1:16 PM - Fixing Leopard permissions problems with ACLs
From Cyrus Shafai:
I have fixed the Leopard permissions problem for my iMac!! It is caused by the ACL permissions issue that a few people have mentioned, and it is an easy fix. It is not a solution, as the problem is caused by Leopard, but it appears easy to fix when it happens.
1. What creates the problem?
You can see it in action by creating a new user account (admin access) and creating some dummy files in it. Try to change the names of these files, and no problem, you can do so easily. Now go up one directory level to your user folder and open a Get Info window on the new account you just made. You will see several users in the permission section, most likely "user", "staff", and "everyone".
Now use Get Info to apply a permission change to this new user account. For example, change the permission for "everyone" to Read Only. Then select "apply to enclosed items". Now go back to your home directory and try to change the file name of items in that account, and you will find you can't. Do a Get Info on one of the files and in the permission section it says "You have custom access", instead of "You have read and write access".
You can also easily create the problem from the Terminal window, instead of the Get Info window. For example, go to your users folder using the Terminal application, and type the following in the terminal window.
chmod -R =rw,+X username
This will force Leopard to set the read and write permissions to the usual default to your user folder and to all files/folders recursively (this is what the -R is for) in your user folder (the +X will retain any execute permissions that are currently set). After doing this you will again create the problem.
2. What causes the problem?
Run the Terminal application (you should be in your home directory) and type:
ls -le
This will list all your files and folders in your home directory, along with the ACL extensions to the file permissions. On my machine I get, under each "permission affected" file or folder, the following additional information.
0: group:everyone deny delete
So this "everyone" person is not allowed to delete any files (or rename them). And this "everyone" person is a "group" that includes EVERYONE including the user as well. Thus, since "everyone" can't change files, neither can the user. This part is confusing at first to realize what is going on since in Unix terminology normally "everyone" only refers to the outside world, and not the user himself. I believe Apple tried to use the ACL extension to prevent certain files/folders that Leopard would not want the user to rename/delete (i.e. Pictures directory), but for some reason Leopard is applying this to all files, folders, and contents of folders.
3. The solution
The solution is simple. Remove this ACL condition for all files or folders in your home directory.
3a. You typically can easily do this from the user folder level in Terminal, since the affected account also has the same ACL condition applied to it. Type ls -le to see if this condition is present for the affected user folder account itself. If it is, then all you have to do is type:
chmod -R -a# 0 username
This will remove the ACL condition (numbered 0) from the user account folder, and all files or folders in it (the -R condition causes this recursive fix of all contents of all folders).
3b. You may not be able to do this from the user folder level in Terminal if the user folder itself does not have this ACL condition. In this case, simply go to your home directory in Terminal, and fix each file or folder within your home directory individually, and do this recursively to all contents of folders so you don't have to do it for the contents of the folders in your home directory. Type ls -le, and find which files/folders are affected, and for each affected file/folder type the following to remove their ACL condition:
chmod -R -a# 0 file_or_folder_name
After doing this, if you type "ls -le" in the Terminal window you will see that the ACL condition is gone from every fixed file or folder. Also, if you do a Get Info in Finder on any fixed file/folder you will see in the permission section the phrase "You can read and write".
Should the permission problem be fixed this way by canceling the ACL conditions, I am not sure. But it is now fixed on my machine (not solved, but fixed) and I again have full access to all my files.
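An added example, not part of the original report: chmod -a# N removes whichever ACL entry sits at index N, so this filter reads ls -le output and reports only the items that really carry the "group:everyone deny delete" entry, together with that entry's actual index. The function name deny_delete_entries and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which items in an `ls -le` listing carry the
# "group:everyone deny delete" ACL entry, and at which index.

# Reads `ls -le` output on stdin; prints "<index><TAB><name>" per match.
# Limitation: the name is taken from the 9th column on, so an owner or
# group name containing spaces would shift the columns.
deny_delete_entries() {
    awk '
        /^total / { next }
        # ACL lines are indented: " 0: group:everyone deny delete"
        /^ +[0-9]+: / {
            ace = $0
            sub(/^ +/, "", ace)
            idx = ace; sub(/:.*/, "", idx)      # entry number
            sub(/^[0-9]+: /, "", ace)           # entry text
            if (ace == "group:everyone deny delete" && name != "")
                printf "%s\t%s\n", idx, name
            next
        }
        # Any other full line is a file entry: drop the 8 metadata
        # columns and keep the rest, so names with spaces survive.
        NF >= 9 {
            name = $0
            for (i = 0; i < 8; i++) sub(/^ *[^ ]+ +/, "", name)
            next
        }
        { name = "" }
    '
}

# Constructed sample listing (not captured from a real machine).
# "Old Projects" has the deny entry at index 1, and shared.txt has a
# different entry at index 0 that a blind "-a# 0" would remove.
SAMPLE='total 8
drwx------+ 5 alice  staff  170 Nov  2 13:01 Pictures
 0: group:everyone deny delete
-rw-r--r--  1 alice  staff   12 Nov  2 13:05 notes.txt
drwxr-xr-x+ 3 alice  staff  102 Nov  2 13:07 Old Projects
 0: user:bob allow read
 1: group:everyone deny delete
-rw-r--r--+ 1 alice  staff   40 Nov  2 13:09 shared.txt
 0: user:bob allow read'

printf '%s\n' "$SAMPLE" | deny_delete_entries
```

On a Mac, run it as ls -le | deny_delete_entries in the directory being checked; the number in the first column is the index to pass to chmod -a# for that item.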