Beating the permissions game for single folks

Can someone give a single person an overview on how to beat the permission nightmare?

I'm single, no kids, no one here. No one touches my computer.

Yet even after doing a repair permissions and rebooting, my mac HD internal everything permission wise is grayed out. And I can't figure out how to change that.

and On one external drive ownership and permissions is grayed out.

I'm exasperated.

I would pay triple for and OS for single people.

Ps:
10.4.1

You really need to be more specific. What on earth do you mean by "my mac HD internal everything permission wise is grayed out"?

That's an illusion.

You are connected to the internet. If you were to log your connection to the outside world, you'd find that hundreds, if not thousands, of people are *trying* to touch your machine all the time.

Granted, most of them are looking for certain Windows exploits, but there's always the chance that some *BSD vulnerability might not yet be patched, and should that ever happen, it would probably be a rather stupid idea to have made the attacker's job easier by disabling permissions...

You've already lost the game if you think the goal is to "beat" permissions. Understand them and the need for them first; then you won't have any problems.

Actually, there's more to it than even that. Go into the NetInfo Manager -it's in /Applications/Utilities- and click "Users" to see how many users are really on your machine. On my laptop, I counted some 18-20, and that's just by default.

You are, perhaps, the only human who uses your machine. I'm the only human who uses my laptop. You are not, however, the only user of your machine. The division of responsibilities and roles is an important part of why OSX is as secure as it is. You have access to everything you need access to.

Out of curiosity, what part of the permissions are you trying to change?

If you just want to have your files permission-free, add a second hard drive, or create a second partition on your existing drive, and use the Get Info box to set "Ignore ownership on this volume." You can move your data to it, but not your OS or applications. I run my machines this way so that multiple users can access the same photos, music, etc. And I keep my firewall ON.

I really, really, really think it's not a good idea to send new users to NetInfo Manager. That is a dangerous app.

You can find out what users are on your machine just as easily simply by doing a Get Info on any file in the Finder and checking out the Owner menu under Ownership and Permissions.

Ok, I had that box checked to ignore ownership, but then that was causing havoc when trying to clone. So I've unchecked that all my HDS.

thanks for insightful replies.
Let me be more specific.
I have mac internal drive and two external FW Lacies.
Right now:
Mac internal:
ownership and Permissions, you can read and right : this is grayed out. the dropdown I cannot even access or pull down.

Below that Details:
it says system, not my user name.
group says admin.

On external HD 1, everything looks better.
ownership and permissions says read and write and is not grey out.
details:
says kevs access read and write
group kevs same things.

But if this was grayed out what do you do? I don't know how to get the first drop down to be black and available when it's grayed out.

And then I have certain folders that everything is grayed out as described with my internal Mac HD. I can't even copy stuff into them.

I guess I'm asking what is the trick to let the machine know that is me, Kevs , here and that all folders and HD, should be able to read and write.

You can change ownership after clicking the little padlock icon.

That's correct for the boot volume. You should not change that.
You know that you are supposed to save your personal data inside your home folder? Whether you are alone or not, you home is where you live.

You wouldn't want to be able to write into the System folder.

That line of thinking is one of the big reasons Windows is completely and utterly insecure.

Seems right for the behavior of the internal drive to me if it's your boot drive.
And it makes perfect sense have directories not writable to as a user (admin or otherwise) on the boot drive. It is dangerous to modify permissions if you have no idea what the right permissions should be.

Type in your password. This is called authentication, and it's how the computer knows that you are the one giving commands.
But you shouldn't be able to read and write all of those folders under ordinary circumstances. This is called authorization; once the computer knows who is giving it commands, it determines if that person has been allowed to perform the action they're trying to do. The difference between authentication and authorization can be subtle, to the point where it's lost on many people. However, understanding it is key to understanding security.

In this case, however, the permissions you are running into have another effect besides security: they help improve the system's stability by ensuring that important files are not going to be messed with. If you cannot modify a file, then neither can any app you run, including Trojan horses and spyware or even innocent bugs in legitimate software. Certain software can get around this if you enter an admin password, but that is a mixed blessing: it lets installers and the like work properly, but it also makes the system vulnerable to bugs in those programs.

Warning: If you do what I think you're trying to do, you will make your computer non-bootable. There are certain files and folders in the system that need to have certain permissions. If you change them, they will not function properly.

Don't believe me? Read about the end result for yourself (ignore the flame war that occurs later in that thread).

Basically, you don't need write access to /System. If you do need to modify it at some time for whatever reason (say if the Extensions.mkext file gets corrupted, or some installer sticks something in /System/Library/Extensions that is causing problems), the Finder will let you do it with a quick type of your admin password, even if you don't have write access to the folder.

Some days I think the system folder should be the .system folder...

If that were the case, it would be a big pain in the ass for developers, because all the system frameworks are in there. Also, some third-party installers put kernel extensions in /System/Library/Extensions (why there isn't a /Library/Extensions is beyond me), and some of them forget to delete the Extensions.mkext file so you have to do it yourself (*cough* MOTU MIDI Drivers *cough*). Of course, there are other installers that inexplicably put things in other bizarre locations in /System, besides Extensions, too. Then there are the people who like to do things like the BootX modification around the time of Jaguar's release that let you put back the old smiley Mac icon on startup, things that are clearly done at your own risk, but still enjoyable to some. Lastly, having huge invisible items just adds to the whole "I have several GBs less than my hard drive is supposed to be - where did all that extra space go?" problem. I do not support making stuff invisible willy-nilly, but at the same time people need to understand that if something is set to be read-only by the system, there's a reason for it, and you should not be going in and changing all that. If you have a specific reason to do something in /System, use the "Authenticate" button. If you don't have a specific reason, then why do you need to write in there in the first place?

Thanks for insightful replies.
Here is a quickie, excuse my ignorance.
I'm trying to delete a folder on a external drive but it says I don't have sufficient prileges (even though I'm the only one in universe who knows about this folder)

anyway: it says owner is system. I change it to kevs, I click apply to enclosed items. I think comes up saysing it's appying permissions. I try to delete. message says are you sure?. I say yes, but still says can't delete it, and then the owner goes back to system.

The Finder has a few bugs with regard to changing permissions. If you do it from the terminal it should stick. You might also consider changing the permission, then logging out and back in.

Chris

I stay away from terminal. thanks. anyone else?
BTW, reparing permissions is only for mac boot HD, right? always greyed out for not boots ones for me.

Repairing permissions only applies to hard drives that have 10.2 or later installed on them. Otherwise, the proper permissions are undefined. This isn't like repairing a directory structure. The permissions on the boot drive are critical for booting the machine.

I still don't think you get what's going on here. It doesn't matter if you own a folder or not. On 10.3, the Finder pops up a dialog asking for your password if you don't have permission to do something.

And BTW, when it says that the group is admin, that means YOU. The owner is a member of admin. That's why it says you can read and write on the boot volume. You don't own it, but you can change it however you please. What difference does it make if you own it?

Charles, I know you are a developer too... but I don't see how it would be a pain. It wouldn't be any harder regardless of whether or not it's visible in the Finder or with a simple ls command. ls -a will pull it up. In wxWidgets, it would be wxDir(_("/.system")) instead of wxDir(_("/System")). I can't imagine this would be any harder in Carbon or Cocoa (I don't do Carbon and haven't had to do this in Cocoa). It would not be good if users were expected to drag stuff there, but that could be fixed by making Finder show invisible files.

I don't see how that's worse than /usr (where the standard libraries and headers are) being invisible, and we manage to deal with that all right.

Not talking about accessing things in code, which you don't really have to do that much anyway in the case of /System. I'm talking about adding frameworks such as DiscRecording.framework, Security.framework, etc. in Xcode. Having to type /System each time would be annoying.

It pissed me off in 10.0 that they made /usr invisible too. One of the first things I did was make a visible symlink to it so I could get in there without typing.

With that said, though, for Cocoa/Carbon development I seem to be manually adding frameworks from /System/Library/Frameworks more often than the libraries in /usr/lib, although I realize that this will vary depending on what you are doing, and also /usr is fewer keystrokes than /System. Regarding the headers, I usually read them either in the Terminal or using Spotlight (which I had to do some messing around with to get it to index /usr... argh...).

Perhaps it's the permissions of the enclosing folder that don't let you modify the contents.

There's a great app called BatChmod that lets you change permissions graphically.

True. I've got /usr and /System/Library/Frameworks stuck in my sidebar anyway, since the first is invisible and navigating through /System/Library all the time is kind of a pain.

Anyway, to get back on topic, if you're using 10.3 or later (and you say you're using 10.4.1), then the message that tells you that you don't have permission to drag the folder into the Trash should have an "Authenticate" button on it. Just click that button, enter your password, and voilà, it'll move the folder to the Trash regardless of what its permissions were, unless the external drive you mention is something read-only like a CD-ROM.

Or you could just get info on the folder or app and do it.

Or, you could just drag it to the Trash and click Authenticate.

Why make this harder than it needs to be?

:D :thumbsup:

thanks:
Is batchamod good for Tiger?

Was talking to Apple rep today. I just started doing backup clones from one external FW HD to another, and it seems on the backup clone, there are some folders that I cannot change permissions no matter what.

Do you think that could have been the fault of the back up software?? (retrospect)

The Apple guy thinks that my entire net info data is bad and I should do a full erase install (not an archive and install)

that would be a hellofa lot of work. Thanks for great comments here.

You can boot, and you can log in, right? Your Netinfo database is not likely to be bad. Also, an archive and install WOULD replace the netinfo database as long as you don't tell it to preserve users and network settings. Your files will still be there, but you'll have to do some work to get them back where you want them.

If you suspect that the problem is with your external drive, I see little benefit in erasing the internal drive.

Have you tried running DiskWarrior if you have it, or Disk Utility's First Aid feature if you don't, on the external drive?

I'd actually prefer to have the likes of /usr visible. It can be made visible easily enough, but those hidden directories end up being ghosted in a strange way.

Here's my situation (by now everybody knows what I think about permissions and privileges so I'll refrain from talking about the philosophycal part of it again):

Both my girlfriend and I are designers and share the same computer at home. Each one has its own account, I like this a lot since I prefer to have my general preferences, Desktop and palette layouts in applications untouched by anyone else, etc.
Sometimes we get freelance assignments where we both have to work on the same project. She works in her profile, I like to work in mine.

Now here's the problem.

We can't find a way of working in the same files without permissions and privileges getting in our way all the freaking time.

I thought that by putting everything in Users/Shared we wouldn't have to deal with that nightmare but I was wrong. Files or folders that one user creates are Read Only by the other which completely defies the purpose of a “shared” folder.

I heard something once about creating a new group and making all users part of that group with read and write privileges. Is that the solution? If so, how do I create a new group? I'd rather have a simpler less geeky more efficient solution, of course....thanks in advance.

Is hers an admin account? If so, she should be in the admin group. When you make a new folder, get info on it and make sure the group is set to admin, and that group has read and write permission. I don't know how to make new folders' groups admin by default, though.

If she's not in the admin group, you can put her in it with the NetInfo Manager in /Applications/Utilities.

Thanks wataru. I checked Users/Shared (which is where we've been putting all our stuff) and its group is wheel. Should I change that to admin?

Uh, you can also put her in the admin group much more easily by checking "Allow user to administer this computer" in System Preferences -> Accounts.

Another thing you could try that wouldn't require making your girlfriend an admin would be to make a disk image in /Users/Shared, mount it, get info on the mounted disk image, and check the "Ignore ownership on this volume" check box. Now you have a little sandbox that either of you can write in.

That's not necessary because /Users/Shared is RW for world by default (at least that's what it is on my machine, and I haven't customized anything in that area).

Incidentally, it looks like the wheel group only includes root by default.
Is that actually equivalent to adding the user to the admin group? Somehow I thought there would be more involved in making a regular user an admin.

That's likely a problem with the Finder. If you're trying to do it with Get Info you will have problems due to a Finder bug. Do it from the terminal and it will work.

Chris

I think this is the best solution. Create a group in which you both belong. Then make that group the owner of the folder in /Users/Shared. Give the group members read and write permissions.

To create a group, use
Sharepoints.

Chris

Yep, the "Allow user to administer this computer" check box does exactly what it says it does, and is quite a bit less dangerous than the NetInfo Manager app.

And now, for solution #312749: Folder Actions! Grab this little AppleScript that I wrote, save it in /Library/Scripts/Folder Action Scripts, right-click on your /Users/Shared folder, choose "Attach Folder Action", and choose the script. Then, every file you put in that folder should be made writable to everyone.

Detrius: thanks. yes I can boot and log in -- so why is apple guy saying to do an erase and install (not archive and install -- he wants erase and install) -- becasue after creating a new user, and all, some problems still remain. is he right or wrong?


Charles:
thanks, don't think it's the external drive. I just notice that the backup external has some folders that wont let me change permissions. why, I have no idea. I'm sure the drive is ok. was wondering: why would the source drive be ok, but then you clone, and the target drive has a folder say you cannot change access to it -- the Apple guy says he think net info database is bad-- concur?

I don't concur. That really doesn't sound like an OS problem. If there were something wrong with the NetInfo database, quite likely you wouldn't be able to log in.

What happens if you drag the folder to the Trash, then click the "Authenticate" button and enter your password?

If the external hard drive is where the problem is, and it's for backups, why don't you just format that drive (i.e. wipe it completely), and re-clone it?

When you re-clone your main drive, DON'T use Retrospect. Use Disk Utility or Carbon Copy Cloner, or SuperDuper instead.

Also, once you've recloned your system, then if you're still having other problems with your system, you should do an erase and install and start over from scratch. You can boot from your clone in the meantime to do everyday work while you're redoing your system.

CharlesS, thanks for the script!
I'll try it tonight, thanks.

CCC is still not updated for 10.4. I'm now oficially a fan of Deja Vu.

CCC will work if you run it as root. (Found that out from somebody else here... can't remember who though)

Charles:
this folder just wont let me have permission, I try everyting etc, just wont let me in. So I think I do what
Person man says and erase it.
Is it much better to erase a drive with disc utility, than just selecting everything and clicking erase?
also, I just got super duper a bit after I got retrospect. Why do you think it's better for cloning?

"won't let me in" :lol:

You're not saying very much.
What are you DOING?
What DOES happen when you do that?

When attempting to trash a folder you don't own,
you should get a dialog window titled Authenticate,
saying (quote): "Finder requires that you type your password."
So... are you seeing that, or not?

Describe exactly what you do and what happens.
(Pretend we can't see your computer)

You would rather erase everything, than
learn to use a few Terminal commands?
Good luck... let me know how it turns out.

^ Indeed. This is about the point where if it were someone I knew, I'd start asking him to turn VNC on.