User profile for user: Demetrios
Demetrios Author
User level: Level 2
221 points

Understanding underscore "_" in group permissions & external drives

Some time ago I followed these instructions to get my Mac working properly after a migration from an older version of Mac OS... I'm moving along on "same" Mac...and things have been basically OK...except now I am seeing some weird behavior.


I have an external hard disk that I would like permissions to enforced on. Getting Info on the drive itself in the Finder shows me basically:


NamePrivilege
bob (Me)Read & Write
_bobRead & Write
everyoneRead only

Ignore ownership is NOT checked


But, when I log into the GUEST account on this machine the guest can read and write to the external drive!?! Getting Info on the external drive from the Guest's account shows:


NamePrivilege
Guest (Me)Read & Write

_guest

Read & Write
everyone Read only

Ignore ownership is NOT checked <- and this is now grayed out and un-selectable


So, I guess my question is...how do I prevent anyone else from making changes to this external drive? And what is this underscore group name (_bob & _guest) all about? Is it normal?

Posted on Apr 21, 2011 1:04 PM

Reply
5 replies
User profile for user: Topher Kessler
Topher Kessler
User level: Level 6
9,935 points

Apr 24, 2011 10:03 AM in response to Demetrios

The underscore is the group associated with that username. In OS X for each user there is a corresponding group, and that group's short name is the same as the username, except that it has the underscore in front of it. For instance, on my system my username is "tkessler" and there is a hidden group for my account called "tkessler". I'm not sure why the system sometimes puts an underscore in front of the name, but it happens. The underscore name should still reference the same group as the non-underscore version of it (ie, the "_guest" name for the guest group is synonimous with the name "guest").


To make the drive so only you have write access, you can remove all entries except the first one and "Everyone", set your name to be the first one with read and write access, and then set everyone to "read only" and then use the gear menu at the bottom of the info window to propagate the permissions to the enclosed files and folders on the drive.

Reply
User profile for user: Demetrios
Demetrios Author
User level: Level 2
221 points

Apr 26, 2011 1:12 PM in response to Topher Kessler

OK, I tried what you recommended on a subfolder on this external drive. I removed ➖ the "group" permission that was "_bob"...and propagated it through enclosed subfolders. Leaving me with ONLY:


NamePrivilege
bob (Me)Read & Write
everyoneRead only


Before:

$ ls -l

drwxr-xr-x 13 bob _bob 442 Oct 15 2004 TestFolder


After:

$ ls -l

drwx---r-x 13 bob wheel 442 Oct 15 2004 TestFolder


bold added by me for emphasis


So it would seem that by removing the group...I've effectively assigned the folder the default group of "wheel" which I as I recall is all users who can 'su' to root!?! So, what happens when another admin user (member of 'wheel') tries to access this folder...will they be denied or will they fall back to "everyone's" privileges?!? Something tells me I should chmod 755 this folder now to make it drwxr-xr-x so members of wheel also have r+x privileges!?! hmm…

Reply
User profile for user: Topher Kessler
Topher Kessler
User level: Level 6
9,935 points

Apr 26, 2011 1:42 PM in response to Demetrios

The wheel group is the default group for people with access to using the "sudo" or "su" commands. Currently your user and group permissions are set so you have full access and the group has no access, so other admins will be denied unless they invoke admin privileges to alter the directory's permissions or view it as root.


Currently, however, you also have the "Everyone" group set for read only, which will allow other users to read the folder's contents. If you do not want this then set it so they will not have read or write access.


If you use the chmod setting as you described, then it will set the folder so everyone can read from it, but only you will be able to write to it.


Do you have more than one admin account on the system? If not then there is no need to worry about the wheel group priveleges.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Understanding underscore "_" in group permissions & external drives

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up