Permissions are annoyingly complicated, often because of Access Control Lists.
PathFinder from CocoaTech provides more extensive info on permissions than Finder, and has a trial period, but basically Terminal is required to get complete information.
There are actually three levels of obstruction to complete file control in OS X: permissions, access control lists and flags. The "ls" binary program ("list directory contents [Unix equivalent to Windows "dir"]) requires command line flags to show all restrictions. After starting Terminal, type:
cd /Volumes
/bin/ls -AFleO
This shows the current permissions, flags and Access Control List entries for each volume attached to the OS. On my system, this produces:
drwxr-xr-x 30 root wheel - 1088 May 6 23:17 AltBoot/
drwxrwxrwx 46 root wheel - 1632 May 16 11:43 BackGround1/
drwxrwxrwx+ 37 root admin - 1326 May 24 14:07 BackGround2/
0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
lrwxr-xr-x 1 root admin - 1 May 14 20:40 Ground@ -> /
drwxrwxrwx+ 13 xxxxxx staff - 510 Feb 22 17:46 GroundTM/
0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxrwxrwx 11 xxxxxx staff - 442 Feb 22 17:46 VMware4/
That long list of characters after "BackGround2/" is an ACL entry. The dashes on the file line are where any flags would be listed. The system flag can be set in multiuser mode, but can ONLY be unset in single user mode. My father managed to get that flag set on some of his pictures, and it took me a long time to find out why I couldn't delete or change the owner on those files. And he would never touch Terminal in any way.
Use the manual page command man chflags
to get more info on how to set and unset the flags. If all you see is dashes, then no flags are set.
To remove the ACL entries, the command for my example would be "sudo /bin/chmod -NR Background2/
", which would ask for an administrator password. CAUTION ! Bad things can happen when you are the super user. See man chmod
for more info on ACL entries. (I am putting /bin/ before the commands because only the Apple supplied programs in the /bin directory can affect ACLs. There are GNU programs which can be added to OS X and have the same names, but cannot present or modify ACL entries. These are available from MacPorts MacPorts.org.
I wouldn't recommend that you try to put in such a scheme. If you wish to use restrictions, you would generally not want the restricted user to install any application either (for security reasons).
Normally, a non-admin user cannot install applications in the system applications folder at /Applications
since it's owned by user root
and group admin
. However, a non-admin user can install applications under the home directories (~/Applications
), but those applications would be available only to that specific user (certain applications that are designed to be in /Applications
or those using installer packages to write into system locations may not work well in such a case).
If you wish to allow a non-admin user to install applications into /Applications
, then you can add that user to the admin
group from Terminal.app
(instead of going to System Preferences and allowing the user to be an administrator). Keep in mind that a user who can install applications into /Applications
can also remove applications from there (intentionally or unintentionally).
Best Answer
There might be a way to modify the standard behaviour by doing some fancy low-level unixy stuff like creating the "root" account and logging in as that which would cause the authentication dialogues to not be so intrusive, but for the average user, the answer is "no".
A non-administrator account will be presented with an authentication dialogue in some situations where an administrator account would not have been presented one (such as when modifying items in the /Applications folder), so perhaps doing system updates might be easier when logged in as an administrator. You can change any non-administrator account into an administrator account by selecting the “Allow user to administer this computer” box in the “System Preferences” -> “Users & Groups” settings window.