. The test file is in a directory that the user owns. If that's not true, then Snow Leopard strictly honors standard UNIX protocols for the protection of the file.

Apple was officially contacted about this issue on September 30th, but has not responded.

It is tempting to suggest that there is a usability concession made here by Apple, but because so many apps tested so far have different behavior, it could be that what Snow Leopard's does, compared to Leopard, could be a bug rather than a feature. As a result, I am going to defer further discussion until experts have weighed in.