how to fix permissions (Permissions Pt 2)
Posted by philastokes
(This post continues from here on file permission problems.)
Did you know there are two levels of permissions on your Mac: user level and system level? Most discussions of fixing permissions only discuss the latter, but you may also need to fix the former (also sometimes called ‘ACLs’) for some problems caused by upgrading to Lion on top of Snow Leopard.
4. System Level Permissions
You can safely repair your system level permissions at any time, and doing it once in a while is a good maintenance activity even if you’re not experiencing any problems. It’s also the first thing to do as soon as you notice problems with apps launching or with file access, or if your computer seems to be running unusually slowly.
How to do it:
— 1. Go to Applications > Utilities > Disk Utility.app and double click the app to open it.
— 2. Click your HDD icon in the left column (if you have more than one, click the one that contains your startup disk).
— 3. If it is not already selected, click on the ‘First Aid’ tab. Choose the ‘Repair Disk Permissions’ button near the bottom of the window (see the larger of the two windows in the screenshot above).
— 4. Wait for the process to finish (it could take ten minutes or more), then quit Disk Utility. You can ignore most of the error messages that appear unless they’re in red.
5. User Level Permissions (ACLs)
These permissions apply only to your ‘Home’ folder and its contents, and if you have more than one user you will need to do this procedure for any user experiencing a problem. However, unlike system level permissions, repairing ACLs isn’t something you should do unless there is a specific issue to be solved. Problems that this repair might help with include permission conflicts inherited from an earlier Snow Leopard or Leopard installation, such as Finder always asking for your password when you try to delete, move or copy a file.
To reset the ACLs in Lion: (To reset the ACLs in Leopard/Snow Leopard have a look here.)
— 1. Remove the current ACLs by opening Terminal.app (Applications > Utilities > Terminal.app) and copying and pasting this command:
sudo chmod -RN ~
Press return. You’ll be asked for your password. Notice that when you type it in you won’t see anything on the screen. Press return again. If you get an error message, you probably didn’t type in your password correctly. Repeat this step until it’s accepted. It will take some time to complete. Then paste this command into Terminal also:
sudo chown -R `id -un` ~
and press return. Enter your password again if necessary.
— 2. Press the Power button on the computer and choose ‘Restart’. When the screen goes blank, hold down the ‘command’ and ‘R’ keys on the keyboard until you hear the start up chime. In the menu bar at the top, choose Utilities > Terminal
— 3. At the Terminal prompt type
resetpassword
Then hit ‘Return’
— 4. Forget about resetting your password; what you’re looking for is your hard disk icon at the top. Hit that, and then from the drop-down menu select your user account.
— 5. Go to the bottom of the dialogue window – leaving all password fields blank – and choose ‘Reset’ under ‘Reset Home Folder Permissions and ACLs’ (see the smaller of the two windows in the screenshot above, inside the red dotted line).
— 6. When the process finishes, quit everything and restart your Mac. 🙂
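A read-only pre-flight for step 1, added here as an example (it is not part of the original post): it saves the current ACLs to a file before `chmod -RN` strips them and counts what the two commands will change. The function names, the `acl-before.txt` file name and the sample listing are assumptions constructed for this example; `ls -leR` and `find -flags` are the macOS forms.

```shell
#!/bin/sh
# Added example, not from the original post. Read-only pre-flight for
# `sudo chmod -RN ~` and `sudo chown -R ... ~`: shows what they will change.
# Function names and acl-before.txt are assumptions made for this example.

# Constructed sample of `ls -le` output (macOS format), for offline use.
sample_listing() {
cat <<'EOF'
total 0
drwx------+  3 phil  staff  102 Nov 29 09:14 Desktop
 0: group:everyone deny delete
drwx------@  5 phil  staff  170 Nov 29 09:14 Documents
 0: group:everyone deny delete
 1: user:_spotlight inherited allow list,search
-rw-r--r--   1 phil  staff   12 Nov 29 09:14 notes.txt
EOF
}

# Read an `ls -le` listing on stdin; print "<ACE count><TAB><name>" for each
# entry that carries an ACL. Counts the ACE lines under an entry instead of
# trusting the '+' marker, because ls prints '@' (extended attributes) in
# place of '+' when an entry has both.
acl_report() {
  awk '
    function emit() { if (name != "" && aces > 0) print aces "\t" name }
    /^ [0-9]+: / { if (name != "") aces++; next }
    { emit(); name = "" }
    NF >= 9 && $1 ~ /^[-dlbcps][-rwxsStT]+[@+]?$/ && $2 ~ /^[0-9]+$/ {
      name = $0
      for (i = 1; i <= 8; i++) sub(/^ *[^ ]+/, "", name)
      sub(/^ +/, "", name)
      aces = 0
    }
    END { emit() }
  '
}

# Entries under directory $1 whose owner is not numeric uid $2: the set that
# `chown -R` will actually change.
not_owned_by() {
  find "$1" ! -uid "$2" -print 2>/dev/null
}

# macOS only: save the ACLs before they are stripped, then summarise.
preflight() {
  home=$1
  ls -leR "$home" > "$home/acl-before.txt" 2>/dev/null
  echo "entries with ACLs:    $(acl_report < "$home/acl-before.txt" | wc -l)"
  echo "entries not yours:    $(not_owned_by "$home" "$(id -u)" | wc -l)"
  # Locked files are what made chmod -RN report "Operation not permitted"
  # for readers in the comments on this post.
  echo "locked (uchg) files:  $(find "$home" -flags +uchg -print 2>/dev/null | wc -l)"
}

if [ "${1:-}" = "--run" ]; then
  preflight "$HOME"
fi
```

Run with `--run` on the Mac before step 1; without arguments the script only defines the functions, so `sample_listing | acl_report` can be tried anywhere.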
About philastokes
Independent Software Developer, Technical Writer and Researcher at SentinelOne. Explaining the unexplainable with images, video and text. Scripting anything imaginable in AppleScript, Bash, Python and Swift.
Posted on November 29, 2011, in Finder, OS X Lion, Snow Leopard, Trash. 56 Comments.
Hello!
I made a real rookie mistake by following some bad online advice while attempting to install some drum software. I’m pretty sure that your ACL reset instructions are what’s called for, but maybe you can figure out what I did exactly. This occurred on an iMac running 10.7.4 Lion:
Logged in with a standard user account “User”, I selected the entire HD volume, and opened the GUI with “Get Info”. Under Sharing & Permissions, I added “User” to the list, granting it read and write permissions, as well as selecting “Apply to enclosed items”. So, these new permissions were getting applied to every file on the HD. But then I start seeing kernel extension errors (System/Library/Extensions), stating that they are no longer functioning – important ones, like the kext that controls writing to external devices, etc. I ran Disk Utility/Fix Permissions several times, and no longer see the kext error messages, but I don’t think I’m out of the woods. I couldn’t use “ditto” to copy my user folder to external HD – had to manually drag it over.
I know I added a permission to the files, but why would it break the extensions? Shall I go ahead and boot into the recovery partition and reset ACLs, or is there anything else I need to do first? Can I perform this from my recovery drive, or do I need to boot from Lion on an external bootable USB drive? Would it be as simple as going back to “Get Info” and just removing my “User” account from the Sharing & Permissions list?
Or (heaven forbid), have I truly broken my system and need to reinstall Lion?
Thanks for your help!
This issue is discussed in detail here:
https://discussions.apple.com/thread/3578673
Perhaps you could help.
I was repairing permissions via disk utility and making sure there was no corruption on my drives using disk repair. Please note: This is a Macbook pro with a second HD installed and the user folder is on the second drive.
One thing I did, which seems like a dumb idea now that I think about it. I verified the boot drive (repair was greyed out) but the user/2nd HD I clicked repair, which unmounted the drive briefly. All seemed okay. Then I booted from my utilities drive to disk warrior both drives. No issues with the drives (I also checked S.M.A.R.T. and it said all is good). I rebooted and everything is fine until I log in. Then the computer is unusably slow. I’ll try to open activity monitor and it might take 10 minutes. There’s very little CPU activity (it’s not UDP hogging the CPU).
I forced a shutdown and rebooted. I then booted and logged in as another user, and all is fine (the other user is not on the 2nd HD).
In safe mode, I’m fine logging into the main user account on the 2nd HD. The only thing I installed yesterday was the latest version of JAVA. I don’t believe I restarted after the install but I really doubt it’s that.
Looking at the console I see a lot of disk1s2: I/O errors. But not in safe mode or when I’m logged in as the other user.
Any ideas would be greatly appreciated!
Thanks for such a detailed description on how to do this – I’ve followed along.
I get a zillion errors but patiently waited (2 days to complete both terminal commands).
Like Phil Stokes, my real problem came when running the resetpassword from the terminal window after booting in recovery.
Unlike Phil, I am not using FileVault2 but still, I don’t get a disk in the top area to select so I can then select the user. Any ideas?
Much appreciated.
Kind Regards,
I’ve installed the latest version of Mac OSX Mountain Lion. Are the steps the same?
Yes.
Thanks for such a detailed description on how to do this – I’ve followed along.
I did get some errors for both of the terminal commands.
My real problem came when running the resetpassword from the terminal window after booting in recovery.
The smaller window pops up but I don’t get a disk in the top area to select so I can then select the user. Any ideas?
Much appreciated.
Kind Regards,
Hi Robert,
have you got FileVault 2 enabled?
Hi Phil, Yes I do have filevault2
If FV2 is on you need to mount the volume and provide the FV2 password BEFORE you can see the disk in the ResetPassword window.
In the main Lion Recovery utilities menu, you’ll notice the last choice is “Disk Utility”. Click on that and mount the FV2 volume. After providing the password, exit Disk Utility and go back to Terminal, type ‘resetpassword’ and you should be good to go.
🙂
Perfect – It worked like a charm – I feel like I’ve got my Mac back.
Big thanks for your help. It is much appreciated.
Kind Regards,
Thanks to you too! I will update the post over the weekend to take into account FV2 users.
TBH, I hadn’t thought of that till you mentioned it, so thanks for the feedback.
🙂
Like Robert, I too cannot see a disk in the reset password window. Unlike Robert, I am not using FileVault2. When I run Disk Utility, diskOs2 is greyed out and not mountable. When I go use Startup Disk, no disk appears in the window. When I try to restore from a Time Machine backup, I find that there is no disk to restore to. I am running out of options to try. Everything was working fine until I restarted holding command R following your instructions. Any help would be extremely appreciated.
Thanks
Mark
A bit of interesting and useful trivia about Recovery and FileVault2: If you hold down ⌘-R to boot from the recovery partition, it prompts you for your FV2 password, and mounts your hard drive.
But if you hold down the Option-key, and manually select the recovery partition, it doesn’t do that.
Moral of the story: Always use ⌘-R to boot from the recovery partition.
Opt-Cmd-R is used to force the machine into Internet recovery directly (for those whose machines are compatible with that). It won’t mount your FV-2 protected HD, it’ll just overwrite it if you chose ‘reinstall OS X’. Be careful!
Phil,
I read a discussion about an undesirable side effect of “Reset Home Folder Permissions and ACLs”. The discussion is here:
https://discussions.apple.com/thread/3198307
The problem seems to affect mainly Time Machine users like me who had a user account in Tiger (OS 10.4, 2005-2007) and who migrated that account through Leopard to Snow Leopard to Lion. When such a user tries to restore a folder from a Time Machine (“TM”) backup, TM restores the folder but it does not restore any files that were inside it. An error alert appears saying: “The operation can’t be completed because you don’t have permission to access “.
Note that you can still restore individual files. You can even restore sets of sister files using shift-select and command-select. But you can’t restore files by restoring their containing folder.
This limitation will be a problem if you are trying to restore a large hierarchy of folders and files or if you need to restore an entire drive after a catastrophe.
I experienced the failure on some folders but not others. In my small number of tests, I could restore folders from backups dated before I used the procedure but not from folders from backups dated after I used it. If that pattern holds, then the problem will get worse over time in that more and more of my backups will have been made after this week and thus affected.
In Time Machine or in the Finder, you can open a Get Info window for any file or folder in any backup. When I do that and look at “Sharing & Permissions”, some folders and files have a proper user entry and a proper “everyone” entry but an improper group entry. Instead of the standard Lion group name (“staff”), the “Name” column says either “admin” or “Fetching…”. These improper entries seem to appear in the older backups, which is logical. But these are the very backups that don’t exhibit the restore-folder problem. That seems illogical to me.
Now I can see why you didn’t recommend this procedure to people not experiencing certain kinds of problems. I was experiencing such problems, and they do seem to have improved. But I miss the ability to restore a disk from a recent backup. 😦
Unless I learn of a better fix in the next few days, I plan to create a new volume and make Time Machine use that volume to create a brand new database. That should let me perform disk restores in the future. To enable restoration of individual files from backups that exist today, I will keep my current Time Machine volume intact but not connected with the Time Machine utility. I will have to use Finder (not “Enter Time Machine”) to navigate through the TM volume hierarchy to the desired file, but that will be a minor inconvenience.
Larry
Great feedback. Thx Larry! 🙂
Thank you, Phil. It had never occurred to me that fixing permissions in Disk Utility would not repair Home folder ACL’s.
Because my Mac Mini has been sluggish since I upgraded from Snow Leopard to Lion, I decided that I’d try what you suggested today.
The result: Some things (Safari, Address Book and running many applications at the same time) seem faster. Mail is very slow, but I suspect that’s a temporary networking issue because it was slower than usual today before I began the procedure.
The Reset Home Folder Permissions command in resetpassword took less than five minutes. I doubt it should ever take hours for anyone unless something is very wrong.
I did have some problems performing the procedure:
(1) sudo chmod -RN ~
Like stevenjklein, I got two “Failed to clear ACL” errors. One was on the same file as one of his (ubiquity.socket). I could not find that file, but I found one called ubiquity.socket.server.lck in Library/Application Support/Ubiquity. The other was on a locked text file, which I proceeded to unlock.
(2) chown -R `id -un` ~
For hundreds of folders, Terminal listed an “operation not permitted” error on a lot (maybe all) of the non-folder files within it. I see nothing in common about the problematic folders.
Questions:
– Why is it necessary in Step 1 to change the owner and group of every Home file to me and my group (the ‘staff’ group)?
– Doesn’t Reset Home Folder Permissions in Step 5 do that?
– Why didn’t you use sudo with chown? The chown manual says that only the superuser can change a file owner. Note that Steven used sudo with chown.
I love your helpful site.
Larry
Hi Larry
Thanks for the feedback, and those are good questions! I’ll try to answer them as best I can.
Hmm, actually I need to look into this more. From what I can tell, chmod ‘removes’ ACLs and the Reset Password utility ‘resets’ them. Not sure what the difference is now you ask. I’ll see if I can find out more.
Yes, it does need sudo, but since you’ve just authorized sudo with Step 1, technically, there should be no need to do it again. That’s why I didn’t include it. However, I overlooked the fact that Step 1 takes some considerable time and sudo authorisation will probably time out by the time it has finished. I believe that’s why you’re getting the permission denied errors. Try it again if you haven’t already with sudo.
I’ve changed the post in light of your feedback. Thanks a lot for helping me to see the problem with Step 2!
OK, managed to get the answer to this thanks to the Apple Developer forums. Have a look here:
https://discussions.apple.com/message/18792445#18792445
(thanks to Red_Menace for his help :))
Phil,
I tried it again but used sudo before chown. Only two files reported errors, not hundreds.
Address Book and Mail run noticeably quicker, but that may or may not be due to the procedure.
Larry
What if my user files are in a different drive than the boot drive? The resetpassword procedure only shows my boot drive, not the drive on which the user home directories are. Any help will be appreciated.
Hi John
If you select the boot drive, does your user name appear in the drop-down menu below it? That’s what I’d expect to happen, regardless of which physical drive they’re on – it should show the user accounts for that installation.
Phil, I tried it per your instructions. After about 4 hours with no response, I cancelled it. I checked my home folder and it looks as if nothing has changed. I do not have a specific problem with my system, except when importing some pictures into Aperture, when the pictures get rwxrwxrwx permissions. I hate having anything on my system with such permissions, and I hate manually changing the permissions after every time I import the pictures, that’s why I thought there might be something wrong with my ACLs. I’ll give it another shot tonight, before going to bed, admittedly my home folder is kind of large, 443GB with lots of folders underneath, so maybe it needs more time?
Thanks, guys. Yes, once I had clear instructions to follow, it worked fine.
Thanks
Jay is right that there is an ambiguity in the instructions. Thanks, I’ll fix that pronto.
Steven, thanks for your help (triplet 5-yr olds! Wow!!). 🙂
Recently fell victim to installing MacKeeper and immediately realized I had made a huge mistake. Went through your instructions and completely repaired System Level Permissions w/o a problem. Then, I began trying to repair User Level Permissions (ACL’s). In attempting to follow your instructions to Reset ACL’s In Lion, I can’t get past step 2.???:
“2. Restart the computer holding down ‘Cmd-R’ until you hear the start up chime. In the menu bar at the top, choose Utilities > Terminal”
Do you mean “Command” + “Capital R” or “Command + Return”? I tried every combination & heard a chime. However, the computer did NOT restart and there was no menu bar for Utilities>Terminal????? Where is this menu bar supposed to be appearing from? There’s a pull-down menu called “Terminal”, but nothing called “Utilities”? I’m stuck at this point & cannot progress forward?
I’m on a MacBook 13-inch, Early 2008. 2.4 GHz Intel Core 2 Duo. 2GB Memory, running Mac OS X Lion 10.7.3 (11D50b)
Help!
Hi Jay
Use the ‘command’ key and the letter ‘R’ key (not the ‘return’ key). Hold these down until you get a screen that has a box in the middle offering you various options such as ‘Reinstall OS X’ etc. Ignore this box and look at the top of the screen, where the normal menu bar is. It should have only three or four, one of them ‘Utilities’. Click on that and choose ‘Terminal’ from the menu.
Thanks, Phil
I figured out the “Command + R” thing. I held them down forever and forever…..but that screen to which you refer never appears? I know it’s the box with the red dotted outline at top of your article. I guess I’ll go back & try it all once more, holding down those keys for even longer.
Appreciatively,
Jay
That box won’t appear from doing ‘Command -R’. You get to that box by choosing ‘Utilities’ in the menu at the top of the screen. So, let’s try this again:
1. Restart the computer, holding down ‘Command’ and ‘R’ keys.
2. When you see something that looks like a minimal desktop, look at the top of the screen. Do you see the word ‘Utilities’ in the menu bar?
3. If yes, click on it. From the drop down menu, choose ‘Terminal’.
Does that work?
First, holding down “Command -R” does NOT restart my computer. It makes a bell ring & the pull-down menu called “Shell” flashes. That’s it. No restart, no minimal desktop. Nothing like that ever appears. ??????
Jay, he didn’t say Command-R restarts the computer. You really need to read more carefully.
Restart your Mac WHILE holding down Command-R. (You can actually just restart normally, so long as you start holding down Command-R before it starts to reboot.)
Steve, you and Phil really need to write more specifically (i.e. – “WHILE” holding down Command-R key). That’s all I’m saying.
Thanks for the clarification, albeit unnecessarily condescending & insulting.
Sorry, Jay. I have four kids, including triplet 5 year olds, and they already used up my daily allotment of patience. Please forgive me.
So, did it work?
Hi Phil,
Am using Mac OS X 10.6.8. Followed your procedure but couldn’t delete MacKeeper from backups on Time Machine. Got the message that backups can’t be deleted. How do I fix this? Also, do user level permissions need to be repaired on my OS?
Machine quite slow and keep getting spinning wheel every time I try to do something. Thanks for your help!
Thanks for these updates, Steven. Keep ’em coming!
First, I should mention that the correct permissions for a user’s home folder are 755, but the correct permissions for almost everything inside is 700. After I reset my permissions (using the excellent BatChmod utility), I again tried your two commands:
sudo chmod -RN ~
chown -R `id -un` ~
Then I booted to the Lion recover mode, and tried to reset the ACLs again.
Success!
It did take a long time. After about 10 minutes it was still running, and I walked away. When I came back an hour later, the button said “Done.”
Thanks for your patient assistance!
Good news, Steve, and thanks for sharing your experience. I’m sure it will help others.
Agree that Batchmod is an excellent utility, though I’ve been reluctant to recommend it on my Free Downloads page as I’m not sure it’s the sort of utility people should use unless, like yourself, they clearly have some idea of what they’re doing.
I just solved part of the problem with this: sudo chown -R sklein:admin ~
Now, when I create a new file or folder, it has the correct permissions. I’m the owner, admin is group, and the permissions are 755.
Also, the mystery regarding the files from the FAT32 flash drive was solved: Those files were locked! I didn’t need them anymore, so I deleted them.
Now I’m going to try and reset the ACLs again.
Here’s an update:
#1: No, I hadn’t repaired Disk Permissions first. I’m doing that now.
#2: For some strange reason, my user account was not a member of staff. I fixed that.
#3: For some other strange reason, my primary group membership was 503. There is no group 503. I changed it to admin. (My user ID is 503; I don’t recall how that happened since the first user account on a new Mac is usually (always?) 501.)
I’m a Mac consultant who usually spends his time troubleshooting problems like this for other users. It’s pretty rare that I get stumped, and for some reason it seems even more frustrating that it’s on my own Mac!
I’ll check back in when I have a resolution to the problem. If you don’t hear back from me, that means I haven’t fixed it yet!
Thanks Phil. I’m ‘following’ you now.
FWIW, my problem is not solved after all. I ran both commands you mentioned, rebooted to the Recovery partition and clicked the “Reset” button next to “Reset Home Folder Permissions and ACLs.”
The Reset button changes to “Running,” but it never finishes. I let it run an hour and it didn’t finish.
I have a few other accounts set up on this Mac, and I was able to reset those without any problem. It says “Running” for a few seconds, and then changes to “Done.”
Instead of this: sudo chmod -RN ~
maybe I should try this: sudo chmod -RE ~
Any suggestions?
If it makes a difference, the underlying problem I’m trying to solve is that the group permissions for my files shows up as “Fetching…” as described here: http://reviews.cnet.com/8301-13727_7-20121641-263/file-group-permissions-constantly-displaying-fetching..-in-os-x/
Hi Steve
A couple of questions:
1. Did you repair disk permissions for the whole disk before trying to repair the ACLs?
2. Did you follow Topher’s advice and procedures (from the link that you gave above)?
I can’t see any harm in doing chmod -RE. According to the Bash man page for chmod, the -E flag just tries to read the ACLs as single lines and parse them before trying to replace them, so it should be safe to do.
That said, I’ll have to admit this is an area I haven’t explored personally and I’m only guessing what I think should happen, so a couple of cautions:
—Back up your system before doing anything else.
—Look around the Apple discussions forums for more expert advice on ACLs and chmod
I’d be interested to know how you resolve the problem. Do keep us informed. 🙂
Phil:
This is a great help to me. I had tried rebuilding ACL permissions from the Lion recovery disk without first removing ACLs. (It didn’t work—just ran forever. I let it run overnight but it still didn’t finish.)
Then I found your page! A couple notes:
When I did this: sudo chmod -RN ~
I got two errors:
Failed to clear ACL on file U-verse 2.1.1 1.ipa: Operation not permitted
Failed to clear ACL on file ubiquity.socket: Invalid argument
For the first of those errors: I had previously clicked the “locked” checkbox in that file’s “Get Info” window. I unlocked it, tried again, and didn’t get that error.
I couldn’t find a file called “uniquely.socket” on my hard drive, so I’m at a loss as to how to fix. The name makes me think it’s some kind of communications socket, like a TCP socket.
Also, when I first tried this: chown -R `id -un` ~
I got an error message for every file in a folder that had been copied from a FAT32-formatted flash drive. (I don’t recall the exact error.) Is that because those files lacked ACLs?
On the above message, I forgot to click the “Notify me of follow-up comments via email” checkbox. Is there any way to enable notifications after the fact? (I have already enabled them for this message.)
Hi Steven
You can ‘follow’ the blog by clicking the link in the left-hand margin of any page.
Phil:
This is a great help to me. I had tried rebuilding ACL permissions from the Lion recovery disk without first removing ACLs. It didn’t work (just ran forever — I let it run overnight but it still didn’t finish).
Then I found your page! A couple notes:
When I did this: sudo chmod -RN ~
I got two errors:
Failed to clear ACL on file U-verse 2.1.1 1.ipa: Operation not permitted
Failed to clear ACL on file ubiquity.socket: Invalid argument
For the first of those errors: I had previously clicked the “locked” checkbox in that file’s “Get Info” window. I unlocked it, tried again, and didn’t get that error.
I couldn’t find a file called “uniquely.socket” on my hard drive, so I’m at a loss as to how to fix.
Also, when I first tried this: chown -R `id -un` ~
I got an error message for every file in a folder that had been copied from a FAT32-formatted flash drive. (I don’t recall the exact error.) Is that because those files lacked ACLs?
FAT32 is a Windows format. You can’t repair permissions on that from within Mac OS X.
I wasn’t trying to repair a FAT32 volume. I service both Windows and Macs, and I had a FAT32 flash drive with a bunch of Windows drivers on it. A few months ago I copied the contents of that drive into a folder on my Mac hard drive. (My Mac hard drive is in the default HFS (extended, journaled) format.)
But the FAT32 flash drive wasn’t mounted at the time. I was just speculating on why only the files in that folder gave me that error.
Is it ever advisable to ‘Reset Home Folder Permissions and ACLs’ for ‘root’ in the drop-down menu?
Thanks 🙂
Root has all permissions, so I’m not sure what purpose that would serve, if any.
Generally, it’s best to stay out of meddling with the root user profile. Only boot into the root account temporarily to effect a specific fix, then logout. Most fixes that require root access can be done in Terminal in your normal ‘Admin’ account by using the ‘sudo’ command.
The very top most icon in Disk Utility is the physical drive. Use this for partitioning and disk repairs.
The indented drives are ‘volumes’ on the drive. Use this for permissions fixes for individual volumes (if for example, you have more than one partition on the drive).
There’s a whole host of permissions errors you can safely ignore. If you’re not sure, have a look here:
http://support.apple.com/kb/ts1448
I used the HD – Macintosh HD
I always get: Group differs on “Library/PreferencePanes, should be 0, group is 80.
Yet when I go in there to look at it, it is blank? What does all that mean?
Also, how do I post a pic in the comments section?
Phil, you are bar none the best explainer of how to’s on the net. 🙂
Phil, Can I second that recommendation?
I’ve just cleaned up a mackeeper-mangled iMac and all that goes with it without darkening your electronic door:-)
Thanks for keeping this site open for us all.
Alan Crombie (in snow covered Perthshire, Scotland)
I never know which of the two HD’s we are supposed to work with.
Hard Drive 465.8 GB (with more numbers after it)
or
Macintosh HD.
Help please.
Hi Anne
I think you must have accidentally subscribed to the blog to receive new posts by email. The posts aren’t addressed to you personally, they are for anyone experiencing particular problems with permissions and deleting files.
If you don’t want to receive notification of new posts, follow the instructions for unsubscribing (should be at the bottom of the email somewhere).
(BTW, NEVER give your password to anyone!)
I don’t understand what you mean by “Trash” and why I should give you my password?
Besides, I can’t because nothing happens anyway.
Am I having problems as I have never rcvd anything like this before?
Don’t really understand what I should do as my utilities etc. is different than what I should do.