OS X is a user-based operating system: each user who accesses the system has a separate account that holds that user's preferences and settings, and the account also lets the system enforce security by using permissions to restrict filesystem access. While you might by default think of a user account as a human user, many background services, such as Web servers or database servers, run under special user accounts. These might be called “www,” “http,” or similar, and you can see some of them if you open Activity Monitor.
As with any human user, this approach allows the system to limit a service's access to only the folders it needs in order to run. However, there may be times when you want to change this configuration.

You can see the mysql daemon process (the background server that runs the MySQL database) is running under the special user account called “mysql,” and not under root or the current user account (tkessler).
One example of this can be seen with a basic installation of MySQL: upon installation, the database has access by default to the folder structure it sets up, but is prevented from accessing other folders. This may hinder the use of some functions, such as the following basic SQL query (don’t worry if you do not understand it):
SELECT * INTO OUTFILE '~/outfile' FROM tablename
Unfortunately this routine may not work, because the account under which MySQL is running (called “mysql” by default) does not have access to resources in your home folder, and therefore you get an error.
While I’ve outlined this problem with MySQL, it may happen for any other service you have configured, be it a Web server, file server, database server, or anything else.
There are several solutions for this type of problem, including changing the user account under which the service runs, but a quick option is to change the permissions of the target folder so that it allows access from the hidden account under which your service runs. Unfortunately in OS X, the quick and default way of doing this, using the Finder information window, may not work:
- Create a new destination folder for the service to access (I’m using a folder called “Data” in my user account).
- Select the folder and press Command-i to get information on it.
At this point you will see a list of users and groups that have access to the folder. However, if you click the plus button you will only see human user accounts listed, and not system accounts that services use. Therefore, you will not see the accounts such as “www” and “mysql” listed as options, even if you search for them.
To add these accounts, you will have to use the Terminal to create an access control list entry for them. This is a second type of permission entry in OS X that grants more customized access options to files and folders on the hard drive than the default (and classic) permissions settings. Among their many options, access control lists support permission entries for individual user accounts, which is what we will use here to give access to the “mysql” account under which our database is running:
- Open the OS X Terminal utility
- Type the following command:
chmod +a "mysql:allow:write" ~/Data
- Be sure to change the account name from “mysql” to that for your specific service, and also change the folder destination from “~/Data” to the one you are trying to modify for access.
- Keep the Finder information window open, and press Enter to execute the command; you will see the “mysql” account appear in the window. You can now use the info window options to grant read, write, or both to this account (if you find this approach easier than doing so in the Terminal).
Note that if upon executing this command you get a “Permission Denied” error, you can run “sudo !!” (two exclamation points) to re-run the prior command under root privileges if your current user account is administrator. Enter your password when prompted (it will not show) and it should complete as desired (the use of “sudo” should not be required for folders in which your current account has both read and write access).
When done, you can re-run your service functions, such as the SQL query above, and it should complete without an access denial error.
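Wrapping the chmod +a step above in a small script that checks the account exists, applies the entry to one folder, and verifies it in the `ls -le` listing, as an added example that is not part of the original article. It assumes macOS (chmod +a and ls -e are Darwin-specific) and that ls -le names the write bit on a folder add_file; the helper functions themselves are plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original article): grant one hidden service
# account (e.g. "mysql") access to one folder via an ACL entry, then verify it.
# Assumes macOS: chmod +a and ls -e are Darwin-specific.

# Build the ACE text chmod +a expects, e.g. "mysql allow write".
make_ace() {
    # $1 = account name, $2 = comma-separated permissions (read, write, ...)
    printf '%s allow %s' "$1" "$2"
}

# ls -le prints the same permission bit under a folder-specific name
# (assumption from macOS ls behaviour: write -> add_file, read -> list,
# execute -> search); map a requested name to what the listing will show.
dir_perm_name() {
    case "$1" in
        write)   echo add_file ;;
        read)    echo list ;;
        execute) echo search ;;
        *)       echo "$1" ;;
    esac
}

# Return 0 if stdin (output of `ls -led folder`) contains an "allow" entry
# for the account that includes the named permission, otherwise 1.
has_ace() {
    # $1 = account name, $2 = permission name as ls -le prints it
    while IFS= read -r line; do
        case "$line" in
            *": user:$1 allow "*)
                perms=${line##*"allow "}
                case ",$perms," in *",$2,"*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Check the account and folder, add the entry, then verify the first
# requested permission shows up in the listing.
grant_service_access() {
    account=$1 folder=$2 perms=${3:-write}
    id "$account" >/dev/null 2>&1 || { echo "no such account: $account" >&2; return 1; }
    [ -d "$folder" ] || { echo "not a folder: $folder" >&2; return 1; }
    chmod +a "$(make_ace "$account" "$perms")" "$folder" || return 1
    ls -led "$folder" | has_ace "$account" "$(dir_perm_name "${perms%%,*}")"
}

# Usage: sh grant_acl.sh mysql ~/Data [write]
if [ $# -ge 2 ]; then grant_service_access "$@"; fi
```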
If you are familiar with hard drive permissions, then you may be wondering why not simply grant the default “everyone” group full read and write access. After all, doing so would give the “mysql” account full privileges to write to this folder. Though that would certainly be a valid solution, it means any account (and not just the “mysql” account) is granted access to this folder, which may be a security risk in some circumstances. The overall message here is how to take a hidden system user account and grant it special access to a folder on your system.
Presumably this doesn’t get around sandboxing?