For security and privacy, you will not be allowed direct access to some hidden system files and those in other user accounts on your Mac, but otherwise you should at least be able to see and read the files on your system, and especially should have full access to all files in your Mac’s home folder. However, there are times when you might find yourself barred from editing or reading files for which you ought to have full access.
In these cases, you might be required to authenticate each time you wish to save a file, and even after supplying an admin password to allow editing of the file, you might see an error that indicates the file cannot be written.
There are several reasons why this might happen. Even if a file seems to be set up in a way that should allow full access, and you clearly do not have it, the file may have some hidden properties that prevent this.
Check standard file permissions
If you do not see your account’s short name with “(me)” listed next to it as the first entry in this panel, then your account is not considered the owner of the file. If your name does not appear anywhere in the list, then the system does not have a rule for specifically allowing your account access to the file, and instead is depending on the default group and “everyone” permissions settings to determine how you can access it.
One option here is to simply click the plus button and then add your user account to the file, but another option is to make yourself the owner of the file in the Terminal:
- Open the Terminal utility
- Type the following text, but do not press Enter yet:
- Drag your file to the Terminal window to fill out the full path to it, followed by pressing Enter to assign this to the variable “THEFILE”
- Run the following commands:
sudo chown $USER:staff "$THEFILE"
sudo chmod 755 "$THEFILE"
You can copy and paste these commands from here to the Terminal. With your file assigned to the variable THEFILE, these commands will ensure first that your user account is the owner, and secondly that you have full read access to the file.
Clear file ACLs
The above permissions are the file’s basic UNIX permissions, also referred to as POSIX permissions, which suffice for most intents and purposes; however, for special setups more complex permissions rules may be required, which are provided in the form of Access Control Lists (ACLs). When you merely add your user name to the file using the plus button, this uses ACLs to append special permissions handling for the added users. In this case you will see the ACE (Access Control Entry) in the Finder’s information window, but in other cases Access Control Entries might exist but not show up in the info window.
Since they can change how a file is accessed, clearing the file’s Access Control List entries will ensure only POSIX rules are observed, and allow you the access that is shown in the Finder’s information window.
With THEFILE assigned as mentioned above, you can run the following command to list the file's Access Control Entries:
ls -le "$THEFILE"
In the output of the command, the first line (which might wrap around) will be the standard POSIX permissions and other information about the file, but if there are any additional lines following this that begin with a number (e.g., “0:” or “1:”, etc.) then these indicate the presence of ACL rules. To remove them, run the following command in the Terminal (again, provide your password if prompted):
sudo chmod -N "$THEFILE"
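Because chmod -N removes every entry at once, it is worth recording what the ACL contains before clearing it. The following is an added example, not part of the original article: it parses ls -le output into one line per ACE and counts the deny rules. The sample listing, its path and user names, and the function names list_aces and count_deny are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the ACEs in `ls -le` output before `chmod -N`.
# SAMPLE is a constructed listing, not output captured from a real system.
SAMPLE='-rw-r--r--+ 1 alice  staff  120 Jan  1 10:00 /Users/alice/report.txt
 0: group:everyone deny delete
 1: user:bob allow read,write'

# list_aces: read `ls -le` output on stdin and print
# "index|principal|type|rights" for each line that begins with a
# number and a colon (the ACE lines described above).
list_aces() {
    awk '
        /^[ \t]*[0-9]+:[ \t]/ {
            idx = $1
            sub(/:$/, "", idx)
            # Inherited ACEs carry the word "inherited" after the principal.
            t = 3
            if ($3 == "inherited") t = 4
            rights = ""
            for (i = t + 1; i <= NF; i++) {
                if (rights != "") rights = rights " "
                rights = rights $i
            }
            print idx "|" $2 "|" $t "|" rights
        }'
}

# count_deny: number of deny entries in the listing on stdin. Deny rules
# are the ones that can block access the POSIX mode bits appear to grant.
count_deny() {
    list_aces | awk -F'|' '$3 == "deny" { n++ } END { print n + 0 }'
}

# On a Mac, with THEFILE set as in the steps above:
#   ls -le "$THEFILE" | list_aces
printf '%s\n' "$SAMPLE" | list_aces
```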
Clear extended attributes
Beyond POSIX permissions and ACLs, OS X supports another kind of file attribute that can prevent access to files. These are extended attributes, which are metadata tags on a file that give the Finder special handling abilities, such as hiding the file, or tagging it with a label. Among the possibilities is a FinderInfo extended attribute, which may contain rules that prevent access to the file in the Finder and, depending on how other programs are coded, may interfere with access by them as well. You can see the extended attributes of a file by listing their contents with the following command:
xattr -l "$THEFILE"
Note that you can leave out the “-l” flag to just list any extended attributes by name. In the example here, the metadata extended attribute has a User Tags entry that contains “Green,” and the FinderInfo attribute is empty, but present. In some cases, the FinderInfo tag and others might cause problems even if they do not contain anything, so if you cannot gain access to a file by other means then your next step will be to remove the extended attributes of the file, using the following command:
sudo xattr -c "$THEFILE"
When done with all of these steps, your file should now be cleared of most potential blocks that could interfere with access to it, either in the Finder or in other applications you use.
A GUI for all that?
(…) but in other cases Access Control Entries might exist but not show up in the info window.
Wait…. whaaaat???? THE HORRRORR!!
That definitely looks like a bug! Is it reproducible? If so, how?
The filename should be quoted to allow a pathname/filename containing whitespace and/or expansion characters:
I.E., all occurrences of
Dragging the file to the Terminal window as I described for creating the path will format it with properly escaped characters, so for these instructions you do not need to encase anything in quotes; however, if you use this approach for other path handling routines, especially where someone might enter path names without escape characters, then the use of quotes might be a good safety catch.