
Tags showing up in another user account as aliases

We have two user accounts on my 2007 iMac running Mavericks, one for me and the other for my wife.


I have gone through tagging a lot of my own personal files/folders that are in the "Documents" folder in my account, for example "Money" tag. When my wife signs into her account, and she tags her own files with "Money", she clicks on the tag "Money" in her Finder under her account, and all of my own files show up here! Though not accessible, but as aliases - because if you try and open them it'll tell you to fix or delete the alias due to a "broken link/file".


Is anyone else having this issue? Surely this is a serious issue with privacy. Not that my wife and I hide anything from each other, but this surely is not what a lot of people will be wanting. Please fix this!

iMac, Mac OS X (10.7.3)

Posted on Oct 24, 2013 5:57 PM

38 replies

Nov 21, 2013 4:28 AM in response to Nijntje

No, I want you to check the ACLs on your Home folders. I have seen what Andy describes on a test Mac. That could be the cause.

Copy/paste the following into Terminal.

ls -del ~/

It will list all the folders in the root of your Home directory with any ACLs. If it does have the ACE to allow _spotlight access, that is likely how it is showing the information from the other users.

Nov 22, 2013 3:10 PM in response to Barney-15E

I'm also seeing this problem. If one user creates a tag "Foo" and tags 10 files with it, other users on the same machine will see the tag "Foo" in the Finder, and will be able to see the names and other information about the 10 files. This is despite the fact that the file permissions have been locked down so as not to allow access to these files by other users.


Here's what I get when I check the ACLs.


Andrews-Computer:~ andrew$ ls -del ~/
drwxr-xr-x@ 97 andrew staff 3298 Nov 19 13:36 /Users/andrew/
 0: group:everyone deny delete
 1: user:_spotlight inherited allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
Andrews-Computer:~ andrew$


I'm guessing that tags are pretty much a hack and that Apple just throws everything into a global database. That would really be a shame if it's true. Hopefully Apple will fix it.

Nov 23, 2013 2:31 PM in response to Barney-15E

Okay, did that. We'll see if it works long term.


Possibly related question: what's the role of the _spotlight user? It shows up with read permissions on some files/folders, but not all. Should I be deleting those permissions from files/folders that I don't want to be visible globally? I do still want files/folders to be indexed, but I want the indexes to respect permissions, so a spotlight search from one account shouldn't show items from other accounts that have their permissions locked down.

Nov 23, 2013 6:44 PM in response to Andrew Shalit

I have no idea why they are appearing for various files and folders, but I have only seen it happen on migrated accounts. I don't think it is supposed to be there.


As to the spotlight user, there are many "users" in Unix. They each perform functions with very limited permissions, just enough to get the job done, but no more. The spotlight user handles Spotlight search requests.

Nov 25, 2013 8:18 AM in response to Andrew Shalit

So far the Onyx fix is mostly working. I've just found one case where information leaks out via tags.


I have an external hard disk with the following permissions:

  • User A: Read & Write
  • system: Read & Write
  • wheel: Read & Write
  • everyone: No Access


The individual items on the hard disk have similar permissions. None of the items allow access by "everyone" or by User B.


When I log in as User B I can't in general access any items on the hard disk. That's correct. However, when I view the standard system tags in the Finder (Red, Orange, etc), the listing of tagged items includes files and folders from the external drive. These are files and folders that are owned by User A and that User B shouldn't know anything about.


This only happens for the built-in tags, and it only happens on this external drive. Not a show stopper, but it would be nice to fix it, too.

Nov 25, 2013 8:26 PM in response to Barney-15E

Andrews-Computer:~ assets$ ls -ale /Volumes/Assets
total 48
drwxrwx---+ 11 root wheel 442 Nov 15 15:14 .
 0: user:assets allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxrwxrwt@ 4 root admin 136 Nov 25 23:14 ..
 0: group:everyone deny add_file,add_subdirectory,directory_inherit,only_inherit
-rw-r--r--@ 1 assets staff 21508 Nov 25 16:56 .DS_Store
d--x--x--x 7 root wheel 238 Nov 25 23:14 .DocumentRevisions-V100
drwx------ 5 assets staff 170 Nov 15 13:23 .Spotlight-V100
drwxrwxrwt@ 4 root wheel 136 Nov 20 21:01 .TemporaryItems
d-wx-wx-wt 2 assets staff 68 Nov 25 17:10 .Trashes
drwx------ 87 assets staff 2958 Nov 25 17:10 .fseventsd
drwx------@ 28 assets wheel 952 Nov 25 16:54 All Documents
Andrews-Computer:~ assets$


How does this tell us whether the Spotlight ACL has been added?


(Thanks very much for the help, too.)

Nov 25, 2013 8:35 PM in response to Andrew Shalit

How does this tell us whether the Spotlight ACL has been added?


(Thanks very much for the help, too.)

No, it doesn't have the spotlight ACL.

Any user that is part of the wheel group can read and write to the root of Assets. However, only user assets can see inside the All Documents folder. So, user B should not be able to see what is in there.


So, at this point, I don't know why that happens with the Tags. I'll have to experiment after the holidays and see if I can replicate that.
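
Added example, not part of any post in this thread: a shell function that reads `ls -le` style output, like the two listings posted above, and reports every entry that carries an allow ACE for `user:_spotlight`. The function names are hypothetical and the embedded samples are excerpts copied from the listings in this thread.

```shell
#!/bin/sh
# Added example. Reads `ls -le` / `ls -led` output on stdin and prints
# "<name><TAB><ACE>" for every entry with an allow ACE for user:_spotlight.
# Exit status: 0 if at least one such ACE was found, 1 otherwise.
find_spotlight_aces() {
    awk '
        # ACL entry line, e.g. " 1: user:_spotlight inherited allow list,search"
        /^[ \t]*[0-9]+:[ \t]/ {
            ace = $0
            sub(/^[ \t]*[0-9]+:[ \t]*/, "", ace)
            split(ace, f)                       # f[1] = principal
            kind = (f[2] == "inherited") ? f[3] : f[2]
            if (f[1] == "user:_spotlight" && kind == "allow") {
                printf "%s\t%s\n", name, ace
                found++
            }
            next
        }
        # File entry line: mode string first, name after the 8th field.
        /^[-dlbcps][-rwxsStT]+[@+]?[ \t]/ {
            name = $0
            for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+/, "", name)
            sub(/^[ \t]+/, "", name)
        }
        END { exit (found ? 0 : 1) }
    '
}

# Sample input: excerpt of the home-folder listing posted in the thread.
sample_home() { cat <<'EOF'
drwxr-xr-x@ 97 andrew staff 3298 Nov 19 13:36 /Users/andrew/
 0: group:everyone deny delete
 1: user:_spotlight inherited allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
EOF
}

# Sample input: excerpt of the external-drive listing (no _spotlight ACE).
sample_assets() { cat <<'EOF'
drwxrwx---+ 11 root wheel 442 Nov 15 15:14 .
 0: user:assets allow list,add_file,search,add_subdirectory,delete_child
drwx------@ 28 assets wheel 952 Nov 25 16:54 All Documents
EOF
}

sample_home | find_spotlight_aces || true
```

On a Mac, pipe a real listing in instead of the samples, for example `ls -led ~/ ~/* | find_spotlight_aces`.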
