admin user (and ditto group member) no longer has the corresponding permissions?!

René J.V. Bertin rjvbertin at gmail.com
Mon Jul 27 19:10:40 UTC 2020


Hi,

(Cross-post - apologies - explanation below)

To streamline things as a port dev/maintainer I've set `macportsuser` to myself, which means that as a member of the admin group I get to do a lot of things without needing to sudo all the time. I know the risks, and always managed to avoid them.

And now something has changed, not just for the MacPorts-related directories (the build dir, in particular), but system-wide, and even after a reboot.

I'm still an admin user, and AFAICT I can still do everything I could through the GUI. I can still "sudo". But I can no longer access files that are not mine and don't have the required permissions for "other" users. I have another admin user account ("adplus"), and when I su or FUS as/to that account I can still do anything I expect to be able to do. The group memberships are almost strictly identical: my usual account just is a member of the access_bpf (wireshark) and procmod groups.

For instance:
```
%> mkdir /tmp/kk
%> sudo chown root:admin /tmp/kk ; sudo chmod 770 /tmp/kk ; \ls -ldO /tmp/kk ; \ls -lO /tmp/kk
drwxrwx---  2 root  admin  - 68 Jul 27 20:14 /tmp/kk
%> date > /tmp/kk/kkk
/tmp/kk/kkk: Permission denied.
Exit 1
%> \ls -lO /tmp/kk
ls: kk: Permission denied
Exit 1

%> su -l adplus
%> date > /tmp/kk/kkk
%> \ls -lO /tmp/kk
total 8
-rw-r--r--  1 adplus  admin  - 30 Jul 27 20:29 kkk
```
Now, to make this more interesting: the above applies to a shell running in a terminal emulator that gets started when I launch my X11 environment (from the X11 icon in the Dock). Shells running in Terminal.app (also launched from the Dock) give me all the permissions I expect, and if I start my X terminal emulator from such a shell it inherits those permissions. Launching X11 from a shell in Terminal.app doesn't help.

In short, it looks like somehow my regular user account gets partly crippled when I start my X11 environment the way I used to, or at least in shells launched through xterm. Specifically, I can launch a Terminal.app or iTerm.app from my xinitrc script, and I'll have the expected permissions in there. But when I launch an xterm through that test shell, I will not have all permissions.

I seem to have read reports of something like this on the XQuartz ML (which is why I'm cross-posting), but I'm running OS X 10.9.5, which hasn't seen any system/policy updates for quite some time (and certainly not during the previous 19-day uptime, not that I recall at least). I'm using an X11 server built from version of the MacPorts port:x11 (and haven't touched anything in there either).

Any idea what on earth is happening here, what could have changed?

Thanks!
René Bertin
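
A check for the symptom described in the message above (an added example, not part of the original post): Unix permission checks use the group list carried by the running process, not the membership recorded for the account, so comparing the two in the affected xterm shell and in a Terminal.app shell shows whether a group such as `admin` is missing from the session. The function names `missing_gids` and `report_session` and the `--live` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the group IDs the running process carries with the
# group IDs the account database lists for the same user.

# missing_gids PROCESS_GIDS DATABASE_GIDS
# Both arguments are space-separated numeric GID lists. Prints, one per line,
# every GID that is in DATABASE_GIDS but absent from PROCESS_GIDS.
missing_gids() {
    proc_gids=" $1 "
    for gid in $2; do
        case "$proc_gids" in
            *" $gid "*) ;;              # the process credential has it
            *) printf '%s\n' "$gid" ;;  # listed for the user, not in the process
        esac
    done
}

# report_session: run the comparison for the shell this script is started from.
report_session() {
    user=$(id -un)
    proc=$(id -G)          # no operand: group list of this process
    db=$(id -G "$user")    # with operand: membership looked up for the account
    lost=$(missing_gids "$proc" "$db")
    if [ -z "$lost" ]; then
        echo "$user: process carries every group listed for the account"
    else
        echo "$user: listed for the account but missing from this process:"
        echo "$lost" | tr '\n' ' '
        echo
    fi
}

# Run with --live in both the affected shell and a working one, then compare.
if [ "${1:-}" = "--live" ]; then
    report_session
fi
```

A GID reported as missing only in the xterm shell means that session was started with a reduced group list, which matches a `Permission denied` on a `root:admin` directory with mode 770.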

