Does that mean Apple has solved the permission-related problems in macOS, or was it something else? We’ll unravel this mystery and show you how disk permissions work on your Mac.
How Permissions Work in macOS
Every item on your Mac, whether it’s a file or folder, carries a set of permissions. These control which user accounts can access it and what kind of access they have. Permissions consist of three activities (read, write, and execute), performed by three types of user (owner, group, and everyone).
You can define privilege rules separately for each ownership tier. Permission, in combination with accounts and ownership, provides you security, enables controlled sharing, can set limited or no access to files, and maintains system integrity.
View File System Permissions
Any user can view the file and folder permissions using Finder’s Info window or the Terminal. In Finder, right-click a file or folder and choose Get Info from the context menu. Click the Sharing & Permissions triangle to expand the item permissions.
To view this information in the Terminal, type the following:
ls -l "path to your file"
The character after the dash is a lowercase L and reveals the ownership and permission of your file. On the command line, the abbreviation for the read permission is r, while write is w, and execute is x.
Owner, Group, and Everyone
Let’s break down the three types of users that appear in Mac permission fields:
Owner: An item owner is a user who creates the item or copied it to the Mac. Users usually own most of the items in their home folder. Group: Every item is also owned by a group. A group is a set of user accounts joined together so permissions can apply to all members. Everyone: Use this permission setting to define access for anyone, including local, sharing, and guest users. Read, Write, and Execute
Next, let’s look at the three types of permissions these users can have:
Read: User or group members can open a file but can’t save changes. If it’s a folder, you can browse the list of items. Write: User or group members can modify or delete the file. For a folder, you can make changes to folder contents. Execute: Files with the execute permission can behave as a program or script. In case of a folder, execute means someone can list its contents provided the read permission is also enabled. Factors That Cause Permission Problems
In OS X Yosemite and earlier, Disk Utility can verify and repair permissions on some files and folders. However, in actuality, the app doesn’t repair permissions. It simply resets them.
Further, to say Disk Utility repairs permissions makes it sound like permissions can go bad or become corrupted over time. But this is not true. Permissions stay the same until something or someone comes along and changes them. There are many reasons this can happen:
App Installers: Some installers change permissions on existing items as a necessary part of the installation process, but fails to return them to the proper settings. User error: If you’re fiddling with permissions in the Terminal or through a third-party app, mistakes can lead to problems. For example, improper use of the chmod command can change the permission setting of an item. Sharing a folder: All users on the computer have permission to access items in the Shared folder. If you’re using this folder as a repository for files in transit, then permission problems are unlikely. But if you store items for use by multiple people on a permanent basis, then issues can arise. Permissions on Copied Items: It’s difficult to predict what permissions macOS will assign when you copy files over an external volume, SMB, or FTP. You may need to employ some trial and error to solve this problem. What Happened After OS X El Capitan?
In OS X El Capitan, Apple introduced System Integrity Protection (SIP) to all system files, folders, and even bundled apps. It protects system contents from intentional and inadvertent tampering while also preserving default permission settings. SIP protects the following directories: /System, /usr, /bin, and /sbin.
When you update Apple apps or upgrade macOS, the installer will check and reset the permissions of any item if necessary. No third-party app (irrespective of its lousy behavior) can change permissions unless you disable SIP. We’ve dug into more about what SIP does if you’re curious.
What About the User and Home Folders?
System Integrity Protection does not protect items in the /Library folder, apps in /Applications, and everything in your Home folder. The ~/Library folder is especially important, because it consists of core system preference files, third-party app preferences, Keychain data, and more.
If the permissions were changed to any of these files or folders, you can expect a multitude of bizarre of problems on your Mac. Issues that can arise due to incorrect permissions include:
Changes that you make to Finder, System Preferences, or the Dock do not get saved. Windows that were open the last time you logged out or quit an app open again after you log in. You’re asked for an administrator password while moving certain items in the Home folder. You repeatedly get a message saying “macOS needs to repair your Library to run applications.” When saving a file, you’ll get a message that a file is locked or don’t have the necessary permissions. This happens a lot with Microsoft Office documents. Default or third-party apps could crash on launch. Some apps might even fail to update. Firefox or Chrome does not load your preferences and says “Unable to load your profile.” Photos and videos you import into Photos don’t appear in the app. Or you get a message to select a default Photos library every time you open the app. Reset Permissions for the Home Folder
From the Finder sidebar, right-click your Home folder and choose Get Info. Click the Sharing & Permissions dropdown triangle to view its permissions.
Click the Lock button at the bottom of the window and enter your administrator password. Then select the action menu button and choose Apply to enclosed items.
Click OK to confirm the action. The updated permissions will propagate through your Home folder.
Next, open the Terminal app and type the following:
diskutil resetUserPermissions / `id -u`
This option resets the user permission on the root volume (/) to the current user ID. If everything goes well, reboot your Mac.
But if you get error 69841, then follow these steps:
On macOS High Sierra or Earlier Open the Terminal app and enter the following: chflags -R nouchg ~ Then enter this command once more: diskutil resetUserPermissions / `id -u` Restart your Mac. On macOS Mojave and Later
The steps for Mojave and newer are the same as the above, but you must add Terminal to Full Disk Access before proceeding. To do this, go to System Preferences > Security & Privacy and click the Privacy tab. Click the Lock icon and enter your administrator password to make changes.
Next, select the Full Disk Access tab. Then click the Plus button and add the Terminal app.
After doing this, proceed through the above Terminal commands mentioned for High Sierra and earlier.
Understanding Mac User Accounts
When the option to repair disk permissions vanished from the Disk Utility app, we didn’t think much of it because it was never an important troubleshooting step. But seeing the type of problems you might encounter because of incorrect permissions, it’s clear that resetting permissions for your Home folder is the last resort when these issues crop up.
It’s surprising to see that Apple doesn’t include this option anymore. But remember, you should only apply these steps when necessary. Understanding permissions is a complex topic. If you understand how macOS user accounts work, it’ll become a lot simpler. Read this guide to setting up multiple user accounts on a Mac to learn more.
Read the full article: Mac Disk Permissions Explained: How to Repair macOS Permissions
#Mac #MacTips #Troubleshooting #Unix #UserAccountControl