One common cause of a whole range of problems, from failure to open App Store apps to preferences which won’t ‘stick’, is incorrect permission settings on key files or folders. Apple has recognised this for several years now, and maintains a Support Note which lists the problems this can cause, and recommends a solution.
Apple’s recommended solution has the benefit of simplicity, but isn’t optimal, and could cause its own problems. This article looks at how you can do better than that, using my free utility PermissionScanner.
The first problem with Apple’s recommended solution is that it applies permission changes to the whole of your Home folder. This has three unfortunate consequences:
- It gives read-only access to the whole of your Home folder to other users, albeit subject to normal privacy protection policy.
- For many of the folders and files inside your Home folder, the recommended permissions aren’t correct, as the simple solution is too general.
- In changing almost all the permissions in your Home folder, your next Time Machine backup is likely to contain the whole of your Home folder, which is wasteful of space on your backup volume.
Most of the folders inside your Home folder are under your direct control. You decide which files go into Documents, and whether you also use a custom folder for other documents. The major exception to this is its Library folder, which is normally hidden. The great majority of the problems caused by ‘incorrect’ permissions settings in your Home folder occur not in folders like Documents, but in that hidden Library folder. So the first aim of this approach to solving these problems is to concentrate on ~/Library rather than the whole Home folder.
There are several important folders inside ~/Library which are most likely to result in problems, but the one most often involved is Preferences, where apps and other software maintain Property List files containing settings. Unfortunately this has become more complicated with the introduction of two other folders, Containers and Group Containers, which are now used widely. Those two folders contain many links to other folders and files. To see this, select one of the folders inside Containers, then select the Data folder inside that, and you’ll see what appear to be duplicates of other folders like Documents and Library. Some of these are just links to the originals, and others contain many linked folders. Eventually you’ll find that most of those links lead back to original folders and files still in locations like ~/Library/Preferences.
It may appear at this stage that trying to do anything in this sort of labyrinth is going to be futile. That’s where PermissionScanner comes in.
PermissionScanner looks at every folder and file within a specified standard folder on your Mac, and checks whether you, the current user, can read that file or can write to it (your option). If you’re running Mojave or Catalina, the first thing you’ll need to do is add PermissionScanner to the Full Disk Access list in the Privacy pane. If you don’t do that, expect to see lots of errors.
The most basic check to run is the default when you open a new window in the app: that Home Preferences are writable. This reports all those files within ~/Library/Preferences which aren’t writable by you as a user. This should normally return no files; if one of your preferences files can’t be written to, it’s going to cause a problem somewhere.
If this reveals that a Property List or other file in ~/Library/Preferences can’t be written to, that’s easy to correct in the Finder once you’ve made ~/Library visible (Command-Shift-.), or you can copy and paste the path directly into Terminal to correct it there if you prefer. All you should need to do is select the offending file, Command-I to Get Info, then set yourself, as the file’s owner, to have read and write access, and check that the file isn’t locked.
You can expand that to cover all the individual Preferences folders in the Containers and Group Containers folders, and anywhere else in ~/Library, by changing the popup menu to Home All Prefs, then running a check that all are writable. This is more likely to discover a few files which aren’t writable. Look carefully at their paths and you should be able to work out whether this is fine, or a problem.
In my case, the two files out of over 32,000 which were scanned are buried in some developer folders, so I presume that those permissions are correct.
Those two checks should cover almost all the problems which you’re likely to come across in practice, but PermissionScanner can do a great deal more. If you’re going to go further, you must be careful not to overreach: some of the scans should return thousands of hits, and you must interpret the results intelligently. Don’t blunder in and start changing permissions for the whole of Containers and Group Containers, for example, or you could easily end up having to perform a clean re-install of macOS to repair the damage you’ve done.
The standard search folders offered are:
- Home Preferences – ~/Library/Preferences, where all files should normally be writable.
- Home All Prefs – ~/Library/Preferences, together with ~/Library/Containers, ~/Library/Group Containers, and elsewhere in ~/Library, but only for preference files found there. These may include a few files which aren’t writable, as shown above.
- Home Library – the whole of ~/Library. Even looking for those which are only readable returns a very long list, including a great deal in the Containers folders. Don’t start messing with these unless you know what you’re doing.
- Home folder – the whole of your Home folder at ~. This can be useful as it extends to Documents and other folders, but again be prepared for a very long list, and be extremely cautious in your actions.
- /Library/Preferences – this covers a folder which Apple doesn’t include in its recommendations, but which can cause problems. Don’t look for writable files here, as most shouldn’t be writable even by an admin user. The readable listing should though be short, and typically include a few com.apple preferences. It sometimes reveals others written by third party software which may merit investigation.
Using PermissionScanner to check for incorrect permissions settings is more complicated than Apple’s simple solution. But it’s much more targeted, and used intelligently it helps you detect and fix problems without creating a whole load more. It’s available from its Product Page.
When I wrote the original version of this article, I misunderstood the type of scan being performed. It doesn’t resolve or traverse symbolic links at all, although symbolic links are normally checked as part of a scan. I have corrected this above, and apologise for any confusion this may have caused.