Ask Different (Apple)
Q&A for power users of Apple hardware and software
Latest Questions
0
votes
0
answers
34
views
Terminal / Bash: Permission denied when appending to a file with RW rights granted by ACL
I have a file "test.log" inside a directory.
The directory has an accesslist, defined as:
0: user:Me allow list,add_file,delete_child,file_inherit
The file "test.log" (created by root) has automatically the following access rights:
-rw-r--r--+ 1 root wheel
0: user:Me inherited allow read,write
As "Me", I can open this file in Terminal – for example with nano – edit it, save the changes and exit nano.
Result: the file has been changed as expected.
When I use the following command:
echo "test" >> test.log
I get the error:
-bash: test.log: Permission denied
"Me" is a standard user.
When I `su` to an admin user, the admin user gets the same Permission denied error when executing `echo "test" >> test.log`.
Even as admin user, when I use `sudo echo "test" >> test.log`, I also get the Permission denied error. Only as root can I append text to the file using `echo >>`.
I have no idea how to fix that or what causes this behaviour.
CreaTurE
(31 rep)
Mar 12, 2025, 06:06 PM
• Last activity: Mar 12, 2025, 08:36 PM
1
votes
1
answers
2973
views
How do I remove file access for unknown user (as reported by Finder's File Info)?
File Info, under Sharing & Permissions, says "You have custom access" and lists:
Name Privilege
joe (user) Read & Write
staff (group) Read & Write
everyone Read only
But `ls -le` says:
-rwxrwxr-x 1 egbert staff 22806528 Jun 4 08:57 somefile.ext
This agrees with output from `stat -x somefile.ext`
Mode: (0775/-rwxrwxr-x) Uid: ( 501/ egbert) Gid: ( 20/ staff)
joe is not a known user on this system (check with `dscl . -list /Users UniqueID` and "joe" is not in the list)
Finder won't let me "Choose new owner...". It says "The operation can't be completed because you don’t have the necessary permission." Yet I am egbert (see above) and I am owner and I have write privileges.
There does not appear to be any ACL on the file or any extended attributes (@ or +). `sudo chmod -N somefile.ext` fails with chmod: Failed to clear ACL on file somefile.ext: Operation not supported.
So who is joe if he's not known or listed among users? And how do I remove this user's access and restore privileges to me (egbert)? And why is there a disagreement between the Finder and what is reported by `ls` and `stat`?
Help!
PartialOrder
(111 rep)
Jun 4, 2014, 02:02 PM
• Last activity: Dec 26, 2023, 02:11 AM
0
votes
1
answers
582
views
Is there a cli command to dump the ACL associated to a file (in a MacOS context)?
I would like to know if it is possible, and if it is, how can be seen the ACL (Access Control List) associated to a file in a MacOS context, using command line (not using the GUI "File Information" tab, I mean).
nostromo
(333 rep)
May 21, 2023, 05:45 PM
• Last activity: May 22, 2023, 11:48 AM
0
votes
1
answers
633
views
ACL for File Sharing (SMB) is changing ACL of the folder itself
When I set ACL with the permissions for the folder in File Sharing (System Settings > General > Sharing > File Sharing > info) the same ACL and permissions are set for the folder itself on the file system (`ls -ld folder/` or Folder info). Basically, the folder on the file system mirrors the settings from File Sharing.
As well, when I set ACL for this folder in File Sharing, the Folder info shows that it is **Shared folder**.
When I switch File Sharing in System Settings on, the Finder shows notification **Folder shared with File Sharing** when the folder is opened.
By changing the ACL in the File Sharing settings I can cut myself off from accessing my home folder, temporarily though.
This behaviour is odd and I think it started when I wanted to disable access to all volumes with File Sharing and stop sharing Macintosh HD along with other shared content via SMB for Administrators. So I have modified `/Library/Preferences/SystemConfiguration/com.apple.smb.server` and added two keys – and – as described here. It helped me to disable the access to all volumes but the issue described above appeared and it persists even when I reverted the changes and deleted the added keys.
When we tried to enable File Sharing on my colleague’s Mac, nothing on the file system mirrors the changes from the File Sharing settings. No Sharing notifications, no Shared folder in the info of the folder, and the permissions of the folder itself are also not reflecting the changes from File Sharing settings.
My Mac and my colleague’s both run Ventura; mine is Intel based, his is ARM based. Any help would be appreciated.
paulie
(41 rep)
Mar 14, 2023, 11:24 PM
• Last activity: Mar 15, 2023, 11:35 AM
1
votes
0
answers
153
views
Sharing permissions and umask not applied to files created within shared folder
I have a Brother printer which is able to save scans to a Samba v1 share. I have configured a shared only user named "brother" in macOS (Ventura latest release) and have setup everything in the web interface of the printer. The self test of the printer can access the share. A final scan reveals the file on the share. However, the file created by the printer only gets u+rw permissions:
```
sven@Svens-Mac-mini Drucker % ls -l
total 2048
-rw------- 1 brother wheel 999836 Feb 23 21:28 20230223_212738_MFC-J5730DW_001247.pdf
drwxr-xr-x 2 sven wheel 64 Feb 23 21:31 test
sven@Svens-Mac-mini Drucker %
```
This is strange as the umask is set to 022 and it properly works when creating a file (test) from macOS Finder directly on the share.
I have checked the ACLs (but I am not an expert either):
```
drwxrwx---+ 5 sven wheel 160 Feb 23 21:31 Drucker
0: user:sven allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
1: user:brother allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxrwxrwx@ 2 sven wheel 64 Feb 14 15:39 SC Info
sven@Svens-Mac-mini Shared %
```
So, I have no idea what is wrong.
How do I have to set the ACLs to FORCE every file to get a 755 or even 777 permission? If this is not possible: is there a way to trigger a hook script after each change on that specific folder?
Thanks,
Sven
TheRiddler1982
(21 rep)
Feb 25, 2023, 09:04 AM
• Last activity: Feb 25, 2023, 01:41 PM
2
votes
1
answers
136
views
App reported "in use" that isn't
I downloaded a Catalina installer which can't run because I am already on Monterey. I copied it to an external drive and put the internal copy in the Trash. When I try to empty the Trash, Finder complains that it is "in use" even after a reboot or a re-launch of finder.
`ps -ef` shows that it is not open. It has ACLs that can't be removed, so it can't be deleted in the shell.
In response to "no hillside," I find this rather interesting:
```
User@MBP ~ % ls -dleO@ .Trash/Install\ macOS\ Catalina.app
drwxr-xr-x 3 root wheel - 96 Aug 10 23:43 .Trash/Install macOS Catalina.app
User@MBP ~ % sudo chown -R User:staff !$
sudo chown -R User:staff .Trash/Install\ macOS\ Catalina.app
Password:
chown: .Trash/Install macOS Catalina.app/Contents/SharedSupport/InstallESD.dmg: Operation not permitted
User@MBP ~ % ls -dleO@ ".Trash/Install macOS Catalina.app/Contents/SharedSupport/InstallESD.dmg"
-rw-r--r-- 1 root wheel restricted 7737578258 Aug 10 23:43 .Trash/Install macOS Catalina.app/Contents/SharedSupport/InstallESD.dmg
```
That fifth column (hyphen or "restricted") is not documented in `man ls`.
`ls of | grep -i Install` returns no results
**Is there a way to remove it other than erasing the internal SSD?** (And hopefully other than disabling SIP in single-user mode!)
Long ago in MacOS version far, far away, there was a similar incident but it was never answered nor solved by me. That file eventually disappeared, but I don't know how or why.
WGroleau
(5370 rep)
Aug 13, 2022, 07:04 PM
• Last activity: Aug 14, 2022, 10:37 PM
0
votes
0
answers
456
views
Can I create access control entries for macos apps in /System/Applications?
I am trying to set user-specific access to certain apps and folders on a mac, and I found [this answer](https://apple.stackexchange.com/a/371105/462795) to be extremely helpful. (Thanks [@Gordon Davisson](https://apple.stackexchange.com/users/427/gordon-davisson)!)
However, I can't seem to run the `chmod` commands on applications inside the `/System/Applications` folders, even when I use `sudo`:
```
sudo chmod +a \
"user:some_user deny list,search,readattr,readextattr,readsecurity" \
/System/Applications/Mail.app
chmod: Failed to set ACL on file '/System/Applications/Mail.app': Operation not permitted
```
Is there a workaround?
**Update**
At the moment I would be happy to even have a specific solution that...
* Worked on Catalina, even if it doesn't work on more recent versions
* Only works to add and remove custom-deny rules access (i.e. restrict permissions) rather than extending additional permissions
brahn
(101 rep)
Jun 23, 2022, 07:20 PM
• Last activity: Jun 23, 2022, 09:46 PM
0
votes
1
answers
705
views
Using ACL to allow users to add files but not subdirectories in a folder
I am on Mac OS X Lion and want to prevent users from creating subdirectories inside a folder, but at the same time users should be able to add files to the same directory.
The following command does not allow user to add files to the folder:
chmod +a "user allow add_file" test
What should I do to allow users to add files and not sub directories?
Nisar Ahmed
(1 rep)
Jan 11, 2015, 02:01 PM
• Last activity: Mar 2, 2022, 06:10 PM
29
votes
5
answers
59391
views
How do I use chmod on a Mac to make new files inherit parent directory permissions?
On **MacOS**. I want to make it so that any new files/folders that get created within a specific folder have the same permissions (**not** _group_, that's already taken care of) as those of the parent directory.
On **Linux**, I would normally use `setfacl`, but it looks like `chmod` on MacOS might be able to do what I'm looking for. I've read through the `man` page for `chmod` but I still can't figure out how to properly format the command to get what I want.
Jeremy Hicks
(391 rep)
Nov 16, 2011, 02:39 PM
• Last activity: Mar 1, 2022, 07:32 AM
8
votes
1
answers
10293
views
What are all the available ACL attributes in Mac OS 10.13 High Sierra?
In Mac OS, file and folder access permissions are managed in a layered way with basic unix (POSIX) style: `owner/group/everyone` and `read/write/execute` modes along with, recently added _Access Control Lists_ (ACL) for additional access control.
Both the POSIX and ACL controls can be managed from the command line with the traditional unix command `chmod`. For example:
Mac:~> sudo chmod -R +a "staff allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" path/to/folder*
What is the comprehensive list of all ACL attributes which are settable in Mac OS 10.13 (High Sierra)? What does each mean?
Matt
(592 rep)
Apr 10, 2018, 01:15 PM
• Last activity: Feb 28, 2022, 09:31 PM
1
votes
2
answers
500
views
Accessing file in restricted directory
As an experiment I tried, and failed, to print a file in another user's Documents directory. The accessing user (admin) has read permission on the file however they have no permissions on its parent directory (the 'Documents' directory of the other user).
```
~ wsee$ ls -le
drwx------@ 32 wsee staff 1024 10 Feb 11:51 Documents
0: group:everyone deny delete
....
~ wsee$ cd Documents
Documents wsee$ ls -le
-rw-r--r-- 1 wsee staff 12 10 Feb 11:00 test
~ admin$ cat /Users/wsee/Documents/test
cat: /Users/wsee/Documents/test: Permission denied
```
I wondered whether I might be able to access the file because I knew its path, please could someone explain why this wasn't the case and what stopped me from accessing it.
We'll See
(183 rep)
Feb 10, 2022, 12:57 PM
• Last activity: Feb 10, 2022, 01:40 PM
1
votes
2
answers
2656
views
Moving a folder with "sudo mv", how to preserve ACLs?
I'm moving a whole folder from one volume to another (both HFS+), using `sudo mv`, and thought ACLs would be preserved. However at the end of transfer I see that they haven't been kept, and since mv deleted the files in the original volume I can't restore them.
Why did this happen, and how to do it right next time?
CharlesB
(223 rep)
Nov 27, 2012, 06:59 PM
• Last activity: Jan 11, 2022, 06:43 PM
1
votes
0
answers
65
views
How to Configure a Vanilla APFS Volume for Time Machine
I'd like a way using the CLI to set the ACEs and the accompanying files so that Time Machine will recognize a vanilla APFS volume as a Time Machine volume. I need the CLI that generates the conditions needed for Time Machine. Specifically,
```
cd /Volumes
ls
TIME-MACHINE-VOLUME
Macintosh HD
cd TIME-MACHINE-VOLUME
ls -le
total 16
drwxr-xr-x@ 6 root wheel 192 Mar 29 19:55 2021-03-29-195615.previous
0: group:everyone deny add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,chown
-rw-r--r--@ 1 root wheel 6908 Mar 29 19:56 backup_manifest.plist
```
J. Freese
(11 rep)
Mar 30, 2021, 03:26 AM
• Last activity: Mar 30, 2021, 04:21 AM
0
votes
2
answers
707
views
Why does macOS Mojave change a group's name automatically?
Created a user group called "`Duo`". When I add it to a directory, macOS Mojave (10.14.6) automatically changes the name to "`Dev`".
![enter image description here](https://i.sstatic.net/bz15u.jpg)
Even `id` says my user is group "Dev" (and not "Duo" as it was named):
$ id
uid=502(s) gid=20(staff) groups=20(staff),505(Dev) ...
What's actually happening here?
sfxedit
(1897 rep)
Dec 25, 2020, 06:03 PM
• Last activity: Dec 27, 2020, 02:54 AM
1
votes
0
answers
47
views
macOS, user/group with no privileges to delete
In my environment we use macs. I've been asked if it's possible to remove the capability of deleting files/folders for users. Most of our users are developers and we provide local admin rights to their accounts so that they can install apps and do some advanced stuff without much hassle. Now, I've been reading a bit about POSIX and ACLs but couldn't come up with a solution. If the user is a local admin, I don't think there's a way to limit its privileges. I imagine creating another type of user between admin and standard, basically a user that can still create files and folders (at least inside his home folder) and install apps but can't delete any files or folders. Is this something possible by any approach?
Thanks!
Federico Joly
(61 rep)
Oct 8, 2020, 09:03 AM
3
votes
1
answers
322
views
How to search for files based on ACL or group permissions
There are double entries for the group 'everyone' under permissions. This is the state of hundreds of files in the Documents Folder. I don't know how they got there and it's now a big problem for my workflow since upgrading to Mojave [10.14.6] as I have to enter a password if I want to move this file into another folder or move it to the trash.
I can remove the extra group this way:
I noticed the man find page list -acl as a primary but I have not been able to create a valid command to locate other files that need this permission removed.
What Unix command do I need in order to search for other files in the Documents Folder so I can fix these types of permissions?

-Pro:~ user$ chmod -N /Volumes/Mountain_Lion/Users/rjrasch/Documents/Cantare\ Docs/Cantare\ Logo\ samples.pdf
Once I remove the ACL permissions with chmod -N I can move and/or discard the file without a password.

Richard Rasch
(51 rep)
Aug 31, 2020, 08:31 PM
• Last activity: Sep 9, 2020, 08:06 PM
1
votes
1
answers
211
views
How to restore select files from Time Machine and fix permissions issues
I like doing things from the command line (eg copying only 24 select files by wildcard from my time machine backups) and Time Machine's extra permissions and protections catch me out every time.
Information on how to work around all the permissions is out there, but you have to know what you're looking for and find solutions to about 3 different problems.
So how do you restore those files with correct permissions?
ChrisJ
(201 rep)
Jun 3, 2020, 04:03 AM
3
votes
3
answers
2740
views
How do I copy user home directories from one system to another while preserving all attributes?
I am in the process of dismantling an old macOS High Sierra Server and rebuilding it as a macOS Mojave Server.
I've exported Users and Groups from OpenDirectory on the old one and imported them in the new one.
I could move the user's home folders by shutting the old system down, mounting it in Target Disk Mode on the other and using `ditto`.
But suppose I do not want that and I want both to keep running (e.g. because the old one is still providing services such as mail and DNS) as the new server is still in buildup and contents on it are experimental (final copy done before going live on the new one). The best way I can come up with that preserves everything is creating a DMG on one system, use ditto there and move that to the other and then do the reverse. Both source and target file system are APFS, a DMG will be HFS+.
Is there a better option that preserves 'everything' from the directories copied? It seems to me that tar and zip don't cover everything. I'm uncertain about `rsync`/`rsync --daemon`.
gctwnl
(762 rep)
Aug 24, 2019, 08:31 AM
• Last activity: Aug 29, 2019, 01:49 AM
3
votes
1
answers
2723
views
In Finder and Terminal — can not delete a folder, (Error = "Directory not empty")
Anytime I've run up against this in the past, I was always able to figure it out, and usually via the command line. I'll list all the commands I tried so far, followed by other things I've tried below that.
Commands I've tried so far, and were also ran as `root` using `sudo su root`:
* `rm -rf`
* `rmdir`
* `ls -@RelO` (shows folder is empty)
* `ls -Rail` (shows empty)
* `ls -ri` (shows empty)
* `xattr` (I finally removed the extended attributes of this folder, as `ls -la` showed an `@` at the end of the permissions.
drwxr-xr-x@ 3 mike staff 96 Jan 23 23:29 iPhoto Library
As mentioned, in addition to these Terminal commands, I...
1. Booted into Safe Mode (still says "Directory not empty")
2. Booted into Recovery Mode, then ran `csrutil disable` to turn off System Integrity Protection, and rebooted as normal. Then, from Terminal (again, via `sudo su root`), ran all of the same commands. It keeps saying "Directory not empty".
3. Booted into Single User mode, navigated to the folder, and ran the above commands (was sure this would work). It still reads, "Directory not empty"
4. Not copied, but moved this to a thumb drive (command key + drag to volume), a message read, "Was able to move folder, but can't delete existing one".
You may have noticed this is my old iPhoto Library file. Just so you know, I've finally (after many years) consolidated my newer "Photos" library, so I wanted to get rid of this, as it's almost 90 GB. And yes, I did 'right-click' to "Show Contents", then was able to get rid of everything inside of this folder, but can not get rid of the top-level folder.
I have never been stumped like this (I'm a Mac tech for 23 years). This is quite the forced feeding of some seriously humble pie.
Wharf Cat
(41 rep)
Jan 24, 2019, 05:21 AM
• Last activity: Feb 13, 2019, 10:49 PM
2
votes
0
answers
198
views
Setting Strict File Permissions and ACL’s for a KeepassXC keyfile on Mac OS
I use keepassXC on mac for my password manager. I use the keyfile feature with it, which requires a keepassxc created keyfile to be read in order for the database to be unlocked (veracrypt utilizes the same feature). What I am trying to accomplish is something mildly similar to my .ssh folder protection permissions on Mac OS. I would like to set permissions and ACL’s of the keepassxc keyfile so that the following rules are applied:
1. The file cannot be read or written to by any entity unless the following conditions are met:
a. The Entity trying to read the file is KeepassXC for Mac OS.
b. The Entity using and running KeepassXC is me (my user) on Mac OS.
2. The file can not be read or written to by any entity including root, unless the above conditions are met.
Does anyone who understands permissions and ACL’s know how I could accomplish something like this?
DanRan
(820 rep)
Jan 1, 2019, 08:03 PM
• Last activity: Feb 12, 2019, 07:24 PM
Showing page 1 of 20 total questions