Reset Home Folder Permissions To Default

You'll discover a number of people have very different opinions on these issues. Personally, I removed the "everyone:deny delete" ACLs from my home folder and its contents in both my regular account and my test account, and created a second test account "just as Apple makes it" in case I ever need it. I find the "everyone deny delete" ACL entry far more annoying than helpful. I recognize that ACLs can be useful, and do use special Access Control on a couple of things--but the entries are ones I chose for my reasons.

As far as I can tell the "deny delete" entries exist solely to keep inexperienced users from accidently destroying their picture, music, etc, files by trashing a directory. If neither you nor your wife are prone to throwing away entire directories and immediately emptying the trash, I wouldn't worry about it. OS X has existed for YEARS without the ACL entry for deny delete, and I personally have never lost a thing. If you do a nightly backup I wouldn't worry about it. If you are happy with the way things are working now I would suggest leaving well enough alone.

You can always set persmissions in your home folder and its contents to anything your heart desires. The easiest way to do so is, I think, to use the Terminal. The commands are simple enough, and I find it actually less confusing than the new Finder GUI for tinkering with them. But that may be just my own personal experience. I'm easily confused by some things.
Francine


Francine
Schwieder

you can reset the ACLs on your home folder by the following series of terminal commands. It's up to you if you want to do that. I personally like them but I hate the way the ACLs are implemented in leopard so that many ACLs are invisible from GUI and yet can be propagated by using "apply to enclosed items" button. That's a major No-No in my book.


Here are the commands (in bold). just copy and paste the commands (they are in bold).

*chmod -R -N ~*

this removes all ACLs from files in the home directory.

The following two commands put the necessary ACLs back where they belong.

*chmod +a "everyone deny delete" ~/ ~/Desktop ~/Documents ~/Downloads ~/Library ~/Movies ~/Music ~/Pictures ~/Public ~/Sites*

*chmod +a "`id -un` allow list,add file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr, writeextattr,readsecurity,writesecurity,chown,file_inherit,directoryinherit" ~/Public/Drop\ Box*

to add to my previous post, you can reset read+write permissions and the ACLs on system created folders in your home directory from the password utility on the leopard install DVD. However, that won't touch your own files so you should run the commands in my previous post afterwards.
Also, there is abug in that utility which changes group on those folders to wheel (to which you don't even belong).

Therefore, if you use that utility, run

*chgrp -R `id -gn` ~*

to reset the group on everything in your home folder.

there is abug in that utility which changes group on those folders to wheel

No kidding??? Wow! The nightmare continues.... Thanks for including that rather crucial piece of information. I don't think I have recommended that anyone do that, since I don't really believe in the default state, but I do see others recommend it. It's nice to know exactly what can go wrong (I didn't know something so grossly incorrect would happen. And, WOW, again.)
Francine


Francine
Schwieder

yep, I was quite surprised when I noticed this but it happens on all my leopard DVDs and others have confirmed it too. It may have been fixed in later versions of leopard DVDs (mine came with 10.5.0 and 10.5.1) but I have no way of checking that.

Just in case it wasn't clear, you'll need to boot form your Install DVD and launch "Password Reset Utility" to reset a Home folder permissions, though some files/folders may need manually adjusted..

http://docs.info.apple.com/article.html?artnum=25751

=====
Does Disk Utility check permissions on all files?

No. Files that aren't installed as part of an Apple-originated installer package are not listed in a receipt and therefore are not checked. For example, if you install an application using a non-Apple installer application, or by copying it from a disk image, network volume, or other disk instead of installing it via Installer, a receipt file isn't created. This is expected. Some applications are designed to be installed in one of those ways.

Also, certain files whose permissions can be changed during normal usage without affecting their function are intentionally not checked.

Tip: If you remove receipts from /Library/Receipts/, the files installed by those packages cannot be verified or repaired, which is why you shouldn't delete things from /Library/Receipts/ . See Disk Utility shows a "No Valid Packages" alert.

Mac OS X 10.5 Leopard note: While started from the Leopard Install DVD, a user's home directory permissions can be reset using the "Reset Password" utility.

you are basically correct. The only exception is the second command which sets the ACLs on your Drop Box. Drop Box will not function correctly without those ACLs. other than that, you can do as you like. you can do as Francine did and strip off those deny delete ACLs or you can add them back in for extra protection.

new-2-macs wrote:
Thank you Francine and V.K.!

You are welcome!

I find the Drop Box less useful than a folder I created in the Shared folder, and ran a custom set of ACLs on. Anything I drop in that folder can be accessed by any user on the computer, they can edit and save their edits to the files, they can delete and create folders, and so on. Just as if the stuff belonged to them. I called the folder "readwrite" and ran these two commands from Terminal:

chmod +a "staff allow write,append,writeattr,writeextattr,file inherit,directoryinherit" /Users/Shared/readwrite

chmod +a "staff allow add file,add_subdirectory,delete_child,writeattr,writeextattr,directoryinherit" /Users/Shared/readwrite

Perhaps V.K. would know how to accomplish all that in one fell swoop, but I couldn't get a single command to work. BTW, I was VERY relieved when V.K. showed up and began answering these sorts of questions, because while I can thrash around and get things to work, I never really wanted to know all the ins and outs of permissions, and until Leopard showed up I never had to. At first it seemed like no one wanted to handle this stuff so I felt I had to. Then V.K. appeared, riding to rescue. Thankfully!
Francine


Francine
Schwieder

Since Mac is basically a UNIX system it means you can do many things not available in the GUI interface. My example above is one of them. You can use the GetInfo interface for some things, such as changing the owner/group of an item and the basic read/write permissions. You can even add a basic ACL, and apply same to everything (which actually has seemed to lead to more people getting themselves into trouble than anything else). You can do even more with ACLs in the System Preferences->Sharing pane. But the trick with the Terminal command, of getting everything added to the folder to inherit the permissions, well, I don't think you can accomplish it any other way. Also, you don't have to root thru several different places using different methods to accomplish your goal. Everything you could need to do is right there--you just issue the commands.

If you are using the default Terminal shell, which is bash, any UNIX book about the bash shell will get you up to speed. Apple has added some special goodies of their own. AFAIK they never make any general announcement of this, I depend on other folks discovering and writing about them. For instance, one new command is "dot_clean" for getting rid of the ._files with which Macs litter UNIX and Windows servers, to everyone's annoyance. I heard about it here in Discussions, then saw it discussed in the UNIX section of MacWorld. One excellent place to start getting familiar with the Terminal and basic UNIX concepts is here:

http://www.osxfaq.com/Tutorials/LearningCenter/index.ws

One VERY nice thing about this all is that sooner or later anything available in Linux is available to the Mac. If you get a little sophisticated and install Developer Tools you can even download open source code and compile it yourself (even I did that once, just to see if I could). But things you are likely to be interested in are generally already available. The GIMP for instance--a free open source graphics program pretty much as powerful as Photoshop. That one is even available in several different flavors, from straight ahead X11-running-purity, to a version compiled and tinkered with to run in the Mac GUI and behave more like a Mac program.
Francine


Francine
Schwieder

To remove all ACL entries

sudo chmod -R -N FOLDERNAME
replace FOLDERNAME with the appropriate path
REMOVES ALL ACLS in the path.
-----------------------------------
To remove all ACL entries on a single folder

sudo chmod -N FOLDERNAME
replace FOLDERNAME with the appropriate path
----------------------------------------------
- REMOVING, ADDING OR CHANGING SINGLE ACL ENTRIES -

To remove this access control entry from individual files, type:

sudo chmod -a "everyone deny delete" FILENAME

For entire directories, replace FOLDERNAME with the appropriate path:

sudo chmod -R -a "everyone deny delete" FOLDERNAME
-----------------------------------------------
- REMOVING, ADDING OR CHANGING SINGLE ACL ENTRIES -

To add this access control entry from individual files, type:

sudo chmod +a "everyone deny delete" FILENAME

For entire directories, replace FOLDERNAME with the appropriate path:

sudo chmod -R +a "everyone deny delete" FOLDERNAME
---------------------------------------------------------------
Note - shared and public folders may require different permission settings
---------------------------------------------------------------
A FREE GUI TOOL THAT MIGHT HELP IS "SANDBOX"
http://www.mikey-san.net/sandbox/Sandbox22beta6.dmg

It's in Beta stage right now for leopard, but it seems to work pretty well.

Documentation for Leo ACL's can be found in Apple's Leo Server Docs section

I suggest reading them first before fiddling with ACL's.
http://images.apple.com/server/macosx/docs/CommandLine_Adminv10.5.pdf
http://images.apple.com/server/macosx/docs/FileServices_Adminv10.5.pdf

Mac OS X Server propagates ACL permissions at two well-defined times:
1. By the kernel at file or folder creation time—when you create a file or folder, the
kernel determines what permissions the file or folder inherits from its parent folder.
2. When initiated by administrator tools—for example, when using the Propagate
Permissions option in Server Admin.

So far I haven't been able to duplicate #2 in the standard leo version, but there is a less than ideal workaround of sorts:

Create another small Leo partition and use that to copy files to. Select the "Ignore ownership on this volume" box to share files.

There is an app called FileExaminer (a GUI) which only changes Posix permissions when you select "copy to enclosed" unlike finder which unwittingly copies ACL's along with the Posix permissions when that option is selected.

In closing, if your modifications fixed your sharing problems, then don't worry unless you think they may pose a security issue. That is the main reason Apple sets things the way they set them, is mostly because of security concerns (usually from the internet).

I myself use my computer (Desktop) mostly for website development purposes, so it would be a real pain in the rear to "try" to maintain security and usability at the same time, so I set up two (cascading) hardware firewalls between me and the internet so I wouldn't be driven insane trying to strike a balance between security and usability. I only have to worry about securing my lan connection which is a whole lot easier and can be done usually with just posix permissions and passwords and occasionally ACL's.

Kj