Users Can’t Rename Their Files

You've just bought your art department new Mac Pros. You've cleanly imaged the machines, and you've carefully migrated the existing user data. Everyone loves their fast new computers, until the first call comes in. Someone went to change the name of a file on their desktop, and what they got instead was a cryptic error message:

You do not have sufficient access privileges to
rename the item "Example.psd".

You've run afoul of Leopard's "invisible" Access Control Lists. When you move an existing user's files to an account on a new system, you have to re-permission them to belong to the new account. In the past, you could just move them into the appropriate home directory, then select "Apply to enclosed items" in the "Sharing and Permissions" section of the Finder's "Get Info" window.

There's no indication that process works any differently now, but in Leopard certain default folders have ACLs applied automatically. Unfortunately, those default ACLs aren't displayed in the Finder as others are. User home directories use these defaults, and unknowingly propagating those permissions to the files inside can prevent users from renaming (and often deleting) their own files.

To see the access controls applied to any given file, open the Terminal and type:

ls -le FILENAME

Replace FILENAME with the full (or absolute) Unix path, like /Users/Jordan/File.txt. The shell should then return a file listing that includes your ACL information:

-rw-r--r--+ 1 Jordan staff 0 Apr 1 20:00 File.txt
0: group:everyone deny delete

That second line, the default applied to certain OS X directories, is at the root of this issue. It denies the group "everyone", to which all users belong, the ability to delete (and therefore rename) the file in question.

To remove this access control entry from individual files, type:

sudo chmod -a "everyone deny delete" FILENAME

For entire directories, replace FOLDERNAME with the appropriate path:

sudo chmod -R -a "everyone deny delete" FOLDERNAME
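
Before running the recursive command on a large folder, it helps to see which items actually carry the entry. The script below is an added example, not part of the original article: it reads ls -le output on standard input and prints the name of each item whose ACL has a group:everyone deny entry that includes delete. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ls -le` output for the "everyone deny delete" entry.
# Usage on a Mac:  ls -le FOLDERNAME | acl_deny_delete_entries

acl_deny_delete_entries() {
  awk '
    # Entry line: mode string, optional "+" (ACL) or "@" (extended attrs).
    /^[-dlbcps][-rwxsStT]+[+@]?[ \t]/ {
      name = $0
      # Drop mode, links, owner, group, size, month, day and time,
      # keeping the rest so that names containing spaces survive.
      for (i = 0; i < 8; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", name)
      reported = 0
      next
    }
    # ACL line: "N: principal [flags] allow|deny perm[,perm...]"
    /^[ \t]*[0-9]+:[ \t]/ {
      if (name == "" || reported || $2 != "group:everyone") next
      for (i = 3; i < NF && !reported; i++) {
        if ($i != "deny") continue
        m = split($(i + 1), perm, ",")
        for (j = 1; j <= m; j++)
          if (perm[j] == "delete") { print name; reported = 1; break }
      }
      next
    }
    # Anything else ("total N", blank lines, headers) ends the current entry.
    { name = "" }
  '
}

# Constructed sample listing, in the format shown earlier on this page.
sample_ls_output() {
  cat <<'EOF'
total 0
-rw-r--r--+ 1 Jordan staff 0 Apr 1 20:00 File.txt
 0: group:everyone deny delete
-rw-r--r--  1 Jordan staff 0 Apr 1 20:01 Notes.txt
-rw-r--r--+ 1 Jordan staff 0 Apr 1 20:02 My Poster.psd
 0: user:Jordan allow read,write
 1: group:everyone deny write,delete
-rw-r--r--+ 1 Jordan staff 0 Apr 1 20:03 Shared.txt
 0: group:staff allow read
EOF
}

sample_ls_output | acl_deny_delete_entries
```

Items with a different principal or an allow entry, such as Shared.txt in the sample, are left out, so the output is the list that the chmod -a command above would change.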

Leopard install DVDs include a new option in their "Reset Password" utility to "Reset Home Directory Permissions and ACLs". That's fantastic, but it only resets Apple's default user directories. Used judiciously, the above commands can restore all files and folders to their original ACLs, allowing users to happily rename and delete their data once again.

Special Thanks: This problem was solved by Jasson Lewellen, who handles Apple hardware repairs and corporate maintenance at CreativeTechs, and let me steal his great solution to meet my deadline.