
recursive ACL's????

I have a number of files in my home directory that somehow accumulated ACL entries out of the blue. Getting rid of these in the Finder is a pain. It turns out that getting rid of them in the Terminal is a little bit easier, but not much.

MyComp:~ myUser$ cd Desktop
MyComp:Desktop myUser$ ll -e
total 144
drwxr-xr-x 8 myUser staff 272 Oct 31 08:04 .
drwxr-xr-x 37 myUser staff 1258 Oct 31 13:56 ..
-rwxr-xr-x@ 1 myUser staff 24580 Oct 31 09:12 .DS_Store
0: group:everyone deny delete
-rwxr-xr-x+ 1 myUser staff 0 Mar 29 2007 .localized
0: group:everyone deny delete
drwxr-xr-x@ 11 myUser staff 374 Oct 31 14:16 InBox
0: group:everyone deny delete
drwxr-xr-x@ 4 myUser staff 136 Oct 19 12:27 Out
0: group:everyone deny delete
-rwxr-xr-x@ 1 myUser staff 0 Oct 31 08:00 Pending
0: group:everyone deny delete
drwxr-xr-x@ 16 myUser staff 544 Oct 31 01:33 Transfer
MyComp:Desktop myUser$


See the ACL entries for each line? When I try to recursively chmod them to get rid of the ACL:

MyComp:Desktop myUser$ sudo chmod -R -a# 0 *
chmod: No ACL present

or

MyComp:Desktop myUser$ sudo chmod -R -a# 0 Inbox
chmod: No ACL present

That directory, and only that directory, not anything inside of it, is affected.

Whereas without the flag....

MyComp:Desktop myUser$ sudo chmod -a# 0 Out

... works as expected

So how do I do recursive ACL's so that I don't have to hunt through every directory???

G5, Mac OS X (10.4.8)

Posted on Oct 31, 2007 11:44 AM

25 replies

Nov 2, 2007 3:26 PM in response to tom de

Part of the problem is that the recursive mode for ACLs is "stupid" and chokes when it runs across a file/directory that doesn't have one.

What seems to work is assigning the ACL to all files in my home directory

sudo chmod -R +a "group:everyone deny delete" mydirectoryname

followed by the removal...

sudo chmod -R -a "group:everyone deny delete" mydirectoryname

You may have to force another add/remove cycle on some subdirectories, but it took me less than 20 minutes to clean out my home directory this way, and no recurring problems since.

Now if we could just do the -a and check if there IS an ACL first....
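The two fixes that come up in this thread, the add-then-remove cycle above on 10.4 and chmod -N on 10.5, both still lack the "check if there IS an ACL first" step the post asks for. The script below is an added example, not code from the thread or from Apple: it walks the tree with find rather than chmod -R, parses the ls -le output to pick out only the entries that actually carry an ACE, and strips the ACL from just those, so chmod is never handed a file with no ACL. The embedded listing is constructed from the one in the original question, with one extra directory ("My Stuff") and a second ACE on Out added to show that names with spaces and multiple entries are handled. The function names, the Darwin check, the skipping of symlinks and the fallback from chmod -N to repeated chmod -a# 0 are the example's own assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: strip ACLs recursively without
# tripping over entries that have none (the "chmod: No ACL present" abort).
# Assumptions: the 10.4/10.5-era `ls -le` layout (a long-format line per
# entry followed by indented "N: principal allow|deny rights" lines), and
# `chmod -N` present on 10.5 but not on 10.4.

# Constructed sample, modelled on the listing in the question, with an entry
# that has two ACEs and a name containing a space added to exercise the parser.
SAMPLE_LISTING='total 144
drwxr-xr-x   8 myUser  staff    272 Oct 31 08:04 .
drwxr-xr-x  37 myUser  staff   1258 Oct 31 13:56 ..
-rwxr-xr-x@  1 myUser  staff  24580 Oct 31 09:12 .DS_Store
 0: group:everyone deny delete
-rwxr-xr-x+  1 myUser  staff      0 Mar 29  2007 .localized
 0: group:everyone deny delete
drwxr-xr-x@ 11 myUser  staff    374 Oct 31 14:16 InBox
 0: group:everyone deny delete
drwxr-xr-x@  4 myUser  staff    136 Oct 19 12:27 Out
 0: group:everyone deny delete
 1: user:myUser allow read
-rwxr-xr-x@  1 myUser  staff      0 Oct 31 08:00 Pending
 0: group:everyone deny delete
drwxr-xr-x@ 16 myUser  staff    544 Oct 31 01:33 Transfer
drwxr-xr-x   2 myUser  staff     68 Oct 31 01:33 My Stuff
 0: group:everyone deny delete'

# acl_entries_from_listing: read `ls -le` (or `ls -led path...`) output on
# stdin and print, once each, the names of entries followed by at least one
# ACE line. It keys on the ACE lines rather than on a '+' in the mode column,
# because the 10.4 listing in the question shows '@' on entries that carry an ACE.
acl_entries_from_listing() {
    awk '
        # An ACE line belongs to the most recent long-format entry.
        /^ *[0-9]+: / { if (cur != "" && !(cur in seen)) { print cur; seen[cur] = 1 }; next }
        # Long-format line: mode links owner group size mon day time name...
        # The name is everything from field 9 on (it may contain spaces).
        NF >= 9       { cur = $9; for (i = 10; i <= NF; i++) cur = cur " " $i; next }
        # "total N", blank lines and directory headers reset the context.
                      { cur = "" }
    '
}

# strip_acls_under DIR: walk the tree with find instead of chmod -R, so a file
# without an ACL is simply never handed to chmod. Symlinks are skipped because
# this chmod has no -h and would act on the link target instead.
strip_acls_under() {
    find "$1" ! -type l -exec ls -led {} + |
        acl_entries_from_listing |
        while IFS= read -r path; do
            # 10.5 and later: -N drops the whole ACL in one call.
            if chmod -N "$path" 2>/dev/null; then
                continue
            fi
            # 10.4 has no -N: delete entry 0 until no ACE line is printed.
            while ls -led "$path" | grep -q '^ *[0-9][0-9]*: '; do
                chmod -a# 0 "$path" || break
            done
        done
}

if [ $# -gt 0 ] && [ "$(uname)" = Darwin ]; then
    strip_acls_under "$1"
else
    # Off macOS, or with no directory given, just show what the parser finds.
    printf '%s\n' "$SAMPLE_LISTING" | acl_entries_from_listing
fi
```

On the Mac, run it as sudo sh strip_acls.sh ~/Desktop (the file name is assumed); with no argument, or on any other system, it only prints the entries the parser extracted from the embedded sample, which are .DS_Store, .localized, InBox, Out, Pending and My Stuff but not Transfer, because Transfer has no ACE line under it. File names containing a newline are not handled.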

Nov 2, 2007 6:40 PM in response to Midknight32

I started a related topic at

http://discussions.apple.com/thread.jspa?threadID=1209117&tstart=0

and I was hoping Apple would offer some help or post a fix. At first I thought this was a 10.4 issue that was showing up in Leopard, and this is why I called it Tiger Droppings. I used the Update install and assumed the ACLs came from my old hard drive. That was a wrong assumption, as I talked to someone on 1-Nov who did a clean install, and when he used the Disk Utility to repair permissions he was hit with all of the same ACL error messages, and the DU could not clear them.

I hope the 10.5 Development Team at Apple is working on a fix for us. So far
no word from Apple.

I tried some of the command line fixes and they may help but do not solve the
problem. We need help from Apple on this one!

Nov 3, 2007 7:52 AM in response to ruebezahl

I DID read the man page....

No "-N" option in there..

--- if that works it's good to know.....

CHMOD(1) BSD General Commands Manual CHMOD(1)

NAME
chmod -- change file modes or Access Control Lists

SYNOPSIS
chmod [-fv] [-R [-H | -L | -P]] mode file ...
chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file ...
chmod [-fv] [-R [-H | -L | -P]] [-E] file ...
chmod [-fv] [-R [-H | -L | -P]] [-C] file ...

DESCRIPTION
The chmod utility modifies the file mode bits of the listed files as specified by the mode operand. It
may also be used to modify the Access Control Lists (ACLs) associated with the listed files.

The generic options are as follows:

-H If the -R option is specified, symbolic links on the command line are followed. (Symbolic
links encountered in the tree traversal are not followed by default.)

-L If the -R option is specified, all symbolic links are followed.

-P If the -R option is specified, no symbolic links are followed. This is the default.

-R Change the modes of the file hierarchies rooted in the files instead of just the files themselves.

-f Do not display a diagnostic message if chmod could not modify the mode for file.

-v Cause chmod to be verbose, showing filenames as the mode is modified. If the -v flag is specified
more than once, the old and new modes of the file will also be printed, in both octal and
symbolic notation.

The -H, -L and -P options are ignored unless the -R option is specified. In addition, these options
override each other and the command's actions are determined by the last one specified.

Only the owner of a file or the super-user is permitted to change the mode of a file.

DIAGNOSTICS
The chmod utility exits 0 on success, and >0 if an error occurs.

MODES
Modes may be absolute or symbolic. An absolute mode is an octal number constructed from the sum of one
or more of the following values:

4000 (the set-user-ID-on-execution bit) Executable files with this bit set will run with
effective uid set to the uid of the file owner. Directories with the set-user-id bit set
will force all files and sub-directories created in them to be owned by the directory
owner and not by the uid of the creating process, if the underlying file system supports
this feature: see chmod(2) and the suiddir option to mount(8).
2000 (the set-group-ID-on-execution bit) Executable files with this bit set will run with
effective gid set to the gid of the file owner.
1000 (the sticky bit) See chmod(2) and sticky(8).
0400 Allow read by owner.
0200 Allow write by owner.
0100 For files, allow execution by owner. For directories, allow the owner to search in the
directory.
0040 Allow read by group members.
0020 Allow write by group members.
0010 For files, allow execution by group members. For directories, allow group members to
search in the directory.
0004 Allow read by others.
0002 Allow write by others.
0001 For files, allow execution by others. For directories allow others to search in the
directory.

For example, the absolute mode that permits read, write and execute by the owner, read and execute by
group members, read and execute by others, and no set-uid or set-gid behaviour is 755
(400+200+100+040+010+004+001).

The symbolic mode is described by the following grammar:

mode ::= clause [, clause ...]
clause ::= [who ...] [action ...] action
action ::= op [perm ...]
who ::= a | u | g | o
op ::= + | - | =
perm ::= r | s | t | w | x | X | u | g | o

The who symbols ``u'', ``g'', and ``o'' specify the user, group, and other parts of the mode bits,
respectively. The who symbol ``a'' is equivalent to ``ugo''.

The perm symbols represent the portions of the mode bits as follows:

r The read bits.
s The set-user-ID-on-execution and set-group-ID-on-execution bits.
t The sticky bit.
w The write bits.
x The execute/search bits.
X The execute/search bits if the file is a directory or any of the execute/search bits are
set in the original (unmodified) mode. Operations with the perm symbol ``X'' are only
meaningful in conjunction with the op symbol ``+'', and are ignored in all other cases.
u The user permission bits in the original mode of the file.
g The group permission bits in the original mode of the file.
o The other permission bits in the original mode of the file.

The op symbols represent the operation performed, as follows:

+ If no value is supplied for perm, the ``+'' operation has no effect. If no value is supplied for
who, each permission bit specified in perm, for which the corresponding bit in the file mode
creation mask is clear, is set. Otherwise, the mode bits represented by the specified who and perm
values are set.

- If no value is supplied for perm, the ``-'' operation has no effect. If no value is supplied for
who, each permission bit specified in perm, for which the corresponding bit in the file mode
creation mask is clear, is cleared. Otherwise, the mode bits represented by the specified who and
perm values are cleared.

= The mode bits specified by the who value are cleared, or, if no who value is specified, the
owner, group and other mode bits are cleared. Then, if no value is supplied for who, each
permission bit specified in perm, for which the corresponding bit in the file mode creation mask is
clear, is set. Otherwise, the mode bits represented by the specified who and perm values are
set.

Each clause specifies one or more operations to be performed on the mode bits, and each operation is
applied to the mode bits in the order specified.

Operations upon the other permissions only (specified by the symbol ``o'' by itself), in combination
with the perm symbols ``s'' or ``t'', are ignored.

EXAMPLES OF VALID MODES
644 make a file readable by anyone and writable by the owner only.

go-w deny write permission to group and others.

=rw,+X set the read and write permissions to the usual defaults, but retain any execute permissions
that are currently set.

+X make a directory or file searchable/executable by everyone if it is already searchable/executable
by anyone.

755
u=rwx,go=rx
u=rwx,go=u-w make a file readable/executable by everyone and writable by the owner only.

go= clear all mode bits for group and others.

g=u-w set the group bits equal to the user bits, but clear the group write bit.

ACL MANIPULATION OPTIONS
ACLs are manipulated using extensions to the symbolic mode grammar. Each file has one ACL, containing
an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of
permissions.

The following permissions are applicable to all filesystem objects:
delete Delete the item. Deletion may be granted by either this permission on an object or the
delete_child right on the containing directory.
readattr
Read an object's basic attributes. This is implicitly granted if the object can be looked
up and not explicitly denied.
writeattr
Write an object's basic attributes.
readextattr
Read extended attributes.
writeextattr
Write extended attributes.
readsecurity
Read an object's extended security information (ACL).
writesecurity
Write an object's security information (ownership, mode, ACL).
chown Change an object's ownership.

The following permissions are applicable to directories:
list List entries.
search Look up files by name.
add_file
Add a file.
add_subdirectory
Add a subdirectory.
delete_child
Delete a contained object. See the file delete permission above.

The following permissions are applicable to non-directory filesystem objects:
read Open for reading.
write Open for writing.
append Open for writing, but in a fashion that only allows writes into areas of the file not
previously written.
execute
Execute the file as a script or program.

ACL inheritance is controlled with the following permissions words, which may only be applied to
directories:
file_inherit
Inherit to files.
directory_inherit
Inherit to directories.
limit_inherit
This flag is only relevant to entries inherited by subdirectories; it causes the
directory_inherit flag to be cleared in the entry that is inherited, preventing further nested
subdirectories from also inheriting the entry.
only_inherit
The entry is inherited by created items but not considered when processing the ACL.

The ACL manipulation options are as follows:

+a The +a mode parses a new ACL entry from the next argument on the commandline and inserts it
into the canonical location in the ACL. If the supplied entry refers to an identity already
listed, the two entries are combined.

Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write
# chmod +a "guest deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a "admin allow delete" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete

The +a mode strives to maintain correct canonical form for the ACL.
local deny
local allow
inherited deny
inherited allow

By default, chmod adds entries to the top of the local deny and local allow lists. Inherited
entries are added by using the +ai mode.

Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
# chmod +ai "others allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security

+a# When a specific ordering is required, the exact location at which an entry will be inserted is
specified with the +a# mode.

Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a# 2 "others deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: others deny read
3: admin allow write

The +ai# mode may be used to insert inherited entries at a specific location. Note that these
modes allow non-canonical ACL ordering to be constructed.

-a The -a mode is used to delete ACL entries. All entries exactly matching the supplied entry will
be deleted. If the entry lists a subset of rights granted by an entry, only the rights listed
are removed. Entries may also be deleted by index using the -a# mode.

Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
# chmod -a# 1 file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,delete
# chmod -a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete

Inheritance is not considered when processing the -a mode; rights and entries will be removed
regardless of their inherited state.

=a# Individual entries are rewritten using the =a# mode.

Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
# chmod =a# 1 "admin allow write,chown"
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,chown

This mode may not be used to add new entries.

-E Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If
the information parses correctly, the existing information is replaced.

-C Returns false if any of the named files have ACLs in non-canonical order.

-i Removes the 'inherited' bit from all entries in the named file(s) ACLs.

-I Removes all inherited entries from the named file(s) ACL(s).

COMPATIBILITY
The -v option is non-standard and its use in scripts is not recommended.

SEE ALSO
chflags(1), install(1), chmod(2), stat(2), umask(2), fts(3), setmode(3), symlink(7), chown(8),
mount(8), sticky(8)

STANDARDS
The chmod utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compatible with the exception of the
perm symbol ``t'' which is not included in that standard.

HISTORY
A chmod command appeared in Version 1 AT&T UNIX.

BSD July 08, 2004 BSD

Nov 3, 2007 8:05 AM in response to Midknight32

your man page seems to be different?



-E Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If the information
parses correctly, the existing information is replaced.

-C Returns false if any of the named files have ACLs in non-canonical order.

-i Removes the 'inherited' bit from all entries in the named file(s) ACLs.

-I Removes all inherited entries from the named file(s) ACL(s).

*-N Removes the ACL from the named file(s).*

COMPATIBILITY
The -v option is non-standard and its use in scripts is not recommended.

SEE ALSO
chflags(1), fsaclctl(1), install(1), chmod(2), stat(2), umask(2), fts(3), setmode(3), symlink(7), chown(8), mount(8),

Nov 3, 2007 10:09 AM in response to aRKay

Check out my posting at

http://discussions.apple.com/thread.jspa?threadID=1209117&tstart=0

where I said:

There is a fix for the Repair Permissions/ACL errors problem! The Friday, 11/2/07 11:56 PM www.xlr8yourmac.com update listed a utility called Mac Pilot 2.3.7. Another user sent me a note that he used Mac Pilot and it cleared his ACL errors. I downloaded Mac Pilot and went to the "Tools" icon in the menu bar, selected "Disk & Files" and then clicked on the button that says "Wipe Access Control List Data." Mac Pilot did its thing for what seemed like forever, but it worked. As a test I ran Disk Utility/Verify Disk Permissions and received the "Permissions verification complete" message with no errors.

Nov 3, 2007 1:52 PM in response to aRKay

"I downloaded Mac Pilot and went to the "Tools" icon in the menu bar, selected "Disk & Files" and then clicked on the button that says "Wipe Access Control List Data." Mac Pilot did its thing for what seemed like forever, but it worked."

How long was "forever"? I started it about 6 hours ago and it's still running, using about 80-90% of the CPU.

Did you select the entire drive or just your user/library folders as the target? I selected the entire drive. Mebbe a mistake?

Pete in OKC

Nov 3, 2007 2:03 PM in response to Community User

How long was "forever"? I started it about 6 hours ago and
it's still running, using about 80-90% of the CPU.


Pete, mine ran for over an hour. Apple, and every beta tester, should be ashamed of releasing OS X 10.5 with the weird permissions issue(s).

I just tried to install an HP drive and picked up some more ACLs. Used Mac Pilot to clear the Library folder and it only took a few minutes.

The problem is not fixed we just have a workaround until Apple offers some help.

Nov 3, 2007 3:07 PM in response to Midknight32

What is the date at the end of your chmod man page?

mine ends:

-N Removes the ACL from the named file(s).

COMPATIBILITY
The -v option is non-standard and its use in scripts is not recommended.

SEE ALSO
chflags(1), fsaclctl(1), install(1), chmod(2), stat(2), umask(2), fts(3), setmode(3), symlink(7), chown(8), mount(8), sticky(8)

STANDARDS
The chmod utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compatible with the exception of the perm symbol ``t'' which is not included in that standard.

HISTORY
A chmod command appeared in Version 1 AT&T UNIX.

BSD July 08, 2004 BSD

Nov 3, 2007 3:34 PM in response to aRKay

I stopped the process, then selected only the Library folders in both users and system. MacPilot ran for under 30 minutes for each Library, and then I ran Repair Permissions. All the ACL alerts were gone; however, this message remained:

Warning: SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" has been modified and will not be repaired.

I guess we'll have to wait for Apple for this one.

Thanks for the tip on Mac Pilot.
