I could not do a save for Office files for a couple of weeks via my laptop through sharing.

My imac has the base files and folders.

It turns out the OS was adding an "everyone" to permissions to many folders and saying read only.

Why does it do this? Has anyone else seen this?

Permissions is the real bane for someone who is the only one on his computers. thanks
Originally Posted By: kevs
Why does it do this? Has anyone else seen this?

We probably have, but you'd have to tell us which folders before we can tell you for sure.

Originally Posted By: kevs
Permissions is the real bane for someone who is the only one on his computers. thanks

First off, you aren't the only one using your computer. Apple also uses it (to install software on), and many of its security policies are geared towards keeping their software on your computer functioning.

Second, though, people who say they're the only one using their computer often mean they're the only one who uses their computer daily. What about when the kinfolk come to visit over the holidays, and innocently ask "Is that an Apple computer? What's so special about it?" or "Hey Uncle Kev, do you have any games on your computer? Can I play one?" or "Cousin Kev, can I just real quick-like check my email?"

Security becomes a lot easier to understand once you have a goal in mind to focus your attention on. Consider setting up a "Kinfolk" user account. (Or "Friend" or "Show Off My Mac", if you don't have any kinfolk.) Decide what you want them to access (your games and other apps, including Safari) and what's off limits to them (your email, saved passwords). Configure your permissions accordingly.

Even if you never actually use that account (which should not be an admin account, of course), its mere existence will make security much more understandable.

Even as a "throwaway" account, it needs a strong password. Don't make the mistake I made, of setting the password to my "Friend" account to "friend". I discovered to my chagrin that even Macs can get hacked if you lower your guard.

Which, by the way, is why it behooves you to understand security. Do not write it off as something that doesn't concern you.
Around here the going rate for "decontaminating" a Windows PC — removing viruses, spyware, malware, etc. — is roughly $300. I have PC using friends who regularly have this done twice a year and they too are the only users of their PC. (Although as ganbustein so eloquently points out you are never the only user of a Mac running OS X.) Permissions and passwords may seem to you to be a pain, but they are lynchpins in the OS X security model and a major part of the reason Mac users aren't having to take their Macs in to have them decontaminated.
Thanks Guys, good info.
But any idea why I was not able to save on my network for a few days even though all my folders and documents were read/write?

And any idea why the OS was adding the "everyone" folder to all my folders with read only?

I have no idea what your network problem was but the everyone read only is as far as I know the default for most folders in OS X with the exception of folders within a specific user's folder where everyone has no access.
Joe, the folders had:
Kevs (me) Read and Write
everyone Read and Write

these are on one external hard drive attached to a new imac

-----
all the files in those folders were read and write as well. All the parent folders were read and write, and yet--

on my laptop in the same room all the files were coming up as read only.

this continued for a few days.

Then I saw another "everyone" added to all the subfolders suddenly that was read only.

Then I deleted these new read only everyone, and the problem was solved.

1) why was the problem occurring when the new added everyone/ read only was not even there yet? when everything permission wise seemed perfect.
2) Why did the new everyone read only suddenly appear in 15 sub-folders of a parent folder.

I don't think Columbo could solve it, but I have seen you come up with some great ideas and solutions!

(no one but me touches these computers)
Originally Posted By: kevs
Joe, the folders had:
Kevs (me) Read and Write
everyone Read and Write

these are on one external hard drive attached to a new imac

Get Info on the disk volume. At the bottom of the info window is a checkbox labeled "Ignore ownership on this volume". Uncheck it.

By default, the checkbox is checked (that is, ownership is ignored) for any disk volume that is not the startup volume. You have to uncheck it to make OS X pay attention to ownership on the volume.

The idea is that external disks are, in practice, usually used like large floppies, for carrying files from one machine to another by sneakernet. The Unix security model is an extremely poor fit to this usage. Unix permissions identify users by a numerical userid, and the numbering on one machine has no relationship with the numbering on another. Even a user who has the same user name on two machines may have different userids on those machines. It would be irritating at best if files the user put on the disk from one machine couldn't be read from another machine just because the numeric userids didn't match. For that matter, if you're really just sneakernetting files, you expect that whomever you give the disk to should be able to read it, even if they're not you.

The way this works is that everything created on or copied to a disk volume with "Ignore ownership" turned on is marked as owned by the special user with userid 99, whose name is usually "unknown" or "_unknown". The group of the file is set to group 99 (also usually named "unknown" or "_unknown"). Don't confuse either of these with "(Unknown)", with parentheses. That's the name Finder attaches to a numeric userid or groupid that it doesn't recognize.

If you try to access a file or folder on a disk volume with "Ignore ownership" turned on, it behaves as if it were owned by this same "unknown" user and group, even if it isn't really.

What makes "unknown" magical is that it's a chameleon. Any user except the superuser who looks at a file owned by "unknown" always sees it as if it were owned by whoever is doing the asking. Likewise for group: a file with group 99 behaves like it's in the primary group of whoever is asking (except, again, when the superuser asks—nobody lies to the superuser).


One important thing to keep in mind is that the setting of the "Ignore ownership" flag is not stored on the disk. Each computer (actually, each startup volume) keeps a list of all the disk volumes it has ever seen, and what setting that flag has for that disk from that machine. A new never-before-seen disk volume starts off with the flag set.

Thus, the flag can easily have different values on different computers, even for the same disk, so something that's read/write on one machine may be read only on another. If you erase the disk, the flag turns on again on all computers, because they see it as a new disk volume.

The reason this works well with sneakernetting is that if either machine has elected to ignore ownership, files automatically appear to be owned by whomever is looking, and users invariably give themselves read-write access to their own files.


As for the "everyone" line... That's part of the standard Unix permissions model. In the standard model, every file (and folder) has an owner and a group. (A group is a collection of users. A group can contain zero or more users, and a user can be in one or more groups. Groups are useful to conveniently share files between users on the same computer; put the users together in a group, and mark the shared files with that common group.)

In addition to a (numeric) owner and group, each file also has 9 permission bits, 3 for the owner, 3 for the group, and 3 for everyone else. Those three bits grant read access, write access, and execute access.

When the owner of a file tries to access a file, the 3 owner bits are consulted and the others are ignored. If a non-owner tries to access a file, if the non-owner is in the same group as the file, the 3 group bits are used. Otherwise, the 3 everyone-else bits are used.

That's why, when you look at permissions in Get Info, there will always be a line for "everyone". That's part of the standard Unix permissions model. And I repeat, it applies only to the users who are not the owner of the file (which Finder lists as the last "one-head" line) and also are not in the group of the file (which Finder lists in an optional "two-head" line following the owner line). The "everyone" line is the "three-head" line at the bottom.

BTW: any lines that Finder shows before the owner (last "one-head" line) correspond to ACLs, a topic you are invited to research elsewhere. If one of those is a "two-head" line for everyone, in addition to the "three-head" line at the bottom, that's probably a mismatch between the OS X versions on the two machines. One of them is showing an ACL that the other is hiding. If that's the case, we can talk. This post is long enough already.


As for why "everyone" has write access, you'd have to look at the progeny for the files. By default, most files are born read-only to group and everyone, but it's really easy to get that write access attached. When files are copied, their permissions are usually carried across to the copy. (But the owner is usually changed to the user doing the copy, and the group is taken from the group of the destination folder. Usually.)
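The class selection described in the post above (owner bits first, then group bits, then "everyone"), as an added example that is not part of the original post. The function names and all uids/gids are constructed for illustration, and the handling of id 99 simply models the post's description of the "unknown" user and group.

```shell
#!/bin/sh
# Added example: which of the three permission triplets applies to a request.
# All ids below are constructed sample values, not taken from the thread.

UNKNOWN_ID=99   # the "unknown" user/group id described in the post

# rwx_of DIGIT -> prints the rwx string for one octal digit, e.g. 6 -> rw-
rwx_of() {
    d=$1
    s=""
    if [ $((d & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((d & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((d & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    echo "$s"
}

# effective_access MODE FILE_UID FILE_GID REQ_UID REQ_PRIMARY_GID [REQ_OTHER_GIDS]
# Prints "<class> <rwx>" for the triplet that would be consulted.
effective_access() {
    mode=$1 fuid=$2 fgid=$3 ruid=$4 rgid=$5 others=$6
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "mode must be three octal digits" >&2; return 2 ;;
    esac
    od=${mode%??}                 # owner digit
    gd=${mode#?}; gd=${gd%?}      # group digit
    ed=${mode#??}                 # everyone-else digit

    # The superuser is never shown the chameleon ids and is not limited
    # by the read/write bits, so report that and stop.
    if [ "$ruid" -eq 0 ]; then echo "superuser bypass"; return 0; fi

    # Chameleon behaviour as the post describes it: owner 99 looks like the
    # requester, group 99 looks like the requester's primary group.
    if [ "$fuid" -eq "$UNKNOWN_ID" ]; then fuid=$ruid; fi
    if [ "$fgid" -eq "$UNKNOWN_ID" ]; then fgid=$rgid; fi

    # Owner match: only the owner bits count, the other six are ignored.
    if [ "$ruid" -eq "$fuid" ]; then
        echo "owner $(rwx_of "$od")"; return 0
    fi
    # Otherwise a group match uses the group bits.
    for gid in $rgid $others; do
        if [ "$gid" -eq "$fgid" ]; then
            echo "group $(rwx_of "$gd")"; return 0
        fi
    done
    # Neither owner nor group member: the "everyone" line applies.
    echo "everyone $(rwx_of "$ed")"
}

# File owned by 501:20 with "everyone" read only: the owner still has rw.
echo "owner asks:     $(effective_access 644 501 20 501 20)"
echo "stranger asks:  $(effective_access 644 501 20 503 30)"
# Owner bits empty, everyone rw: the owner is still refused.
echo "owner, 066:     $(effective_access 066 501 20 501 20)"
# Ownership ignored (99:99): any ordinary user is treated as the owner.
echo "unknown owner:  $(effective_access 644 99 99 502 30)"
```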
Dan, let's wait for Joe to answer. His answers are very laconic and easy to digest. I understand little of your posts.

Ignore was unchecked.

Quote:
I understand little of your posts.

Really? I thought ganbustein's last reply described a confusing set of issues in a remarkably clear and straightforward way.

Maybe you should try reading through it a few times.
Originally Posted By: dkmarsh
I thought ganbustein's last reply described a confusing set of issues in a remarkably clear and straightforward way.

And I.

I now know a lot more than I did before about the topic....and I admit to being one of the folks who, on some of the "technical stuff", usually needs a couple of reads to "get it". But that's what makes FineTunedMac a good place to get help. There are people here who will take the time to lay it all out.

ryck
Thanks, Dan has a great spirit, but it's a bit over my low-fi head. I find Joe's posts are just really laconic and easy to read.
Originally Posted By: kevs
these are on one external hard drive attached to a new imac

That is the missing piece of the puzzle.

As ganbustein has so eloquently pointed out the rules are different for the boot volume than for other volumes on the system. I am intentionally using the term "volume" instead of "drive" because there may be more than one "volume" (a.k.a. partition) on any given drive. There is no "ignore permissions" setting for the boot volume. In fact it is possible to render a boot volume un-bootable by dinking around with the permissions on that volume.

The possibilities are too numerous for me to even begin to speculate on how or why the differing permission appeared and/or disappeared on your external volume. It would take a lot more information than certainly I have and probably more than you can recall to fill in the blanks. Suffice it to say none of this violates the standard Unix/OS X rules, none represents system problems, none are the result of errors (with the possible exception of those human errors we are all prone to grin), and none are cause for concern.

I Googled for a good article for you to read on Unix Permissions and could not come up with any that were concise, comprehensible, or would be likely to shed any light on what transpired in your case. Ignoring the concise and comprehensible criteria I came up with the File System Overview and Security Overview from Apple's Mac OS X Reference Library. The next time you have a bout of insomnia you might want to wade into these two tombs. The best I can offer in a short article is re-reading ganbustein's informative post in this thread.
I'm reminded of the movie Amadeus when the emperor grumbled about "too many notes".
Originally Posted By: kevs
Dan, let's wait for Joe to answer. His answers are very laconic and easy to digest. I understand little of your posts.

Ignore was unchecked.

Sorry, I said that backwards. If you want free access to the files on the disk volume, check ignore ownership.

Generally, you want it checked for volumes on a disk that moves from computer to computer, and unchecked for a volume that stays always on the same computer.

If you have multiple bootable partitions, remember that each one has its own list of "ownership ignored" volumes.

And, who's Dan?
Quote:
The next time you have a bout of insomnia you might want to wade into these two tombs. (Emphasis added)

If that ain't a brilliant typo, it's a brilliant [sic]! grin
thanks guys, I meant Gan -- appreciate these comments!

I leave it unchecked, I was told years ago to have it unchecked.

That checking that could create chaos. Although I love the idea I'd be free of these Gremlins in the future. What think?

Yeah, why this all happened I have no idea, and why new "everyone" read on comes aboard to many folders I have no idea.

But it's working ok for now....(was lot of grief until it went away)
Guys, today, I'm in the middle of an email blast with my email software and could not save the file, so I had to force quit -- said I don't have permissions.
I go to the file and it says, "everyone" is read only.

Now why does this happen?

I see it happen a lot also with excel files that I set everyone to read write. Time goes by and everyone is now read only.

How does this happen? thanks.
It is normal for "everyone" to be read only.

It's easy to mistake the "everyone" to mean that you have read-only access, but that's not necessarily the case. The permissions can be thought about as "you," "the group you belong to," and "everyone else." So if it says that you have read and write and everybody has read only, it means that the account you're logged in with right now has read and write, not read only.
May be worth noting a similar discussion from a year ago:
Anyway to get read/write for everyone as default? tongue

...which itself branched off into:
Permissions Nightmare, need help
Tacit, that went over my head. sorry.
But suffice it to say, let me ask you this.
Permissions issue:

I'm on my home network. My laptop cannot access or save a read only file.

or the email blast same issue I cannot save it.

How do I solve this?

I go back to the desktop and do a command i on the problem file.

I change everyone to read/write. Problem solved. I'm a happy guy.

But here is my main question.

Why, a month or months later, do these files revert to everyone read only? and the cycle continues?
Originally Posted By: kevs
I'm on my home network. My laptop cannot access or save a read only file.

or the email blast same issue I cannot save it.

How do I solve this?

I go back to the desktop and do a command i on the problem file.

I change everyone to read/write. Problem solved. I'm a happy guy.

But here is my main question.

Why, a month or months later, do these files revert to everyone read only? and the cycle continues?

As was already suggested by ganbustein (over a year ago), the first step to overriding OSX's default behavior is to tweak the umask.

These two articles provide alternative methods (to the launchctl 000 syntax he gave back then): Note in particular this section from the first link:

Originally Posted By: Apple support doc HT2202
Umask for user applications

In Mac OS X v10.5.3 and later, you can create the file /etc/launchd-user.conf with the contents "umask nnn". Do not include the quotation marks and replace nnn with the desired umask value, such as 027 or 002.

This will set the user's umask for all applications they launch, such as Finder, TextEdit, or Final Cut Pro, and control the permissions set on new files created by any of these applications.

So... have you tweaked your umask yet?
If you run this:

    umask

in Terminal, does the result look like:

    0000

or:

    0022

?

If you haven't tweaked the umask, then you'll see 0022... meaning, you're still running with OSX's default behavior (which itself is a reasonable compromise between somewhat friendly sharing and somewhat secure operation).

Another way would be to use group access and add some ACLs to do the sharing. ACLs can be added via the chmod command in terminal and possibly (to a more limited extent) via Finder Get Info windows. [i don't think Finder can set permission inheritance for example.]

But we have been told very little about your network, so it's impossible to know where to begin. (how are users logging in? as registered accounts or guests? which group do they ALL belong to? what are the precise permissions [including ACLs, if any] on the directory where this file-sharing takes place? what is the pathname of that shared folder? etc).

You seem to think folks can help you without knowing such details. They can't.

Your unwillingness to use Terminal.app hampers both conveying and resolving this situation. In case you change your mind, here is the method i would recommend to tweak the umask...
  1. run this command:

    sudo sh -c 'echo "umask 000" > /etc/launchd-user.conf'

    That will create the file launchd-user.conf in the /etc/ folder, and insert the text "umask 000" inside it.

  2. restart.
[those two steps will need to be done on all Macs from which users will be editing and saving files.]

Obviously, giving 'everyone' write access by default is risky business (by its very nature). Pluswhich, tweaking the umask still potentially leaves us at the mercy of the behavior of the applications themselves. If (for example) Microsoft Office is designed such that it sets its own POSIX permissions every time it saves file edits [i.e., if it deliberately removes world (or group) write access], then the only recourse would be to reset them to our liking... by writing a script and running it manually and/or periodically. [if we knew more specifics about the pathnames to your shared folder, writing such a script would be a piece of cake. Users could run that script by simply selecting it from a menu.]

The best approach is to employ the 'custom group plus ACLs' sharing method... but that will require much more effort on your part (to communicate details of your network's users and shares setup), and likely even more work in Terminal.

-HI-
that's bit over my head and hard to follow Hal, but appreciate the effort.

But then is the fact that the OS, is changing my files everyone back to read only normal?
Great Caesar's post!
Originally Posted By: kevs
But then is the fact that the OS, is changing my files everyone back to read only normal?

If a file's perms are changing, i'd suspect it's due to some application's doing... not necessarily the "OS".

Normally, the umask determines perms on items when they are first created. If we modify those perms and then later edit the file, those perms we set should stick. But a lot depends on how edits get saved.

For example, TextEdit does not save edits "in place". Instead, it creates a copy over in some temp folder somewhere... and when we save those modifications, TextEdit deletes our original file and **moves** that copy from the temp area back to where the original used to be. Such shenanigans can play havoc with metadata. In the case of TextEdit there, one thing that happens is that the group assigned to the document always reverts back to the primary gid of the user saving the change (i.e., back to whichever "group" was tied to the temp folder).

That was a bit complicated i suppose, but my point is that it's probably an app to blame... as opposed to the "OS". [though one could argue that Apple designs both of those in that particular case.]


Originally Posted By: kevs
that's bit over my head and hard to follow Hal, but appreciate the effort.

Not all that hard IMO. In fact, those two numbered steps i gave (run one terminal command and then restart) are really, really easy to do.

--

Edit #2: BTW, there were 6 questions in my previous post... and you didn't answer a single one. [perhaps you should hire an IT technician/administrator full-time.]
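The interaction between the umask and save-by-replace described in the two posts above, as an added example that is not part of the original thread. It models a generic application, not TextEdit or Office code; the function names are hypothetical, and it assumes the application creates its temporary copy with ordinary default permissions.

```shell
#!/bin/sh
# Added example: why "everyone read/write" can revert after a later save.

# Print the 10-character mode string of a file, e.g. -rw-rw-rw-
mode_of() {
    ls -l "$1" | cut -c1-10
}

# Save in place: the same file is truncated and rewritten, mode untouched.
inplace_save() {
    printf '%s\n' "$2" > "$1"
}

# Save by replacement: write a brand-new file, then move it over the
# original. The new file's mode is 0666 masked by the current umask,
# so whatever was set on the old file is lost.
replace_save() {
    tmp="$1.tmp.$$"
    printf '%s\n' "$2" > "$tmp"
    mv -f "$tmp" "$1"
}

# Save by replacement that carries the old mode across: copy the original
# with its permissions (cp -p), rewrite the copy in place, then move it.
replace_save_keep_mode() {
    tmp="$1.tmp.$$"
    cp -p "$1" "$tmp"
    printf '%s\n' "$2" > "$tmp"
    mv -f "$tmp" "$1"
}

# demo UMASK -> prints five mode strings: as created, after widening to
# 666, after an in-place save, after a mode-preserving replace, and after
# a plain replace. Runs in a subshell so the caller's umask is unchanged.
demo() {
    (
        umask "$1"
        dir=$(mktemp -d) || exit 1
        f="$dir/report.txt"          # constructed sample file
        printf 'v1\n' > "$f"
        created=$(mode_of "$f")
        chmod 666 "$f"               # "change everyone to read/write"
        widened=$(mode_of "$f")
        inplace_save "$f" v2
        after_inplace=$(mode_of "$f")
        replace_save_keep_mode "$f" v3
        after_keep=$(mode_of "$f")
        replace_save "$f" v4
        after_replace=$(mode_of "$f")
        rm -rf "$dir"
        echo "$created $widened $after_inplace $after_keep $after_replace"
    )
}

echo "umask 022: $(demo 022)"
echo "umask 000: $(demo 000)"
```

With the default 022 the last column falls back to `-rw-r--r--`, which is the "reverted to read only" symptom; with 000 every new file, not just the shared ones, is born world-writable.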
Hal, that helps a bit understand it all. very helpless we are.
I wish they sold the OS for single people who don't need permissions. but I'll try to get used to having to constantly check if a file can save ok. I'll learn to make it a habit.
Originally Posted By: kevs
Tacit, that went over my head. sorry.
But suffice it to say, let me ask you this.
Permissions issue:

I'm on my home network. My laptop cannot access or save a read only file.

or the email blast same issue I cannot save it.

How do I solve this?

I go back to the desktop and do a command i on the problem file.

I change everyone to read/write. Problem solved. I'm a happy guy.

But here is my main question.

Why, a month or months later, do these files revert to everyone read only? and the cycle continues?


Log onto the desktop with the DESKTOP username and password, not with the LAPTOP username and password. That should solve the problem.
Tacit, thanks!

What am I logging on to? Lost me from the get go.

(sorry for being so lame -- you guys are genius compared to me....)
Originally Posted By: kevs
Tacit, thanks!

What am I logging on to? Lost me from the get go.

You have used the words "network" and "sharing" in some of your previous posts. So... does not the act of 'logging in' also occur within this troublesome scenario at some point? [i.e., when mounting the share.]

Shouldn't it be you who explains to us what (exactly) you're doing in the first place? [i.e., add a little more description so folks can get a better visual of the setup.]
Sorry guys, my fault. Being that it's my intern who is logging on, I did not get my head around that. Ok, so the intern logs on. She sees my network name in the dropdown list.
I then give her the password (no user name), just the password to get online at my house/home business. That's it. Just like when you go to Starbucks or Coffee Bean, you are logged on now to the internet. From there most interns can then get into my designated shared folder. She gets in, but for some reason 3 of the 6 files in a particular folder are not showing on her little Windows netbook. The permissions have been double checked, those files are ok, all say read/write like the other three that are showing up.
The normal practice would be to give the intern an account and password to log onto. The account would be the same account the files are stored under unless the files are on an external drive that is set to ignore permissions and then it could be any account. That way she appears as a normal user on the host system and would have all the privileges of that particular user account.

Just a thought, I know you do not want to invest much, or any, more money into this system, but given what you are trying to do you might consider a Mac Mini Server that comes with Snow Leopard Server installed. It would take a bit more to setup initially, but it would neatly solve all of these permission issues you are having with co-workers, interns, etc. The server software is specifically designed for the task you have in mind, and in the long run could make your life much easier.
Kevs, does your post #15026 belong here in "Permissions Horror, Apple inserting Read only into" or should it be in Issue with someone on Windows getting with my netw?
Cyn, the issues cross pollinate. I'm not sure they are the same.

I do get my Mac automatically making files read only after I've made them read write on the everyone. Still don't know why.

This issue is about my intern can get to a folder with file sharing, but several of the excel in that folder are not showing. it's bizarre.

Joe/Tacit: The intern does not log into my computer. That's not how this works. I have a router -- again it's like going into a coffee shop, you get a single 7 digit password and they are on your network for internet. Then via file sharing I've designated a folder for the intern to access.

Why can she get into the folder and access 3 files but the other 3 don't show?
Thanks all for your great help!

(this may not be solvable, but it's good to ask)
Originally Posted By: kevs
Then via file sharing I've designated a folder for the intern to access.

What folder, where? Name its path (and tell us which "machine" it's on).

Better yet, list that folder via:

    ls -alOe /path/to/the/folder

[you can get the proper pathname using copy/paste (or drag-n-drop) from Finder to Terminal.]


Originally Posted By: kevs
Why can she get into the folder and access 3 files but the other 3 don't show?

The listing i requested might just answer that question... if you're willing.


I don't know if this helps Hal, it's just, ya know:

Volumes/main hardrive/ documents/List/Projects
Couldn't he turn the trick at less cost by upgrading to Lion and its included Server component?
Originally Posted By: kevs
I don't know if this helps Hal, it's just, ya know:

Volumes/main hardrive/ documents/List/Projects

Oh it helps... as it shows to what extent you're sincere about solving this issue. (again, most of my requested info was ignored... so perhaps i should do the same to this thread).
Hal, remember, I'm not that intelligent!

A lot of this stuff goes over my head. Honestly, it may be a Gremlin, think about it, she sees 3 files in the folder but not the other three.

What are the odds you guys, brilliant as you are, are going to know why that is? But I gotta ask, you never know.
Originally Posted By: kevs
Hal, remember, I'm not that intelligent!

A lot of this stuff goes over my head. Honestly, it may be a Gremlin, think about it, she sees 3 files in the folder but not the other three.

What are the odds you guys, brilliant as you are, are going to know why that is? But I gotta ask, you never know.

Yeah but... you won't even run a simple (and totally safe) terminal command to allow us to see anything. You just want folks to guess, based on as little information as possible. Seems most of your "efforts" go into attention seeking, rather than learning and/or problem solving.

i say again:

    ls -alOe /path/to/the/problem/folder

...where "/path/to/the/problem/folder" is a simple matter of copy/paste (or drag-n-drop).

Too much for you?
Too bad.
Originally Posted By: Hal Itosis
i say again:

    ls -alOe /path/to/the/problem/folder

...where "/path/to/the/problem/folder" is a simple matter of copy/paste (or drag-n-drop).


For the benefit of kevs, an admitted 'out of this league'r, how about being a tad more specific yourself? tongue For instance, by giving the exact text to copy/paste into the Terminal window (/path), followed by drag & drop after that text in the Terminal window of the target folder via the Finder?

Keep in mind that for someone who's never done it or has little if any experience with Terminal, this can be quite confusing/scary, particularly when it's not clear exactly what to expect, or when you've made an error, and what (not) to do then.
Since you didn't...

kevs:
  1. Launch /Applications/Utilities/Terminal.
  2. Copy this text and paste it at the prompt, i.e. the little grey bar that comes after kevs$.
    Code:
    ls -alOe
  3. Type a single space after the pasted text.
  4. Drag the folder in which your files are into the Terminal window (and its path will automatically be entered).
  5. Hit "Return."
  6. Copy Terminal's results.
  7. Paste them into a reply post.
Now, let's see. tongue
I know you two are really into the Terminal. For me something has to be life and death to take terminal commands on faith with no context or explanations -- as it's so draining.
...it's less draining if you just think of it as following a recipe to bake a cake.

You've gotten some very thoughtful and detailed suggestions that will provide an insight into your long-standing issue with permissions....what have you got to lose?
If you haven't heard of it before, you might take a look at Bwana, which brings the man (Unix manual) pages to your browser and will enable you to understand Terminal commands that have been posted so you don't have to take them on faith.
what is man page.

also, there is the idea -- do you really know this will work?

The "man pages" are the UNIX manual that is stored on your HD as part of OS X; in it you can look up the functionality of commands and their options.

For instance, Hal posted

Code:
ls -alOe

in which "ls" is the command and "alOe" are the options; this is how man describes "ls" (We'll ignore the options for now.):

Quote:
NAME
ls -- list directory contents

> also, there is the idea -- do you really know this will work?

Terminal is pretty straightforward; you enter a command and it either runs and generates results or tells you "No such...."

So to answer your question, yeah; it works by default as long as you enter a correct command. (But you always want to copy and paste your commands!!!)
The 'man' page stands for the (Unix) 'manual', which is built into Mac OS X, but only accessible via this route (that is, without a 3rd party GUI).

At this point we need information about the problem, so that its nature becomes clear(er). That information will then either suggest a solution, or another question to pinpoint things further. This approach is time proven and will work.
Originally Posted By: kevs
also, there is the idea -- do you really know this will work?

What do you mean by "work"?

All it's supposed to do is produce a list of the items in that folder. The intent is simply to provide us with detailed information about the ownership & permissions on those items (that goes way beyond Finder's measly Get Info window), with which to answer the question you asked. [or at least supply some food for thought]
