OS X: El Capitan’s Deletion of “Repair Disk Permissions” Could Impact You

| Analysis

Apple's next version of OS X El Capitan uses something called "System Integrity Protection" to prevent the alteration of critical system files. As a result, scripted installers and even privileged admin users can no longer change those UNIX file permissions and then modify them. This should make El Capitan more stable and secure. So, while "Repair Disk Permissions" is gone, that also creates an important issue for users: software upgrades.

The high level explanation for this analysis comes in the public beta release notes under Notes and Known Issues, Other:

System file permissions are automatically protected, and updated, during Software Updates. The Repair Permissions function is no longer necessary.

This change will generally go unnoticed by most average users except for the absence of that button in /Applications > Utilities > Disk Utility.app. A revised, better looking and easier to understand version of Disk Utility comes with El Capitan. However, in some cases, there could be further impact.

System Integrity Protection

This change comes under the umbrella of an OS X El Capitan feature called System Integrity Protection. The overall goal here is to prevent an overly ambitious installer that wants its own way or a piece of malware from altering critical system files and compromising the security or stability of OS X.

Apple has provided a way for developers or expert IT managers to turn SIP off when absolutely necessary, but that's something ordinary users will never learn about nor ever need to do. Developers have access to that information.

As part of the upgrade process, if the El Capitan installer finds unauthorized files in certain protected directories that don't belong there anymore, perhaps from a long forgotten installation, it will delete them. This could lead to some of your important software not operating as expected—or at all.

What this means for the average user is to take inventory of all mission critical apps to make sure they can migrate to El Capitan.

Upgrade Thoughts

Because of the above, it's probably a smart idea, in this author's opinion, to do a clean install of El Capitan and then reinstall just the software, updated for El Capitan, that you need. You can check on compatibility at "Roaring Apps" or by directly querying the developer's website. I surmise that some software in the Mac App store may need to be modified and may not be able to make the leap.

One question to ask is why Apple didn't do this sooner. The answer is that Apple typically warns developers ahead of time that certain functionality will be deprecated. It gives developers time to react. For example those same release notes state: "OS X El Capitan is the last major release of OS X that will support the previously deprecated Java 6 runtime and tools provided by Apple."

The bottom line here is that Repair Disk Permissions is going away because Apple is hardening OS X against alterations to critical system files via System Integrity Protection. The fallout for the customer is that it'll be more important than ever to certify that every critical app used is ready for the migration to El Capitan.

Popular TMO Stories

Comments

jbruni

Anyone know if /usr/local is considered “protected”?

John Martellaro

jbruni:  /usr/local is not protected.

dtm1

What about an app such as Onyx (and many others) that repairs permissions as one of it’s functions? Does El Capitan disallow this now?

John Martellaro

dtm1: I haven’t tried this in the beta of El Capitan, but my guess is that an app like that will simply fail and produce error messages.

Paul Goodwin

“Apple has provided a way for developers or expert IT managers to turn SIP off when absolutely necessary, but that’s something ordinary users will never learn about nor ever need to do. Developers have access to that information.”

If that capability is built in to defeat the SIP, isn’t it reasonable to assume that the malware hackers would just defeat it, then go about installing the malware, thus making the protection useless?

I’m not sure that losing the ability to repair disk permissions in Disk Utility is a real loss. I once ended up with an unusable hard drive when repairing disk permissions just went off in the weeds forever doing something forever. The drive ended up unstable after I stopped it (after many many hours), so I had to re-format it and start from scratch. That wasn’t a good day.

Paul Goodwin

PS. That event was quite a few years ago (OS X version ?). I haven’t had Disk Utility tell me I had disk permissions that needed repair for many years and many hard drives.

leeeoooooo

I’ve read that ‘repair permissions’ actually did some good back in the days of ‘Panther’ and maybe ‘Tiger.’ Maybe. These days its just hand-wavy stuff that you can pretend is doing something.

I’m impressed with System Integrity Protection. I feel safer already. Of course, SuperDuper! can’t do a full system restore with it active, and MacPorts has SERIOUS problems with it.

I wonder how long it will take the rest of the Unix world to restrict their software to /usr/local or /opt or something like that? That’s what the developer conventions are, but so far they’ve been treated “more as guidelines than actual rules.”

dtm1

John Martellaro - so I downloaded and ran Onyx using the Automation setting on OS El Capitan 15A263e on iMac 5K - it ran, no errors at all. Don’t know if it did do anything to permissions or not but it was checked to do it. It ran its auto process and asked to restart when finished - which I did.

Like to live dangerously.

leeeoooooo

I’ve always thought “repair permissions” was just so much smoke and mirrors. If this really is such a problem, why haven’t I ever come across it under any of the Linux or BSD systems I’ve run? THEY don’t have any option to “repair permissions” and there is absolutely nothing on the subject that ever come up on LinuxQuestions.org

Disabling System Integrity Protection involves rebooting under the Recovery partition to turn it off (you have to reinstall OS X to ‘turn it back on.’). It’s not something a malicious programmer is likely to get someone to do, though the Barkeeper guys want me to do exactly this to install a patch that will allow them to corral my system program menu icons along with the third-party program menu icons, which are the only ones they can ‘manage’ now.

John Martellaro

Paul Goodwin: Note the comment from leeooooo above. One must boot into the recovery partition to turn off SIP. So that rules out the ability of malware to do it on the fly in a normally running system.

Jerry Fritschle

I’ve long thought that “repair permissions” was the OS X answer to the legacy (“Classic”) MacOS’s “rebuilding the desktop.”  Now before a young, loud geek voice starts explaining the technical difference between the two (I’m quite aware of it), I’m talking about it from the above-mentioned “pretending you’re doing something” angle.  If you looked at Mac help forum threads in those days, smoke could be coming out of a machine, and somebody somewhere would ask if they tried rebuilding the desktop. grin

John Martellaro

Jerry: Ah, yes.  Fond memories.

macadmin

This is slightly disheartening and will require some testing. I constantly need to disable I/O ports for security reasons and the most reliable way to do that is to remove the extensions. When I need to re-enable the ports, it’s a matter of dropping the extensions back in and running disk permissions to bring them back online… I suppose I’ll have to figure out another solution.

cantubury

for the many who have OBd (obsessive compulsive disease)—those have to check the door, locks,lights and constantly press the elevator button—-we will miss it. our   SMUG, sarasota, fl mac club always said it was just not necessary. i guess i will have to find another way to obsessive on my many macs and iPad/pro. won’t be hard…me thinks…. to obsessive or to not obsess the is the question…..(the net-hamlet) yet, i am not fat and scant of breath, but…well you get the concept

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account