hoakley November 18, 2022 Macs, Technology

Repairing Home folder permissions: a mystery

Permissions are one of the fundamental controls in macOS, to determine what you can see and do with files and folders. Long before the introduction of the signed and sealed System volume (SSV), permissions could go astray in the System, causing havoc. That was mostly fixed with the introduction of System Integrity Protection (SIP), and finished for good with the SSV.

But permissions can still go wrong in sensitive parts of the Data volume, most importantly inside your Home folder. When they do, they can have protean effects, of which the most visible is being prompted to authenticate when trying to move or alter folders and files you should own and control. This article is about how to deal with that, and how Apple’s advice has changed.

Problems with Home folder permissions first became prominent in Sierra, when Apple quietly posted a support note (long since removed without being archived) recommending a new procedure to fix a long list of problems, including:

changes to preference settings, particularly those for System Preferences, do not ‘stick’;
changes made to the Dock do not ‘stick’;
you are asked to authenticate when trying to move or alter some folders in your Home folder;
when trying to save, you are told that the file is locked, or that you don’t have permission;
Preview, TextEdit, and App Store apps (which are sandboxed) may crash when opened;
alerts warning that the startup disk has no more space available for app memory;
Safari or SafariDAVClient use large amounts of resources (memory);
your Mac runs very slowly;
iTunes cannot sync a device;
problems with Photos or iPhoto libraries, including inability to import into the library, or forgetting the library each time the app is opened.

These largely result from broken permissions and related problems in ~/Library/Preferences. Repairing these required the diskutil command tool, and although it has never been mentioned in its man page, typing
diskutil resetUserPermissions
in Terminal used to elicit usage information. If you want to read a full account of the original procedure, this article explains all. Repairing permissions in this way became so popular, and effective, that I introduced my own tools to help, and diagrammed it.

RepairPermissions

Nearly three years ago, Apple changed its support note to recommend reinstallation of macOS rather than use of the diskutil command. As I noted at the time, that seemed rather drastic. I proposed alternatives in another chart.

RepairPermissions2

In March 2020, Apple changed the procedure again, to running a new tool named repairHomePermissions in Recovery mode, then reinstalling macOS. By June 2020, Apple had removed that support note too, silently erasing all trace of these procedures. At that time, I suspected that these pernicious problems had arisen because of bugs in the background service that manages preferences, cfprefsd. Once those had been fixed, Apple considered there should be no further need for such repairs.

Although Home folder permission problems in more recent versions of macOS are undoubtedly far less frequent, they do still occur. So what do you do now, in Big Sur or later, when you encounter them?

You can still follow my second chart, and if you wish to use PermissionScanner it’s available from its Product Page, and works a treat on Intel and Apple silicon Macs even in Ventura. With more modern systems you’ll have to be wary of the changes they’ve brought, though: don’t go blundering in changing everything without checking first.

The big mystery is the repairHomePermissions tool. While this is present in Ventura, it has no man page, no usage information, and proves to be a launcher for an app that doesn’t even exist outside Recovery mode. Neither can I find an Apple Support article that mentions it any more.

If you do have Home folder permission problems, you can indeed start up in Recovery, open Terminal there, type in
repairHomePermissions
and this secret app will invite you to select a user, then apparently repair permissions on that user’s Home folder. Exactly what it does, why it’s there, or whether we should even use it, are secrets known only to Apple. But when you run out of all other options, I suppose it is something to try. Just make sure that you have excellent and complete backups before doing so.

Thanks to Kirk, who reopened this can of worms.

35Comments

Add yours

1

EcleX on November 18, 2022 at 8:06 am

Thanks. Is is possible to repair permissions using an application with Graphical User Interface (GUI)? I mean, without using command-line Terminal.

LikeLiked by 1 person
- 2
  
  hoakley on November 18, 2022 at 8:11 am
  
  Yes, as described above, the Finder’s Get Info dialog gives you permission controls. I think that counts as a GUI app, doesn’t it?
  Howard.
  
  LikeLike
- 3
  
  EcleX on November 18, 2022 at 9:57 am
  
  Thanks. I did not notice that being in the picture. I have searched Internet and found that some applications can also repair permissions, like TinkerTool System, TechTool Pro and Drive Genius. Do you know if they are different (better or worse) than the Finder (Get Info) procedure?
  
  LikeLiked by 1 person
  - 4
    
    hoakley on November 18, 2022 at 10:52 am
    
    No. I have no idea, I’m afraid. However, as there’s no Apple tool to do this except in Recovery mode, I’d be extremely wary at any third-party claiming to be able to do so. Which is why my app doesn’t attempt to do that.
    Howard.
    
    LikeLike
5

Jerry on November 18, 2022 at 9:50 am

Good to be reminded of these things again! The problem with Repair Home Permissions is that it seemingly never worked … (as against the repair permission of the system, that often helped). Also, the setting of all permissions like at the root of the Home folder has never been how permissions are set in fact for all files under the home folder. The question one wants to know about is what the permissions “should have been” when you find discrepancies … I tested your tool now as I know I at some time back in history had to manually reset permissions here and there and wondering if maybe some errors was lingering there, but not having write access to absolutely all preferences (6 in my case) might not necessarily be a problem (a bit odd with universal access being one there) and one would have to double-check against a clean install … .

LikeLiked by 1 person
- 6
  
  Jerry on November 18, 2022 at 10:17 am
  
  76 files are not writable by default in the home folder (could vary a little depending on initial installation choices I guess) in macOS Monterey. 42 files are not readable. Results from your app. Gonna save that list for future reference!
  
  LikeLiked by 1 person
  - 7
    
    hoakley on November 18, 2022 at 10:56 am
    
    In that case it’s worth looking through a verbose account to see if there are files which you think have incorrect permissions. Does your Mac have any signs of permission problems, though, as you shouldn’t be trying to fix something that ain’t broke in the first place?
    Howard.
    
    LikeLike
    - 8
      
      Jerry on November 18, 2022 at 4:27 pm
      
      It is hard to tell 😉 … . I wish one could always determine the exact cause for any problem, but no one has the time or money for that. Anyway fixing permission problems has always been overrated, but remember once when every expert (you included, I am sure) would have told me it was of no use and it turned out to be … . I only know for sure that macOS have often (or mostly) behaved bad when it came to changing permissions, even ordinary Posix as you mention. Most people have problems all the time that they just do not know about and they may not be so bad that they cannot use their computer. What if no one had errors in the System logs … that is not likely to ever happen.
      
      LikeLiked by 1 person
    - 9
      
      hoakley on November 18, 2022 at 8:26 pm
      
      It’s interesting you should mention logs.
      One of the first things you notice when you’re starting to browse Mac logs is how many errors are recorded there, but never reported to the user. Then, as you gain deeper understanding, you realise that errors are normal, and don’t necessarily mean that anything’s wrong or needs to be fixed. The skill is in knowing which is which, telling apart the normal errors, and the significant ones.
      Howard.
      
      LikeLiked by 1 person
- 10
  
  hoakley on November 18, 2022 at 10:50 am
  
  Unfortunately Apple doesn’t provide any advice on what permissions should be.
  Howard.
  
  LikeLike
  - 11
    
    Jerry on November 18, 2022 at 11:00 am
    
    Well, was a bit curious since I mentioned in another thread problems I had recently with Safari (I found only a handful of photos and downloads with the wrong Permissions and changed them, even if not important), but I found an odd thing with Caches/com.apple.Safari – it is listed in your app as not being readable or writeable on my computer, but not so on a cleanly installed macOS Monterey. Funny thing though is that when checking the permissions in the Finder the folder and contents are not non-readable or non-writable. Trashed the folder to have it recreated, but it did not change anything … odd, so guess it can be hard even trusting the results of a Permission check … !
    
    LikeLiked by 1 person
12

Simon Simpson on November 18, 2022 at 11:41 am

I seem(ed) to have problems with Permissions every time I upgrade the OS, but this may have been down to the fact that at one time I had my data files on an external volume (but now reunited in my User folder on my internal drive). I found the quickest way to resolve these issues is simply to change the Permissions of the enclosing folder in ‘Get Info’ and ask it to apply this to the ‘enclosed items’. Seems to work.

I don’t know about tools claiming to repair permissions. I have used Cocktail for a very long time and it claims to repair permissions during its maintenance cycle but it doesn’t resolve the Permissions problems I alluded to above. But Howard put me right on this some time ago by surmising that it probably wasn’t doing what it claimed !

LikeLiked by 1 person
- 13
  
  Jerry on November 18, 2022 at 12:10 pm
  
  The BatChmod app used to be the only (somewhat) reliable way to change permission on the Mac – changing permissions in Finder often did not work on earlier systems, but has been working better lately.
  
  LikeLiked by 1 person
  - 14
    
    hoakley on November 18, 2022 at 4:13 pm
    
    Well, Finder can’t normally change ‘special’ permissions, I believe. But regular Posix permissions should work fine.
    Howard.
    
    LikeLike
- 15
  
  hoakley on November 18, 2022 at 4:11 pm
  
  That first method is the one recommended in the past by Apple. Where special permissions are set, it normally won’t alter those, which is where my app can help.
  Howard.
  
  LikeLike
16

Tommmr on November 19, 2022 at 1:26 am

Haha, and I was (slightly) worrying whether tagging you over there on the bird site had been too obtrusive 😀
Thanks as ever so often for explaining things I’d never understand otherwise.

LikeLiked by 1 person
- 17
  
  Tommmr on November 19, 2022 at 1:28 am
  
  (sry, just replying to myself, this time WITH the checkmark for notifications)
  
  LikeLiked by 1 person
- 18
  
  hoakley on November 19, 2022 at 6:54 am
  
  Thank you, although I’m not sure any of us really understands them. Maybe even Apple doesn’t any more?
  Howard.
  
  LikeLiked by 1 person
  - 19
    
    Tommmr on November 21, 2022 at 3:27 am
    
    Haha again, and “Oh my!”—I feel a little embarrassed, TBH, b/c I _did_ hesitate a moment before I wrote “things I’d never understand otherwise”, because, of course, I _still_ do not understand, but the time was short and the dog barked yadda yadda yadda anyway, I hesitated but clicked “Post Comment” anyway because I didn’t really know how to put it.
    
    Now, with little more time to think about it, I’d say …
    
    “Thanks as ever so often for explaining things—I get a whiff of understanding just how little I understand!”
    
    😉 But honestly, it _does_ feel as if I am learning tiny bits every time I read you, I just don’t know what exactly it is that I am learning … because you are teaching so much, and on several channels and levels at the same time. I rarely read people whom I instantly perceive as a true “sensei” 🙏 🙇‍♂️
    
    LikeLiked by 1 person
    - 20
      
      hoakley on November 21, 2022 at 12:42 pm
      
      Thank you.
      Howard.
      
      LikeLike
21

Tom Van Vleck on March 15, 2023 at 2:07 am

I have the opposite problem. I understand Unix permissions.
I wish to have folders containing HTML files backed up to iCloud
and also viewable by Apache on my machine. I am running Ventura13.2.1.
I put my files in $HOME/Documents/www but Apache could not serve them
because the permissions on Documents were 700. So I changed the permissions
with ‘sudo chmod 755 ~/Documents’ and it worked fine .. for a few minutes.
Then SOMETHING changed the permissions on Documents back to 700.
Is there a way to disable this?

LikeLiked by 1 person
- 22
  
  hoakley on March 15, 2023 at 8:17 am
  
  I’m sorry to hear that.
  I know of no background process in macOS that might go round changing permissions like that. I think you’d need to inspect the log to discover what did that.
  Howard.
  
  LikeLike
23

Tom Van Vleck on March 16, 2023 at 2:09 pm

Inspecting the log seems much more difficult in Ventura. I ended up searching
/var/log/system.log, nothing that explained the permission changes.
I wrote a Perl program to create a shadow copy of $HOME/Documents/www
and pointed Apache at that. Works ok. Have to re-generate the shadow before
looking at files locally.. think I can modify my Makefile.

LikeLiked by 1 person
- 24
  
  hoakley on March 16, 2023 at 5:56 pm
  
  No, I think you’ll need to check the Unified log for the answer. There’s been precious little of any use in system.log since El Capitan, as Sierra introduced the new Unified log.
  Howard.
  
  LikeLike
25

markboolootian on March 27, 2023 at 8:06 pm

I’ll note that the products page for PermissionScanner doesn’t actually mention Ventura, although you do in the above article.

Thanks and deep bows for your wisdom and tools,
mark

LikeLiked by 1 person
- 26
  
  hoakley on March 27, 2023 at 9:50 pm
  
  Thank you. I’m sorry, I’ve fallen behind on the admin. I’ll try to catch up soon.
  Howard.
  
  LikeLike
27

Tom Carpenter on March 29, 2023 at 2:16 pm

Does PermissionScanner also attempt to repair ACLs? I ran repairHomePermissions to try to restore the ACLs of a user profile but to no effect.

LikeLiked by 1 person
- 28
  
  hoakley on March 29, 2023 at 3:58 pm
  
  PermissionScanner doesn’t repair anything: it merely lists potential problems. As it doesn’t specifically look at ACLs, then I don’t know, but ACLs are supposed to be used extremely seldom. I can’t think why anything is setting them in ~/Library. Do you know of an app that does?
  Howard.
  
  LikeLike
  - 29
    
    Tom Carpenter on March 29, 2023 at 6:26 pm
    
    After upgrading a user’s system to Ventura and restoring their user profile I checked the permissions of “/Users/” which were “drwxr-w—” but newly created users get “drwxr-w—+”. Also, running “ls -le /Users” displays nothing for the user whose profile I restored whereas “0: group:everyone deny delete” is displayed for newly created users. I’m not aware of anything that’s deliberately changing ACLs; on very rare occasions I’ve used xattr to modify the ACLs of a few files but I generally leave ACLs alone.
    
    LikeLiked by 1 person
    - 30
      
      hoakley on March 29, 2023 at 6:56 pm
      
      Thank you.
      Repairing or restoring permissions isn’t about this, and is no longer recommended by Apple anyway. It has even removed the note referring to it.
      The problems used to occur not on higher level folders, but in the Property Lists in ~/Library/Preferences, in particular. I suspect it was actually the result of a bug in cfprefsd, which manages those files for apps. Those problems appear to have gone away now, which is probably why Apple has removed all reference to it. However, it does appear still possible to do this from Terminal in Recovery Mode. Whether you should ever use that I simply don’t know, and Apple isn’t telling us.
      Whether macOS now uses an ACL in top level folders in the Home folder, or the Home folder itself is another question. I don’t know, and I’m pretty sure that Apple hasn’t documented it. If these are causing problems, then I suggest that you contact Apple Support in the first instance. If they’re not causing any issues then I’d leave well alone – maybe something in Ventura relies on them, and removing the ACL would cause problems that aren’t there in the first place.
      Howard.
      
      LikeLike
31

Tom Carpenter on March 29, 2023 at 6:34 pm

Apologies: “I checked the permissions of “/Users/”” would have been clearer as “I checked the permissions of users’ profiles, i.e. /Users/username”

LikeLiked by 1 person
- 32
  
  Tom Carpenter on April 4, 2023 at 5:19 pm
  
  Our school’s Apple System Engineer suggested running “diskutil resetUserPermissions / $UserID” which seems to have restored the ACLs of the user’s profile I was trying to fix
  before running “diskutil resetUserPermissions / $UserID” the root directory of the user’s profile had the following permissions and ACL
  
  drwxr-x— \Domain Users
  
  after running “diskutil resetUserPermissions / $UserID” the permissions and ACL of the root directory of the user’s profile are
  
  drwxr-x—+ staff
  0: group:everyone deny delete
  
  Note, one side effect was that the group ownership of the root directory of the user profile was changed from Active Directory’s ‘Domain Users’ to macOS’ ‘staff’.
  
  LikeLiked by 1 person
  - 33
    
    Tom Carpenter on April 4, 2023 at 5:22 pm
    
    …sorry, I’m apparently not formatting my post in a way that results in all the info making its way into the post but enough was retained that I think I got the important points across.
    
    LikeLiked by 1 person
    - 34
      
      hoakley on April 4, 2023 at 9:15 pm
      
      No problems – it looks clear to me, thank you.
      Howard.
      
      LikeLike
  - 35
    
    hoakley on April 4, 2023 at 9:15 pm
    
    Thank you. While I’m delighted you appear to have found a resolution, it might repay reading the above article again, which explains how Apple has never documented that feature in diskutil, and has removed all reference to it in its support documentation. The last suggested remedy was performed in Recovery mode using a dedicated app, which is still present, but is apparently also undocumented and now unsupported.
    I’m also not clear what you mean by “user profile” in this context: the permissions in question have been those in ~/Library, particularly in the Preferences folder there. As that diskutil option and its equivalents remain undocumented, no one outside Apple knows exactly what they do change, and what to.
    This also begs the question as to how the incorrect ACL came to be applied in the first place, given how seldom ACLs are used or changed in macOS.
    Howard.
    
    LikeLike