Reset/repair permissions using PermissionScanner

One common cause of a whole range of problems, from failure to open App Store apps to preferences which won’t ‘stick’, is incorrect permission settings on key files or folders. Apple has recognised this for several years now, and maintains a Support Note which lists the problems this can cause, and recommends a solution.

RepairPermissions2

Apple’s recommended solution has the benefit of simplicity, but isn’t optimal, and could cause its own problems. This article looks at how you can do better than that, using my free utility PermissionScanner.

The first problem with Apple’s recommended solution is that it applies permission changes to the whole of your Home folder. This has three unfortunate consequences:

It gives read-only access to the whole of your Home folder to other users, albeit subject to normal privacy protection policy.
For many of the folders and files inside your Home folder, the recommended permissions aren’t correct, as the simple solution is too general.
In changing almost all the permissions in your Home folder, your next Time Machine backup is likely to contain the whole of your Home folder, which is wasteful of space on your backup volume.

Most of the folders inside your Home folder are under your direct control. You decide which files go into Documents, and whether you also use a custom folder for other documents. The major exception to this is its Library folder, which is normally hidden. The great majority of the problems caused by ‘incorrect’ permissions settings in your Home folder occur not in folders like Documents, but in that hidden Library folder. So the first aim of this approach to solving these problems is to concentrate on ~/Library rather than the whole Home folder.

There are several important folders inside ~/Library which are most likely to result in problems, but the one most often involved is Preferences, where apps and other software maintain Property List files containing settings. Unfortunately this has become more complicated with the introduction of two other folders, Containers and Group Containers, which are now used widely. Those two folders contain many links to other folders and files. To see this, select one of the folders inside Containers, then select the Data folder inside that, and you’ll see what appear to be duplicates of other folders like Documents and Library. Some of these are just links to the originals, and others contain many linked folders. Eventually you’ll find that most of those links lead back to original folders and files still in locations like ~/Library/Preferences.

It may appear at this stage that trying to do anything in this sort of labyrinth is going to be futile. That’s where PermissionScanner comes in.

PermissionScanner looks at every folder and file within a specified standard folder on your Mac, and checks whether you, the current user, can read that file or can write to it (your option). If you’re running Mojave or Catalina, the first thing you’ll need to do is add PermissionScanner to the Full Disk Access list in the Privacy pane. If you don’t do that, expect to see lots of errors.

The most basic check to run is the default when you open a new window in the app: that Home Preferences are writable. This reports all those files within ~/Library/Preferences which aren’t writable by you as a user. This should normally return no files; if one of your preferences files can’t be written to, it’s going to cause a problem somewhere.

permscan01

If this reveals that a Property List or other file in ~/Library/Preferences can’t be written to, that’s easy to correct in the Finder once you’ve made ~/Library visible (Command-Shift-.), or you can copy and paste the path directly into Terminal to correct it there if you prefer. All you should need to do is select the offending file, Command-I to Get Info, then set yourself, as the file’s owner, to have read and write access, and check that the file isn’t locked.

fixprefs03

You can expand that to cover all the individual Preferences folders in the Containers and Group Containers folders, and anywhere else in ~/Library, by changing the popup menu to Home All Prefs, then running a check that all are writable. This is more likely to discover a few files which aren’t writable. Look carefully at their paths and you should be able to work out whether this is fine, or a problem.

permscan02

In my case, the two files out of over 32,000 which were scanned are buried in some developer folders, so I presume that those permissions are correct.

Those two checks should cover almost all the problems which you’re likely to come across in practice, but PermissionScanner can do a great deal more. If you’re going to go further, you must be careful not to overreach: some of the scans should return thousands of hits, and you must interpret the results intelligently. Don’t blunder in and start changing permissions for the whole of Containers and Group Containers, for example, or you could easily end up having to perform a clean re-install of macOS to repair the damage you’ve done.

permscan00

The standard search folders offered are:

Home Preferences – ~/Library/Preferences, where all files should normally be writable.
Home All Prefs – ~/Library/Preferences, together with ~/Library/Containers, ~/Library/Group Containers, and elsewhere in ~/Library, but only for preference files found there. These may include a few files which aren’t writable, as shown above.
Home Library – the whole of ~/Library. Even looking for those which are only readable returns a very long list, including a great deal in the Containers folders. Don’t start messing with these unless you know what you’re doing.
Home folder – the whole of your Home folder at ~. This can be useful as it extends to Documents and other folders, but again be prepared for a very long list, and be extremely cautious in your actions.
/Library/Preferences – this covers a folder which Apple doesn’t include in its recommendations, but which can cause problems. Don’t look for writable files here, as most shouldn’t be writable even by an admin user. The readable listing should though be short, and typically include a few com.apple preferences. It sometimes reveals others written by third party software which may merit investigation.

Using PermissionScanner to check for incorrect permissions settings is more complicated than Apple’s simple solution. But it’s much more targeted, and used intelligently it helps you detect and fix problems without creating a whole load more. It’s available from its Product Page.

Postscript

When I wrote the original version of this article, I misunderstood the type of scan being performed. It doesn’t resolve or traverse symbolic links at all, although symbolic links are normally checked as part of a scan. I have corrected this above, and apologise for any confusion this may have caused.

12Comments

Add yours

1

Joss on February 20, 2020 at 9:23 am

I agree with one user’s comment in the other blog article: would be great to have app preferences where you have an option to “Follow links”, which you can tick/untick; would cover symlinks, bookmarks, Finder aliases. (And firmlinks, too?) And it would also be cool to be able to open a directory manually to scan that for non-writable/non-readable, e.g. just “~/Documents”, and not the whole home folder.

LikeLiked by 1 person
- 2
  
  Joss on February 20, 2020 at 9:25 am
  
  Another option for the app preferences would be to tick/untick “Omit containers from scan”, which would cover ~/Library/Containers. (And ~/Library/GroupContainers too?)
  
  LikeLiked by 1 person
3

Joss on February 20, 2020 at 9:30 am

The scanner might also check for the user immutable Unix flag: if a file is owned by, let’s say, 501, and the owner has read/write, but the immutable flag is set, then PermissionsScanner will list the file as not writable, which is technically correct, but easy to change. So maybe, the app could add a note to the listing, something like “[flag:immutable]”. You could do something similar with broken links: “[flag:broken]” etc.

LikeLiked by 1 person
- 4
  
  Joss on February 20, 2020 at 9:31 am
  
  Uhm, not “flag:broken”, of course, but “symlink:broken”, “bookmark:broken” etc.
  
  LikeLiked by 1 person
5

Adam C. Engst on February 21, 2020 at 6:29 pm

Curiously, when I do a Home Preferences writable scan, the four files that are identified all have the correct permissions (read/write for my user).

LikeLiked by 1 person
- 6
  
  hoakley on February 21, 2020 at 6:33 pm
  
  Thank you, Adam. Is that in 10.15.4 beta, or 10.15.3 release? I’ve had a similar report from the beta, and am wondering whether it’s just a stray issue. If this is the release version of macOS, that’s far more of a puzzle. As I’ll explain here on Sunday, I’m almost at the point of giving up trying to answer this simple question, which macOS appears unable to determine any more.
  Howard.
  
  LikeLike
  - 7
    
    Adam C. Engst on February 21, 2020 at 6:40 pm
    
    Ach, sorry, should have said. This is under 10.14.6 Mojave, with the latest version of PermissionScanner.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on February 21, 2020 at 6:44 pm
      
      Thank you.
      That’s even worse news! It looks like it’s simply impossible to determine with any reliability whether a file is readable or writable. No wonder apps are having permissions problems.
      I’m sorry – just trash the app. I think I’ll probably remove it as an abysmal failure.
      Howard.
      
      LikeLike
    - 9
      
      Adam C. Engst on February 21, 2020 at 6:50 pm
      
      Ach, sorry to be the bearer of bad news. The issue I was curious to test is that whenever I install a minor macOS update on this machine, the first boot after installing ignores my setting to NOT relaunch running apps. They all launch, and for some reason can’t authenticate before doing so, so I’m barraged with tons of auth requests. Even then, things don’t really work, so I have tor restart. On the second restart, everything is fine. We had a big discussion of it here.
      
      https://talk.tidbits.com/t/massive-login-failures-on-only-the-first-boot-after-a-macos-update/8414
      
      LikeLiked by 1 person
    - 10
      
      hoakley on February 21, 2020 at 8:24 pm
      
      OK: working on the principle of “don’t get mad, get even”, I have a new line to follow. I’d greatly appreciate it if you’d be kind enough to try version 1.6 which will be available next week. What macOS refuses to do reliably, I’ll just have to code myself, so we don’t get any false positives like this.
      I think the underlying problem is that File Manager isn’t able to provide any useful info about some files, so just returns a ‘false’ to the request, which is extremely unhelpful, thus becoming a spurious positive. It currently seems rare, though.
      Howard.
      
      LikeLike
    - 11
      
      Adam C. Engst on February 21, 2020 at 9:15 pm
      
      Happy to test for you next week!
      
      LikeLiked by 1 person
- 12
  
  John Gilbert on February 22, 2020 at 11:01 pm
  
  Adam, My understanding of PermissionScanner is that it checks whether each file is readable/writable, not the posix/unix permissions. There can be flags or ACLs which prevent you writing to a file. I use the terminal command ls -leaO to shows flags and ACLs as well as posix permissions.
  
  Of course, resetting posix permissions does not help if file access is blocked by ACL or flags.
  
  Howard won’t really appreciate this, but to be really comprehensive PermissionScanner needs to investigate why a file is not readable/writeable. Maybe adding the output of ls -leaO for unreadable/unwriteable files.
  
  LikeLiked by 1 person

Share this:

Like this:

Related