Wednesday, May 9, 2007

Users on the Mac, and More

There are multiple user accounts in every UNIX system. Most of these accounts are associated with actual, human users. For example, you created an account when you supplied a username and password upon installing Mac OS X. Every process and application is associated with a user. So when you start an application after logging in, that application will be associated with your username.

UNIX systems also have accounts that are not associated with any person logging into the system; rather, they are built into the system. Five accounts are installed by default in Mac OS X: daemon, nobody, root, unknown, and www. To understand the full significance of these accounts, you'll need to understand UNIX permissions, which will be discussed shortly. For now, keep in mind that www is the account used by the built-in web server, unknown and nobody provide minimal permissions, and daemon runs system services that need some permissions.

The root account is very special — it has no restrictions. Any application or process running with the privileges of the root user can read, write, or delete any file on the system; stop or start any application on the system; or do anything else it pleases. There is nothing the root user cannot do. Consequently, guarding access to the root account is very, very important.

In addition to users, UNIX has a concept of groups. A UNIX group is a collection of individual accounts. In the UNIX file permission scheme, which will be discussed shortly, you can grant permissions to a group. This provides a way of allowing a selected set of users to have identical access to files, directories, and applications, while denying access to other users. Individual user accounts belong to a default group and may be given membership in other groups.

If you've worked with file sharing in previous versions of the Mac OS, what you've read so far about users and groups should be familiar. Like the older versions of Mac OS, each object in UNIX systems (a file or folder) is owned by a user and is associated with a group. For each object, specific permissions can be granted to the owner, to the group, and to everyone else.

There are three basic permissions: read, write, and execute. The meanings of read and write are fairly straightforward; execute, however, has different meanings depending on whether the object is a file or a directory. For a file, execute means the file is executable (that is, it's an application or a script), but if the object is a directory, execute means that the class (owner, group, or everyone) has permission to search the directory.

You can view the permissions associated with any file by opening up the Terminal application and using the ls command.

G4-OSX 1% ls -Fla
total 32
drwx------ 9 eric users 512 Mar 1 15:01 ./
drwxr-xr-x 16 eric users 2048 Mar 11 18:06 ../
drwxr-x--- 3 eric users 512 Jan 12 13:02 Apple/
drwxr-xr-x 2 eric users 512 Feb 19 15:15 OpenBSD/
-rw-r--r-- 1 eric users 2525 Mar 1 15:01 file_listings
-rw-r--r-- 1 eric users 2408 Mar 1 15:00 file_listings.2
lrwxr-xr-x 1 eric users 15 Jan 12 12:54 symbolic_link_example@ -> Apple
drwxr-xr-x 3 eric users 512 Feb 4 11:22 foobar/
drwxr-xr-x 2 eric users 512 Jan 18 18:02 honeynet/
drwxr-xr-x 3 eric users 512 Feb 2 13:56 ipf_howto/
drwxr-xr-x 3 eric users 512 Feb 16 23:20 upgrades/
G4-OSX 2%

The collection of letters and hyphens furthest to the left indicates exactly what each element is and the permissions for that element. The first column of each line indicates the element's type: d for directory, - for a regular file, and l for a symbolic link, which is essentially the same as an alias in Mac OS 9.x. The next three columns (rwx) show the permissions for the owner, the next three for the group associated with the file, and the last three for everyone. A - in any position indicates a lack of that permission. For example, rw- indicates read and write permissions, but no execute permission, and r-x indicates read and execute permission, but no write access.

For the third listing above (Apple/), you can look at the permissions (drwxr-x---) and know that this is a directory (the first letter is d) that has read, write, and execute permissions for the owner (rwx), read and execute permissions for the group (r-x) and no permissions for everyone (---).

The owner (eric) and the group (users) are both shown here, as well as the file size in bytes, the last modified date, and the filename. Also shown are the current directory (symbolized by a single dot) and the parent directory (symbolized by two dots).
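As an added example (not code from the original post), here is a small Python parser that decodes ls -l mode strings the way the paragraphs above describe, reading a constructed copy of the listing plus one hypothetical world-writable entry ("notes.txt") so that the risk check has something to flag. For directories it reports the x bit as "search", matching the distinction made above.

```python
from typing import Dict, List

# Constructed sample: lines from the listing above plus one extra, hypothetical
# world-writable entry (notes.txt) for the check at the bottom to catch.
SAMPLE_LISTING = """\
total 32
drwxr-x---  3 eric users  512 Jan 12 13:02 Apple/
drwxr-xr-x  2 eric users  512 Feb 19 15:15 OpenBSD/
-rw-r--r--  1 eric users 2525 Mar  1 15:01 file_listings
lrwxr-xr-x  1 eric users   15 Jan 12 12:54 symbolic_link_example@ -> Apple
-rw-rw-rw-  1 eric users   40 Mar  2 09:10 notes.txt
"""

# Only the three element types discussed above; anything else is rejected.
TYPES = {"d": "directory", "-": "regular file", "l": "symbolic link"}

def parse_mode(mode: str) -> Dict[str, object]:
    """Decode a 10-character ls mode string such as 'drwxr-x---'."""
    if len(mode) != 10 or mode[0] not in TYPES:
        raise ValueError(f"unrecognized mode string: {mode!r}")
    kind = TYPES[mode[0]]
    perms: Dict[str, Dict[str, bool]] = {}
    for who, bits in (("owner", mode[1:4]), ("group", mode[4:7]), ("other", mode[7:10])):
        r, w, x = (c != "-" for c in bits)
        # On a directory the x bit means "may search (traverse) the directory".
        x_name = "search" if kind == "directory" else "execute"
        perms[who] = {"read": r, "write": w, x_name: x}
    return {"type": kind, "perms": perms}

def parse_listing(text: str) -> List[Dict[str, object]]:
    """Parse 'ls -Fla' style output into entries with name, owner, group and permissions."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 8)  # mode links owner group size month day time name
        if len(fields) < 9 or fields[0][0] not in TYPES:
            continue  # skips the 'total NN' line and anything unparseable
        # Drop the '-> target' of a symlink and the -F suffix markers (/ @ *).
        name = fields[8].split(" -> ")[0].rstrip("/@*")
        entry = parse_mode(fields[0])
        entry.update({"name": name, "owner": fields[2], "group": fields[3]})
        entries.append(entry)
    return entries

def world_writable(entries: List[Dict[str, object]]) -> List[str]:
    """Names of entries that 'everyone else' may modify: the ones worth a second look."""
    return [e["name"] for e in entries if e["perms"]["other"]["write"]]
```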

UNIX Networking

UNIX systems are designed to be used in network environments. Frequently, UNIX systems host network services, such as Web servers, file sharing, and database servers. Although there's no need to run these services on your Mac OS X box, you do have the option. You can run, for example, the Apache Web server with PHP and Perl and the MySQL database server in your development environment.

UNIX systems natively speak the various protocols of what is commonly referred to as the TCP/IP suite. Each network service will be associated with the IP address assigned to your machine. Additionally, each service will be associated with a TCP or UDP port. Ports are a feature of TCP and UDP that allow many processes on a single host access to TCP and UDP services simultaneously. Ports are numeric in the range of 1 to 65535, some of which are, by convention, assigned to specific services. For example, the HTTP service is commonly assigned to TCP port 80. There are a number of such assigned ports, but there are a far greater number of unassigned ports — that is, ports that are not commonly bound to a service or application.

The combination of an IP address and a port makes a socket, and a pair of sockets defines a connection. Applications that provide network services listen for connections on a socket. For example, a secure web server commonly listens on the socket formed by the IP address of the server and TCP port 443.

The more sockets that are active on your machine, the greater the opportunity for an intruder to break into your box. More on this later.
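The socket and connection model from the paragraphs above, as an added Python example that is not part of the original post: a listener is opened on the loopback address (port 0 asks the OS for a free port, standing in for the conventional 80 or 443), a client connects to it, and both ends report the (IP, port) pair of sockets that define the connection. After the listener is closed the same port refuses connections, which is the practical side of the last paragraph: a port with nothing listening on it is not an entry point.

```python
import socket
from typing import Dict, Tuple

Endpoint = Tuple[str, int]  # an (IP address, port) pair: one socket

def open_connection(host: str = "127.0.0.1") -> Dict[str, object]:
    """Listen, connect, and report the pair of sockets that make up the connection."""
    # The server listens on one socket; port 0 lets the OS choose an unused port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    listen_addr: Endpoint = listener.getsockname()

    # The client gets its own socket (an ephemeral, unassigned port) for its side.
    client = socket.create_connection(listen_addr)
    server_side, _ = listener.accept()
    report: Dict[str, object] = {
        "listening": listen_addr,
        # (local socket, peer socket) as seen from each end of the connection
        "client": (client.getsockname(), client.getpeername()),
        "server": (server_side.getsockname(), server_side.getpeername()),
    }
    client.close()
    server_side.close()
    listener.close()

    # With no socket listening on that port any more, a new connection is refused.
    try:
        socket.create_connection(listen_addr, timeout=1).close()
        report["refused_after_close"] = False
    except OSError:  # ConnectionRefusedError and timeouts are both OSError
        report["refused_after_close"] = True
    return report
```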
