File ownership in Mac OS X is based directly on the underlying BSD Unix layer and inherits its strengths (as well as a few quirks) from that legacy. On Unix systems, a file has two owners: a user and a group. Each of these owners is separate from the other; there’s no requirement that a user who owns a file be a member of the group that owns that same file. This split in ownership is intended to let you be as flexible as possible in the way that you structure access to files. By allowing groups as well as individual users to be associated with a file, you can give users access to an entire set of files simply by adding them to a group, and you can take away access just as easily.

You can see the owner and group for a file in the Finder using the File → Get Info (-I) menu and unfolding the Ownership & Permissions section and the Details subsection, as shown in Figure 8-4. The Inspector tells you what the owner of a file, the users in the group that owns the file, and everybody else can do with the file. In the case of this image file, jldera can both read and write to the file (which makes sense), and only members of the group jldera can read the files, while everyone else cannot access the file.

Since the file ownership model in Mac OS X comes from Unix, it follows that there is a way to view these permissions from the command line. Example 8-7 shows the use of the ...