hoakley February 23, 2020 Macs, Technology

Last Week on My Mac: Quantum permissions?

It’s something that should be simple to answer: can an app running from this user account read or write this file? It’s been driving me to the depths of despair, to the point where I just want to give up. This issue is, of course, determining whether preference file permissions are correct.

In the beginning, this was simply a matter of permissions. If I as a user have read and write access to a file, then apps running as that user have too. Then came additional file system metadata, such as file locking, and immutable flags, which don’t change permissions but can just as effectively stop an app writing to that file. So merely checking permissions isn’t sufficient, there are other attributes to check too.

A year and a half ago, Apple complicated this further with its privacy protections, which have become even more protean in Catalina. Although everything else might be lined up correctly, if the accessing app isn’t allowed to see that folder, then it can’t even find out whether that file exists, let alone open it. So checking from an app which has Full Disk Access enabled could give a misleading picture. For the purposes of an app designed to check access to preference and similar files, it just has to make assumptions.

Thankfully, there are two operating system calls which should make this simpler, in Foundation’s File Manager: isWritableFile() and isReadableFile(). These each return a Boolean value, defined by Apple’s documentation as being “true if the current process has write privileges for the file at path; otherwise false if the process does not have write privileges or the existence of the file could not be determined.” (In the case of isWritableFile().)

There is a warning, though:
“Attempting to predicate behavior based on the current state of the file system or a particular file on the file system is not recommended. Doing so can cause odd behavior or race conditions. It’s far better to attempt an operation (such as loading a file or creating a directory), check for errors, and handle those errors gracefully than it is to try to figure out ahead of time whether the operation will succeed.”

Thankfully race conditions shouldn’t concern us here, but what Apple is saying is that you can’t rely on either of these calls to tell whether an app will have access to any given file, when it comes to try to access it. I can feel the rug being pulled from under my code here.

In any case, to scan a full ~/Library folder can involve checking more than a million files, in as short a time as possible. Trying to open every one of those for reading or writing would surely cause mayhem, and run exceedingly slow. Given that the exhaustive iteration through every nook and cranny of the directory hierarchy is already neither quick nor sparing of memory, that doesn’t seem a good way ahead either.

This all seemed like a fair compromise until two users informed me of four false positives: preference files which the Finder reports as being readable and writable as expected, but which fail to return true to isWritableFile(). At first I thought I could explain this away as being a temporary glitch in a beta-release, but the second user to report this isn’t even running Catalina, but Mojave. Maybe the answer is in that final phrase in the documentation; “false if […] the existence of the file could not be determined”.

To determine whether the existence of the file can’t be determined by the File Manager is a matter of making a different call, to fileExists(), which also returns false if the file’s existence “could not be determined” (as well as when the file doesn’t exist). But in these false positives, the Finder can find the file and pronounce on its permissions, so why can’t the File Manager? And if the File Manager can’t discover a basic fact about the file, what can?

It’s looking like checking whether file permissions are correct has now become an impossible task. No small wonder then that users encounter problems when their apps can’t change settings when they want. But writing any utility which attempts to check permissions is fast becoming a hiding to nothing. However you try to test files, macOS seems likely to return false positives and negatives. Perhaps I should just abandon this whole project as being a waste of time and effort? Maybe I’ll try releasing version 1.6 of PermissionScanner and see if I can guess my way around this.

I’m getting the feeling that macOS is no longer the crisply deterministic system we’d like to think it is. Anyone for quantum file permissions?

16Comments

Add yours

1

J. G. Vía on February 23, 2020 at 11:24 am

“I’m getting the feeling that macOS is no longer the crisply deterministic system we’d like to think it is”. BIG STATEMENT.
Well: let’s start to treat our mac with love, avoid upsetting it, avoid trauma, respect its feelings. Macs start behaving in a more human way. Just restrain curiosity and operate with care, be sympathetic, try to work in a more previsible way, simplify interaction, empathize and follow a more machine-like procedure in your interactions. Train yourself to be more comprehensive and start being careful at coexistence…
OMG!!!

LikeLiked by 1 person
2

alberic on February 23, 2020 at 5:52 pm

I am quite sure that the Macintosh is a finite state machine and as such is deterministic. I believe that the problem is that macOS is not completely understood and I am afraid that the engineers at Apple don’t quite control their creation…

LikeLiked by 2 people
- 3
  
  J. G. Vía on February 23, 2020 at 8:11 pm
  
  (Human brain is also a finite state machine… But it’s ok: all your sentences could fit in a psychological essay about Frankenstein’s monster behaviour…) 😀
  
  LikeLiked by 1 person
- 4
  
  hoakley on February 23, 2020 at 10:51 pm
  
  Thank you, Alberic.
  It’s a simple question to ask of it: is this file writable? It’s either returning an incorrect answer, or it’s saying that it can’t determine whether it is writable at all. If the latter, its determinism has failed.
  Howard.
  
  LikeLike
  - 5
    
    John Gilbert on February 24, 2020 at 6:59 am
    
    I suspect/guess:
    It can no longer tell you with absolute certainty whether a file is writable or not UNLESS you actually try to open it. My supposition is that this is because of there being so many potential security features (impediments) that it can not tell you without you doing an open.
    
    LikeLiked by 1 person
6

alberic on February 24, 2020 at 8:01 am

All I wanted to say is that quite a few software systems become overly complex. While I recognize – as Howard said – that I have no clues how to solve the “quantum” problem, maybe we should give some thoughts about this sort of “runaway”. I am off topic for sure.

LikeLiked by 1 person
- 7
  
  hoakley on February 24, 2020 at 10:52 pm
  
  Thank you, Alberic. I don’t think this is off-topic at all.
  One problem which strikes me here is that calls which return simple Booleans like this don’t help: if the call returns false, you don’t know whether that means the item isn’t read/write/exists, or the answer simply can’t be determined. Booleans are only good for describing variables which have exactly two states, they’re useless when there’s a third, particularly if that’s supposed to mean “don’t know”. Sometimes functions address that by returning nil, but that means you’ve then got to test every result to see whether it’s nil before assuming it’s either true or false.
  Is there really no better solution than a Boolean now?
  Howard.
  
  LikeLike
8

J. G. Vía on February 24, 2020 at 6:18 pm

…This named “quantum” kind of problem can appear here and there, in tech or science. It has to do (sometimes) with a needed complete redefinition of a concept. In my poor knowledge of deep computing, but reading you about all those “tags”, “flags”, permissions, and more arcane terms… it seems to me that a “file” is becoming something different to what we used to understand.
I’m confused, and believe a “file” in Catalina is not an independent and always complete piece of info, but kind of a “picture” or snapshot of info always related to an app or other component, in a concrete moment, place and system…
I mean: if the info about “file” you seek is not in possible reach, perhaps it’s because there’s a radical change in what a “file” is… I also suspect that other classic paradigms have substantially changed in Catalina.
(Just wondering… Sorry if this opinion seems full of ignorance; it is).

LikeLiked by 1 person
- 9
  
  hoakley on February 24, 2020 at 10:55 pm
  
  Thank you.
  I don’t have a problem with a result which could change at any moment. We all know that a file which is writable at one instant could be locked at another moment in time.
  Files in macOS – not just Catalina – have a lot of attributes and other metadata associated with them, and that is increasing all the time. But I don’t think that’s any excuse for indeterminate behaviour. Maybe it has all become too complex now.
  Howard.
  
  LikeLike
10

Tony on February 26, 2020 at 3:28 pm

I think there are hints here that ‘false’ being returned may also mean “you don’t have permission to ask the question”. That might be the reason Finder can, and another app can’t, “pronounce on … permissions”.

There is a clue in the definition of isWritableFile() where it says: “If the file at path is inaccessible to your app, perhaps because it does not have search privileges for one or more parent directories, this method returns false”. Exactly what “search privileges” are, I don’t know, but they could be the issue here; they could be planned for the future, partially implemented at present or inadequately documented.

LikeLiked by 1 person
- 11
  
  hoakley on February 26, 2020 at 5:06 pm
  
  Thank you, Tony.
  I don’t know, and in this context it doesn’t matter. The question is whether the permissions are set correctly for a user app to access those files. As my checker is already running with Full Disk Access enabled, it has that advantage over regular apps. If it can’t check the permissions on a file because macOS won’t allow it, what chance would a regular user app have of accessing that file?
  Howard.
  
  LikeLike
12

Tony on February 26, 2020 at 6:16 pm

I speculate that there may be a multitude of special cases that are intended to make an average app’s file usage work as expected; the ‘open file’ dialogue is a good example, where the system takes the user’s choice as licence to grant file access. It may be that preference files have some similar mechanism.

None of this helps your app, perhaps highlighting the inadequacy of either the current OS implementation or of the underlying concept. Maybe full disk access doesn’t give access to all the files on the disk. In other circumstances, I would suggest digging deeper into the documentation but I guess that isn’t going to help.

The reference to “search privileges” still makes me wonder if it’s just not finished yet. We have seen similar scenarios with APFS and, I recall, with Grand Central Dispatch, to name but two.

LikeLiked by 1 person
- 13
  
  hoakley on February 26, 2020 at 9:43 pm
  
  Apple did go into considerable detail at last year’s WWDC. Yes, this applies to the ~/Documents folder, but not ~/Library, let alone ~/Library/Preferences. It is bypassed by putting the Open or Save to the user in the appropriate dialog, but no app accesses its preferences file(s) that way. Instead, they use exactly the same File Manager or URL calls which this app does, without obtaining the user’s implied consent. If macOS has broken that – for whatever reason – we are all in deep trouble.
  Howard.
  
  LikeLike
14

Tony on February 26, 2020 at 11:23 pm

I wondered if the preferences-accessing code had intrinsic extra trust, analogous to the trust implicit in the Open etc dialogues that they will honestly report the user’s choice. Since an app would normally access its preferences using macOS’s library code (NSUserDefaults), not by using the file access level, this would work invisibly to the app.

Or have you already disproved this by directly accessing a preferences file?!

LikeLiked by 1 person
- 15
  
  hoakley on February 26, 2020 at 11:28 pm
  
  So far, I’ve only had two reports, one from 10.15 and one 10.14, which say that four well-known preferences files were not writable although the Finder showed their permissions were good.
  I’ve had none since releasing this latest version though.
  Howard
  
  LikeLike
  - 16
    
    hoakley on February 27, 2020 at 10:20 am
    
    I’ve just had my first report that errors are unchanged.
    That settles the question anyway: FileManager and/or the URL call are returning results which conflict with permissions shown in the Finder.
    Time for a new version of PermissionScanner, I think.
    Howard.
    
    LikeLike

·Comments are closed.

Share this:

Related