Fixing/Correcting OS X home folder file permissions

5

6

Long story short, I managed to muck up the file permissions within my home directory in OS X (Lion). While I'm familiar enough with Linux file permissions and more than comfortable changing them, I am unable to get the right combination of permissions and/or commands to change them appropriately.

Before I continue however, I must mention that I have a slightly different setup to a standard install. My hard drive is partitioned into two drives, System and User.

My home folder is located in Users/[username] on the User drive, i.e. when both drives are correctly mounted, it is accessible at /Volumes/User/Users/[username]. In /User/, I have a symlink [username] which points to //Volumes/User/Users/[username] and this has worked just as I wanted.

I tried the following two articles found here and here only to find myself locked out of my own home directory. In the meantime I changed them to full global access so that I can use them but I would like to get around to fixing that.

achinda99

Posted 2011-10-31T00:47:44.580

Reputation: 263

1 That CNET post is probably pretty destructive. You lose access (executable flag) to all directories within your home. I bet that guy has never attempted to actually do what he wrote. – Daniel Beck – 2011-10-31T06:43:11.200

Answers

4

First, make sure you own your home folder (note: I'm assuming you're running this from your own user account, and that you're an admin):

sudo chown -R $USER:staff ~

Then, give yourself proper access and nobody else any access (we'll make some exceptions later). Note that this is 2 commands to make sure that execute access gets added to the directories, but not plain files:

chmod -R 600 ~
chmod -R u+rwX ~

Now, grant read access to others for the directories they're supposed to have access to. If you don't have a sites folder, you can leave that off the second command:

chmod og+rX ~
chmod -R og+rX ~/Public ~/Sites

Apple likes to have access control entries to keep you from messing with "important" parts of your home folder. Again, if you don't have Sites you can leave that off (do not leave out Library; it's invisible, but it's there):

chmod +a "group:everyone deny delete" ~ ~/Desktop ~/Documents ~/Downloads ~/Library ~/Movies ~/Music ~/Pictures ~/Public ~/Sites

Finally, fix your Drop Box:

chmod og=wX ~/Public/Drop\ Box
chmod +a "user:$USER allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" ~/Public/Drop\ Box

Note that this procedure will not properly "fix" the permissions on files inside your various folders, but that doesn't really matter since it gives you full access to them and nobody else can get into the folders anyway...

Gordon Davisson

Posted 2011-10-31T00:47:44.580

Reputation: 28 538

5 Doing what you suggest will break things. You will take away execute permissions from binaries. Dashboard widgets, programs in ~/Applications, services will all break. Probably quite a bit more. – Daniel Beck – 2011-10-31T05:38:49.363

I suggest you skip the second code snippet and invert the third, i.e. take away (non-recursively) go-rwx for Documents, Music, etc. (those that are created by default). – Daniel Beck – 2011-10-31T05:40:38.537

@Daniel Beck: Most OS X users don't have a user Applications folder (or a personal binaries folder, or...). I hadn't thought of Services, though. Call it a personality quirk, but I don't like having execute permission enabled on non-executables, and I'd rather have to fix the occasional file that needs it than set it on everything. You can find any actual executables with find ~ -type f -print0 | xargs -0 file | grep executable and then add execute for them (chmod u+x /path/to/file) individually. – Gordon Davisson – 2011-10-31T06:07:17.750

@Daniel Beck: As for whether to remove group+other access to everything and add it selectively, or remove it selectively, I don't think there's a truly right answer: wiping the original permissions destroyed information, and there's no way to get it back. Your approach probably leaves most files closer to their original permissions, but at the risk of giving away access to things that should not be readable, like ~/.ssh – Gordon Davisson – 2011-10-31T06:12:36.293

Have you tested that find expression on OS X? There's no executable in Mach-O universal binary with 2 architectures Mach-O 64-bit bundle x86_64 Mach-O bundle i386. Maybe find ~ ! -type d -perm -111 would be better? // If the user's home directory is like mine with 30k executable files, he probably should restore from backup... – Daniel Beck – 2011-10-31T06:40:35.023

Gave this solution a shot. Generally seems to work, except now I have some weird functionality with drag/drop. Essentially I can't seem to drag drop anything (files to folders), one item in a container to another, etc. Furthermore, even in a browser, mouseover doesn't seem to work either. Might have to revert back to 777 until I can figure this out. – achinda99 – 2011-10-31T14:31:13.907

I managed to sort out the mouseover issue by disabling and then re-enabling my bluetooth mouse, god knows what the hell was going on there. But the drag drop issue still exists. My default programs for txt files, etc also seem to have been screwed up along the way too. – achinda99 – 2011-10-31T14:56:06.807

1 Drag & Drop and default programs are both related to launch services; check its preferences (ls -le ~/Library/Preferences/com.apple.LaunchServices*) and for services that need to be executable (see the find command I gave above). BTW, for some reason the execute permission seems to be set for the preference lock files, so maybe running chmod u+x ~/Library/Preferences/*.lockfile would help. – Gordon Davisson – 2011-10-31T15:42:33.087

@Daniel Beck: the grep I gave won't match the listing for the universal container, but it should match the enclosed executables (e.g. "(for architecture i386): Mach-O executable i386"). – Gordon Davisson – 2011-10-31T15:45:09.137
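The comments above discuss how to find files that need their execute bit back after the `chmod -R 600` / `chmod -R u+rwX` pair. As an added example (not code from any poster in this thread), the sketch below checks each file's magic bytes rather than grepping `file` output. The function names are hypothetical, and the ELF entry is an assumption included only so the constructed demo also works on Linux.

```shell
#!/bin/sh
# Added example (function names are hypothetical): list regular files that look
# like programs by their magic bytes but have no owner execute bit.

# First 4 bytes of a file as lowercase hex, e.g. "cffaedfe".
magic_of() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeed if the hex prefix belongs to a known program format.
looks_executable() {
    case "$1" in
        2321*)             return 0 ;;  # "#!" script
        cffaedfe|cefaedfe) return 0 ;;  # Mach-O 64-bit / 32-bit, little-endian
        cafebabe)          return 0 ;;  # Mach-O universal (also Java class files)
        7f454c46)          return 0 ;;  # ELF, assumption: only for Linux test runs
    esac
    return 1
}

# Print every file under $1 that looks executable but lacks u+x.
missing_exec() {
    find "$1" -type f ! -perm -100 -print | while IFS= read -r f; do
        if looks_executable "$(magic_of "$f")"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo: a scratch tree in the state the two chmod commands leave
# behind (directories 700, every file 600).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/Documents"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/tool"
    printf 'just text\n' > "$d/Documents/notes.txt"
    chmod 700 "$d" "$d/bin" "$d/Documents"
    chmod 600 "$d/bin/tool" "$d/Documents/notes.txt"
    missing_exec "$d"
    rm -rf "$d"
}

# Usage: sh missing_exec.sh "$HOME"   (no argument: define functions only)
if [ $# -gt 0 ]; then
    missing_exec "$1"
fi
```

Review the list before restoring the bit with `chmod u+x`, since magic bytes say what a file is, not whether it was executable before the permissions were wiped.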

4

To reset file permissions and Access Control Lists (ACLs) of your user's home directory to their default settings, do this:

  1. Boot into the Recovery mode by holding down the Command and R keys during boot.
  2. Open the terminal (under the Utilities menu)
  3. Type resetpassword into the terminal and hit Return.
  4. In the Reset Password utility window choose the correct volume, and on the bottom you’ll see an area labeled ‘Reset Home Folder Permissions and ACLs’. Click the Reset button in that area.
  5. Close windows, quit OS X Utilities, restart.

cborgia

Posted 2011-10-31T00:47:44.580

Reputation: 141

1

Repair Disk Permissions by opening Disk Utility, selecting the drive, then clicking Repair Disk Permissions.

Canadian Luke

Posted 2011-10-31T00:47:44.580

Reputation: 22 162

From within Disk Utility, I select the "User" partition, and I do not have the option to fix permissions (it is disabled). – achinda99 – 2011-10-31T04:32:05.377

2

Repair Disk Permissions only fixes permissions on system files, not user files.

– Gordon Davisson – 2011-10-31T04:42:47.123

1

After much effort and searching:

While not perfect, I just used the Get Info window on the home folder. It showed "read/write" for the user,* "read only" for admin, and "no access" for everyone. Looked good enough to me.

I then ran the option in the gear menu to apply to all enclosed items.

Restored access to everything! Less than a minute (on my SSD).

Hallelujah! *standard, not admin

BCD

Posted 2011-10-31T00:47:44.580

Reputation: 11

1

Run this

cd $HOME
{ sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; \
sudo chown -R $UID:staff ~ $_ ; \
sudo chmod -R -N ~ $_ ; \
sudo chmod -R 755 ~ $_ ; \
sudo chmod 700 Desktop Documents Downloads Dropbox Library Movies Music Pictures Sites $_ ; \
sudo chmod 777 Public ; \
sudo chmod 733 Public/Drop\ Box ; \
} 2> /dev/null

davidcondrey

Posted 2011-10-31T00:47:44.580

Reputation: 1 345

I'm assuming that you used Linc's standard procedure as a starting point: https://discussions.apple.com/thread/5275515?tstart=0

– ylluminate – 2016-11-20T04:13:30.927