Results 1 to 14 of 14

Thread: Permissions on the boot drive...

  1. #1
    Join Date
    Feb 2012
    Posts
    265

    Default Permissions on the boot drive...

    Can anyone explain something to me? Why is it that when my boot drive (SL) has only two users (shown in Get Info sharing and permissions): Me and everyone - both with read and write - yet when I've been doing new installs recently, the user doesn't get a look in unless I put them in afterwards? This is happening in both SL and Lion.
    The users that tend to show up are System (R+W), Wheel (R+W) and everyone (RO)
    So to stop the user having to authenticate every time they want to do anything I change everyone to R+W, but why is that even necessary?
    And surely, when a completely new install is carried out, shouldn't it automatically include the only admin user in the permission?

  2. #2
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    9,119

    Default

    System, Wheel and Everyone are group names, not users. Every user is placed in one or more groups - users that are networked in and unlogged in - are considered 'everyone' and should only get read permissions on public unprotected files.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  3. #3
    Join Date
    Feb 2012
    Posts
    265

    Default

    Yes, I'm aware that they are group names, but my own MBP isn't set up that way. It only has 'Me' and 'everyone' and I didn't make it happen that way.
    The problem is, as I tried to explain in the first post, that with just the groups I mentioned nothing can be deleted, moved or installed on the HD without authenticating, so I'm having to add in the User (owner) manually each time and, until recently, I never had to do that with ANY installation. Even when I'm doing an install by cloning it's happening so I would like to find out why and what I can do to stop it.

  4. #4
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    9,119

    Default

    I am going to have to do some messing around to see where that comes into play. Unlike you, I don't have the opportunity to play with adding users very often. Most of ours have been static for years, or for customers typically only one user at a time.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  5. #5
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    9,119

    Default

    From here part of the problem may be that I have no new OS installs or Users. We have the same User database forever - moved from computer to computer over the years, so I may have missed a change Apple made. And most of the OS installs were updates from previous versions. If there is no longer a System Group, then that would make things different.
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  6. #6
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default

    Weird. Not normal.

    Never seen anything except:

    User
    Group
    Everyone

    Are you saying you don't have the 3 ownership deities?

    Now, to be fair, it is not that simple since Apple added ACLs, so technically there are two sets - both POSIX and ACLs - and often the ACLs are invisible. We kicked this around back at 10.5 when it hit. See post #36 and on.

    If you want to see all permissions (and change them) then either CLI or a third party GUI tool is a big help.

    This has been refined and I find it less intrusive in 10.6, and less still in 10.7, though yes, it is hard to do much without authenticating (beyond working with files within your own directory). Security + protecting users from themselves I suspect.

    A good idea, really. Think about it.....XP is a security nightmare mainly because an admin user can do everything without authenticating....so everything that happens when an admin is logged in is fair game for anything malicious. And everyone is an admin.

    Fail.
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  7. #7
    Join Date
    Feb 2012
    Posts
    265

    Default

    The 1TB drive I have in this MBP is split into SL and Lion.
    While booted into SL, the permissions show only me and everyone with full permissions on the SL partition (default boot). On the Lion partition it shows me and system with R+W, but it also has wheel and everyone as RO.
    The headache that this gives for some of my clients is that they have long and convoluted passwords and having to type that in every time they want to do something is tedious to say the least. Most people have those passwords to keep people out of the mac, usually their children, and not to stop things happening once they're in. I had one client who insisted that they worked in a standard account and kept an admin user only for when they wanted to make changes... if you want to be THAT paranoid I'd suggest getting a PC so you can enjoy ALL of the benefits of a thoroughly diseased environment!

  8. #8
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default

    Understand, but it just doesn't work that way.

    The OS is working as designed. You might try letting the users know that the need to authenticate is the primary thing that keeps their Mac from being easily infected. Even Vista and Win 7 does this.

    If they never want to be bothered with having to authenticate installing, moving, deleting software, etc., then they should work as root, not admin.

    And nobody is recommending that!

    ....are they really installing and deleting software that often? Such a great hindrance? Do they bother to lock their homes are cars, or just leave the doors open so it is quicker to come and go?

    As for working as std (non-admin), not a bad idea. I know folks doing this with Win boxes, that have no security issues - even without running AV software. Very useful, and increases productivity tremendously compared to scanning, chasing bugs, etc.
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  9. #9
    Join Date
    Feb 2012
    Posts
    265

    Default

    I regularly keep files, folders etc on the top level of the drive, especially when I'm switching in and out of different users for different purposes, especially testing and so on. The last thing I want to have to do every time I want to delete or move something is to get a message (a la Windoze) telling me that I am committing some illegal act with a sheep!
    Not having a password to do simple, but regular processes is hardly the same as leaving keys in the car so that was a bit fanciful. If it's so important then why does Apple not take the nanny-state further and disable auto login? Let's face it, even I don't use that, but most people do, especially in their own homes with no kids in the house.

  10. #10
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default

    I hear ya......

    But the entire concept of permissions breaks down and renders them moot if you (or any admin user) could have full access to the root of the HD. Their OS could not (would not) be used in any managed environments, like schools or enterprise.

    Maybe there is a work around? Could you change your work flow rather than fighting/changing permissions?

    Usually group access stuff can be stored in the Shared folder, or on a file server, NAS, Drop Box etc. Not at the root of the drive.

    How about an admin account that is there for service, that nobody regularly logs in to? I use a default admin account that lets me move data, install/uninstall, connect remotely, and transfer files without having to know any other user credentials. Maybe?
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

  11. #11
    Join Date
    Feb 2012
    Posts
    265

    Default

    Their OS could not (would not) be used in any managed environments, like schools or enterprise.
    I agree, but I wasn't concerned about managed environments... I was just wondering why I was getting a variety of different scenarios cropping up each time I do a new install. On one, about a month ago, the admin user was being refused flat out to do anything at all outside her own user with a simple "You do not have permission..." etc, without even an opportunity to authenticate. So I added her in as a user with full permissions and the problem was solved.

  12. #12
    Join Date
    Aug 2001
    Location
    Grangeville, ID USA
    Posts
    9,119

    Default

    I have never seen that - differences in group rights and permissions. Never heard of it even. Wonder if your installer has a corruption somehow?
    molṑn labe'
    "I am a mortal enemy to arbitrary government and unlimited power. I am naturally very jealous for the rights and liberties of my country, and the least encroachment of those invaluable privileges is apt to make my blood boil."
--Ben Franklin

  13. #13
    Join Date
    Feb 2012
    Posts
    265

    Default

    The one I had last month was a clone that had my normal 'test' user installed. I added her in the normal way once the clone was done. As a result of the fun and games I had on the last clone, I've redone the Lion drive now from the clean install I did on the iMac. I'll boot one of my macs from the clone of that drive and see what that's now showing up as and let you know later.

  14. #14
    Join Date
    Feb 2001
    Location
    on the landline, Mr. Smith
    Posts
    7,787

    Default

    Yes, never seen that.

    The permissions have changed from 10.6 to 10.7, but what you describe still sounds odd.

    After cloning and juggling, and perhaps hacking perms to get everything where it needs to be, I typically run the perm repair tool for the system, and use the 10.7 installer to reset the user perms, so that I know ACLs (and all everything else) is back to defaults.

    This could be done manually, but I like the consistency of the automated tools. I just wish I could extract the user reset tool from the installer, and could run from an external drive. Never tried it....hmmmmmm.
    "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •