Leopard’s Get Info Permissions Flaw
Executive Summary:
There is a serious design flaw in the Mac OSX 10.5 Leopard ‘Get Info’ GUI for changing permissions:
- Provides very ambiguous and misleading metaphors for the standard OWNER GROUP OTHER permission modes which cause the user not to understand exactly which permission is being changed.
- Incorrectly applies the user to be sole owner and group member of any file or directory when they only asked for “read and write” permission to the file.
- Incorrectly assigns READ WRITE EXECUTE status to the files/dirs being changed when the user clicks for only “read write” permission even when the “make executable” box is not ticked.
- Incorrectly assigns ACL permissions to lock the file/dir in question to be only accessible to the user who added themselves to the “list” of people with access no matter who else is on the list and no matter what you change the permissions to with chmod from the command line. Note that the GUI does not tell you it is doing this and does not allow you to tell it not to.
- In conclusion, this GUI does things it is not asked to do and furthermore does things a responsible user would never do from the command line and is therefore a potential risk to the operating system and should not be used. To change permissions or ownership, always use the command line.
- Amendment: If this happens to you, do what I did and disconnect your computer from the internet until you are able to repair permissions.
Detail Intro:
I recently got a brand new iMac for my desk from my department. I was so excited and thrilled to get it. It had all the astro software I needed pre-installed and was able to have enough control over my computer as to make it usable for my software and scripting intensive purposes. Everything was going fine until I ran into a very serious design flaw in the OSX Leopard GUI ‘Get Info’.
As a fully competent Unix and Linux user for many years, I am well accustomed to the standard file permissions and modes of these OS’s and how to safely modify them from the command line using chmod and chown. There are plenty of things I know *not* to do from the command line (the obvious being rm -rf *‘ing around without care). Furthermore, I understand that many files on the system need to be protected with special flags like schg and uchg and to have their permissions kept intact for the safety of the operating system and the network you are on.
But on the command line, the rules are simple. Each file and directory has an Owner, a Group, and an Other set of permissions that define who can access it, and what they can do with it. And the ways of changing these things from the command line make it entirely obvious what you are getting yourself into because you have to explicitly type it out. There’s no guessing involved as to what is going on.
But then there are GUIs. GUIs, being the shiny front-end to the operating system, have to rely on what are called “metaphors” for doing tasks you would do from the command line or a script. So instead of typing lpr -Ppsprinter myfile.txt, you can just press the big PRINT button. This is a simple case and clearly there are many GUI features that save you a great deal of time by substituting a button for what would be lines and lines and lines of command line entries and scripts. However, with this GUI power comes great responsibility to the designers to make these “metaphors” do exactly what you would expect as if you were to do the same thing from the command line. This is because you have to *trust* them as you are relinquishing control for ease-of-use. The PRINT button in, say, Preview.app, is a trustworthy metaphor because it does exactly what I expect it to do. It prints my .pdf file to the printer I choose or to the file I specify….just as I would if I were to run lpr.
But this is exactly where Leopard’s Get Info.app gets it all wrong. The metaphors for changing file permissions in this application are completely wrong, misleading, and do things you didn’t ask them to do, which make you naively do things that you never would have done from the command line. What baffles me more is that OSX Tiger had it all right! The metaphors for changing the file permissions are understandable, clear, and do pretty much what I expect.
Detail Example:
Here is an example: On the left you can see the Tiger Get Info view of the file and on the right you can see Leopard’s version.


First note that in the Tiger implementation, the permissions names are the same as they actually are in the Unix underbelly: Owner, Group, and Other. Now notice that Leopard’s implementation is completely different and confusing! Who the hell is “Everyone”? And where is Owner, and Group? Why is “Me” there? Why can there be so many entries when really the only people the file knows about are those listed in Owner, Group, and Other? Does adding myself to this “list” of people make me the owner, a group member, or simply change “other” permission to allow me access? What happens when I delete someone? Does that make that person / name no longer the owner or no longer the group? And why is there no distinction between “admin” with one head and “admin” with two heads? Who is admin with one head? Is that “root”? Why not call it root? And who is admin with two heads? Is that the name of a group or an owner?
So hopefully from seeing this example you can understand my complete confusion when I attempted to use this GUI to give myself write permission to a directory I had added outside of my home directory. I simply wanted to be able to read and write to my data directory which I had added to the root directory to keep my data separate from my home folder and from the system file hierarchy. However, because of a strange permissions error (not sure if this arose because the system was upgraded from Tiger (see problems for this in the references below) or because the ACL permissions on the root dir had propagated down into my data dir), I was allowed to create the directory but not allowed to read or write to my data files without having to type in my password every 3 seconds.
The Guts of the story:
I already had the Finder window open so I just right-clicked on my /data dir to Get Info and see what the permissions were. As a former Tiger user I had learned to trust the change permissions section because it did exactly what I expected and nothing more. I saw that I was the owner of /data and had read and write permissions. So what was going on? I then clicked “Get Info” for the root directory to see if it had some strange permissions. Nope, all seemed normal. The list of names in the permissions box said “admin, admin, unknown, and staff”. So I thought….“hmmm, maybe my GUID is not correct for this group of users, I don’t want to go logging in as root to change my group permissions or my GUID…that is not responsible user behavior so instead I will just see what happens if I add my name to this list….maybe it will just add *group* Me to the apparent list of people who can access it with the specified group permissions….this is all very ambiguous but it’s Apple and they baby users so how bad can it be?!” The answer is VERY BAD.
At this point my operating system pretty much ground to a halt. I had to boot up into single user mode to see what was going on and do a fsck and then mount the root dir and check what permissions had been changed. Well a quick ls -leO revealed the following.
It didn’t add group “me” and it didn’t add me to the group labeled in the mode and it didn’t honor its own uchg, schg, or ACL permissions on the root dir. Instead it made ME the sole owner, group member for the entire directory and furthermore instead of just giving me r_x permission (which is what I asked for because that is what the group permission mode was set to previously) it gave ME read, write, and execute permission. And to make matters worse….it deleted the “other” permission (which is usually set to read and execute). And to make matters even more worse, it added crazy ACL permissions to the directory which basically said “only ME can do anything to this file no matter who becomes owner or group next”. This meant that chown root:wheel and chmod 755 / did effectively nothing because ACL permissions trump standard permission modes! Furthermore despite only applying this setting to *just* the root dir (and NOT clicking on the “apply to enclosed folders”) the ACLs propagated themselves throughout the directory even though I wasn’t the owner of those files and clearly did NOT ask for it to do this.
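The mode bits shown by a plain ls -l say nothing about ACL entries, so a check after any Get Info change has to look at the indented entries that ls -leO prints under each file. The following is an added example, not output or code from the original post: a small shell filter that lists every ACL entry in such a listing. The sample listing, the user name alice and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every ACL entry (ACE) found in `ls -leO` style output.
# Assumed line layout: mode links owner group flags size month day time name,
# followed by indented " N: principal [inherited] allow|deny rights" lines.

acl_audit() {
  awk '
    # File line: type character, permission characters, optional + (ACL) or @.
    $1 ~ /^[-dlbcps][-rwxsStT]+[+@]?$/ && NF >= 10 {
      mode = $1; owner = $3 ":" $4; flags = $5
      path = $10
      for (i = 11; i <= NF; i++) path = path " " $i   # names with spaces
      next
    }
    # ACE line belonging to the most recent file line.
    $1 ~ /^[0-9]+:$/ && path != "" {
      kind = $3; rights = $4
      if ($3 == "inherited") { kind = $4; rights = $5 }
      printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", \
             path, mode, owner, flags, $2, kind, rights
    }
  '
}

# Paths whose effective access cannot be read from the mode bits alone.
acl_paths() { acl_audit | cut -f1 | sort -u; }

# Constructed sample in the style of `ls -leOd / /data /Library`
# (hypothetical user "alice"; not the listing from the post).
sample_listing() {
  cat <<'EOF'
drwxrwx---+ 34 alice  alice  -    1224 May  9 10:12 /
 0: user:alice allow list,add_file,search,delete,add_subdirectory,delete_child
drwxr-xr-x   5 alice  staff  -     170 May  9 09:58 /data
drwxr-xr-x+  3 root   wheel  -     102 May  9 09:40 /Library
 0: group:everyone deny delete
 1: user:alice inherited allow list,search,readattr
EOF
}

sample_listing | acl_audit
```

On a real system the same filter reads live output, for example ls -leOd / /data | acl_audit; an empty result means the listed paths carry no ACL entries and the mode bits describe the access on their own.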
Summary:
After trying to make a change with Mac OSX 10.5 Leopard Get Info GUI that I could have easily done safely and efficiently as a responsible user from the command line (just done chmod -R -N /data to delete the ACLs on the dir that were passed down from the root dir after I created it to actually give myself the access to the /data dir that the permission modes said I had) the GUI ended up doing something completely different which disabled my system. (Amendment: I have changed the contents of the last sentence which read something like “gave IT Support an unnecessary headache” because some have taken this to mean that I was somehow not justified in asking for help from the paid professionals when I needed it.) This problem arose because of a serious design fault in the Get Info permissions management where the application does things you did not ask it to do with file permissions and more importantly it does BAD things you didn’t ask it to do and that a responsible user would never have done from the command line. This application feature cannot be trusted and should not be used so as to prevent problems like this in the future. Note: this application feature works fine for Tiger.
References to this Design Fault plus Related Issues:
Here are some references to this problem that I found on the web that I wish I had seen before. In all of them, you can clearly see people’s frustration with the ambiguity and with the stark divergence in control and transparency from the Tiger implementation.
Take Control of Permissions in Leopard
This is a book review about an E-book detailing just how awful the new Leopard Get Info permissions implementation is and teaches users to use the terminal or 3rd party application to change permissions more reliably. Here is the link to the actual E-book ($10).
AFP Leopard Server problems changing permission with get info
This is a post by a Server admin who is baffled by the way the clients (admin or not) clicked to change group permissions through this utility but the GUI instead changed the owner and group and other permissions and didn’t leave a trace of its actions that was understandable from the command line.
Topic : AFP Leopard Server problems changing permission with get info
Here is a post from the same man but posted on the apple discussions board. After this post almost every post afterwards is someone who says something along the lines of “yes, I have the same problem, this is clearly a bug”.
What’s with Leopard’s Permissions Repair
This is a post by another baffled person with comments by other people experiencing different flavors of the same issue all stemming from Leopard’s faulty use of ACLs and the faulty implementation of the Get Info box. Here is the post from that thread that I think aptly explains the fault which is causing a variety of other problems. The application just does *not* do what it is supposed to.
This is a link from someone who did something similar to what I did except instead of adding himself to the list, he deleted the “everyone” entry because the name was so ambiguous and confusing that he thought it literally meant “everyone” as in sharing permissions and not the “other” permission set (which are different things for subtle reasons). This is just another case where the ambiguity of the GUI metaphor lulls you into a false security for doing something you would have never done from the command line.
Here is another post on exactly how confusing the ambiguous new permissions window is. This man seems to confuse “everyone” with “other” but his problem highlights a very annoying problem for people who are concerned about the security of their files and how to manage them with this GUI.
Bugs & Fixes: Get Info selection crashes Finder
Here is another problem with the Get Info GUI. If you upgraded from Tiger rather than doing a fresh install of Leopard, then there are other serious problems with permissions and ownership because of the switch from using flags to ACLs and from changing GUIDs. There are literally hundreds of posts on this topic where people who have upgraded do not have the correct group assignments. There are many hacks around this problem, but the best way I think that will reliably solve it is to do a fresh install of Leopard and not an archive and install upgrade from Tiger to Leopard. I’m happy to provide more links on this particular issue plaguing upgraders but if you google for “group permissions Leopard” you’ll get more than an eyeful. Here is a summary of these issues from the apple discussion forum with many more links.
May 9, 2008
