Don’t like macOS migration assistant? Want to do things manually and have full control? Well this section is technical, but may yield key results for people having significant problems with Time Machine backups and the dreaded ACLs!
But the most importantly…
- Don’t change Time Machine ACLs!
- Just strip the ACLs of files you copied from it!
- So find, copy locally, and then change permissions.
Added to UNIX file permissions such as user/group/everyone each having their own read/write/execute permissions, MacOS also uses ACLs (Access Control Lists). These ACLs allow much more granular file and folder permissions settings.
UNIX File ownership
File ownership provides a secure method for storing files. Every file in UNIX has these basic attributes.
- Owner: controls actions the owner of the file can perform on the file.
- Group: secures actions a user, who is a member of the group that a file belongs to, can perform on the file.
- Other (world): what action all other users can perform on the file.
UNIX File Access Modes
The permissions of a file are the first line of defense in the security of a UNIX system.
- Read: Grants the capability to read or view the contents of the file.
- Write: Grants the capability to modify, or remove the content of the file.
- Execute: User with execute permissions can run a file as a program.
UNIX Directory Access Modes
Directory access modes are listed and organized similarly as any other file.
- Read: Access to a directory means that the user can read the contents. The user can look at the filenames inside the directory.
- Write: Access means that the user can add or delete files to the contents of the directory.
- Execute: Executing a directory doesn’t really make a lot of sense so think of this as traverse permission.
Note: more details available on www.tutorialspoint.com/unix/
Back to Time Machine
Once we understand the basic of UNIX file security, we can now appreciate the fact that by default, Time Machine adds the following ACL to all files:
This ACL simply means that all files and folders inside a Time Machine backup are locked for everyone (even the root user).
So if you restore your files manually from a Time Machine backup, all files and folders will keep those annoying Time Machine ACLs attached to them (good for security, but bad for portability).
Solving the problem
Once we understand the challenge, it is quite easy to remove the Time Machine ACLs. For all three options you need the Terminal which you will find in /Applications/Utilities.
Either way, the key is to access the Time Machine files directly from the Finder window, then copy the file or folder directly to the destination folder.
Option 1 – Swing the axe
If we know the files we want are in folder called “Documents”, let’s copy that folder on our local desktop. Once the copy is done, we can type the following into our Terminal window (make sure you follow the path of where you’re trying to run the command).
Note: If you don’t know the Terminal-way of specifying a path file or folder, simply drag and drop the file/folder you want onto the Terminal window and the Terminal will type the correct file/folder name for you.
chmod -R -N ~/Desktop/Documents/ Files
Option 2: Remove the first ACL entry
Same example as above. You have a folder called “Documents” on your Desktop. But in this case you have a few files with custom ACLs that you want to preserve. Type the following into the Terminal window:
chmod -R -a# 0 ~/Desktop/Documents/ Files
What makes the above solution “dangerous” is that it is not idempotent.
An idempotent operation is an operation that can be applied over and over without changing the result after it has been applied once. Kind of like multiplying a number by 1. You can keep doing it but the result is always the same.
Why does that matter? Well, let’s say that you have a file that already had an ACL before Time Machine prepended its own ACL entry.
If you run the above command twice then you will have removed both the Time Machine ACL as well as the ACL that you probably didn’t want to lose.
Plus the above solution is also not ideal for Time Machine files that are mixed in with other files. If any of these other (non-Time Machine) files have ACLs then the above command will remove those ACLs.
Option 3: Remove specific restrictions from an ACL
Aside from being able to specify which number entry of an ACL you want to remove you can also specify the specific restrictions you want to remove. So you could do this:
chmod -R -a "group:everyone deny add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,chown" ~
Note: “~” means “my home directory”, i.e. if your username is bob then “~” = “/Users/bob”)
The above command is also idempotent!
If we want to view the UNIX permissions as well as the ACLs of a particular file/folder you can pop open the Terminal and type
ls -led /path/to/file_or_folder
(again, just drag and drop the file/folder you want onto the Terminal window if you don’t know how to specify it the Terminal-way).
If you want to learn more about certain commands, you can start by typing them into the Terminal window and you’ll be on your way to becoming a deepgeek.
(space bar to page forward, q to exit the man[ual] page)