Creating Permissions on Mac Trash Bin

[liser k.]

I want to be able to set permissions to my trash bin like you used to do on earlier OS. My goal is - in order to move a file to the trash bin you have to enter the Admin password before completing the move.

 

[liser k.]

I'd even settle for setting up a password protection for the trash bin itself.

 

[bogdanw]

I want to be able to set permissions to my trash bin like you used to do on earlier OS.

How did you used to do it on an earlier OS and why isn’t it working on this one?

 

[liser k.]

How did you used to do it on an earlier OS and why isn’t it working on this one?

Before you could choose Get Info on the trash folder and set the permissions at the bottom so it created a password prompt when adding anything to the bin. Im trying to protect work related footage from accidentally being trashed from one of our open viewing stations.

 

[bogdanw]

Something like this?
sudo chown root ~/.Trash

 

[liser k.]

operation not permitted, which means I need to somehow turn on full disk access with the OS.

 

[bogdanw]

You just need to give Terminal Full Disk Access. You can remove the permission after running the command.

 

[liser k.]

So this command line prevents trash from being deleted in the trash bin even after hitting empty?

If, so do you have the command line to reverse this? lol

 

[bogdanw]

To reverse it, replace root with your username.
sudo chown liser ~/.Trash
Also, if there is nothing of value in the trash, you can delete the Trash folder and it will be recreated with the correct permissions for the user.
sudo rm -r ~/.Trash

 

[liser k.]

Damn. I restarted my machine and now the trash empties regardless with the code and disk access applied to terminal and kept on. It seemed to work before this.

 

[capuzino]

You can do this on Monterey too.

1. Open your user folder
2. Press CMD + SHIFT + dot (this shows the hidden folders)
3. Locate the Trash bin
4. Choose get info over the folder or click the trash bin folder and press CMD + I
5. Change the permissions to read only
6. Do step 2 again to hide hidden folders.

 

[liser k.]

sadly, I can still move items to the trash bin and empty trash. I even turned on locked for the folder permission and set to read only. argh.

 

[capuzino]

sadly, I can still move items to the trash bin and empty trash. I even turned on locked for the folder permission and set to read only. argh.

That's weird. If I follow the guide to change permissions, I can't move any files to trash without password. I can empty it without password though.

Also if I lock the folder then I can't move any files to trash or empty it. Even if my user has read & write permissions for it.

 

[liser k.]

So, I created a new user that was a standard account and did the permissions to that trash. Eureka! BUT only for files that are on the local drive. When you add an external drive - IT's permissions trump the computers permissions of read only. You would have to set the external drive, media cards etc to read only as well to make this work fully. Unless there is a quick way to make all externals read only upon mounting.

 

[chrfr]

I want to be able to set permissions to my trash bin like you used to do on earlier OS. My goal is - in order to move a file to the trash bin you have to enter the Admin password before completing the move.

What, exactly, is the problem you’re looking to solve by doing this?

 

[liser k.]

What, exactly, is the problem you’re looking to solve by doing this?

So we have a viewing station for camera operators to take their media cards that they shot with and scrub through their footage. We are trying to create a fail safe that they don't somehow unwittingly trash footage from the card. Hence locking the trash bin from anything going in it without an admin password prompt.

 

[chrfr]

So we have a viewing station for camera operators to take their media cards that they shot with and scrub through their footage. We are trying to create a fail safe that they don't somehow unwittingly trash footage from the card. Hence locking the trash bin from anything going in it without an admin password prompt.

Each card that gets plugged into the computer has its own trash directory, so locking down the folder in the user’s home folder will have no bearing on this. You may want to look at forensic devices, either forensic card readers or USB write blockers if this is a critical thing. Otherwise you’re really looking at a personnel solution through training, not a technological one.

 

[liser k.]

Each card that gets plugged into the computer has its own trash directory, so locking down the folder in the user’s home folder will have no bearing on this. You may want to look at forensic devices, either forensic card readers or USB write blockers if this is a critical thing. Otherwise you’re really looking at a personnel solution through training, not a technological one.

yeah, agreed. thank you for the suggestions though!

 

[capuzino]

So, I created a new user that was a standard account and did the permissions to that trash. Eureka! BUT only for files that are on the local drive. When you add an external drive - IT's permissions trump the computers permissions of read only. You would have to set the external drive, media cards etc to read only as well to make this work fully. Unless there is a quick way to make all externals read only upon mounting.

External drives etc. have their own trash bins with own permissions. There's a hidden folder named .Trashes and inside that there's the drive's trash bin folder. After you change that trash bin's permissions it will ask for password everytime you try to delete something. However this needs to be done for every card and drive separately and will most probably reset every time you format the drive or memory card in camera or other device.

I bet someone more skilled could turn this into a automatic or partially automatic script (or maybe even know an app to do something like this), but one option for turning external drives to read only is this:

1. Connect the drive
2. Open terminal
3. Type "sudo mount -u -o -r " to terminal (remember the space after the r)
   1. -u = modifies the status of an already mounted filesystem
   2. -o = options
      
      1. Necessary for APFS formatted drives but with ExFAT ones the command only works if you remove the "-o". Don't know how well the command works with other filesystems.
   3. -r = mounts the drive as read only
4. Drag and drop the connected drive to terminal and press enter
5. Type your password and press enter again

Then it should ask password or give a permission error whenever someone tries to trash something from the drive.
This however has to be done every time the drive is connected again to a Mac.

 

[bogdanw]

Disk Arbitrator https://github.com/aburgh/Disk-Arbitrator free, works in Monterey, set mount read-only.