Will the real Repair Permissions please stand up?

There has long been confusion and misunderstanding about what, exactly, the Repair Permissions routine in Apple’s Disk Utility does. What started as the Repair Privileges Utility available separately for Mac OS X 10.1 has become the subject of some controversy in the intervening years.

“What permissions does it verify?” and “Where does it get the list of permissions it uses for comparison?” are two reasonable questions users and system administrators alike may ask in order to understand the software better.

The answers to these questions are important to prevent the abuse of this technique in the no man’s land of troubleshooting voodoo. Repair Permissions has been debated ad nauseam, but confusion blankets it like a thick fog. It’s 2008 and yet I still come across reasonable people who don’t know what the software is doing — sometimes even holding that it is doing something it isn’t.

Well, there is information available on this topic. First, let’s look at Apple Knowledgebase Article 25751: About Disk Utility’s Repair Disk Permissions feature. As of this writing, it states:

“When you use Disk Utility to verify or repair disk permissions, it reviews each of the .bom files in /Library/Receipts/ and compares its list to the actual permissions on each file listed. If the permissions differ, Disk Utility reports the difference (and corrects them if you use the Repair feature).”

That seems to imply that all of the Bills of Material (BOM) files for every package listed in /Library/Receipts are reviewed. But the article further explains:

“No [Disk Utility does not check permissions on all files]. Files that aren’t installed as part of an Apple-originated installer package are not listed in a receipt and therefore are not checked. For example, if you install an application using a non-Apple installer application, or by copying it from a disk image, network volume, or other disk instead of installing it via Installer, a receipt file isn’t created. This is expected. Some applications are designed to be installed in one of those ways.”

The article implies that every package receipt is reviewed, but only the files and directories listed in an Apple-originated package are checked and repaired by Repair Permissions. This is somewhat confusing, since it doesn’t really explain how third-party software installed through an Apple installer package relates to this — particularly in the case where a file or directory is in both an Apple-originated package as well as a third-party one.

Macworld magazine’s Dan Frakes tackles the situation with the article Repairing permissions: What you need to know. The author tracks what BOMs Disk Utility is using while running Repair Permissions via fs_usage. He also runs strings on the tool that repairs permissions to find what, if any, BOMs are listed in the executable. Based on that evidence, he finds that a limited subset of BOMs are consulted by Repair Permissions — and all of them are Apple-originated; none are from a third party.

This dovetails nicely with the discussion of Repair Permissions in Michael Bartosh’s excellent Essential Mac OS X Panther Server Administration book from O’Reilly. While Mike is no longer around to explain how he obtained the list of BOMs — printed on page 163 — that are referenced by Disk Utility, it is likely he used one or both of the methods above. It is also likely he had access to information from Apple itself before he made the assertion. He always seemed to prize strong evidence and a deep understanding of the software, and so I trust what he wrote.

Mac OS X Leopard’s online help probably has the best clarification of the matter from an official source. It is succinct and much better than the Apple KB article when it spells out:

“Disk Utility repairs the permissions for files installed by the Mac OS X Installer, Software Update, or an Apple software installer. It doesn’t repair permissions for your documents, your home folder, and third-party applications.

You can verify or repair permissions only on a volume with Mac OS X installed.

It’s best to start up your computer using a disk with the latest version of Mac OS X, including software updates. Software updates may change file permissions to improve security.”

I think we can consider this matter settled; Disk Utility’s Repair Permissions routine is limited in scope. It only uses BOM files from Apple installer packages, and the only packages examined by the utility are those from Apple. Third-party software, even when installed by an Apple package, is not in the mix. The repair process only needs to be run as a troubleshooting technique when you think there is a problem related to the permissions-on-disk.

If you want to do your own sleuthing, the Macworld article shows how to run strings against the DiskManagementTool executable to find which BOMs it lists. The version below is modified slightly to read the executable from any disk you’ve mounted and to place the output on the pasteboard, so you can paste it into the editor of your choice. Substitute the volume’s path for “/path/to/startupvolume,” or remove that text to use your current startup disk:

$ strings /path/to/startupvolume/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/Resources/DiskManagementTool | grep Receipts | pbcopy

Neither the DiskManagement framework nor the DiskManagementTool exists in Jaguar, however. I found that the on-disk structure of Disk Utility changed between Jaguar and Panther. After discovering that change, I thought I’d need to substitute “Disk Utility.app/Contents/Resources/Disk Utility Agent” for DiskManagementTool, but even that executable didn’t contain any references to “Receipts.” Instead, I settled upon the following for Jaguar:

$ strings /path/to/jaguarvolume/Applications/Utilities/Disk\ Utility.app/Contents/Resources/DiskFirstAid.bundle/Contents/MacOS/DiskFirstAid | grep Receipts

The result is much shorter: only 12 BOMs are referenced in Jaguar, in contrast to 47 in Leopard. For more, see Packages consulted by Repair Permissions in Jaguar, Panther, Tiger, and Leopard.
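
The two strings commands above can be folded into one script that detects which layout a mounted volume uses and counts the distinct receipt references it finds. This is an added example, not code from the original post or the Macworld article; the function names are made up for illustration, and the two binary locations are the ones quoted above.

```sh
#!/bin/sh
# Added example: list the receipt paths embedded in Disk Utility's repair tool.
# The two relative paths are the ones given in the article; function names are illustrative.

PANTHER_TOOL='System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/Resources/DiskManagementTool'
JAGUAR_TOOL='Applications/Utilities/Disk Utility.app/Contents/Resources/DiskFirstAid.bundle/Contents/MacOS/DiskFirstAid'

# Print the repair binary found on the volume; fail if neither layout exists.
find_repair_tool() {
    vol=${1%/}
    for rel in "$PANTHER_TOOL" "$JAGUAR_TOOL"; do
        if [ -f "$vol/$rel" ]; then
            printf '%s\n' "$vol/$rel"
            return 0
        fi
    done
    return 1
}

# Printable runs of 4+ characters: strings(1) when installed, else a tr/grep equivalent.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Unique embedded strings that mention Receipts, one per line.
receipt_refs() {
    tool=$(find_repair_tool "$1") || return 1
    printable_strings "$tool" | grep Receipts | sort -u
}

# Number of distinct receipt references found in the binary.
receipt_ref_count() {
    refs=$(receipt_refs "$1") || return 1
    printf '%s\n' "$refs" | grep -c . || :
}

# Run against a volume only when one is named on the command line.
if [ $# -gt 0 ]; then
    receipt_refs "$1"
fi
```

Saved under any name and run with a mounted volume's path as its argument (or / for the startup disk), it prints the sorted, de-duplicated list; receipt_ref_count gives the figure to compare across OS versions.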