[Req] comprehensive list of permissions/ownership - Free Toolchain Software (Cydia App's) - Hackint0sh.org
I only hope that I titled this post correctly so as to avoid the wrath of the moderators. (I looked but couldn't find the guidelines.)
After messing with my phone for months, going through every upgrade since 1.0.2, and just about every jailbreak method, the latest version of my phone is a custom firmware based on 1.1.4. Having survived a difficult learning curve with WinPwn, I now have my phone ALMOST exactly the way I would like it, having endured countless restores in the past few days. (My phone kept freezing up or moving VERY slowly. The only solution I found was to content myself with just the bare essential apps.)
Anyway, my question is this: does someone have a definitive list of which apps should run as 'root' and which as 'mobile'? I understand that basically anything that writes should be root, but how does this work with, say, Mail, which runs as 'mobile' but obviously writes? In other words, please explain ownership as well as write permission issues. Right now, I can't add a new email account to my phone. I access "Add Account" through "Settings" (Preferences.app), but the new account doesn't save, and thus doesn't appear when I open up the mail app. So, what's going on here? Specifically, who should own /Applications/MobileMail.app, /Applications/Preferences.app, /var/mobile/Library/Mail, and especially /var/mobile/Library/Mail/Accounts.plist?
Thanks for any help!
Hi, your MobileMail.app folder and its binary's ownership - permissions should be root:wheel - 755.
All the other files inside /Applications/MobileMail.app/ should be root:wheel - 644.
Since 1.1.3, Apple has added the mobile user account.
Springboard now runs all the apps as mobile (mobile:wheel - 755) instead of root (root:wheel - 755), by bypassing the app's original permissions.
Even apps with root level will be executed as mobile.
This option is in /System/Library/LaunchDaemons/com.apple.SpringBoard.plist.
The apps launched as mobile will write their prefs or other files in /private/var/mobile/
If the launched app's original ownership - permissions are root:wheel - 755, it will be able to write files or folders with root level located in /var/mobile/
Unofficial 3rd party apps are not acting the same way.
They were initially developed to run as root and some of them even launched as mobile still want to write in /private/var/root/ (their default path is hardcoded).
Because they don't have permissions to do it, actually they can't.
That's the reason why you can see people saying they can't save prefs in some apps.
You might see some exceptions like "Installer.app" that requires special permissions (root:wheel or admin and 6755 or 4755).
(4 and 6 (SUID) will prevent Springboard from executing the app as mobile.)
You might ask why? Well, the reason is simple:
Installer is doing something that is not possible since 1.1.3.
It is writing in root level area of the filesystem to install files and set permissions.
The Summerboard.app or even BSD Subsystem installation process requires modification/installation of files with root level.
If Installer has only mobile (mobile:wheel - 755) level, it won't be able to write/modify the files.
The Installation will fail with a script execution error.
Also, when you install MobileFinder or FileBrowser, you'll need to manually change their permissions/ownership same as Installer to be able to modify or set file permissions of files with root level.
All the unofficial 3rd party apps should be run as mobile if they don't need to access the / (root).
In fact with the mobile user account Apple has brought more security, especially for the upcoming apps that will be available on the AppStore.
You can read these two threads for more details:
[Solution][Updated] Fix Installer v3.1 "Package download failed " & permissions error
[HowTo] Check why your app is crashing/not saving/freezing... and more
Last edited by Former Bender; 06-15-2008 at 08:13 AM.
Well, that's certainly interesting...
The solution I found is to run Mail as mobile--just the opposite of what you suggested--but to also have it write to a mobile-owned Mail folder within /private/var/Mobile/Library. I found that as long as Preferences.app was running in root, and had write permissions for Accounts.plist, things worked okay.
Here are some screen grabs of the file system on my phone. Please let me know what you think:
/private/var/Mobile/Library (part 1):
(Not sure if these images will show up in my post, so here is the URL.)
/private/var/Mobile/Library (part 2):
/Applications (part 1):
/Applications (part 2):
I may have gone overboard in giving root access to too many apps, but too many things need to write, e.g., MobileCast, or, most especially, TimeCapsule, if you want to be able to restore. I made the MobileCast folder in ../../mobile/Media owned by root, as well as made it universally-writable; this may have been overkill, but before I did this, MobileCast wasn't refreshing the list of feeds.
So, I am not really satisfied with/convinced by your answer...perhaps you can explain to me the security benefits of running most apps as mobile rather than root. (I come from a Linux perspective, so I do understand the basic concept of root, but I am the only one with access to my phone's file system, and if I screw something up--and I do, regularly--I just fix it.)
Furthermore, all of the files within the /Applications/MobileMail.app folder (aside from the executable itself, which is currently set at 0755) are simply language files and PNGs of things like the little envelope, etc. Why do I need root access to image files, if the user 'mobile' is accessing them?
I'm sorry, but I am trying to see where I suggested that you run MobileMail as root.
My previous post was to explain to you how the ownership/permissions work in the iPhone OS.
The default permissions/ownership for MobileMail.app are:
All the files inside the app package are root:admin as well, only their permissions are different.
drwxrwxr-x root:admin MobileMail.app
MobileMail binary and all the .lproj localization folders are 755.
The other files are 644.
The Mail folder in /private/var/mobile/Library/ is mobile:wheel - 755
All the folders and subfolders inside are mobile:wheel - 755
All the files (plist, emlx, etc...) are mobile:wheel - 644
Now you can see that launching MobileMail as mobile or root won't make any difference, because all the files it needs to modify/create require only mobile level.
Do you understand now?
I think you are confusing ownership and permissions.
Ownership is the user:group belonging to the file.
Permissions is the ability to read/write/execute a file.
Permissions are defined as follows:
First X = suid
Second X = User permissions
Third X = Group permissions
Fourth X = Others permissions
For example, 755 represents:
7 = User can read/write/execute
5 = Group can read/write
5 = Others can read/write
So if your Application's ownership is root:wheel but run as mobile and it wants to modify a mobile:wheel file, I don't see any problem.
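Added example, not part of the original posts: a small auditor that decodes the four-digit octal modes discussed in this thread (755, 644, 4755, 6755) and walks an app bundle looking for setuid/setgid bits, world-writable files, and deviations from the "directories and binaries 755, other files 644" layout. The names `describe`, `audit`, `demo` and the `Demo.app` tree are hypothetical and the sample bundle is constructed; it runs on any POSIX system, not only on the phone.

```python
import os
import stat
import tempfile

SPECIAL = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky"))

def describe(mode):
    """Split an octal mode into its special bits and an rwx string."""
    names = [name for bit, name in SPECIAL if mode & bit]
    return names, stat.filemode(mode)[1:]  # drop the file-type column

def audit(root, executables=(), owner_uid=None):
    """List entries under root that deviate from the layout in the thread:
    directories and named binaries 755, other files 644, no setuid/setgid."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            mode, rel = stat.S_IMODE(st.st_mode), os.path.relpath(path, root)
            want = 0o755 if stat.S_ISDIR(st.st_mode) or name in executables else 0o644
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid", oct(mode)))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", oct(mode)))
            if (mode & 0o777) != want:
                findings.append((rel, "mode mismatch", oct(mode)))
            if owner_uid is not None and st.st_uid != owner_uid:
                findings.append((rel, "wrong owner", str(st.st_uid)))
    return sorted(findings)

def demo():
    """Audit a constructed app bundle (sample data, not from a real device)."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "Demo.app")
        os.mkdir(app)
        os.chmod(app, 0o755)
        for name, mode in (("Demo", 0o4755), ("Info.plist", 0o644), ("icon.png", 0o666)):
            path = os.path.join(app, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit(root, executables={"Demo"}, owner_uid=os.getuid())

if __name__ == "__main__":
    for m in (0o755, 0o644, 0o4755, 0o6755):
        print(oct(m), *describe(m))
    print(demo())
```

On a real bundle, pass the expected owner's numeric uid as `owner_uid` and the binary's file name in `executables`.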