What is the file permission between the Root and Admin account

I'm a bit confuse on the file permission between root and admin account.

I'm developing the background user agent process, and I created the agent plist file with the permission R&W for my admin account.

When I tried to load my agent process with launchd, it said the plist file permission is not right. Only after I change the plist file owner to root chown root my.plist, did everything work.

From the above situation, it seems that the root user cannot access files that are only authorized to the admin user.

Admin account also can't access files authorized only to root, unless you add sudo or enter the password when the request admin password box pops up. But by sudo or password, it just temporarily converts your account from admin to root account.

So am I right in my speculation?

Up vote post of Ere0n Down vote post of Ere0n
161 views
Posted by
Ere0n
Reply
Add a Comment

Accepted Reply

From the above situation, it seems that the root user cannot access files that are only authorized to the admin user.

No. This is a custom check within launchd: If a launchd property list file is installed globally, it must be owned by root. [I think there are other checks, but I don’t have time to look them up right now.]

Note that macOS is different from other Unix-y systems when it comes to file system permission. Historically, a process running as root could read any file [1]. That’s not true on modern versions of macOS. See On File System Permissions for more on that topic.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, except for the weird network file system edge case, but the process could call seteuid and then read the file.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

From the above situation, it seems that the root user cannot access files that are only authorized to the admin user.

No. This is a custom check within launchd: If a launchd property list file is installed globally, it must be owned by root. [I think there are other checks, but I don’t have time to look them up right now.]

Note that macOS is different from other Unix-y systems when it comes to file system permission. Historically, a process running as root could read any file [1]. That’s not true on modern versions of macOS. See On File System Permissions for more on that topic.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, except for the weird network file system edge case, but the process could call seteuid and then read the file.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment