hoakley February 16, 2022 Macs, Technology

Permissions and ACLs

Regular POSIX (Unix) permissions are crude controls. Each file and directory has settings for its owner, group, and everyone else, which determine whether they can read, write or (where appropriate) execute that item. That lacks control over important subtleties, which could limit who can list folder contents, change extended attributes, permissions and ownership. For those we have to turn to ACLs, Access Control Lists, which have been supported in OS X since 10.4, but have been little used until recently.

Select your Home folder, for example, and Get Info on it. In the lowermost section Sharing & Permissions, it should state that you have “custom access”, while confirming that you have Read & Write privileges. You probably haven’t noticed it, but custom access is relatively recent, and indicates that, in addition to regular POSIX permissions, access to your Home folder is controlled by an ACL. Only the Finder can’t tell you any more than that.

To discover the additional restrictions placed on your Home folder, you’ll need to use a command like
ls -led ~
which should respond with something like
drwxr-xr-x+ 106 hoakley staff 3392 10 Feb 14:59 /Users/hoakley 0: group:everyone deny delete
where that second line is the ACE (Access Control Entry) in its ACL. In this case, it prevents those in the everyone group from deleting that directory, which is handy protection for a Home folder to have. You’ll also find this propagates to all your standard folders within that, such as Documents, but not to the folders you’ve created inside those.

Before you wonder what this has to do with you, like all access controls, sometimes they get fiddled with or go wrong and stop working in the way that you expect. In the case of ACLs on your Home folder, they could cause normal operations like creating or deleting a custom folder to go wrong. They also explain why doing anything with special folders isn’t straightforward.

Just when we thought we could forget the panacea of repairing permissions on our Home folder, here’s another reason that you could experience permission-related problems. If that sounds far fetched, I’ve already heard of several users who have ended up with strange ACLs set for their Home folders which have resulted in problems.

Each ACL consists of a list of ACEs, the individual access controls, which are like simple sentences in that they allow or deny a specified user/group an access privilege. For instance,
group:everyone deny delete prevents those in the everyone group from deleting that item;
user:hoakley deny read,write prevents the user hoakley from reading or writing that item;
user:hoakley allow append allows the user hoakley to append data to that item.

Used together, those last two ACEs in the same ACL would allow me (and all my processes) to append data to an existing file, but not to read that file or replace its contents. The rules given in each ACE in the list are applied in order until they allow the given action, so their order is important.

Because ACLs aren’t readily seen, can normally only be inspected in the command line, and would normally be changed using the command chmod, when they go wrong it’s hard to discover and fix. Unless you’re a command line wizard, of course. Thankfully, some GUI tools give good access to ACLs, and my favourite remains TinkerTool System, which has excellent support for them, and much more besides.

acls1

Use its Show or Set Permissions view to inspect any item to see whether it has an ACL, and to edit it if necessary.

acls2

Where TinkerTool System is invaluable is displaying Effective Permissions. Drop the item at the top, select any user from its popup menu, and the ticks and crosses show exactly what that user can and can’t do according to the ACL set.

So what do you do if you discover that the current ACLs are getting in your way? If you can, try correcting those ACLs manually, starting at the top of the tree. If that looks too complex, TinkerTool System does offer the option to Reset Home, which is the new repairing permissions, perhaps. Although it may seem tempting to perform a test run, note very carefully the warning given at the bottom of the window: even a test run will change the modification dates on all folders. Do that with your Home folder, and that might cause confusion. But if you have little choice, this could save you from ongoing chaos.

acls3

Apple provides further details of ACLs as supported in macOS in this old guide to file system programming.

Years ago, before macOS took to using ACLs, they were just an optional extra for those experts who knew how to use them. Now that macOS sets ACLs on user Home folders, they’re something every Mac user needs to know about. Just don’t fiddle with them unnecessarily unless you know what you’re doing: like regular POSIX permissions, it’s so easy to cause chaos.

30Comments

Add yours

1

Joss on February 16, 2022 at 9:44 am

On fresh systems I always add deny delete ACEs (sometimes including limit + inherit) to a few special directories – e.g. ~/Applications ~/.local ~/.config ~/.cache … or my “Office” folder in ~/Documents, or the “Projects” folder in ~/Music. For individual files or folders I also use my own solution, having mapped CMD-BACKSPACE to a script that checks files/folders for a proprietary extended attribute first, and if that XA is present, move-to-trash or permanently-delete is blocked unless I manually “liberate” the file (remove the XA) with another key command. Why did I do that? Because I think we need an easier & better way to lock files (prevent accidental file deletions) than via ACLs or ticking “locked” in the Finder info window, because that won’t let you edit or move those files anymore… and I think XAs would be the way to do it. PS: I agree, TinkerToolSystem is imho the best solution for managing ACLs in the GUI.

LikeLiked by 2 people
- 2
  
  hoakley on February 16, 2022 at 11:33 am
  
  Thank you. Do you make your xattr persist across volumes etc.?
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Joss on February 16, 2022 at 12:08 pm
    
    Yes. Here’s a “protected” example file… I’ve added the #PS to the XA for persistence. The user tag is the second component, named “protected”, so that Spotlight can find every protected file with “tag:protected”. On volumes without Spotlight I use a command-line script, because it only works with `find -xattrname` … not with `mdfind`. https://i.imgur.com/J84gQDz.png
    
    LikeLiked by 2 people
  - 4
    
    Joss on February 16, 2022 at 12:13 pm
    
    The problem is that this whole thing wouldn’t work in Finder, because afaik you can’t remap CMD-DEL and other keyboard shortcuts. So in Finder you’d have to stick to Unix flags and ACEs and live with the disadvantages. I have yet to find a software that can override baked-in Finder key commands. (But I use Nimble Commander, so it isn’t an important problem.)
    
    LikeLiked by 2 people
5

stillwilling on February 16, 2022 at 12:46 pm

Thank you, Howard, as this is a real issue. I’ve been using BatchMod for years.
It is donateware. Using it to clear ACLs when running into issues. by Renaud Boisjoly rboisjoly@lagente.ca http://www.lagentesoft.com

LikeLiked by 2 people
- 6
  
  hoakley on February 16, 2022 at 5:31 pm
  
  Thank you.
  Howard.
  
  LikeLike
- 7
  
  John Gilbert on February 18, 2022 at 10:53 pm
  
  The instruction page for BatChmod is enough to put me off. A tool which has single tick boxes to remove all ACLs and all xattrs on a file is a recipe for unintended consequences. ACLs (and xattrs) have important usages and should be blindly removed.
  
  LikeLiked by 1 person
8

Duncan on February 16, 2022 at 2:30 pm

I have never used Novell Netware (remember when that was THE standard for Windows networks?) but I believe it had far richer permission/access controls than anything else at the time. With great flexibility comes great complexity, unfortunately, and we’re running up against that now with MacOS. In Netware’s favor, all of that complexity was presented through a unified interface, unlike this arcane GUI/command-line mess that MacOS has straggled into.

LikeLiked by 2 people
- 9
  
  hoakley on February 16, 2022 at 5:33 pm
  
  Well, yes, but life was far simpler in those days, even in Netware. System 7 was a breeze, although it didn’t feel like it at the time, but almost nothing in it was secure, and so on.
  Howard.
  
  LikeLiked by 1 person
10

Dakotamoons on February 16, 2022 at 7:52 pm

One interesting side-effect of permissions, attributes, and extended attributes, are the effects upon file and folder icon badges and alias icon badges. To this day I do not have a comprehensive understanding, and could never find any documentation whatsoever on the subject. Through a few arcane trial and error “tricks” I can usually get the custom badge that I want, and they normally “stick,” even under the the heavy hand of my Synology NAS which uses Btrfs.

As noted in Howard’s article as well as in some of the comments, some elements of backward’s compatibility, changing OS evolution, and differing file architectures of course have a play in this (custom icon badges).

Oddly, the one place where I can create custom icon alias icon badges is easily on my desktop, but the will not survive a reboot and revert back to the stock “blue folder” icon badges. I have drilled down as far as I can go but still, at least in Cat 10.15.7 can’t get these custom icon badges to stick. Perhaps I need to take another look using TinkerTool, which I already have installed and have used in the past.

Any ideas welcome. TIA.

LikeLiked by 1 person
- 11
  
  hoakley on February 16, 2022 at 11:15 pm
  
  Thank you. I think most of those issues rest with other parts of macOS like the Finder, rather than permissions or ACLs. And being ‘cosmetic’, I don’t think their bugs get high priority among Apple’s engineers.
  Howard.
  
  LikeLiked by 1 person
12

baron on February 17, 2022 at 12:19 am

Just to say that these ACE are not as new: in SnowLeopard, I have same results as you for the Finder>Get Info and Terminal list -led – tests.

LikeLiked by 1 person
- 13
  
  hoakley on February 17, 2022 at 6:49 am
  
  Thank you. Such is the state of Apple’s documentation that we don’t even know when they were added to standard folders like the Home folder, nor that they’re there still. We’re just left to discover these important features.
  Howard.
  
  LikeLiked by 1 person
14

Jimmy on February 17, 2022 at 1:10 am

I’ve also used BatchMod for years. I’ll grab TinkerTool asap. Another good read.

LikeLiked by 2 people
- 15
  
  hoakley on February 17, 2022 at 6:49 am
  
  Thank you.
  Howard.
  
  LikeLike
- 16
  
  artiste212 on February 17, 2022 at 4:14 pm
  
  I’ve also used this for years, but not recently, as my version was old and I didn’t want to mess things up (hard to know what has changed in the system!)
  
  LikeLiked by 2 people
17

Chris Ridd on February 24, 2022 at 8:27 am

Interestingly, ls -led ~ on my M1 system does not reveal any ACLs, even though Finder reports “custom access”. More experimentation is required.

There are several ACL flavours around. Original POSIX ACLs are, I think, still present on some systems e.g. Linux, but nobody really uses them.

NFSv4 introduced another ACL scheme based on Windows NT’s ACLs. ZFS uses those NFSv4 ACLs, and I *think* when Apple toyed with ZFS support that’s when they got the NFSv4 ACL code from BSD.

LikeLiked by 1 person
- 18
  
  John Gilbert on February 24, 2022 at 10:01 am
  
  What about ls -led ~/*
  
  My 2019 iMac has “group:everyone deny delete” on ~, and its Library, Documents, Desktop, Pictures, Public and Sites folders. I believe these are defaults. Some of those folders also have com.apple.sharepoint.group.x ACEs – something to do with network shares(?).
  
  TinkerTool System doesn’t help with these as it reports the ACEs as having ‘custom’ permissions. I also don’t understand the groups com.apple.sharepoint.group.x (where x is a number) as they are not present in the Directory Utility.
  
  Just to confirm, ls -led shows:
  drwxr-x—+ 105 gilby staff 3360 23 Feb 13:09 /Users/gilby/
  0: group:everyone deny delete
  and ls -led ~/Desktop shows:
  drwx——@ 20 gilby staff 640 24 Feb 09:24 /Users/gilby/Desktop
  0: group:everyone deny delete
  1: group:com.apple.sharepoint.group.17 allow search
  and similarly for a few others.
  
  LikeLiked by 1 person
  - 19
    
    hoakley on February 24, 2022 at 12:02 pm
    
    Thank you.
    It’s so wonderful when Apple documents these matters clearly.
    Howard.
    
    LikeLike
  - 20
    
    Chris Ridd on February 24, 2022 at 8:06 pm
    
    There is an ACL on the subordinate folders Pictures, Library, .Trash, Music, Public, Desktop, Documents, Downloads, but nothing on my home directory itself.
    
    The ACLs are all the same:
    
    drwxr-xr-x+ 4 cjr staff 128 29 Nov 16:40 /Users/cjr/Public
    0: group:everyone deny delete
    
    I installed this machine without using migration assistant. Did you migrate from Big Sur?
    
    LikeLiked by 1 person
    - 21
      
      hoakley on February 24, 2022 at 10:03 pm
      
      I have that ACL on my Home folder on my M1 Pro MacBook Pro, which has never run Big Sur, and was set up from scratch.
      Howard.
      
      LikeLike
    - 22
      
      Chris Ridd on February 25, 2022 at 1:59 pm
      
      The machine I’ve just upgraded from Big Sur has the expected ACL on my home directory.
      
      I may manually add the ACL on my M1 machine, using chmod.
      
      LikeLiked by 1 person
23

markbot2zero on March 30, 2022 at 1:21 pm

Dear Howard,

I’m coming in late on this subject but here goes:

1. TinkerTool System

Beautifully engineered and documented, a boatload of useful utilities. Just reading the docs is something of a graduate course in Macs. And it’s a bargain to boot, especially when compared to the 75+ “cleaners” (I actually counted them on MacUpdate, and listed them whenever a new one popped up — which happens about twice a week — until MU stopped me) on the market

Creator Marcel Bresink responds quickly to questions and suggestions.

Among many other things, TTS has a function to remove applications, and I’m guessing it’s far more effective and accurate than the 75+.

(A useful trick: under the “View” menu, you can pull in the panes from plain vanilla Tinkertool, another “must have” utility.)

And I’m curious, Howard, what you recommend for non App Store app removal.

(I’m under the impression that Launchpad is the best way to remove App Store apps.)

2. ACL Hell

My typical client often has thousands of files all over the Mac, and tons of duplicates. iCloud Drive, to which some people sync their Desktop and Downloads folders, can be a huge offender, particularly when they’ve used it, stopped using it, and restarted again. When turned off, it copies the files into an Archive in the Home Folder on the Mac (not bad in itself), which most users are completely unaware of. (Bad in itself.)

One of my clients who did this had tons of duplicates, including THREE iCloud Drive Archives. I bought a couple of duplicate hunters from the App Store, which I thought she would be able to use.

“Duplicate File Finder” was a bust. It will find duplicates but not let you delete them until you upgrade to pro, for about $20. I hate it when they do that, and that the App store doesn’t make it obvious that the standard “free” app doesn’t do anything useful. And then, it totally hung on ACLs and Read Only files, including just about everything in those iCloud Archives. The “Get Info” window seems to want to thwart any permission changes, with options greyed out or appearing to be non-functional.

CleverFiles Duplicates Finder was much better, at about a tenth of the price, but still hung on ACLs.

(Everything was backup up before we started. Some Mac user are petrified at the thought of losing any of their files — like that 2012 picture of their dog — even when they have three or four duplicates.)

And you can’t load TinkerTool System to tweak ACLs on every client computer.

Anyway, thank you, Howard, for reading. (This is Mac Therapy for me.)

-Mark

LikeLiked by 1 person
- 24
  
  hoakley on March 30, 2022 at 5:17 pm
  
  Thank you.
  App removal is getting simpler now: all good apps which stray outside the app itself should have uninstallers. These are mandatory for apps which rely on kernel or system extensions, of course, which are the tricky things. Beyond that, manual is the only proven and reliable solution. Even then you can get caught out removing something another app relies on, and missing something that’s tucked away.
  The best answer with iCloud is never, ever put Desktop and Documents in iCloud unless your Mac and setup are small and extremely simple. Otherwise it’s a disaster somewhere along the line.
  Howard.
  
  LikeLike
25

Josh on May 11, 2022 at 10:45 pm

I have a related question and I hope you don’t mind me leaning on the expertise.

Does it cause any problems if I change ~/ and all subfolders to `700` (Only I can read, write, or execute)?

As noted, the default POSIX permissions are `700` on Library, Documents, and some others, but non-Apple folders get `644` (everyone can read) or even `755` (everyone can read and execute)

I know there are ACLs as well, but there’s a certain peace of mind of seeing `600` and `700` for all the contents of my home folder.

LikeLiked by 1 person
- 26
  
  hoakley on May 11, 2022 at 10:54 pm
  
  For non-standard folders, you can set them to whatever you want. One caution is that, if you propagate those permissions down through the contents, the next TM backup will probably contain the whole of the tree, as a change in permissions is a trigger for a fresh backup.
  Howard
  
  LikeLike
  - 27
    
    Josh on May 11, 2022 at 11:19 pm
    
    Triggering a full TM backup is something I would not have considered.
    Thanks for the quick reply and the head’s up
    
    LikeLiked by 1 person
- 28
  
  John Gilbert on May 11, 2022 at 11:13 pm
  
  “Does it cause any problems if I change ~/ and all subfolders to `700` (Only I can read, write, or execute)?”
  
  Two problems:
  
  1) Don’t change any permissions inside ~/Library. Or not without inspecting all the current permissions and considering consequences of any change.
  
  2) You may not use it, but ~/Public/Dropbox is intended as a place where other users can write (but not change) files.
  
  LikeLiked by 1 person
  - 29
    
    hoakley on May 11, 2022 at 11:20 pm
    
    Thank you.
    Don’t change any permissions in the standard folders. And don’t change any in Photos libraries and similar which should be in one of the standard folders.
    But in a custom folder, anything goes as it’s not part of the defined structure of the Home folder, so nothing will make assumptions about access.
    Howard
    
    LikeLike
  - 30
    
    Josh on May 11, 2022 at 11:23 pm
    
    1) Good call. In my experience Apple is most comfortable when `~/Library` is treated like a black box.
    2) Definitely do not. We have network shares for that sort of thing.
    
    LikeLiked by 1 person