User profile for user: nikisweeting
nikisweeting Author
User level: Level 1
12 points

iCloud Recovery Contacts can't be read or modified when home directory is located on external drive

  • macOS Version: Sonoma 14.6.1 (23G93)
  • Hardware: M1 Mac Studio
  • Other context: SIP disabled, home folder located at /Volumes/NVME/Users/squash


If your home directory is located on an external drive, it appears a sandboxing issue prevents appleaccountd from writing files to ~/Library/com.apple.appleaccountd.


This leads to a number of issues, including:

  • getting constant UI notifications to "Update your recovery contacts"
  • System Settings > iCloud > Advanced Data Protection > Account Recovery > Set Up... pane fails to load existing recovery contacts and doesn't let you add new ones "Unable to Add Recovery Contact"
  • Lots of permissions errors in Console.app whenever you do try to change recovery contacts (see below)


Failed to save record <redacted> with error: Error Domain=NSCocoaErrorDomain Code=513 "You don’t have permission to save the file “<redacted>” in the folder “CustodianRecord”." UserInfo={NSURL=file:///Volumes/NVME/Users/squash/Library/com.apple.appleaccountd/CustodianRecord/<redacted>, NSUserStringVariant=Folder, NSUnderlyingError=0x121b0d8d0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}
Error adding record to LocalCache: Error Domain=NSCocoaErrorDomain Code=513 "You don’t have permission to save the file “<redacted>” in the folder “CustodianRecord”." UserInfo={NSURL=file:///Volumes/NVME/Users/squash/Library/com.apple.appleaccountd/CustodianRecord/<redacted>, NSUserStringVariant=Folder, NSUnderlyingError=0x12180d770 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}
Failed to delete <redacted> with error: Error Domain=AACustodianErrors Code=-7003 "(null)"


It seems it's able to create the folder structure in ~/Library/com.apple.appleaccountd but when it tries to write/delete any files it fails with a 513 permissions/sandbox error.


The entitlements on /usr/libexec/appleaccountd show that it should have write permissions to that dir:

<key>com.apple.security.exception.files.home-relative-path.read-write</key>
<array>
  <string>/Library/com.apple.appleaccountd/</string></array> ...


So I think it's a bug related to how that entitlement is handled for certain atomic writes when the User's home folder is on an external volume. Maybe the same underlying cause as this issue:

https://github.com/swiftlang/swift-package-manager/issues/6948#issuecomment-1747196926


I tried disabling SIP + giving the appleaccountd, AppleIDSettings, and cloudd binaries "Full Disk Access" in System Settings as a hack to give them write access with no luck.



Does anyone know how to fix this or how to temporarily run appleaccountd with no quarantine/MAC/entitlement restrictions?

Mac Studio

Posted on Aug 15, 2024 7:44 PM

Reply
5 replies
User profile for user: steve626
steve626
User level: Level 6
14,229 points

Aug 17, 2024 8:30 PM in response to nikisweeting

nikisweeting wrote:

Home directories on external drives have been supported for over a decade

I don't believe that is entirely true. In the past, having the home directories on external drives appeared to work, but I do not believe that Apple formally supports it. Most recently, it can be made to work partially but some behaviors are wrong.


In particular, some iCloud functionality doesn't work in that configuration, in particular the recovery key, which you have discovered on your own. And creating a shared folder as well. Also performing System updates can cause it to stop working when the user home folder is on a drive different from the System. Some third party software will never work with that setup. Getting the permissions right might be a never ending project ...


In Advanced Options under Users and Groups, Apple provides guidance on renaming the user home directory ... and also warns "Changing these settings may damage this account and prevent the user from logging on."

Reply
User profile for user: leroydouglas
leroydouglas
User level: Level 10
199,656 points

Aug 16, 2024 5:19 PM in response to nikisweeting

nikisweeting wrote:

iCloud Recovery Contacts can't be read or modified when home directory is located on external drive

• macOS Version: Sonoma 14.6.1 (23G93)
• Hardware: M1 Mac Studio
• Other context: SIP disabled, home folder located at /Volumes/NVME/Users/squash

If your home directory is located on an external drive, it appears a sandboxing issue prevents appleaccountd from writing files to• ~/Library/com.apple.appleaccountd.
....

Does anyone know how to fix this or how to temporarily run appleaccountd with no quarantine/MAC/entitlement restrictions?



I do not think it is ever advisable to move your home directory to an external drive without creating untold complications.



To be proactive you can file a bug report / submit your Apple Feedback here: Product Feedback - Apple



Reply
User profile for user: etresoft
etresoft
User level: Level 9
56,846 points

Aug 16, 2024 5:31 PM in response to nikisweeting

Since you've already hacked around with SIP and changing permissions, all bets are off. No one on the planet can tell you what is going to happen or why it's broken or how to fix it.


This could have been caused by having permissions disabled on the external volume. That's the default setting but it needs to be changed to having permissions enabled if you are using it for a home directory. But as I mentioned about, there's no way to test this. If you change the permissions setting and it now works perfectly, then great - it's fixed. But if you change permissions setting and it still doesn't work, that means nothing. You may have broken it with the SIP changes and can't fix it now. If this is the case you'll need to wipe the drive and start over.


In the future, don't shortchange yourself. Apple really doesn't support things like external boot volumes or moving home directories. Yes, yes, yes. I know how expensive Apple SSDs are. It's a Mac. It's a status device. If you truly need 1 TB of storage in your home directory, then you'll need to pay for it.

Reply
User profile for user: etresoft
etresoft
User level: Level 9
56,846 points

Aug 17, 2024 6:09 PM in response to nikisweeting

nikisweeting wrote:

I disabled SIP *after* this happened (to verify it wasn't causing this), it's always been enabled before. Permissions have always been enabled on the external drive.

It doesn't matter. If you disable SIP and change permissions, the drive is toast. No one, not inside Apple or elsewhere, knows how the system will react. Erase the entire disk and reinstall the operating system. This is your only option.

Home directories on external drives have been supported for over a decade

Not anymore.

Reply
User profile for user: nikisweeting
nikisweeting Author
User level: Level 1
12 points

Aug 17, 2024 1:02 PM in response to etresoft

I disabled SIP *after* this happened (to verify it wasn't causing this), it's always been enabled before. Permissions have always been enabled on the external drive.


Home directories on external drives have been supported for over a decade, and the entitlements system specifically supports home directories anywhere, that's why paths in entitlements are always relative to home dir location.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

iCloud Recovery Contacts can't be read or modified when home directory is located on external drive

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up