Fixing Mac OSX File Permissions and ACLs From the Command Line
Recently the hard drive in my mac mini running Mac OSX Leopard (10.5) failed. Luckily I had time machine backing it up to an external USB disk. Now, since I had to replace the drive and rebuild my system anyway I figured, why not upgrade to Snow Leopard? Planning to just pull what I needed off the backup drive manually I went ahead with the upgrade. There aren’t too many files on this machine that I depend on. Just some ssh keys, gpg keys and random documents scattered about here and there. So I upgraded, installed my apps and copied my files from the backup. Everything was going smoothly until I tried to actually write to one of the files I copied from the backup drive. This is when I started getting permission errors.
Here’s what happened when I tried to update my ssh known_hosts file:
airbag:~ keith$ echo foo > .ssh/known_hosts -bash: .ssh/known_hosts: Permission denied
Huh? But I own this file…dont I?
airbag:~ keith$ id uid=501(keith) gid=20(staff) groups=20(staff),402(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),61(localaccounts),12(everyone),401(com.apple.access_screensharing) airbag:~ keith$ ls -al .ssh/known_hosts -rw-r--r--@ 1 keith 502 56140 Mar 25 2009 .ssh/known_hosts
I do own it… And so began much head scratching and man page reading.
Well, as it turns out I forgot to look at the file ACLs…
airbag:~ keith$ ls -le .ssh/known_hosts -rw-r--r--@ 1 keith 502 56140 Mar 25 2009 .ssh/known_hosts 0: group:everyone deny write,delete,append,writeattr,writeextattr,chown
Well no wonder, the ACL is set to deny write,delete,append,writeattr,writeextattr and chown from everyone! Let’s get rid of that.
airbag:~ keith$ sudo chmod -N .ssh/known_hosts Password:
That ought to do it. The -N flag says get rid of all the ACL info on the file. You could also update this to be just right for your user or group but I’d rather use only the standard unix permissions.
airbag:~ keith$ ls -le .ssh/known_hosts -rw-r--r--@ 1 keith 502 56140 Mar 25 2009 .ssh/known_hosts
Seems to have removed all ACLs from the file. I wonder if we can write to it now…
airbag:~ keith$ echo foo >> .ssh/known_hosts airbag:~ keith$
And there you have it, the file is writable once again. Now its time to get some real work done!