MacOS – Change Permissions on macOS USB Device

macospermissionusb

I need to find out how to set the permissions of a USB flash drive at the device (not filesystem) level. In other words, I need to grant the user read/write access to a USB device identified by diskutil which is /dev/diskX where X is some integer.

For example, I insert a USB flash drive and according to diskutil it's identifier is /dev/disk5. If I check the permissions of it:

$ ls /dev/disk5*
brw-r-----  1 root  operator    1,  15 May 15 08:35 /dev/disk5
brw-r-----  1 root  operator    1,  16 May 15 08:35 /dev/disk5s1
brw-r-----  1 root  operator    1,  17 May 15 08:35 /dev/disk5s2

It has root:operator ownership and rw access limited to root and r access to operators only (this is why you must issue commands that modify the device as sudo).

What I need to do is give rw access to the operator as well and it's not as simple as just chmod 660 /dev/disk5. The moment you unplug the device and plug it back in, it loses the permissions.

Why do I need to do this?

I need to boot a USB flash drive in VirtualBox. To do so, I need to be able to create a "raw" disk image as a passthrough to the actual USB device. The problem is, to do this, I must issue the command via sudo which then changes the user I am executing VBoxManage which causes a number of errors since root has an environment completely different than the logged in user.

This can be accomplished in FreeBSD (I am sure Linux as well via a different method) by modifying the devfs.rules file and adding in a line like:

add path 'da*' mode 0660 group operator

Which essentially gives rw access to any USB storage device (USB storage is identified by FreeBSD as /dev/da0, /dev/da1, etc.)

How do I do this on macOS?

Best Answer

I was never able to find a way to get direct access to the raw device, however, VirtualBox has a "raw disk access" feature that allowed me to get around this problem.

The way this works is a VMDK drive is created that is actually mapped to a physical volume. This acts as a passthrough so that VB can access a physical device.

VBoxManage internalcommands createrawvmdk -filename "</path/to/file>.vmdk" -rawdisk /dev/disk#

For example, if I had a physical USB device with an OS installer I could create a VMDK which I could attach to a VM.

Example:

Assume a USB installer with macOS/FreeBSD/Linux/Windows. To attach that physical USB to a VM (assuming /dev/disk3 is the USB device),

Insert and unmount (not eject) the device.
```
diskutil unmount /dev/disk3
```

Create the VMDK

sudo VBoxManage internalcommands createrawvmdk -filename "USB_OS_Installer.vmdk" -rawdisk /dev/disk3

Take ownership of the VMDK (it was created as root via sudo; replace "user" with your username and leave the group "staff" as is)
```
sudo chown user:staff USB_OS_Installer.vmdk
```
Attach the VMDK to the VM in VirtualBox's GUI.

You now have access to a physical boot media device through your VM.

Related Solutions

MacOS – How Should I Correct the Owners and Permissions in an OS X User Folder

The first step I would recommend is to try resetting your home folder permissions with the Reset Password utility in Lion Recovery. (Despite the name of the utility, you won't actually be resetting any passwords.)

Resetting the home folder permissions with the Reset Password utility will reset both the owner and the permissions.

Restart your Mac holding ⌘+R to boot into Lion Recovery, which will bring you to the Repair Utilities screen.
Open Terminal from the Utilities menu.
In Terminal, enter resetpassword to open the Reset Password utility.
Choose your hard drive icon at the top, then choose your user from the drop-down menu below. Do not reset the password here.
At the bottom of the window, under "Reset Home Directory Permissions and ACLs", click the "Reset" button. This may take awhile if you have a lot of files in your home folder.

This should solve your permissions problems for most apps. However, it's possible you may have a few apps which had saved files with special permissions that are different from the user's default permissions (like preferences or application support files). For those apps, you may need to delete their preferences or reinstall the app.

If resetting your home folder permissions doesn't work, then you may need to try restoring from a backup or transferring your data to an external drive.

MacOS – Mac external drive, file rights

Permissions are annoyingly complicated, often because of Access Control Lists.

PathFinder from CocoaTech provides more extensive info on permissions than Finder, and has a trial period, but basically Terminal is required to get complete information.

There are actually three levels of obstruction to complete file control in OS X: permissions, access control lists and flags. The "ls" binary program ("list directory contents [Unix equivalent to Windows "dir"]) requires command line flags to show all restrictions. After starting Terminal, type:

cd /Volumes
/bin/ls -AFleO

This shows the current permissions, flags and Access Control List entries for each volume attached to the OS. On my system, this produces:

drwxr-xr-x  30 root    wheel  - 1088 May  6 23:17 AltBoot/
drwxrwxrwx  46 root    wheel  - 1632 May 16 11:43 BackGround1/
drwxrwxrwx+ 37 root    admin  - 1326 May 24 14:07 BackGround2/
 0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
lrwxr-xr-x   1 root    admin  -    1 May 14 20:40 Ground@ -> /
drwxrwxrwx+ 13 xxxxxx  staff  -  510 Feb 22 17:46 GroundTM/
 0: EBC292CE-0E64-4416-A676-288A96E46764 allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
drwxrwxrwx  11 xxxxxx  staff  -  442 Feb 22 17:46 VMware4/

That long list of characters after "BackGround2/" is an ACL entry. The dashes on the file line are where any flags would be listed. The system flag can be set in multiuser mode, but can ONLY be unset in single user mode. My father managed to get that flag set on some of his pictures, and it took me a long time to find out why I couldn't delete or change the owner on those files. And he would never touch Terminal in any way.

Use the manual page command man chflags to get more info on how to set and unset the flags. If all you see is dashes, then no flags are set.

To remove the ACL entries, the command for my example would be "sudo /bin/chmod -NR Background2/", which would ask for an administrator password. CAUTION ! Bad things can happen when you are the super user. See man chmod for more info on ACL entries. (I am putting /bin/ before the commands because only the Apple supplied programs in the /bin directory can affect ACLs. There are GNU programs which can be added to OS X and have the same names, but cannot present or modify ACL entries. These are available from MacPorts MacPorts.org.

Best Answer

Related Solutions

MacOS – How Should I Correct the Owners and Permissions in an OS X User Folder

MacOS – Mac external drive, file rights

Related Question