Permissions not being reset in LION

3066 Views 31 Replies Latest reply: Jul 1, 2012 7:35 PM by Riccardo Di Roberto
  • Alberto Ravasio Level 4 (3,160 points)
    May 6, 2012 1:16 PM (in response to BillyRayValentine)

    BillyRayValentine wrote:

     

    But once it leaves the USER folder moving it around the rest of the HD requires Authentication.

     

    That is what is expected.

     

    The root folder (Macintosh HD) has (r)ead (w)rite e(x)ecute permission for root user and (r)ead e(x)ecute permission for the group wheel and others.

    If you, as a user, want to write something into the root directory, you must authenticate.

     

    Let's make an example with folder ABC you create on your desktop.

    Now you move folder ABC into Macintosh HD.

    The Finder asks you to authenticate because of what I explained earlier.

    The folder ABC is now in Macintosh HD with the following permission rwxr-xr-x, owner your user, group staff.

    You can copy, create, delete whatever you want inside ABC without authenticating.

    Let's say you want to move folder ABC back to your desktop or wherever you want. Even though the folder is yours, and you have full privileges, you must authenticate once more, because that folder resides inside the root folder that has root user as owner, on which ABC depends.

  • Király Level 6 (9,460 points)
    May 6, 2012 4:34 PM (in response to BillyRayValentine)

    As Alberto says, this has changed in Lion and is now normal. Nothing to worry about. The top level of the hard drive is not a place to store data anyway, so there is no need to move files there. Use your home folder, or put files in /Users/Shared if you wish to give other users access to them.

  • jsd2 Level 5 (6,200 points)
    May 6, 2012 5:14 PM (in response to BillyRayValentine)

    The new user account works fine.... However, the admin account (my original account does not).

     

    Although it is now "normal" in Lion for access outside the home folder to be restricted, you should still have free access within the home folder, and  it sounds like you are having permission issues within the home folder of one user account but not a different user. The Terminal output you posted did not rule out the presence of ACLs on the user-created items there,  and specifically, an "everyone deny delete" ACL could cause the behavior you are observing.

     

    Despite its name the “Reset Home Directory Permissions and ACLs” tool will not remove ACLs from user-created items within the home folder - it corrects the ownership of everything in the home folder, but only corrects the ACLs on the home folder itself and on the main subfolders such as Documents, Desktop, etc. 

     

    I would try a slight modification of the diagnostic Terminal command you ran earlier from the affected account, this time looking for ACLs and flags on the user-created  files and folders that were listed before. Again, this will not change anything. Post back the response:

     

    ls -leO@ ~

     

    If such an ACL is indeed the problem, you could then remove all the ACLs by running  this command:

    chmod -RN ~

    followed by re-running the “Reset Home Directory Permissions and ACLs” tool to put back those ACLs on the main folders that actually belong there.

     

    But first just post back the response you get from

    ls -leO@ ~
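
The check jsd2 describes, looking through `ls -leO@ ~` output for an "everyone deny delete" ACL on user-created items, can be scripted. This is an added example, not part of the original thread: the listing is constructed, and the account name `user1` and the allow-list of standard folders are assumptions.

```shell
#!/bin/sh
# Added example: find "deny delete" ACL entries in `ls -leO@ ~` output.
# Assumed macOS ls line shapes: ACL entries look like
# " 0: group:everyone deny delete"; xattr lines (-@) start with a tab.

# Assumption: folders where the ACL legitimately belongs.
STANDARD="Desktop Documents Downloads Library Movies Music Pictures Public"

find_deny_delete() {
    # stdin: ls -leO@ output. stdout: "name<TAB>principal permissions"
    awk -v std="$STANDARD" '
    BEGIN { n = split(std, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
    /^total / || /^\t/ { next }          # header and xattr lines
    /^ *[0-9]+: / {                      # ACL entry for the last item seen
        for (i = 2; i < NF; i++) if ($i == "deny") {
            m = split($(i + 1), p, ",")
            for (j = 1; j <= m; j++)
                if (p[j] == "delete" && !(name in ok))
                    printf "%s\t%s %s\n", name, $2, $(i + 1)
        }
        next
    }
    # Item line: with -O the name starts at field 10 and may contain spaces.
    { name = $10; for (i = 11; i <= NF; i++) name = name " " $i }
    '
}

sample_listing() {   # constructed listing, account name is made up
    printf '%s\n' 'total 0' \
      'drwx------+  5 user1  staff  -  170 May  6 12:00 Desktop' \
      ' 0: group:everyone deny delete' \
      'drwxr-xr-x+  3 user1  staff  -  102 May  6 12:01 Old Projects' \
      ' 0: group:everyone deny delete' \
      '-rw-r--r--@  1 user1  staff  - 2048 May  6 12:02 notes.txt'
    printf '\tcom.apple.quarantine\t  57\n'
    printf '%s\n' \
      'drwxr-xr-x+  2 user1  staff  -   68 May  6 12:03 Scans' \
      ' 0: user:user1 allow list,add_file,delete_child'
}

sample_listing | find_deny_delete
```

On a real system the same function reads live output: `ls -leO@ ~ | find_deny_delete`. It only reports; it changes nothing.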

  • Király Level 6 (9,460 points)
    May 6, 2012 5:38 PM (in response to BillyRayValentine)

    You are mistaken about an admin user ever having full and unrestricted access to every folder on the Macintosh HD, with the ability to move, trash, anything without the need to authenticate. Only the root user could ever do that.

     

    Normal (non-admin) users only had write access to their own home folders, and to the /Users/Shared folder. Doing anything else required admin authentication.

     

    Up until Lion, admin users had access to more of the system without the need to authenticate, such as to / (the top level), and /Library. But the /System folder was always off limits even to them, and required authentication (i.o.w. escalation to root privileges) to modify.

     

    In Lion, Apple has locked down even more of the system from users in the admin group. /Library and / now require authentication to modify, similar to how it is for non-admin users.

     

    Why Apple made this change is anyone's guess. But it is true that many users have been ignoring Apple's security configuration guidelines and running all the time as admin users, which you seem to have been doing, and which is a security risk. Apple says to log in to admin accounts only for tasks that cannot be done while logged in to a non-admin account (there are hardly any), and to do all other tasks in a non-admin account. Apple even goes so far as to say to never browse the web or check email while logged in to a non-admin account.

     

    My guess is that Apple has accepted that people are doing it anyway, and as such, they may as well lock down everything to increase the security of people who are running their Macs less securely than they should.

     

    What files are you moving around outside of your home folder that are causing this to become an issue?

  • jsd2 Level 5 (6,200 points)
    May 6, 2012 6:47 PM (in response to BillyRayValentine)

    If you download this Apple document:

    http://developer.apple.com/library/mac/releasenotes/MacOSX/WhatsNewInOSX/WhatsNewInOSX.pdf

     

    You will find these changes for Lion on page 18:

    ------------------------------------------------

    Folder Permissions and Ownership

     

    A number of folders in the System and Local file system domains now have different ownership and permissions.

    Specifically:

     

    Many folders in the System domain that were previously owned by the admin group are now owned by the wheel group.

     

    Permissions for the root directory (/) are now mode 755 (writable only by root) instead of mode 775 (writable by the admin group).

     

    Permissions for /Applications/Utilities are now mode 755 (writable only by root) instead of mode 775 (writable by the admin group).

    .

    .

    --------------------------------------------------

     

    Within your home folder, you should still be able to move, rename, and delete things freely.

    Mac mini (Late 2009), Mac OS X (10.6.8), dual-boot Lion OS X 10.7.3
  • Király Level 6 (9,460 points)
    May 6, 2012 7:19 PM (in response to BillyRayValentine)

    All you need to do is stop using the top level of the hard drive for file storage. This has never been a good place for file storage. The top level is a System area; user data should not go there. Keep it inside your home folder and/or inside the /Users/Shared folder if you need to. That's what the Shared folder and your home folder are for, to stash your files.

  • Király Level 6 (9,460 points)
    May 6, 2012 7:29 PM (in response to BillyRayValentine)

    If you wish to stay with Lion there is no other solution. Sorry.
