Topic : Leopard - File Permissions | ACLs | User Group issue - not fully resolved.



This question is not answered. "Helpful" answers available: 2 . "Solved" answers available: 1 .



Replies: 54 - Last Post: Feb 3, 2008 12:47 AM by: ChoreoGraphics
FromOZ


Posts: 229
From: Netherlands
Registered: Mar 13, 2007
Leopard - File Permissions | ACLs | User Group issue - not fully resolved.
Posted: Nov 3, 2007 12:32 PM
 

There has been much discussion about these topics. People have found various issues and some workarounds have been found.

One of these was related to the fact that in Leopard the default for user|group creation has changed. Previously - assuming the user name chosen by user was "FredN" (for Fred Nurk) - the user would be created with (short) user name of "FredN" and the group name of "FredN" was automatically created. If that user was the first user on the system the IDs for user and group were typically both number 501.

In Leopard new users are created with the default group being "staff" (GID = 20). Unfortunately for all of us upgrading to Leopard the upgrade script did not properly and cleanly (tsk tsk Apple) migrate user's files and set proper permissions. This resulted in various problems including Finder crashing because it did not recognise the user's original group, see...

http://discussions.apple.com/thread.jspa?threadID=1197971

So it was figured out how to change the group for the user's account

http://discussions.apple.com/thread.jspa?messageID=5668971#5668971

and how to update (in a bit of a shotgun method) all files in a user's home folder so that, instead of being (using the example above) FredN:FredN, they have the new style of FredN:staff

http://discussions.apple.com/thread.jspa?messageID=5670513&#5670513
http://discussions.apple.com/thread.jspa?messageID=5665571#5665571

Unfortunately... the story does not end there. The issue in Leopard is still not fully resolved even after applying the workarounds. To see/confirm on your own installation review and test the following.

Assumptions:
1) Upgrade from Tiger
2) Original user:group in this case was FredN:FredN with numeric IDs of 501:501
3) User's group has been changed via method above which basically entails going into:
System Preferences | Accounts | My Account "Fred Nurk" Admin (in my case)
selecting account, right click, choose "Advanced Options...", in dialog box set "Group ID" to 20, reboot.

Problem:
1) Run Automator, create simple workflow, save to Desktop, on file right click and "Get Info", see that group is "unknown".
2) Run TextEdit, create file, save to Desktop, get info, see same problem
3) If you have TextMate, create file, save to Desktop, get info, see that group is... "staff" (tsk tsk Apple, third party software works properly)

Check user and group permissions on files created (this requires using Terminal):
1) Run Terminal
2) run commands "cd Desktop" then "ls -lae", output example is:
-rw-r--r--@ 1 FredN FredN 5 3 Nov 19:04 TextEdit_created_file.txt
-rw-r--r--@ 1 FredN staff 12 3 Nov 19:05 TextMate_created_file.txt
it can be seen that TextEdit creates (in the same folder location) the file with the incorrect group.

To see problems with user and group settings (this requires using Terminal) it is necessary to run some new commands in Leopard - dscacheutil and dseditgroup. The "ds" stands for Directory Services. The command "dscacheutil" shows information. The command "dseditgroup" can query groups but also make changes; extreme care should be used with this command!

Run Terminal, and run following commands:

Goal:
To check user
Command (everything after the "$"):
$ dscacheutil -q user -a name FredN
Output:
name: FredN
password: ********
uid: 501
gid: 20
dir: /Users/FredN
shell: /bin/bash
gecos: Fred Nurk
Conclusion:
Looks OK, as expected

Command:
$ dscacheutil -q group -a name staff
Output:
name: staff
password: *
gid: 20
users: root test
Conclusion:
The user FredN is not in the group! But they have the group staff as their default group.

Command:
$ dscacheutil -q group -a name FredN
Output:
name: FredN
password: *
gid: 501
Conclusion:
The original group from Tiger was carried across to Leopard but is not used?

Command (this is run with sudo so password has to be entered):
sudo dseditgroup -o edit -a FredN -t user staff
Output:
The command completed OK

Command:
$ dscacheutil -q group -a name staff
Output:
name: staff
password: *
gid: 20
users: root test FredN

Next run tests again with TextEdit and TextMate, results : problem still there.

From this I conclude that there are still open issues with users, groups and file permissions in Leopard due to internal changes.

 Mac Pro, 2 x 2.66 GHz Dual-Core Intel Xeon, 2GB RAM   Mac OS X (10.5)   AirPort Extreme (102.11n gbit ports)  
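
The checks in FromOZ's post above can be scripted. The following is an added example, not part of the original post: it parses the text printed by dscacheutil and ls -l and reports the primary GID, whether the user is on the group's users line, and which files carry a group other than staff. The function names and the sample input (constructed from the output quoted in the post) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): checks the facts the post verifies by
# hand, using the text printed by dscacheutil and ls -l as input.

# field_of KEY: print the value of the first "KEY: value" line on stdin.
field_of() {
    awk -v k="$1" 'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }'
}

# is_member USER: succeed if USER is listed on the "users:" line of
# `dscacheutil -q group` output read from stdin (whole-word match only).
is_member() {
    field_of users | tr ' ' '\n' | grep -qxF -- "$1"
}

# stale_group_files GROUP: read `ls -l` / `ls -lae` lines from stdin and print
# the names of entries whose group column is not GROUP. ACL detail lines and
# the "total" line are skipped because they do not start with a mode string.
stale_group_files() {
    awk -v g="$1" 'NF >= 9 && $1 ~ /^[-dlbcps]/ && $4 != g {
        name = $9; for (i = 10; i <= NF; i++) name = name " " $i
        print name
    }'
}

# Constructed sample input, modelled on the output quoted in the post.
USER_OUT='name: FredN
uid: 501
gid: 20'
STAFF_BEFORE='name: staff
gid: 20
users: root test'
STAFF_AFTER='name: staff
gid: 20
users: root test FredN'
LS_OUT='-rw-r--r--@ 1 FredN FredN 5 3 Nov 19:04 TextEdit_created_file.txt
-rw-r--r--@ 1 FredN staff 12 3 Nov 19:05 TextMate_created_file.txt'

# show_membership LABEL GROUP_OUTPUT: one report line per group snapshot.
show_membership() {
    if printf '%s\n' "$2" | is_member FredN; then
        echo "$1: FredN listed in staff"
    else
        echo "$1: FredN NOT listed in staff"
    fi
}

report() {
    echo "primary gid of FredN: $(printf '%s\n' "$USER_OUT" | field_of gid)"
    show_membership "before dseditgroup" "$STAFF_BEFORE"
    show_membership "after dseditgroup" "$STAFF_AFTER"
    echo "files whose group is not staff:"
    printf '%s\n' "$LS_OUT" | stale_group_files staff | sed 's/^/  /'
}
report
```

On a live system the same functions take the real commands as input, for example `dscacheutil -q group -a name staff | is_member FredN` or `ls -l ~/Desktop | stale_group_files staff`.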
djhartman

Posts: 53
From: Enschede, Netherlands
Registered: Oct 31, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 4, 2007 3:20 PM   in response to: FromOZ
 

Perhaps you need to log out and back in for said changes to take effect?

Thanks very much for your detailed instructions though. It's really helping a lot of upgraders, I think.
Would be good if we could write an AppleScript that could fix most of these issues for the users. I wrote something to reset the ACLs and permissions and owner/groups of a single homedir to those of a default Leopard installation, but I'm not sure if I can easily add things like this.

iMac Intel 2Ghz, iBook G4 1.2Ghz, Powermac G5 dual 1.8Ghz   Mac OS X (10.5)    
djhartman

Posts: 53
From: Enschede, Netherlands
Registered: Oct 31, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 4, 2007 3:36 PM   in response to: FromOZ
 

From: http://discussions.apple.com/thread.jspa?messageID=5668971#5668971

Alternative way to add yourself to the group "staff"
sudo dscl . append /Groups/staff GroupMembership myusername

Leaves setting the gid:
sudo dscl . create /users/myusername PrimaryGroupID 20

I think I can add all this to my AppleScript, but I'm a tad afraid to throw it into the wild. Perhaps you could test it first for me?

Message was edited by: djhartman

iMac Intel 2Ghz, iBook G4 1.2Ghz, Powermac G5 dual 1.8Ghz   Mac OS X (10.5)    
FromOZ


Posts: 229
From: Netherlands
Registered: Mar 13, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 5, 2007 12:45 PM   in response to: djhartman
 

I'm a tad afraid to let loose scripts doing global changes on my machine ;-)

I'm staying a bit cautious and waiting for Steve & Co. to bring out 10.5.1 where no doubt we'll see smarter people than ourselves (in Apple) write fixups for the busted permissions. My machine is working so I'm going to hold off and see.

 Mac Pro, 2 x 2.66 GHz Dual-Core Intel Xeon, 2GB RAM   Mac OS X (10.5)   AirPort Extreme (102.11n gbit ports)  
Francine Schwie...


Posts: 5,765
From: Southern Calif
Registered: Oct 12, 2001
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 5, 2007 1:41 PM   in response to: FromOZ
 

Just wanted to add that I'm one of the upgrade victims. I discovered it when I realized that Spotlight was not indexing many files in my home directory, and when I examined the left-out files found they were all group unknown. So I started Doing Things to fix the situation, including many of the Terminal commands you mention, mass changes to the Group of files, and so on. Last night I used the option in Accounts to make myself a member of the group "francine" (there's a check box to tick), and now using the id command shows this:

NoobiX:~ francine$ id
uid=501(francine) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),81(_appserveradm),79(_appserverusr),80(admin),501(francine)

And the "dscacheutil -q group -a name staff" does indeed list me as a user in the Staff group. And group francine, with a gid of 501 now seems to exist.

But when I save files from some of Apple's applications (but not all) and do GetInfo, the file shows up with group unknown. So far all third party apps are now saving with group staff, as well as some Apple applications--I've tested iMovieHD, iPhoto and iTunes, and they all are saving as group Staff. Preview, Safari, ScriptEditor, Automator and TextEdit are saving as group unknown.

When I do a "ls -l" command on one of these unknown group files Terminal is showing them as group francine. And they are now all being indexed, and found, by Spotlight. So at this point I'm unsure what to think, but since everything seems to be working, I guess it is time to just leave well enough alone.
Francine


Francine
Schwieder


2x2.66 Dual Core MacPro; iBookG4; iPod   Mac OS X (10.5)   Cinema Display, Wacom Tablet  
Scott Radloff


Posts: 4,007
Registered: Sep 4, 2003
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 5, 2007 3:08 PM   in response to: Francine Schwie...
 

Hi All,

Just to provide a basis for comparison, perhaps to pinpoint where things are going awry, I will post my experience and findings using a "fresh" installation of Leopard, with manually migrated HOME folders...

After using an "Erase and Install" of Leopard, I used my standard method of migrating old user data. I use rsync to both back up and restore the user data, preserving all permissions, extended attributes, etc. On the new installation, accounts are created using the same usernames/short names associated with the old user data. The root account is then enabled and logged into, and the current content of /Users is trashed.

rsync is then used to restore the user data from backup, again using the options to preserve permissions and extended attributes, etc. (rsync -avE /Volumes/...source.../Users/ /Users).

Upon logging into the migrated accounts and doing some initial exploration, I quickly discovered the changes in POSIX settings for file system objects. It didn't take too long to discover that my new group was "staff" (talk about flashing back!!). Noticing that the "unknown" group was appearing in many places, I simply chowned my HOME folders (chown -R username:staff /Users/HOME), without waiting to see what, if any, problems this would cause.

Previously, my favorite method of querying permissions was "ls -aol". What I now find is that this command no longer yields group ownership, reflecting the same omission in Get Info's display. Instead, the @ flag appears to indicate the presence of ACLs. This indicates to me that POSIX is being deprecated in favor of ACL.

I can state that, under a "fresh" installation, everything works consistently, and (I assume) as intended. New files automatically gain a proper ACL, and use of "ls -lae" (as described by the OP) reveals that group "staff" is applied properly, and consistently.

I know none of this provides any direct help to those that upgraded, and who are experiencing problems as a result, but I hope it does shed a bit of light. At the very least, at least it will reassure you that the new paradigms do work properly, with no "bugs," under a "clean" installation of Leopard. What bugs exist are rooted in the upgrade, not the paradigms.

Scott

17" Macbook Pro, HAL 9000   Mac OS X (10.4.10)    
Francine Schwie...


Posts: 5,765
From: Southern Calif
Registered: Oct 12, 2001
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 5, 2007 3:32 PM   in response to: Scott Radloff
 

Thanks for the info Scott. I intend to keep looking into the subject and pondering what I find out.

I generally do something similar to what you do--this is the first time I've ever done an upgrade install of a major OS update. But I had a fresh custom install of Tiger on my brand new MacPro and figured I would give it a try, rather than fuss around re-doing a bunch of stuff from scratch (as that would be the third time in as many weeks of doing it, and the prospect was beginning to be boring). From what you are saying I gather I would have still run into some oddities.

And speaking of oddities: I just now went to save this page as a webarchive out of Safari, checked the group, and...dang... it was STAFF. Saved it as Source. Staff. Saved it as PDF. Staff. Thinking perhaps the Mac had healed itself, I copied and pasted into TextEdit, saved, but that is still showing in the Finder as group unknown. Ah well.
Francine


Francine
Schwieder


PS--While "ls -aol" doesn't show group, the plain "ls -l" does:

NoobiX:~ francine$ ls -l /Users/francine/Desktop/francine
-rwxr-xr-x@ 1 francine staff 0 Oct 29 16:26 /Users/francine/Desktop/francine

Message was edited by: Francine Schwieder

2x2.66 Dual Core MacPro; iBookG4; iPod   Mac OS X (10.5)   Cinema Display, Wacom Tablet  
djhartman

Posts: 53
From: Enschede, Netherlands
Registered: Oct 31, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 5, 2007 4:31 PM   in response to: FromOZ
 

OK, I have tested this a couple of times, and although I'm not 100% sure of course, the following script does seem to work. Please use it as a LAST resort on accounts that you have backed up before you upgraded to Leopard. It should do all of the steps listed above in a few clicks. I do not advise this script for anyone but those who have some more experience with Mac OS X.

Disclaimer: NO GUARANTEES.
The following is a link to an AppleScript that (when run) will update your Tiger account to bring it in line with Leopard conventions I think. It sets permissions and ownership like those of a new Leopard account. Beware that the permissions of all files in your home directory will change. This can take quite some time, and there is no progress bar; your computer might be a bit unresponsive, especially the script itself during this time. DO NOT KILL THE SCRIPT !! It will also generate a load of work for the Spotlight indexer if you have a large home directory, so you should see some computer load after the script is done.
Files in your Sites and Public folder will be readable by everyone, don't forget about that if you had it set in another way before you ran the script. It will only run for the user account under which you are currently working, so you will have to execute it for each of your user accounts.

It is NOT intended to be used by "Archive & Install" upgrades or clean installations of Leopard.

This is the script:
http://deneb.student.utwente.nl/~hartman/fixpermissions.app

If you know how to work Script Editor then you can choose to download the source code of the script instead:
http://deneb.student.utwente.nl/~hartman/fixpermissions.scpt

If the links no longer work, then I have probably removed them because someone had an issue with the script and I want to protect other users.

iMac Intel 2Ghz, iBook G4 1.2Ghz, Powermac G5 dual 1.8Ghz   Mac OS X (10.5)    
Scott Radloff


Posts: 4,007
Registered: Sep 4, 2003
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 6, 2007 11:48 AM   in response to: djhartman
 

Hello again All,

I don't know what this has to do with this "upgrade" issue, and I don't know how one would take advantage of this after an upgrade, but there are two new (I think) scripts in Leopard:

/System/Library/Core Services/UpgradeUser

and

/System/Library/Core Services/UserAccountUpdater

Perhaps these have relevance to the issues outlined in this thread, perhaps not.

Scott

17" Macbook Pro, HAL 9000   Mac OS X (10.4.10)    
lovinmymac


Posts: 222
Registered: Mar 12, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 6, 2007 12:21 PM   in response to: Scott Radloff
 

Okay

I am not taking ANY responsibility if this screws up YOUR machine. BUT, I tried running disk permission repair with Leopard disk utility and found some permission errors like everyone else. Specifically those -rw blah blah blah should be something very similar with different dash quantities...blah blah blah.

I am not a techie. Can you tell? But what I did do was download the ONYX Leopard Beta (I had great experiences with the previous ONYX utility) and ran a full system cache clean, (including the garage band, audio stuff, etc..), optimization and disk permission fixes.

IT FIXED THE PERMISSIONS THAT LEOPARD DID NOT. GO FIGURE.

I reloaded desktop wallpaper (that I thought was slowing my machine, it wasn't) and ran Cinebench 10 tests to check graphics performance. Everything is hunky-dory regarding Finder and these tests. If I toggle cover flow in Finder, performance seems to take a hit.

As a precaution, I ran disk utility after ONYX and it found no permission errors with the exception of the famed XXXXAGENT thing that almost all Leopard users are getting. I am not on my machine now, but I will check more about this later....and see if I can confirm my user settings in system preferences for a directory vs. finder's settings.

imac 24" 2.16   Mac OS X (10.5)   Leopard....for now....
FromOZ


Posts: 229
From: Netherlands
Registered: Mar 13, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 6, 2007 12:41 PM   in response to: lovinmymac
 

You're a brave man running a beta of a system update utility :-)

I see that Apple is already working on the 10.5.1 update. I hope they have been reading all the forum postings ;-)

 Mac Pro, 2 x 2.66 GHz Dual-Core Intel Xeon, 2GB RAM   Mac OS X (10.5)   AirPort Extreme (102.11n gbit ports)  
John Vestal1

Posts: 50
Registered: Oct 30, 2003
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 13, 2007 9:42 AM   in response to: FromOZ
 

Seems there is a set of temporary folders that need to be fixed. See <http://discussions.apple.com/thread.jspa?threadID=1228363&start=0&tstart=0>. The short answer is to fix the groups in /private/var/folders/. That should close this item.

     
rb76

Posts: 15
From: Salford, United Kingdom
Registered: Nov 20, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 20, 2007 4:27 PM   in response to: FromOZ
 

Hi. I got the update to Mac OS 10.5.1 and it has not fixed any of my Finder problems. I'm not very technical with Mac OSX / UNIX based stuff, and am really struggling to fix this. :-(

Thanks to all of you for your help and suggestions on this, I can see it's going to have to be a very steep learning curve for me here!

Cheers,

Richard

Mac Mini 1.66GHz Intel Core Duo   Mac OS X (10.5.1)   USA model, 2GB ram upgrade, Iomega MiniMax 500GB FW ext.HDD  
MithrilFox

Posts: 25
From: Japan
Registered: Nov 19, 2007
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 20, 2007 4:54 PM   in response to: FromOZ
 

The 10.5.1 release does not appear to fix anything about the problems discussed in this post.

Sorry people, there's still no fix from Apple.

iBook G4, MacBook (early model)   Mac OS X (10.5.1)   iBook has 768 MB RAM, MacBook 1gb  
John Vestal1

Posts: 50
Registered: Oct 30, 2003
Re: Leopard - File Permissions | ACLs | User Group issue - not fully resol
Posted: Nov 27, 2007 2:06 PM   in response to: MithrilFox
 

Guys, did you try the fix in <http://discussions.apple.com/thread.jspa?threadID=1228363&start=0&tstart=0>? That should fix the issue of TextEdit saving files with the wrong group along with the other changes here (changing the default group to 20 and adding the users to the staff group). If you have done both of those, these issues should be corrected.

  Mac OS X (10.5)