Permissions Horror, Apple inserting Read only into
#14539 03/05/11 01:25 AM
Joined: Dec 2009
kevs Offline OP
I could not do a save for Office files for a couple of weeks via my laptop through sharing.

My imac has the base files and folders.

It turns out the OS was adding an "everyone" to permissions to many folders and saying read only.

Why does it do this? Has anyone else seen this?

Permissions is the real bane for someone who is the only one on his computers. thanks

Re: Permissions Horror, Apple inserting Read only into
kevs #14541 03/05/11 01:52 AM
Joined: Aug 2009
Originally Posted By: kevs
Why does it do this? Has anyone else seen this?

We probably have, but you'd have to tell us which folders before we can tell you for sure.

Originally Posted By: kevs
Permissions is the real bane for someone who is the only one on his computers. thanks

First off, you aren't the only one using your computer. Apple also uses it (to install software on), and many of its security policies are geared towards keeping their software on your computer functioning.

Second, though, people who say they're the only one using their computer often mean they're the only one who uses their computer daily. What about when the kinfolk come to visit over the holidays, and innocently ask "Is that an Apple computer? What's so special about it?" or "Hey Uncle Kev, do you have any games on your computer? Can I play one?" or "Cousin Kev, can I just real quick-like check my email?"

Security becomes a lot easier to understand once you have a goal in mind to focus your attention on. Consider setting up a "Kinfolk" user account. (Or "Friend" or "Show Off My Mac", if you don't have any kinfolk.) Decide what you want them to access (your games and other apps, including Safari) and what's off limits to them (your email, saved passwords). Configure your permissions accordingly.

Even if you never actually use that account (which should not be an admin account, of course), its mere existence will make security much more understandable.

Even as a "throwaway" account, it needs a strong password. Don't make the mistake I made, of setting the password to my "Friend" account to "friend". I discovered to my chagrin that even Macs can get hacked if you lower your guard.

Which, by the way, is why it behooves you to understand security. Do not write it off as something that doesn't concern you.

Re: Permissions Horror, Apple inserting Read only into
ganbustein #14549 03/05/11 03:53 PM
Joined: Aug 2009
Likes: 16
Moderator
Around here the going rate for "decontaminating" a Windows PC — removing viruses, spyware, malware, etc. — is roughly $300. I have PC using friends who regularly have this done twice a year and they too are the only users of their PC. (Although as ganbustein so eloquently points out you are never the only user of a Mac running OS X.) Permissions and passwords may seem to you to be a pain, but they are lynchpins in the OS X security model and a major part of the reason Mac users aren't having to take their Macs in to have them decontaminated.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Permissions Horror, Apple inserting Read only into
joemikeb #14552 03/05/11 06:57 PM
Joined: Dec 2009
kevs Offline OP
Thanks Guys, good info.
But any idea why I was not able to save on my network for a few days even though all my folders and documents were read/write?

And any idea why the OS was adding the "everyone" folder to all my folders with read only?


Re: Permissions Horror, Apple inserting Read only into
kevs #14558 03/06/11 01:27 AM
Joined: Aug 2009
Likes: 16
Moderator
I have no idea what your network problem was but the everyone read only is as far as I know the default for most folders in OS X with the exception of folders within a specific user's folder where everyone has no access.


Re: Permissions Horror, Apple inserting Read only into
joemikeb #14560 03/06/11 02:02 AM
Joined: Dec 2009
kevs Offline OP
Joe, the folders had:
Kevs (me) Read and Write
everyone Read and Write

these are on one external hard drive attached to a new imac

-----
all the files in those folders were read and write as well. All the parent folders were read and write, and yet--

on my laptop in the same room all the files were coming up as read only.

this continued for a few days.

Then I saw another "everyone" added to all the subfolders suddenly that was read only.

Then I deleted these new read only everyone, and the problem was solved.

1) why was the problem occurring when the new added everyone/ read only was not even there yet? when everything permission wise seemed perfect.
2) Why did the new everyone read only suddenly appear in 15 sub-folders of a parent folder.

I don't think Columbo could solve it, but I have seen you come up with some great ideas and solutions!

(no one but me touches these computers)

Re: Permissions Horror, Apple inserting Read only into
kevs #14562 03/06/11 04:31 AM
Joined: Aug 2009
Originally Posted By: kevs
Joe, the folders had:
Kevs (me) Read and Write
everyone Read and Write

these are on one external hard drive attached to a new imac

Get Info on the disk volume. At the bottom of the info window is a checkbox labeled "Ignore ownership on this volume". Uncheck it.

By default, the checkbox is checked (that is, ownership is ignored) for any disk volume that is not the startup volume. You have to uncheck it to make OS X pay attention to ownership on the volume.

The idea is that external disks are, in practice, usually used like large floppies, for carrying files from one machine to another by sneakernet. The Unix security model is an extremely poor fit to this usage. Unix permissions identify users by a numerical userid, and the numbering on one machine has no relationship with the numbering on another. Even a user who has the same user name on two machines may have different userids on those machines. It would be irritating at best if files the user put on the disk from one machine couldn't be read from another machine just because the numeric userids didn't match. For that matter, if you're really just sneakernetting files, you expect that whomever you give the disk to should be able to read it, even if they're not you.

The way this works is that everything created on or copied to a disk volume with "Ignore ownership" turned on is marked as owned by the special user with userid 99, whose name is usually "unknown" or "_unknown". The group of the file is set to group 99 (also usually named "unknown" or "_unknown"). Don't confuse either of these with "(Unknown)", with parentheses. That's the name Finder attaches to a numeric userid or groupid that it doesn't recognize.

If you try to access a file or folder on a disk volume with "Ignore ownership" turned on, it behaves as if it were owned by this same "unknown" user and group, even if it isn't really.

What makes "unknown" magical is that it's a chameleon. Any user except the superuser who looks at a file owned by "unknown" always sees it as if it were owned by whoever is doing the asking. Likewise for group: a file with group 99 behaves like it's in the primary group of whoever is asking (except, again, when the superuser asks—nobody lies to the superuser).


One important thing to keep in mind is that the setting of the "Ignore ownership" flag is not stored on the disk. Each computer (actually, each startup volume) keeps a list of all the disk volumes it has ever seen, and what setting that flag has for that disk from that machine. A new never-before-seen disk volume starts off with the flag set.

Thus, the flag can easily have different values on different computers, even for the same disk, so something that's read/write on one machine may be read only on another. If you erase the disk, the flag turns on again on all computers, because they see it as a new disk volume.

The reason this works well with sneakernetting is that if either machine has elected to ignore ownership, files automatically appear to be owned by whomever is looking, and users invariably give themselves read-write access to their own files.


As for the "everyone" line... That's part of the standard Unix permissions model. In the standard model, every file (and folder) has an owner and a group. (A group is a collection of users. A group can contain zero or more users, and a user can be in one or more groups. Groups are useful to conveniently share files between users on the same computer; put the users together in a group, and mark the shared files with that common group.)

In addition to a (numeric) owner and group, each file also has 9 permission bits, 3 for the owner, 3 for the group, and 3 for everyone else. Those three bits grant read access, write access, and execute access.

When the owner of a file tries to access a file, the 3 owner bits are consulted and the others are ignored. If a non-owner tries to access a file, if the non-owner is in the same group as the file, the 3 group bits are used. Otherwise, the 3 everyone-else bits are used.

That's why, when you look at permissions in Get Info, there will always be a line for "everyone". That's part of the standard Unix permissions model. And I repeat, it applies only to the users who are not the owner of the file (which Finder lists as the last "one-head" line) and also are not in the group of the file (which Finder lists in an optional "two-head" line following the owner line). The "everyone" line is the "three-head" line at the bottom.

BTW: any lines that Finder shows before the owner (last "one-head" line) correspond to ACLs, a topic you are invited to research elsewhere. If one of those is a "two-head" line for everyone, in addition to the "three-head" line at the bottom, that's probably a mismatch between the OS X versions on the two machines. One of them is showing an ACL that the other is hiding. If that's the case, we can talk. This post is long enough already.


As for why "everyone" has write access, you'd have to look at the progeny for the files. By default, most files are born read-only to group and everyone, but it's really easy to get that write access attached. When files are copied, their permissions are usually carried across to the copy. (But the owner is usually changed to the user doing the copy, and the group is taken from the group of the destination folder. Usually.)
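
The class-selection rule from the post above (owner bits first, then group, then everyone else, plus the id 99 "unknown" behaviour as the post describes it), as an added shell sketch that is not part of the original post. Function names and the sample uid/gid values are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not from the thread. Function names are hypothetical;
# the uids/gids passed in below are constructed sample values.

UNKNOWN_ID=99   # the "unknown" user and group id named in the post

# perm_class FILE_UID FILE_GID REQ_UID REQ_PRIMARY_GID [REQ_EXTRA_GIDS]
# Prints which permission triplet is consulted for the requester.
perm_class() {
    f_uid=$1; f_gid=$2; r_uid=$3; r_gid=$4; r_extra=${5:-}
    if [ "$r_uid" -eq 0 ]; then
        echo superuser          # sees the real ids; rw bits are not enforced
        return 0
    fi
    # Chameleon rule as the post describes it: id 99 looks like the asker's own.
    if [ "$f_uid" -eq "$UNKNOWN_ID" ]; then f_uid=$r_uid; fi
    if [ "$f_gid" -eq "$UNKNOWN_ID" ]; then f_gid=$r_gid; fi
    if [ "$r_uid" -eq "$f_uid" ]; then
        echo owner              # owner bits only, even if they grant less
        return 0
    fi
    for g in $r_gid $r_extra; do
        if [ "$g" -eq "$f_gid" ]; then
            echo group
            return 0
        fi
    done
    echo other                  # Finder's "everyone" line
}

# class_bits OCTAL_MODE CLASS -> prints the triplet, e.g. "rw-"
class_bits() {
    m=$((0$1))                  # leading 0 makes the shell read it as octal
    case $2 in
        owner) b=$(( (m >> 6) & 7 )) ;;
        group) b=$(( (m >> 3) & 7 )) ;;
        *)     b=$(( m & 7 )) ;;
    esac
    r=-; w=-; x=-
    if [ $(( b & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( b & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( b & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# access_for MODE FILE_UID FILE_GID REQ_UID REQ_PRIMARY_GID [REQ_EXTRA_GIDS]
access_for() {
    cls=$(perm_class "$2" "$3" "$4" "$5" "${6:-}")
    if [ "$cls" = superuser ]; then
        echo "superuser (bits bypassed)"
    else
        echo "$cls $(class_bits "$1" "$cls")"
    fi
}

access_for 644 501 20 501 20        # the owner asks
access_for 644 501 20 502 20        # same group, different user
access_for 644 501 20 503 30 "40"   # unrelated user: the "everyone" line
access_for 077 501 20 501 20        # owner is locked out; others are not
access_for 755 99 99 502 20         # "unknown" owner looks like the asker
```

The fourth call shows why the "everyone" line never applies to the owner: once the requester matches the owner, only the owner triplet is read.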

Re: Permissions Horror, Apple inserting Read only into
ganbustein #14564 03/06/11 05:19 AM
Joined: Dec 2009
kevs Offline OP
Dan, let's wait for Joe to answer. His answers are very laconic and easy to digest. I understand little of your posts.

Ignore was unchecked.

Re: Permissions Horror, Apple inserting Read only into
kevs #14575 03/06/11 11:50 AM
Joined: Aug 2009
Likes: 3
Moderator

Quote:
I understand little of your posts.

Really? I thought ganbustein's last reply described a confusing set of issues in a remarkably clear and straightforward way.

Maybe you should try reading through it a few times.



dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: Permissions Horror, Apple inserting Read only into
dkmarsh #14577 03/06/11 03:19 PM
Joined: Aug 2009
Likes: 14
Originally Posted By: dkmarsh
I thought ganbustein's last reply described a confusing set of issues in a remarkably clear and straightforward way.

And I.

I now know a lot more than I did before about the topic....and I admit to being one of the folks who, on some of the "technical stuff", usually needs a couple of reads to "get it". But that's what makes FineTunedMac a good place to get help. There are people here who will take the time to lay it all out.

ryck

Last edited by ryck; 03/06/11 03:27 PM.

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Permissions Horror, Apple inserting Read only into
ryck #14579 03/06/11 04:22 PM
Joined: Dec 2009
kevs Offline OP
Thanks, Dan has a great spirit, but it's a bit over my low-fi head. I find Joe's posts are just really laconic and easy to read.

Re: Permissions Horror, Apple inserting Read only into
kevs #14587 03/06/11 07:49 PM
Joined: Aug 2009
Likes: 16
Moderator
Originally Posted By: kevs
these are on one external hard drive attached to a new imac

That is the missing piece of the puzzle.

As ganbustein has so eloquently pointed out the rules are different for the boot volume than for other volumes on the system. I am intentionally using the term "volume" instead of "drive" because there may be more than one "volume" (a.k.a. partition) on any given drive. There is no "ignore permissions" setting for the boot volume. In fact it is possible to render a boot volume un-bootable by dinking around with the permissions on that volume.

The possibilities are too numerous for me to even begin to speculate on how or why the differing permission appeared and/or disappeared on your external volume. It would take a lot more information than certainly I have and probably more than you can recall to fill in the blanks. Suffice it to say none of this violates the standard Unix/OS X rules, none represents system problems, none are the result of errors (with the possible exception of those human errors we are all prone to [grin]), and none are cause for concern.

I Googled for a good article for you to read on Unix Permissions and could not come up with any that were concise, comprehensible, or would be likely to shed any light on what transpired in your case. Ignoring the concise and comprehensible criteria I came up with the File System Overview and Security Overview from Apple's Mac OS X Reference Library. The next time you have a bout of insomnia you might want to wade into these two tombs. The best I can offer in a short article is re-reading ganbustein's informative post in this thread.


Re: Permissions Horror, Apple inserting Read only into
dkmarsh #14592 03/06/11 08:33 PM
Joined: Sep 2009
I'm reminded of the movie Amadeus when the emperor grumbled about "too many notes".

Re: Permissions Horror, Apple inserting Read only into
kevs #14593 03/06/11 09:12 PM
Joined: Aug 2009
Originally Posted By: kevs
Dan, let's wait for Joe to answer. His answers are very laconic and easy to digest. I understand little of your posts.

Ignore was unchecked.

Sorry, I said that backwards. If you want free access to the files on the disk volume, check ignore ownership.

Generally, you want it checked for volumes on a disk that moves from computer to computer, and unchecked for a volume that stays always on the same computer.

If you have multiple bootable partitions, remember that each one has its own list of "ownership ignored" volumes.

And, who's Dan?

Re: Permissions Horror, Apple inserting Read only into
joemikeb #14595 03/06/11 11:21 PM
Joined: Aug 2009
Likes: 15
Quote:
The next time you have a bout of insomnia you might want to wade into these two tombs. (Emphasis added)

If that ain't a brilliant typo, it's a brilliant [sic]! [grin]


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Permissions Horror, Apple inserting Read only into
artie505 #14597 03/07/11 12:05 AM
Joined: Dec 2009
kevs Offline OP
thanks guys, I meant Gan -- appreciate these comments!

I leave it unchecked, I was told years ago to have it unchecked.

That checking that could create chaos. Although I love the idea I'd be free of these Gremlins in the future. What think?

Yeah, why this all happened I have no idea, and why new "everyone" read only comes aboard to many folders I have no idea.

But it's working ok for now....(was lot of grief until it went away)

Re: Permissions Horror, Apple inserting Read only into
kevs #14953 04/01/11 09:38 PM
Joined: Dec 2009
kevs Offline OP
Guys, today, I'm in the middle of an email blast with my email software and could not save the file, so I had to force quit -- said I don't have permissions.
I go to the file and it says, "everyone" is read only.

Now why does this happen?

I see it happen a lot also with excel files that I set everyone to read write. Time goes by and everyone is now read only.

How does this happen? thanks.

Re: Permissions Horror, Apple inserting Read only into
kevs #14959 04/02/11 03:31 AM
Joined: Aug 2009
Likes: 1
It is normal for "everyone" to be read only.

It's easy to mistake the "everyone" to mean that you have read-only access, but that's not necessarily the case. The permissions can be thought about as "you," "the group you belong to," and "everyone else." So if it says that you have read and write and everybody has read only, it means that the account you're logged in with right now has read and write, not read only.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Permissions Horror, Apple inserting Read only into
tacit #14963 04/02/11 02:47 PM
Joined: Sep 2009
May be worth noting a similar discussion from a year ago:
Anyway to get read/write for everyone as default? [tongue]

...which itself branched off into:
Permissions Nightmare, need help

Last edited by Hal Itosis; 04/02/11 02:50 PM.
Re: Permissions Horror, Apple inserting Read only into
tacit #14965 04/03/11 02:24 AM
Joined: Dec 2009
kevs Offline OP
Tacit, that went over my head. sorry.
But suffice it to say, let me ask you this.
Permissions issue:

I'm on my home network. My laptop cannot access or save a read only file.

or the email blast same issue I cannot save it.

How do I solve this?

I go back to the desktop and do a command i on the problem file.

I change everyone to read/write. Problem solved. I'm a happy guy.

But here is my main question.

Why a month or months later, do these files revert to everyone read only? and the cycle continues?

Re: Permissions Horror, Apple inserting Read only into
kevs #14966 04/03/11 05:05 PM
Joined: Sep 2009
Originally Posted By: kevs
I'm on my home network. My laptop cannot access or save a read only file.

or the email blast same issue I cannot save it.

How do I solve this?

I go back to the desktop and do a command i on the problem file.

I change everyone to read/write. Problem solved. I'm a happy guy.

But here is my main question.

Why a month or months later, do these files revert to everyone read only? and the cycle continues?

As was already suggested by ganbustein (over a year ago), the first step to overriding OSX's default behavior is to tweak the umask.

These two articles provide alternative methods (to the launchctl 000 syntax he gave back then): Note in particular this section from the first link:

Originally Posted By: Apple support doc HT2202
Umask for user applications

In Mac OS X v10.5.3 and later, you can create the file /etc/launchd-user.conf with the contents "umask nnn". Do not include the quotation marks and replace nnn with the desired umask value, such as 027 or 002.

This will set the user's umask for all applications they launch, such as Finder, TextEdit, or Final Cut Pro, and control the permissions set on new files created by any of these applications.

So... have you tweaked your umask yet?
If you run this:

    umask

in Terminal, does the result look like:

    0000

or:

    0022

?

If you haven't tweaked the umask, then you'll see 0022... meaning, you're still running with OSX's default behavior (which itself is a reasonable compromise between somewhat friendly sharing and somewhat secure operation).

Another way would be to use group access and add some ACLs to do the sharing. ACLs can be added via the chmod command in terminal and possibly (to a more limited extent) via Finder Get Info windows. [i don't think Finder can set permission inheritance for example.]

But we have been told very little about your network, so it's impossible to know where to begin. (how are users logging in? as registered accounts or guests? which group do they ALL belong to? what are the precise permissions [including ACLs, if any] on the directory where this file-sharing takes place? what is the pathname of that shared folder? etc).

You seem to think folks can help you without knowing such details. They can't.

Your unwillingness to use Terminal.app hampers both conveying and resolving this situation. In case you change your mind, here is the method i would recommend to tweak the umask...
  1. run this command:

    sudo sh -c 'echo "umask 000" > /etc/launchd-user.conf'

    That will create the file launchd-user.conf in the /etc/ folder, and insert the text "umask 000" inside it.

  2. restart.
[those two steps will need to be done on all Macs from which users will be editing and saving files.]

Obviously, giving 'everyone' write access by default is risky business (by its very nature). Pluswhich, tweaking the umask still potentially leaves us at the mercy of the behavior of the applications themselves. If (for example) Microsoft Office is designed such that it sets its own POSIX permissions every time it saves file edits [i.e., if it deliberately removes world (or group) write access], then the only recourse would be to reset them to our liking... by writing a script and running it manually and/or periodically. [if we knew more specifics about the pathnames to your shared folder, writing such a script would be a piece of cake. Users could run that script by simply selecting it from a menu.]

The best approach is to employ the 'custom group plus ACLs' sharing method... but that will require much more effort on your part (to communicate details of your network's users and shares setup), and likely even more work in Terminal.

-HI-

Last edited by Hal Itosis; 04/03/11 05:34 PM.
Re: Permissions Horror, Apple inserting Read only into
Hal Itosis #14967 04/03/11 05:42 PM
Joined: Dec 2009
kevs Offline OP
that's a bit over my head and hard to follow Hal, but appreciate the effort.

But then is the fact that the OS, is changing my files everyone back to read only normal?

Re: Permissions Horror, Apple inserting Read only into
Hal Itosis #14968 04/03/11 11:45 PM
Joined: Aug 2009
Likes: 15
Great Caesar's post!


Re: Permissions Horror, Apple inserting Read only into
kevs #14970 04/04/11 12:39 AM
Joined: Sep 2009
Originally Posted By: kevs
But then is the fact that the OS, is changing my files everyone back to read only normal?

If a file's perms are changing, i'd suspect it's due to some application's doing... not necessarily the "OS".

Normally, the umask determines perms on items when they are first created. If we modify those perms and then later edit the file, those perms we set should stick. But a lot depends on how edits get saved.

For example, TextEdit does not save edits "in place". Instead, it creates a copy over in some temp folder somewhere... and when we save those modifications, TextEdit deletes our original file and **moves** that copy from the temp area back to where the original used to be. Such shenanigans can play havoc with metadata. In the case of TextEdit there, one thing that happens is that the group assigned to the document always reverts back to the primary gid of the user saving the change (i.e., back to whichever "group" was tied to the temp folder).

That was a bit complicated i suppose, but my point is that it's probably an app to blame... as opposed to the "OS". [though one could argue that Apple designs both of those in that particular case.]


Originally Posted By: kevs
that's a bit over my head and hard to follow Hal, but appreciate the effort.

Not all that hard IMO. In fact, those two numbered steps i gave (run one terminal command and then restart) are really, really easy to do.

--

Edit #2: BTW, there were 6 questions in my previous post... and you didn't answer a single one. [perhaps you should hire an IT technician/administrator full-time.]

Last edited by Hal Itosis; 04/04/11 12:59 AM.
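
An added demonstration (not from the original posts) of the two effects discussed above: the umask fixes permissions when a file is created, and a save that writes a temp copy and moves it over the original replaces whatever permissions had been set by hand. File and function names are hypothetical, and the replace-style save is a generic stand-in for the application behaviour described, not TextEdit's or Office's actual code.

```shell
#!/bin/sh
# Added illustration, not from the thread. Function names, file names and the
# scratch directories are hypothetical; everything runs in a mktemp sandbox.

# mode_of FILE -> the nine permission characters, e.g. rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# new_file_mode UMASK -> mode a newly created file receives under that umask
new_file_mode() (
    dir=$(mktemp -d) || exit 1
    umask "$1"
    : > "$dir/new.txt"              # created as 666 minus the umask bits
    mode_of "$dir/new.txt"
    rm -rf "$dir"
)

# save_demo STYLE -> mode of a document after one save, where the user had
# first set "everyone" to Read & Write (chmod 666) under the default umask.
#   inplace  : rewrite the existing file
#   replace  : write a temp copy, then move it over the original
#   preserve : as replace, but the temp copy inherits the original's mode
save_demo() (
    dir=$(mktemp -d) || exit 1
    umask 022                       # the default value reported in the thread
    doc="$dir/report.txt"
    tmp="$dir/.report.tmp"
    echo "version 1" > "$doc"
    chmod 666 "$doc"
    case $1 in
        inplace)
            echo "version 2" > "$doc" ;;
        replace)
            echo "version 2" > "$tmp"   # new file, so the umask applies again
            mv -f "$tmp" "$doc" ;;
        preserve)
            cp -p "$doc" "$tmp"         # -p carries the mode across
            echo "version 2" > "$tmp"
            mv -f "$tmp" "$doc" ;;
        *)
            rm -rf "$dir"
            exit 2 ;;
    esac
    mode_of "$doc"
    rm -rf "$dir"
)

echo "new file, umask 022:        $(new_file_mode 022)"
echo "new file, umask 000:        $(new_file_mode 000)"
echo "chmod 666, in-place save:   $(save_demo inplace)"
echo "chmod 666, temp+move save:  $(save_demo replace)"
echo "chmod 666, preserving save: $(save_demo preserve)"
```

The temp+move case is the one that matches a file whose "everyone" entry goes back to read only after a later save.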
Re: Permissions Horror, Apple inserting Read only into
Hal Itosis #14971 04/04/11 01:25 AM
Joined: Dec 2009
kevs Offline OP
Hal, that helps a bit understand it all. very helpless we are.
I wish they sold the OS for single people who don't need permissions. but I'll try to get used to having to constantly check if a file can save ok. I'll learn to make it a habit.


Moderated by  alternaut, dkmarsh, joemikeb 
