How to restore permissions for username "system"?

[sparky672]

I was having a heck of a time with the OWC SSD in my old Mac Pro (High Sierra 10.13.6) and ended up re-installing High Sierra from scratch and using Migration Assistant to restore the rest from Time Machine.

Along the way, I managed to bungle up my Home folder somehow and in the process of "fixing" permissions I ended up replacing the "system" user with my username. Unfortunately, there does not seem to be a way to get that "system" username back.

I believe the last place with screwy permissions is my Applications folder, where the permissions show my name in place of where "system" should be:

How do get "system" back onto the Application folder? BTW, everything inside the Applications folder is correct or has already been fixed by manually replacing them all from a Time Machine version. I have not tested everything, but so far my applications seem to work ok, even when logged in as another user.

1. How to fix permissions on Application folder with "system" username?

2. Is there a reputable app that can verify (repair) all system and user permissions on High Sierra? (Apple removed this from Terminal and Disk Utility)

Thank you!

 

[bogdanw]

Get BatChmod, select Owner: root and Apply.
batchmod_17b5.zip https://web.archive.org/web/20220914084330/http://lagentesoft.com/resources/batchmod_17b5.zip

Discussed here https://forums.macrumors.com/threads/batchmod-alternatives.2394659/

 

[sparky672]

Get BatChmod, select Owner: root and Apply.
batchmod_17b5.zip https://web.archive.org/web/20220914084330/http://lagentesoft.com/resources/batchmod_17b5.zip

Discussed here https://forums.macrumors.com/threads/batchmod-alternatives.2394659/

Thank you! These are the settings I tried.

I clicked "Apply" and entered my admin password. I got the "Donate" message so I assumed success.

However, the changes did not seem to get applied:

Unless I am misunderstanding how this works?

Below are the permissions from "Applications" in the Time Machine backup, so I am assuming the permissions on the current "Mac SSD/Applications" folder should be the same as they were here in the past. Does "system" automatically change to "Me" when I am logged in as Admin?

 

[chabig]

This is how it’s supposed to look. You on top, admin next, and everyone else last.

 

[sparky672]

This is how it’s supposed to look. You on top, admin next, and everyone else last.


View attachment 2509441

Thank you for the reassurance. I appreciate this. Can I ask you what Utilities folder should look like? I ask because I am only sure of these things:

• I screwed up permissions originally with my user account, and may have done something to break the app permissions.
• The permissions as shown on Applications folder via my last good TM backup show "system" as owner.
• The permissions on the Applications folder on a new MacBook also show "system" as the owner, for whatever that is worth to High Sierra I don't know.

 

[chown33]

Please post the output of this Terminal command:

ls -ledO@ /Applications

 

[sparky672]

Please post the output of this Terminal command:

ls -ledO@ /Applications

Only my own name redacted...

 

[chown33]

This Terminal command should change the owner to 'root', which is what Finder shows as "system":

sudo chown root /Applications

This will prompt for a password, and you should enter the password of your admin account. If your account isn't an admin, then you'll need to login with that account first.

The password you type in will NOT be echoed to the screen, so be sure to type it in carefully. When typed in, press the Return key.

After the command runs, you can repeat the 'ls' command I gave earlier. It should show 'root' as the owner. If not, please post again.

EDIT

The 'sunlnk' flag shown in the 'ls' output is related to System Integrity Protection. If that's enabled, you may be unable to alter the owner of /Applicaitons. So if the above 'sudo chown' doesn't result in 'root' owning /Applications, you'll probably need to disable SIP and try it again.

https://stackoverflow.com/questions/46658328/macos-cannot-delete-folder-with-a-sunlnk-flags

 

[sparky672]

you'll probably need to disable SIP and try it again

Yes. I had left SIP disabled for something else I had to do, and I did not realize had been re-enabled (likely on an update). This is probably why BatChmod failed.

Anyway... it's back to normal now. Thank you!

_____
​

Another quick question. This is the Mail app.

From my TM backup. What is "everyone: custom"?

From my actual Mail app...

Is this important? How to repair?

 

[chown33]

Yes. I had left it disabled for something else I had to do, so I did not realize it re-enabled itself (likely on one of the OS updates). This is probably why BatChmod failed.

Anyway... it's back to normal now. Thank you!

View attachment 2509675


_____
​

Another quick question. This is the Mail app.

From my TM backup. What is "everyone: custom"?

View attachment 2509679

From my actual Mail app...

View attachment 2509678

Is this important? How to repair?

I don't know what the Everyone: Custom means. It might be an ACL (Access Control List), but that's a random guess.

You can see an ACL (provided by macOS) on the output from the earlier 'ls' examples. It's the line:

 0: group:everyone deny delete

I almost never use Finder's Get Info window for changing permissions, because I can't always tell how the underlying Posix permissions are mapped to Get Info terms. Sometimes it's fairly clear, but other times it's not. And since permissions can be important, I think it's best to go straight to the originals, i.e. the Posix permissions.

If you want to find out what the underlying Posix permissions (and ownership) are, you can use a combination of a Terminal command-line you partly type in, then you drag-and-drop a Finder object (folder or file) onto the Terminal window. This will expand the object's complete quoted and/or escaped pathname. You then press the Return key in Terminal, just like you'd typed in a long pathname instead of dropping a Finder object in a window.

The partial command is:

ls -ledO@

There is a single space after the "@" WHICH IS REQUIRED. Without the space, dropping a Finder object into the Terminal window will concatenate the pathname to the -leOd@ options. The result will not be a valid pathname or options, so 'ls' will fail.

Personally, I think it's dumb that Terminal doesn't put a leading space, because it's perfectly happy to put spaces between items if you drop more than one. At this point, it's futile to complain about it, just make sure to always type "something something SPACE" before dropping things into Terminal windows.

 

[sparky672]

I almost never use Finder's Get Info window for changing permissions, because

Good point. I was only using Get Info as an easy way to show the differences. So far, I've only edited permissions with Terminal.

Here is the result for the TM backup...

Looks like there are ACLs causing the "custom" entry.

___________________

This is the actual Mail App...

Same permissions but no ACL.

Should this be repaired? How?

 

[chown33]

To me, the extra ACL in the TM backup looks like TM's doing. Denying all those modifications seems like exactly what TM would do to prevent unwanted alteration of backups.

I wouldn't change anything on the Mail.app in its normal location. The permissions it has now seem adequate to me. It lacks the "everyone deny delete" I see on my Mail.app, and which you can probably find on your other apps, but its absence doesn't seem overly risky to me. If you really want that ACL, a command-line could be made to add it.

 

[sparky672]

To me, the extra ACL in the TM backup looks like TM's doing. Denying all those modifications seems like exactly what TM would do to prevent unwanted alteration of backups.

I wouldn't change anything on the Mail.app in its normal location. The permissions it has now seem adequate to me. It lacks the "everyone deny delete" I see on my Mail.app, and which you can probably find on your other apps, but its absence doesn't seem overly risky to me. If you really want that ACL, a command-line could be made to add it.

As long as it's functioning properly, I am not going to worry about it.

Thank you!