(SOLVED!) Best environment to repair permissions in?

[Diogones]

Hey all,

As an avid Mac user and troubleshooter, I find that repairing permissions is something I do quite frequently, but I've heard differing ideas on how exactly to go about it. Some of the suggestions are:

1: Boot into Safe Mode and launch Disk Utility

2: Repair Permissions directly in your normal administrator account, while working normally

3: Boot into the Recovery Partition, or if there isn't one, from the recovery/install media, and once in the recovery environment, repair from there

4: Don't use Disk Utility to repair permissions; use a third-party Utility such as Lion Cache Cleaner or Disk Warrior

5: Boot into Single User Mode and repair permissions from the command line

While I'm sure you could repair permission using any one of these approaches, I was wondering which was the most effective at bringing permissions up to date with the latest changes to your accounts, documents, and programs. I think just repairing in Safe Mode or regular mode would work fine, right?

 

[Intell]

Number 2 would be the closest. But having a separate user account just for admin privileges doesn't increase security if the only person using the machine is you.

 

[Diogones]

Thanks for your prompt and helpful reply, Intell! Right, what I meant by option two was that a user would repair their permissions logged in normally. I used the word "administrator" because that is what most users' accounts are.

As for keeping a separate admin account, sure I could see that giving you more security, because even though you may be the only person using it, if you are not logged into an admin account directly, and keep the password separate from yours, and do not automatically log into it, these measures can help prevent an unwanted program or other unauthorized process that requires admin privileges from installing or running, respectively.

Granted, the separate admin account method is much more effective if you have multiple users, as you could prevent an inexperienced user from messing with system files, for example, but I still see it protecting a single user setup, even just a little.

 

[Intell]

The slight flaw in the logic of having a separate admin and non-admin account to increase security on a one person only Mac is that there isn't anything that can can harm without you entering your password.

Be it having to first enter your user name and then password or just the password, there is no extra security added. On Mac OS X, the user's processes run as the user without superuser privileges. The only way to get superuser privileges is by entering an admin password or via a software exploit. Both ways happen on a standard Mac OS X user account.

That way of thinking was valid for Windows 2000 and XP when every process ran with superuser privileges if the user account was as admin. However, Microsoft has made strides to correct that problem with Vista and 7's User Account Control feature. That very feature is analogous to Mac OS X requesting a password to do any superuser activity.

 

[GGJstudios]

As an avid Mac user and troubleshooter, I find that repairing permissions is something I do quite frequently, but I've heard differing ideas on how exactly to go about it.

Some people repair, or recommend repairing permissions for situations where it isn't appropriate. Repairing permissions only addresses very specific issues. It is not a "cure all" or a general performance enhancer, and doesn't need to be done on a regular basis. It also doesn't address permissions problems with your files or 3rd party apps.

Five Mac maintenance myths

Repairing permissions: What you need to know
About Disk Utility's Repair Disk Permissions feature​

Disk Utility repairs the permissions for files installed by the Mac OS X Installer, Software Update, or an Apple software installer. It doesn’t repair permissions for your documents, your home folder, and third-party applications.

You can verify or repair permissions only on a disk with Mac OS X installed.

Does Disk Utility check permissions on all files?

Files that aren't installed as part of an Apple-originated installer package are not listed in a receipt and therefore are not checked. For example, if you install an application using a non-Apple installer application, or by copying it from a disk image, network volume, or other disk instead of installing it via Installer, a receipt file isn't created. This is expected. Some applications are designed to be installed in one of those ways.

Also, certain files whose permissions can be changed during normal usage without affecting their function are intentionally not checked.

There are times when repairing permissions is appropriate. To do so, here are the instructions:

Repairing Disk Permissions​

If repairing permissions results in error messages, some of these messages can be ignored and should be no cause for concern.

Mac OS X: Disk Utility's Repair Disk Permissions messages that you can safely ignore​

 

[Diogones]

Wow, thanks a ton for your very informative post GGJstudios! I've run the permissions repair on a Snow Leopard machine after installing the latest update, and it fixed a sound issue I had with the Mac where there was no sound but the volume was turned all the way up. In that case, it fixed the installer files which caused the problem, but it doesn't fix third party installs. Thanks for the tip!

OK, I got the clarification now Intell; thank you for breaking down the whole separate user account issue. I realized that it was widely used for Windows XP, but I didn't realize it was necessary for the Mac.

However, I do see the advantage of having a separate user account in the context of an IT admin situation. Since the sysadmin could have a user account that isn't a part of the host machine, but administers the computer, the user would not only have to guess the password, but would also have a hard time filling in the user name field as well, since the user account name wouldn't be in the User Accounts preferences pane.

Of course, on a one person Mac, there would only be two accounts: your standard account, and the admin account (not including a shared or guest account). With that in mind, someone trying to infiltrate the computer wouldn't be deterred by having to enter the admin username, as it would be plain to see in the User Accounts preferences pane, and could thus be freely copied.

 

[GGJstudios]

Of course, on a one person Mac, there would only be two accounts: your standard account, and the admin account (not including a shared or guest account).

On a Mac with only one user, you only need one account, which is by default an admin account. There is no advantage to be gained by setting up a separate standard account.