On macOS, Time Machine pretty much just works. You delete or mutilate a file. Then you realise you want to get back to the older version so you:
- Use the Finder to open the folder containing the file you want to restore.
- Choose "Enter Time Machine" from the Time Machine menu.
- Step back in the timeline until you find the version you want to restore.
- Select the file and click Restore.
Time Machine gives you a choice of replacing the later version with the earlier version, or having both.
This one's easy:
- Login as that other user (hint: this is what fast user switching is for).
- Follow the steps in when you own the file …
But what happens when the file you want to restore is owned by root? On macOS there is no "root" account so you can't use when the file is owned by another user …
Yes, it's true that you can enable the root user account if you really want to but that's overkill for this problem.
Here's a practical example. You've managed to overwrite your crontab
. You don't have another copy so you are hoping Time Machine can get it back for you.
You Google "where does macOS store crontab files?" and discover the answer:
/var/at/tabs
Armed with this knowledge, you:
-
Switch to the Finder.
-
- press ⇧+⌘+G (Shift+Command+G); or
- choose "Go to Folder…" from the "Go" menu.
-
Enter the path
/var/at/tabs
. -
Click "Go".
Unfortunately, the Finder responds with "The folder can't be found". That's because /var/at/tabs
and its contents are owned by root:wheel
but do not have any group or world permissions.
At this point you might think of using Terminal and sudo
to change permissions to make things visible. That will solve the problem at the Finder level but it won't actually help with Time Machine because it's storing views of what was rather than what is.
What sort of security system would it be if anyone could recover a file they didn't own from a backup?
Basically, you have to convince Time Machine you're the owner, which means you have to become root. What you do is open Terminal and run:
$ sudo /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
Supply your administrator password when prompted.
The command launches a second instance of the Finder. You may see some warning messages. Ignore them. The Terminal command will appear to hang. Ignore that too. Otherwise, you won't notice much of a change in the macOS user interface.
Press and hold on the ⌘ key, then press the tab key until the selection is on top of the Finder, then let go of both keys.
Don't just click on the Desktop to bring the Finder to the front. Make sure you use ⌘+tab to select Finder.
Repeat the "Go to Folder…" steps. If everything has gone according to plan, the Finder will open a window into the /var/at/tabs
folder.
if the Finder still says "The folder can't be found", go back and repeat ⌘+tab to re-select the Finder.
Now that the /var/at/tabs
folder is visible in a window, you can choose "Enter Time Machine" from the Time Machine menu, skip back in time to the version of the file you want to restore, and restore it.
The second instance of the Finder was launched by sudo
so it is running as root. When the second instance of the Finder launches Time Machine, that also runs as root. Time Machine thinks you're root, so it will let you see and restore files owned by root.
Once the restore is finished:
- Close the
/var/at/tabs
folder. - Switch back to the Terminal window.
- Press ⌃+c (Control+C). That terminates the second instance of the Finder.
Job done!
The main advantage of this method over other approaches is that there is no mess to undo. You don't have to remember to go back and put permissions back how they should be. You don't have to remember to disable the root account. Forgetting to undo changes is a good way to create unintended security holes in your system.