Bruce and I had spent a long time designing, writing and testing SuperDuper!—as you might expect, backup programs need to be extremely reliable, and we worked hard to make that happen. And it’s trickier than you might think—there’s a lot of obscure stuff in HFS+ and its metadata, and getting all of the information copied properly is quite a job.
We released SuperDuper! v1.0 in January 2004. This is obviously a really tense time in the development process. No matter how much testing you do, no matter how thoroughly you plan your coverage, no matter how many Beta testers you’ve got, no matter how good they are, there’s always something that shows up once you release the software into the wild. Always. (Just ask Apple!)
Fortunately, we’d done an excellent job: early feedback showed we had no reports of any significant nature—most problems were quite minor and easily handled.
But there’s always something. Always.
In our case, over the first few months, we’d get an occasional report of a user who couldn’t access their own files when they’d booted from (or restored) a backup. Sometimes, they’d try to log in and end up with an empty Home folder. Sometimes, certain applications wouldn’t run.
Investigation showed that, in these cases, the files on the cloned volume were owned by root, even though—when we looked at the original files on the system—they were owned by the user.
Here’s a good opportunity for a short digression.
Unlike OS9, OSX’s file system has a concept of ownership and permissions. While this can sometimes make your system feel like you don’t own it any more, it’s a fundamental part of the underlying security model: something that we all benefit from, even when the details can feel arcane, infuriating or random.
All files on the system are owned by someone, and usually your own files are owned by you. System files are usually owned by the system, also known as root. Owners are also members of groups with names like staff and wheel, and a file has both an owner and a group.
In addition to a file having a concept of an owning user and group, it also has a set of permissions. There are three separate permissions for each file: owner permissions, group permissions and other permissions. The owner of a file can give each of these permission to read or write the files (in addition to other things, but you get the idea).
By default, files you create are readable and writable by you and no one else. And the system stuff—things you shouldn’t be able to touch—are usually owned by root and can’t be modified by a regular user unless they “authorize”: which is why you need to enter your password when you run a system update… or SuperDuper! itself.
With that in mind: back to the main post!
Since the files were owned by root, it meant the user couldn’t write (or sometimes read) them—which caused all sorts of trouble.
It was easy to “fix”—we were able to give the user instructions on how to use Terminal to reset the ownership of the files back to their own user—but the real question was: how the heck was this happening?
This went on for months. We tested and tested and tested and were completely unable to duplicate the problem, yet it still showed up every so often. We were able to help the few users who were affected by the problem, but we couldn’t find anything wrong with SuperDuper! itself—it passed all our tests, and was working on the vast majority of systems out there.
Finally, it happened to a user who was willing to spend a relatively long time on the phone, trying various things. In the middle of the call, as I had the user try various things to try to diagnose the issue, I hit on something that didn’t make sense. When the user looked at their files, they were—indeed—owned by them. But, if we looked at those same files as a different user, the same files were owned by that other user!
Needless to say, this was more than a bit of a shock. How could a file be owned by different people, depending on who was looking at it?
We didn’t yet know what the deal was, but I coined a term for it: floating ownership. And, I had a theory about what was going on.
Because SuperDuper! needs to get access to every file on the system, it runs as root: the only user with that ability. And if these weird files had their owner floating, it meant that when SuperDuper! looked at them, they’d be owned by… root. So when we copied over the ownership, instead of copying the file as the user saw it, we’d copy it the way that we saw it: as root!
Eureka!
It took some time to come up with a solution that worked, since OSX tries really, really hard to hide this whole floating owner thing from programs: all programs. Even Apple’s own tools—like ditto—don’t handle floating owners properly when copying files! But, after some thinking and testing I came up with an idea that worked: something called on-the-fly verify.
Idea in hand, Bruce implemented it, and we tested and released it in relatively short order… and then held our breath.
It was clear soon after that we’d licked the problem, with an additional benefit: we started getting many more reports indicating that SuperDuper! could successfully create a bootable clone where all other tools failed—a great, and unexpected, benefit of on-the-fly verify.
25 Apr 2005 at 10:11 am | #
Is this problem only observed on non-boot devices? There is a permission setting on non-booting Mac drives called “Ignore ownership on this volume”. I would assume that any user looking at an external partition with this setting would view files on this drive as their own. Get Info on a mounted drive and look at “Ownership & Permissions” for the setting. I notice that my Firewire drives get this setting automagically.
25 Apr 2005 at 10:17 am | #
Actually, no: it’s seen on boot drives as well. I discuss this a bit in today’s post: http://www.shirt-pocket.com/blog/index.php/shadedgrey/so_if_a_witch_weighs_the_same_as_a_duck.
25 Apr 2005 at 06:19 pm | #
Gosh! That never even occurred to me, though I’ve been bitten by this problem several times. But your post managed to remind me that Wilfredo Sanchez discussed this in his excellent paper “The Challenges of Integrating the Unix and Mac OS Environments” at <http://www.usenix.org/publications/library/proceedings/usenix2000/invitedtalks/sanchez_html>, although it sounds like they changed the behavior in the shipping system from what is described here:
“A more interesting situation, however, occurs when files get created in Mac OS 9 and are seen later by Mac OS X. The files have no Unix meta-data set, and therefore no permissions or owner. User 0 (root) and group 0 (wheel) are reasonable defaults, but a file mode of 0000 is almost certainly not what the user wants. Fortunately, we are able to distinguish between “no meta-data set” and zero values for mode and owner info. What we do in this case is present the owner, group, and mode as some reasonable default, which is determined by examining the permissions on the directory node on which the filesystem is mounted. Note that the actual permissions on disk remain unset unless someone sets them explicitly; an unmount and remount with a different default will effect the mode of such files.”
PS: This blog software is terrible. If I forget to enter some required information, the back button just doesn’t work and I lose my entire post.
25 Apr 2005 at 06:57 pm | #
I haven’t seen that paper, but I’ll take a look at it. They definitely have gone past what they described there.
Regarding the blog software (Expression Engine—by the pMachine folks), what does it do when you do a back? I’m not sure what I can do to fix it…
25 Apr 2005 at 07:24 pm | #
Well, hmmm, the whole issue with back seems to have fixed itself. Anyway, on my first post, I tried the back button in my browser, which took me back to the original blog post, but with my comments erased. The second time, I screwed up again, and this time used the “Back” link on the error page; but that just reloaded the error page, and when I hit “back” on the browser twice, same thing… my unfinished post was all gone.
Well, anyway, I can’t reproduce the problem now.
25 Apr 2005 at 07:30 pm | #
Weird—but I’m glad it’s not happening any more.
25 Apr 2005 at 09:46 pm | #
Dave could you describe on-the-fly verify in more detail? I don’t see any information her or in the forums on this feature (if you could call it that).
What is OTFV? What problems does OTFV solve? How does OTFV solve those problems?
One of the problems I’ve had with SD is that it didn’t appear to verify it’s copy. Does OTFV fix that?
25 Apr 2005 at 11:55 pm | #
On the fly verify handles the case described in this post. Specifically, it handles files with floating users ‘on the fly’, verifying their ownership and ensuring it’s set properly on the copy.
We don’t ‘verify’ the copies we make because, if there was a problem during the write, you’d get an error. It’s kind of like copying in the Finder: you don’t ask it to verify-after-write, because it’s kind of a basic part of the copy operation…
02 May 2005 at 04:56 am | #
nice new blog! handsome, too. just a followup to the “back” problem, mentioned above? unless i am dreaming, which i maybe, because i’ve yet to see mention of it, losing your previous page is a *special* feature of firefox. it does warn that you’re about to navigate away, if you set that preference, but i’m not the techie to answer why safari does not do this, firefox does. . .or maybe i’m dreaming. and thanks for the clarity of info on the dreaded clone issue, have manged to avoid since jaguar, but you’ve made it painless. tiger, bring it on.
02 May 2005 at 06:59 am | #
Thanks, zo! I tried with OmniWeb and Safari and didn’t have a problem, but didn’t try with Firefox…
08 May 2005 at 04:29 pm | #
Love expression engine, use it myself.
Really enjoyed the Super Duper stuff - I use ditto -V -rsrcFork, and I still get weird floating ownership issues.
Thank you!!
-Bill
08 May 2005 at 05:40 pm | #
Thanks, Bill. More to come!
20 Sep 2006 at 12:42 pm | #
How does one, “use Terminal to reset the ownership of the VOLUME back to their own user”?
What is the exact command in the terminal to change or reset the privis of a VOLUME (not files) using the terminal?
I have seen lots of ways to chwon files, but not drives or partitions.
20 Sep 2006 at 01:02 pm | #
It’s a good question, terminalator. I’m actually not sure. Clearly, chowning the mount point won’t do it… perhaps chowing /.? Maybe it’s in fstab?
20 Sep 2006 at 01:18 pm | #
I had a 2nd partition become completely inaccessible, even ‘get info’ wouldn’t open; dialog popped up saying I didn’t have permission. (SuperDuper did not cause the problem, it occurred after using Applejack.)
I logged in as root and changed the permissions on the 2nd partition. (Ironically, ‘Other...’ wouldn’t show up in the login window, further complicating things until I switch login from list to name/password.)
I was fishing for a way to make these changes from the terminal using sudo.
-terminalator
20 Sep 2006 at 01:37 pm | #
Well, another option would be to turn off ownership for the volume using vsdbutil in Terminal. But that’ll just disable ownerhsip, it won’t change it…
20 Sep 2006 at 03:58 pm | #
vsdbutil doesn’t have a man page, so I looked it up and macosxhints has some good notes....
http://www.macosxhints.com/article.php?story=20020925051644480&mode=print
To ignore ownerships on a volume, do:
% sudo vsdbutil -d /VolumeName
To restore ownerships on a volume, do:
% sudo vsdbutil -a /VolumeName
And to check the status of ownerships on a volume, do:
% sudo vsdbutil -c /VolumeName
19 Mar 2007 at 09:02 am | #
Hey Dave,
Happy customer here!
Are you sure you’re not giving away the crown jewels here?
I mean I love these types of behind-the-curtain posts, but don’t spill all the beans…
Adrian
19 Mar 2007 at 09:20 am | #
Hey, if it helps shine some light on some of the mysteries of how file copying works, it’ll help a lot of people. Worth it.