How to change the group id of files and folders
This might help with some of the permissions problems that Leopard upgraders are experiencing.
The problem Since upgrading to Leopard, many users have been experiencing permissions problems. Some of these are connected with Group access to their files. A typical symptom is this: you select a file in the Finder and choose File > Get Info to examine its permissions. Permissions are listed at the bottom of the Get Info window, under "Sharing and Permissions". The Group here is listed as "Unknown". And then, possibly, when you click the lock (to authorize) and then try to change the Group setting, the Finder crashes.
Files and folder with the "Unknown" group are causing other problems as well. There is some evidence that Spotlight might not index them correctly, and perhaps Time Machine may not even back them up properly. And these incorrect groups might be at least partly to blame for the slowness of Repair Permissions on some people's machines. It isn't entirely clear what all the ramifications are.
Nor is it obvious why having an "Unknown" group should make much difference. Groups is Unix are not usually a big deal. The usual way in which groups come into place is when you're the admin user; this fact is expressed by your being a member of the admin group, and it is that that gives you write access to the top-level Applications folder, whose owner is root (which is not you) but whose group is admin (of which you're a member, and so the read-write group permissions on the Applications folder apply to you).
Funny things happen with groups all the time, and you never even notice. For example, in Tiger, when I save a new TextEdit file to my Desktop, it has gid 501, which is correct, but when I create a file with Preview (by copying a selection from an existing Preview window and choosing File > New From Clipboard) and save it to my Desktop, it has gid 0, which is wrong. So Mac OS X itself assigns things the wrong group quite frequently. This has no ill effects, though.
But it seems that an incorrect group such as this "Unknown" group which people are seeing does make a difference in Leopard. Why would this be? Quite honestly, that isn't clear. Perhaps it has something to do with the new implementation of the file sharing system, which depends very heavily on groups. For example, on my Leopard machine, my user is a member of the com.apple.access_screensharing group, because I've got screen sharing turned on for that user, and of the com.apple.access_ssh group, because I've got remote login turned on for that user. That's a completely new mechanism for marking who gets what kind of shared access to the computer, so perhaps that's why Leopard is so touchy about groups, in a way that Mac OS X never was before.
The cause Where are these "Unknown" group settings coming from? In a sense, the answer is very clear: it's that between Tiger and Leopard, Apple has changed its group policy for users.
In Tiger, a user was associated primarily with a group with the same name and number as the user. To see this, in Tiger, give the id command in the Terminal. What you'll see will start something like this:
uid=501(cooluser) gid=501(cooluser) groups=501(cooluser)
In Leopard, a user is associated primarily with the "staff" group. To see this, in Leopard, give the id command in the Terminal. What you'll see will start something like this:
uid=501(cooluser) gid=20(staff) groups=20(staff)
("uid" means user id; "gid" means group id. The id has both a number and a name.)
And there is one other point, which is equally important:
- In Leopard, for some people at least, there is no 501 group (or whatever your old group number might be).
It's the combination of these two things - the 501 user used to be a member of the 501 group, but in Leopard there is no 501 group - that is causing a file or folder with group id 501 to have its group described as "Unknown".
Another part of the cause is that, for some people at least, the Leopard installation process is not compensating for this change. It should be. Changing group values is not all that uncommon; it happens all the time. It happens, for instance, when a file or folder is copied from one user to another. For example, when I use File Sharing to connect my Tiger machine to my Leopard machine and copy a file from the one to the other, the file has uid 501 and gid 501 on Tiger, but when it is copied to Leopard it takes on uid 501 and gid 20. In other words, the system compensates for the fact that group 501 doesn't exist on the Leopard machine; the target user on the Leopard machine has group 20, so the copied file is assigned group 20.
The trouble is that this is not happening for some users during the upgrade process, and so there are a lot of files and folders hanging around whose group id is 501. Since there is no Leopard group whose gid is 501, Leopard calls this group "unknown".
Fixing the group id, the Finder way Some readers have found that they can correct permissions on a migrated folder merely by copying it (not moving it) to the Deskop, and then moving it back into place, replacing the troublesome copy of the folder.
Perhaps that technique would have come in handy during the upgrade to Leopard. For example, let's say you did an Archive and Install where your old stuff has ended up the Previous Systems folder. When you move a folder of your old stuff back into place, it might make a difference whether you move it or copy it (by holding down the Option key). Using the latter technique might cause group ids to be changed properly. That point is tentative, though, and probably needs further investigation.
Fixing the group id, the Unix way. Using a simple Unix command in the Terminal, you can correct the group id of all the files and folders within your Home directory, changing only those group ids that are specifically incorrect. (We're going to stay inside the Home directory because messing with permissions outside it is a completely different kettle of fish, and is not recommended unless you really know what you're doing.) If you want to try this, you should be aware that things could backfire very seriously, so make sure you've got a backup before doing anything else, and make sure you mentally sign the MacFixIt Total Indemnification Form in advance. (Having said that, I did run this on my machine before telling you about it, and it did work.)
Use the Spotlight preference pane to exclude your entire hard disk from Spotlight. The reason is that you are about to make a lot of changes, and while you are making them, you don't want Spotlight to be running along behind you, trying to note them all down. This will slow down the whole process considerably. So effectively you want to turn Spotlight off temporarily.
For the same reason, turn off Time Machine temporarily. Oh, by the way, every file whose gid gets changed by this process is going to count as a changed file, so it is going to get copied the next time you perform a Time Machine backup. That could be a long, large backup.
Next, make sure that your group id is 20. The id command in the Terminal, as shown above, should demonstrate this. If your group id is not 20 you're going to need to change it. To do so, use the Accounts system preference pane. Click the lock (to authorize yourself) and then control-click on your user account in the list of accounts and choose Advanced Options. In the resulting dialog, if your Group ID isn't 20, make it so and dismiss with OK.
Now, in Terminal, you need to know the number of the gid that is wrong. So first, find yourself a file or folder whose group is showing up as "unknown" in the Finder's Get Info window, and navigate to its containing folder. In the Terminal, type
ls -aln
followed by a space, and then drag the folder containing the problematic file or folder right from the Finder into the Terminal window, and hit Return in the Terminal. You'll see something like this:
drwx------ [number] 501 501 [number] [date] myFolder
The key thing is that pair of numbers in the middle, which I've shown as 501 501. The first is the uid of this item; the second is the gid of this item. It is the second number, here 501, that should be changed to 20.
Okay, I'm going to pretend that the troublesome group number is in fact 501. Then, in the Terminal, do this. First, type
cd
followed by Return. That's to bring you into your Home folder. Now, very very carefully, triple-checking everything before you dare to hit Return, type
sudo find . -group 501 -exec chgrp 20 {} \\;Because of the pesky CMS used here at MacFixIt, I can't be sure how that is going to come out on your machine, so I'm going to recite it in words: "sudo", space, "find", space, dot, space, hyphen-"group", space, "501", space, hyphen-"exec", space, "chgrp", space, "20", open-curly-brace-close-curly-brace, space, backslash-semicolon. I'm particularly worried about that backslash.
To explain all of that:
"sudo" means "Let me do this even if permissions would normally stop me."
"find" means "Locate the files matching the following description and perform the following operation on them."
dot means "Start in the folder where we are now," which is your Home folder because of the previous cd command.
"-group 501" means "Look for files and folders whose group id is 501." If your troublesome group id is different (e.g. 502), the number here will need to be different.
"-exec" means "And here's what I want you to do when you find one."
"chgrp 20" means "Change its group id to 20".
{} means "When I say 'it', I mean the file or folder you just found."
backslash-semicolon means "That's the end of what I want you to do."
If you're happy with all that, press Return. This command is going to take quite a long time to execute, so don't be discouraged. Don't do anything with the computer, either. Just let it run. There isn't going to be any feedback until it's all over, at which time your prompt will appear in the Terminal (and, if you computer is like mine, your fans will spin back down!).
You can now use ls -al in the Terminal, or use the Finder's Get Info window, to check that things went as expected. When you're satisfied, restart the computer (just for luck), and remove the hard disk from the Spotlight excluded items. Spotlight will reindex the hard drive. When that's all over, you can turn Time Machine back on and resign yourself to a large backup next time it runs.
Conclusions The change between Tiger and Leopard where a user's group number is now 20 instead of a number matching the original user number is a big change, and it seems that Apple didn't prepare for it as well as it might have. And pulling the rug out from under users by invalidating the previously existing 501 group is really not very nice. However, what's most distressing about the current situation is, as usual, the lack of information and the lack of tools.
Apple gave no warning that this change was coming.
Apple has never, since the dawn of Mac OS X, supplied a decent GUI utility for fully dealing with Unix ownership and permissions.
Apple has never provided clear information on what the correct ownership and permissions for various files and folders should be.
There is thus a tendency on Apple's part to obscurity verging on silence when it comes to technical matters, even when those technical matters are quite important. This might be to some extent denial ("Mac OS, it just works") and partly a desire not to burden users with technical concerns. But when you're knee-deep in the frustration of the situation that the Leopard installation has left you with, Apple's attitude may feel more like plain arrogance. In any case, the irony is this: thanks to the lack of decent official GUI tools and information, users are burdened with those technical concerns anyway, and have no recourse but to grapple with the underlying Unix data in the Terminal, and are left to a combination of deduction and guesswork to figure out what the goal is and how to achieve it.
Resources