[Bread]

After downloading the program BatCHMOD from http://homepage.mac.com/arbysoft, I was disturbed to learn that OS X lets any administrator change ownership and privileges of files! In a UNIX based OS, the only users that should be able to change the privileges of a file are the owner and root. How can this changing settings through a simple program be prevented?

[Bernard Ducamp]

r.e. Changing Permissions: I am a relative newcomer to UNIX, but here is my take on Administrator.

Apple decided to create Administrator to give a person access to all the files and directories (like root has) EXCEPT the System folder. Apple wanted to protect OS X system files from unintended consequenses. So they created a "tame" version of root and called it Administrator. The Administrator can, in turn, create other administrators or users, if desired.

root can be enabled. Apple just doesn't make it obvious. root has access to everything.

[rantweasel]

Originally posted by Bread:
<STRONG>...I was disturbed to learn that OS X lets any administrator change ownership and privileges of files! In a UNIX based OS, the only users that should be able to change the privileges of a file are the owner and root.</STRONG>

Admin users are equivalent to root. Essentially, being admin is like having a mask that looks like root - when the computer checks to see if you have root privs (and you are actively trying to use them), admin users look like root. Technically, they are members of the wheel group, and the wheel group is allowed to assume root priveleges via setuid programs such as sudo and su. You should not give admin privs to anyone you wouldn't trust with everything on the system.