Repair Permissions

Repair Permissions

There are a lot of misconceptions around the repair permissions feature within OS X. So let's try to understand what the process really does, what it doesn't and how and when to use repair permissions in the real world.

What Repair Permissions Really Does

First, repair permission actually compares the permissions of installed files and folders to a database that contains what the permissions of those files and folders should be as set by the developer/person who created the package. So there is no "repair" but more "change"

Second, repair permissions doesn't repair any file or folder you create, nor an application downloaded from the Internet. There is, thankfully, a list of what is repair. And even better we can specify which package(s) we would like to verify or repair. Now I'm not suggesting everyone should just add all packages to their list of repaired items, not in the least, but maybe you might want to check one or two applications causing you grief.

What Is Changed

To see a list of packages that are "repaired", we need to use Terminal (/Applications/Utilities) and enter the following command;

$ /usr/libexec/repair_packages --list-standard-pkgs

Your output should be similar to this;

Each of these items corresponds to an installed package. For example, com.apple.pkg.BSD is for the underlying OS installed called BSD which stands for Berkeley Software Distribution. An obvious items that should be "repaired", but lets consider why it's important to have such a limited list of packages that are considered during the repair process.

Let's say I create a new application called WrongPermissions.app. I ask my assistant to create an installer for my new application. They use something called PackageMaker to create said installer, but could you a variety of third-party tools. He then drags WrongPermissions.app along with some other supporting files into PackageMaker. PackageMaker then takes the set permissions of the files and folders from his computer and makes them the default for the installer. Let's then imaging that my assistants computer has never really worked right and the permissions for say /Applications/ are set to "No Access" for the group and "everyone". If you don't know, that's not correct. The proper permissions would be:

So now when you install WrongPermissions.app, your /Applications/ folder will be set incorrectly. And IF the repair permissions feature believed WrongPermissions.app was accurate, repairing permissions would never fix the problem. The good news is it doesn't and will only use the standard packages to consult when repairing permissions

Making Adjustments

Now I can't say I'm recommending this process, but you could add additional packages to this standard list by using the --pkg followed by the package ID. The ID can be found reading the database using the following command

$ pkgutil --pkgs

This command will output all the packages installed on your computer. So for example if you wanted to repair Pixelmator you'd use the following command

$ /usr/libexec/repair_packages --repair --pkg com.pixelmatorteam.pixelmator

Why Repair?

This is the real question everyone should consider. Remembering that repair permissions doesn't repair any file or folder you've created, nor any application that was installed via Installer that is outside of the standard list, when would you run it? Well it's simple, lets say you have a computer that won't boot. That is, the boot process won't get past an Apple and the "spinning gear". You can boot to verbose mode (command-v at startup) and see errors like "can't read file" or "permission denied reading ...." Now you have a real reason. It's the base OS not functioning as we'd expect. Now run repair permissions either via Disk Utility using the Recover Partition or even in the CLI if you so desire and restart again. I'd bet you're able to get to a login window!

And yes this actually happened to me with a client. It was also the last time I ran repair permissions to fix a problem and it was over 4 years ago! Sure I've run repair permission after configuring a "master computer" that i'm going to take an image of, but that's just being thorough and detail oriented.

Supporting Information:

http://support.apple.com/kb/HT1452

http://support.apple.com/kb/HT2963

http://support.apple.com/kb/PH10605