hoakley June 27, 2019 Macs, Technology

Permissions, preferences, problems, and two updates

Permissions are a fundamental protection for all files and folders in macOS. They’re not sufficient any more to keep your system files safe, though, so Apple introduced System Integrity Protection (SIP), which in Catalina is going to make its new system volume read-only. Permissions occasionally get in the way of your work, when you try to write to a file to which you have only read-only access. Where permissions can cause more significant problems is with preference settings.

Almost every app has its own preference settings, which are generally stored in the Preferences folder of your Home folder Library, ~/Library/Preferences, although general settings for all users are kept in /Library/Preferences. Most apps don’t access those Property List files directly, though: macOS provides a service cfprefsd which handles that for them. That’s why trying to make changes directly in a preferences file is often doomed to failure, as any changes you make are likely to be overwritten by cfprefsd, unless you make them using the command line in Terminal.

When an app or service gets locked out of its preferences, typically by their permissions being changed, that can have troubling side effects. Apple gives the following as examples:

changes to preference settings, particularly those for System Preferences, do not ‘stick’;
changes made to the Dock do not ‘stick’;
you are asked to authenticate when trying to move or alter some folders in your Home folder;
when trying to save, you are told that the file is locked, or that you don’t have permission;
Preview, TextEdit, and App Store apps (which are sandboxed) may crash when opened;
alerts warning that the startup disk has no more space available for app memory;
Safari or SafariDAVClient use large amounts of resources (memory);
your Mac runs very slowly;
iTunes cannot sync a device;
problems with Photos or iPhoto libraries, including inability to import into the library, or forgetting the library each time the app is opened.

Before Apple introduced SIP, a common way to fix other problems with the system was to repair permissions, which then meant your Mac setting correct permissions on its system files. With SIP, those should never get changed, and traditional repair of permissions ceased.

However, that long list of symptoms arising from changed permissions on your preference files now forms good grounds for a different type of permission repair: repairing permissions in your Home folder instead. Apple details this procedure for Sierra, High Sierra and Mojave in this note, which has recently been updated.

Since Apple has been recommending this, many users have found the new repair of permissions has solved otherwise intractable problems. But if your problem is not one of those listed, don’t have high expectations. Performed properly, it shouldn’t do any harm, as it only sets permissions to what they should be. The diagram below explains what, why, and how.

There are a couple of issues arising from this.

First, if you check permissions on ~/Library/Containers and ~/Library/Group Containers, you’ll always find many items which the current user can’t read or write. This is because these folders contain the sandboxes of apps distributed through the App Store, and other sandboxed apps. Those apps are restricted to their individual sandbox, so within each of those containers is a whole nest of links to other folders, including back to ~/Library itself. If you follow those links, as my utility PermissionScanner does, you will see many files in locations where you shouldn’t have write permissions, for instance. That is perfectly correct, and when repairing permissions any changes shouldn’t propagate out into those containers.

The other issue is also not mentioned by Apple: global preference settings and other key files which are kept in /Library. Incorrect permissions on preferences and other settings files there can also cause problems, such as stuck system keyboard settings which are used when logging in. Apple’s procedure doesn’t cover those, but you can use PermissionScanner to discover problems, then correct them in the Finder or at the command line.

I have two apps to help you repair permissions in this new way, and both have just been updated. They’re PermissionScanner, which checks and reports permissions but doesn’t try to fix them, and RepairHomePermissions, which walks you through Apple’s official fix and saves you having to use the command line.

Important: before using either of these in Mojave, you must add them to the Full Disk Access list in the Privacy tab in the Security & Privacy pane. If you don’t, they won’t be able to work properly.

PermissionScanner 1.4 is a general-purpose tool for checking permissions in the following locations:

~/Library/Preferences
~/Library/Preferences and individual preferences files in ~/Library/Containers, ~/Library/Group Containers and ~/Library more generally
~/Library as a whole
the whole of your Home folder
/Library/Preferences

In each folder, you can look for those files for which you don’t have read and write access, or read access. This allows you to correct any stray permissions manually when needed to fix problems.

Version 1.4 now checks it own code integrity, checks for updates automatically, has variable text size, and several other improvements. It’s fully compatible with macOS Sierra, High Sierra, and with Mojave, and is available from here: permscan14
from Downloads above, and from its Product Page.

RepairHomePermissions 1.2 is the tool to step through Apple’s recommended process for repairing permissions on your Home folder without using Terminal.

It starts by showing you how to set and propagate correct permissions in your Home folder. Once you have done that, click on the Repair Permissions button. This automatically works through the sequence of commands recommended by Apple to complete repairing permissions, saving you from having to use Terminal.

This version has code integrity checking and links to its Product Page, but doesn’t support automatic checking of updates (as those are infrequent), and is fully compatible with Sierra, High Sierra, and Mojave. It’s available from here: rhpb12
from Downloads above, and from its Product Page.

17Comments

Add yours

1

Alec on June 27, 2019 at 3:11 pm

Thanks for the apps. And a not to other potential users: it has come as a surprise to me that after running RepairHomePermissions Time Machine is now backing up 120GB of my home folder. Inheriting the existing backup and associating the disk as described here https://www.baligu.com/pondini/TM/B6.html did not reduce the amount that needs to be re-backuped.

LikeLiked by 1 person
- 2
  
  hoakley on June 27, 2019 at 4:41 pm
  
  Thank you.
  Yes, this is why I made PermissionScanner. It’s more work, but I prefer to scan just the preference files, then manually correct any permissions which might be required. However, that isn’t Apple’s official recommendation, and does take more personal effort.
  Howard.
  
  LikeLike
  - 3
    
    Alec on June 27, 2019 at 6:01 pm
    
    I first used PermissionScanner. And it showed me a couple of files without write access in ~/Library/Preferences. ls -al showed them with the regular -rw-r–r– and owned by my user, without any differences to most other files in that folder. As the mismatch of the app telling me that there are issues and myself having no clue how to fix these issues in the terminal (as they did show a rw flag for the user), I ran RepairHomePermissions.
    
    By the way, while the console had a note that 120GB will have to be rebackuped, Time Machine actually spent the last 5 hours “preparing backup”, with a very constant 150KB/s upload to the NAS and 50KB/s download. I assume it’s comparing some checksums – if I’d only know why it’s doing that so slowly, neither the NAS nor the MBP show a high cpu load, and sudo sysctl debug.lowpri_throttle_enabled=0 didn’t change anything either. I’m prepared to have this laptop spend another 12 hours doing whatever it’s doing. Oh how I hate Apple’s neglectance of Time Machine, at least they could have improved the status messages in the past decade.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on June 27, 2019 at 6:07 pm
      
      I presume that you had added PermissionScanner to the Full Disk Access list before running the scan?
      What were the original problems which prompted you to seek this solution?
      It sounds like TM is running a deep traversal scan, which does sometimes happen. Is it backing up from an APFS source, or HFS+? You can sometimes get info about this from T2M2, although it’s not normally intended to be used using a backup.
      Howard.
      
      LikeLike
  - 5
    
    Alec on June 27, 2019 at 6:10 pm
    
    A few minutes after posting my comment Time Machine now started backing up 120GB. I’m clueless why, as for 99% of the files RepairHomePermissions should not have changed anything, and for the other 1% only permissions changed. Still Time Machine considers my entire users folder as completely new. Sigh.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on June 27, 2019 at 6:12 pm
      
      Hurrah for the backup!
      My fingers are crossed for you.
      Howard
      
      LikeLike
  - 7
    
    Alec on June 27, 2019 at 6:52 pm
    
    As for your questions: yes, I gave both apps full disk access. The drive is APFS formatted, its a MBP running 10.14.5. The issues that led me to run RepairHomePermissions was that PermissionScanner showed com.apple.mail-shared.plist, com.apple.homed.notbackedup.plist, com.apple.universalaccess.plist and com.apple.homed.plist as not writable. And when checking the entire home library, the app shows 2708 files out of 114786 scanned as not writable – most of them in …/Containers, but about 5% in other folders. So I ran RepairHomePermissions. Which didn’t change a lot, I’m still getting the same result of unwritable files (I didn’t compare these 2708, but the list looks quite similar, and the four “Home Preferences” files are the same as prior).
    
    LikeLiked by 1 person
    - 8
      
      hoakley on June 27, 2019 at 8:08 pm
      
      So, before running either of these, did your Mac have any of the signs that there was a permissions problem, as listed?
      Interestingly, those files listed are those which are protected by Mojave’s privacy protection. Are you sure that PermissionScanner did have Full Disk Access at the time of that scan? (If you try adding it while the app is running, you have to quit the app, then open it again for that change to take effect.) If you disable it in Full Disk Access, those are exactly the files which appear as not being writable, because that’s the response that is given when you try to check their permissions programmatically.
      As I write in the Help book, you expect lots of the contents of /Containers and /Group Containers not to be writable, as those are the containers used by sandboxed apps, and their permissions can’t (and shouldn’t) be repaired. The Home All Prefs scan, or just the Home Preferences scan, are those that I recommend there. That said, Apple’s repair routine covers all the folders and files which it can access in your Home folder, which is why so many have changed for the purposes of backup.
      I suggest that you ensure that you have quite PermissionScanner, and check Full Disk Access again. If it is definitely there and ticked, authenticate and try removing it and adding it again before opening the app. Then run Home Preferences and Home All Preferences scans and see what they return. The former should be completely clear, and the latter may only have one or two oddballs if you have Xcode installed, otherwise should also be clear.
      Howard.
      
      LikeLike
  - 9
    
    Alec on June 27, 2019 at 8:30 pm
    
    Uh oh, I just realised I didn’t grant full disk access but accessibility controls. I didn’t check properly what was selected in the left pane, I guess I need more sleep. Now Home Preferences and Home All Preferences are both clear. Home Library still shows files, but other than Containers its only two apps in Application Support and a few files in Saved Application State.
    
    Thanks a lot for asking if I really set the disk access.
    
    As for the problems, there was/is one: Safari is using rather large amounts of memory (which isn’t released when closing tabs, so I have to relaunch it every day or so). So I thought I’d try solving the issue this way. We’ll see if it changed anything, as I just rebooted the system it’ll take some time.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on June 27, 2019 at 8:33 pm
      
      I’m so sorry – it’s easily done. I will improve the Help book to alert other users to this.
      However, apart from the time that you have spent, this shouldn’t have done any damage, and maybe – once you and your MBP are feeling more refreshed – maybe it will have fixed Safari for you.
      Howard.
      
      LikeLike
    - 11
      
      Alec on June 27, 2019 at 9:27 pm
      
      Thanks for your kind words!
      
      LikeLiked by 1 person
12

Gerald on June 29, 2019 at 9:11 am

Howard,
I am experiencing the « startup disk reports no free space for app memory » problem that renders my 32 GB RAM / 700 SSD Mac Pro barely useable.
It has about 200 GB free space available.
I’ve tried every repair I could – thank you again for your valuable work –, restored from Time Machine, reinstalled macOS over itself, with no luck.
Repairing permissions always fails with the expected error code, no matter if I run each steps more than once, with or without SIP.
I’ve checked against real free storage space with terminal my APFS volumes (containers) and of course they are fine.
When running out of app memory, console is often filled with « no space left on device » errors, apps wouldn’t save they status, spotlight would need to Rei des at next boot, and other niceties.

Truth be told: I am running that late 2013 Mac Pro with a custom made fusion drive using the internal flash storage plus an external thunderbolt SSD. I’ve been using it for years and never ran into any issue related to storage.
Issue is relatively new.

Now I am clueless with no more cues to where to look.

LikeLiked by 1 person
- 13
  
  hoakley on June 29, 2019 at 9:55 am
  
  Is the external SSD bootable? I presume that you’re running 10.14.5.
  I’d be tempted to try making/using a bootable external disk, and seeing if the problem persists with that. If it does, it points the finger at your ‘fusion drive’. It might be worth backing it up completely and starting from scratch with a freshly-made ‘fusion drive’ in 10.14.5. That’s a lot of work, though.
  Howard.
  
  LikeLike
14

Gerald P. on June 29, 2019 at 11:05 am

Howard,
Thank you for your reply.
My external SSD has no other role than being the sidekick to my internal SSD as a fusion Drive.
I became wary of it, and did not like the « converted to APFS by… » string in Disk utility, so in between two attempts to solve that problem I erased the volume and formatted it as APFS to get rid of the « conversion » and restored with Time Machine. Now it’s plain APFS.
Yet you’d be right to point out that it’s still an « old » Fusion drive.
Problem is I don’t think I have seen much talk about the « new » Fusion Drive, how it works differently from the previous one, and how to build it.
As an avid documentation scouter, did you run into such technical explanations?

One more lead maybe: Mac Pro have ECC memory. So they should not crash with memory related issue if I’m correct. Could my issue actually be a symptom of what is happening in your opinion? It’s been upgraded with OWC certified memory but as far as I remember that problem existed before I upgraded it.

And one possible clue: it happens a lot when I capture many live streams with youtube-dl at the same time, like if Terminal history was killing it off because of the huge scrolling history within each Terminal tab.
Again thank you for all your work and attention.

LikeLike
- 15
  
  hoakley on June 29, 2019 at 2:29 pm
  
  Apple’s only documentation of use here is its APFS reference, which only describes Fusion Drives very briefly. They are used quite differently in APFS, with the SSD acting as a cache for the HD. I’m not convinced that there’s any advantage to using them together like that, rather than managing them separately, but I could be wrong.
  I suspect that your crashes are related, but that would be difficult to investigate without good log excerpts, which are possible retrospectively with Consolation.
  Howard.
  
  LikeLike
  - 16
    
    Gerald P. on June 29, 2019 at 4:17 pm
    
    thank you for your reply Howard,
    That’s what I read so the purpose of having two SSDs with a new Fusion drive doesn’t make much sense.
    I’ll probably try to Carbon Copy to an external drive to test that out and try to narrow the issue down as well as try with my old memory kit.
    
    I tried the logs but the problem appears so randomly that I don’t know where to begin with exploring the logs.
    
    Anyway thanks a lot for your input.
    
    LikeLiked by 1 person
17

cade on August 9, 2019 at 12:40 am

Howard — Safari 12 was running super slow & cpu hog on Sierra/imac late 2015 5k/ after most recent update to 12.1.2 — repairing home permissions (running RepairHomePermissions 1.2) seems as of this session to have done the trick. Still a memory hog this.

LikeLiked by 1 person

·Comments are closed.

Share this:

Related