jkbull

Q: Does 10.9.3 make /Users insecure by setting permissions to 0777?

The 10.9.3 update seems to sometimes change the permissions on /Users from 0755 to 0777, allowing any user to make modifications to the folder. There are reports here and here. I found out about this because Tunnelblick checks permissions of various system folders that it uses (and their parent folders) and refuses to run if they are not secure.

 

There are conflicting reports about whether or not Disk Utility's "Repair Permissions" will repair this. It may repair the permissions but then the incorrect permissions reappear after a computer restart.

 

Is anyone else seeing this behavior? It does not happen on a clean install of 10.9.2 followed by the 10.9.3 update, so it probably involves some third-party software. If people list their third-party apps and kexts, especially apps that launch on startup or login and kexts that are loaded when this problem occurs, it might help track down the problem.

OS X Mavericks (10.9.3)

Posted on May 16, 2014 4:00 AM

  • by jkbull,

    jkbull, May 16, 2014 1:56 PM, in response to kevin_

    @kevin_ - I don't see that behavior.

     

    The owner doesn't need to change to root, it already is root.

     

    People aren't reporting a problem with the owner of /Users, only with the permissions.

     

    And if I have

    drwxrwxrwx@ 7 root admin  238 23 Oct  2013 Users

    (which is what Tim_Doe and gaz_stephens had) and do

     

    su chmod 0755 /Users

    (which is what they did), I then have

    drwxr-xr-x@ 7 root admin  238 23 Oct  2013 Users

     

    Which is what I expect from chmod. I don't get

    drwxr-xr-x@ 7 myadminusername admin  238 23 Oct  2013 Users

     

    Which would be totally weird -- the chmod command should not change the owner, just the mode. And there's nothing on the chmod man page that indicates it does.

  • by gaz_stephens,

    gaz_stephens, May 16, 2014 2:08 PM, in response to kevin_

    Just for the record I did do this via the recovery console (having also tried su) and it didn't work.

     

    I will give the disabling of FMM a go and report back.

  • by kevin_,

    kevin_, May 16, 2014 2:13 PM, in response to jkbull

    Whew, what an issue... I think I figured out what is going on... I haven't restarted my MacBook Pro this many times since I got it.

     

    Can some others please test this as well...

     

     

    Open up your iCloud prefs and turn Find My Mac OFF

    Open the Terminal and run the following command

     

    sudo chmod 755 /Users; sudo chmod 755 /Users/Shared; sudo chflags nohidden /Users; sudo chflags nohidden /Users/Shared

     

    Now restart your Mac and see if the Users folder stays visible and maintains the correct permissions.


  • by lkrupp,

    lkrupp, May 16, 2014 2:16 PM, in response to kevin_

    kevin_ wrote:

     

    Whew, what an issue... I think I figured out what is going on... I haven't restarted my MacBook Pro this many times since I got it.

     

    Can some others please test this as well...

     

     

    Open up your iCloud prefs and turn Find My Mac OFF

    Open the Terminal and run the following command

     

    sudo chmod 755 /Users; sudo chmod 755 /Users/Shared; sudo chflags nohidden /Users; sudo chflags nohidden /Users/Shared

     

    Now restart your Mac and see if the Users folder stays visible and maintains the correct permissions.


     

    This fix was first reported by MacObserver and then MacWorld. It appears to be an interaction between iTunes 11.2 and the Find My Mac feature. Strange if true.

  • by kevin_,

    kevin_, May 16, 2014 2:18 PM, in response to lkrupp

    I came across this due to my Users folder disappearing again after enabling Find My Mac. Didn't know that anyone else came across it as well.

  • by gaz_stephens,

    gaz_stephens, May 16, 2014 3:32 PM, in response to Solitary_Satellite

    I have tried the disabling Find My Mac and it appears (at the moment) to have fixed the issue.  I am sure the article linked above gives full details, but here is what I did:

    1. Go to System Preferences -> iCloud, then scroll down and unselect Find My Mac
    2. Go to Applications -> Utilities then select Disk Utility.
    3. Once Disk Utility is up, click on the main volume (in my case Macintosh HD) and choose Repair Disk Permissions.

     

    Once the repair completes /Users should retain the correct permissions even after a reboot.  For steps 2 and 3 you could also simply use the command line and chmod.

     

    This does not resolve the hidden status of /Users; you will have to run that separately, and I have not tested this yet or if it would survive reboots. If I get the chance I'll try it out.

  • by Christian A. Burkert,

    Christian A. Burkert, May 16, 2014 3:55 PM, in response to kevin_

    Setting /Users to 755 makes perfect sense, but setting /Users/Shared to 755 as well does not. 755 allows only the owner (root) to write into it, while everyone else can only read that directory. Since /Users/Shared is intended for all users to write into, the correct value must be 777.

  • by ssls6,

    ssls6, May 16, 2014 4:03 PM, in response to Christian A. Burkert

    I agree it doesn't make sense and if you do a disk permission repair the system will fix that.  I think this problem is getting blown out of proportions.  If you have your home folder turned on in finder sidebar, the impact of this is minimal unless you just like seeing the little house icon on your way past it.

  • by jkbull,

    jkbull, May 16, 2014 4:06 PM, in response to lkrupp

    kevin_ wrote:

     

    Whew, what an issue... I think I figured out what is going on... I haven't restarted my MacBook Pro this many times since I got it.

     

    Can some others please test this as well...

     

     

    Open up your iCloud prefs and turn Find My Mac OFF

    Open the Terminal and run the following command

     

    sudo chmod 755 /Users; sudo chmod 755 /Users/Shared; sudo chflags nohidden /Users; sudo chflags nohidden /Users/Shared

     

    Now restart your Mac and see if the Users folder stays visible and maintains the correct permissions.


     

    No. The "sudo chmod 755 /Users/Shared" part is not correct.

     

    The permissions for /Users/Shared should not be 0755. On a Mavericks that has not had the 10.9.3 or iTunes update, the permissions are

     

    drwxrwxrwt   4 root         wheel  136 Aug 22  2013 Shared

     

    which means that they are 1777 (the "1" is the "sticky" bit). That is not the same as 0755. Disk Repair's "Repair Permissions" will reset it correctly.

     

    The way to do this is:

    1. Disable "Find My Mac" in the iCloud System Preferences
    2. Use Disk Utility to "Repair Permissions"
    3. Unhide the files with sudo chflags nohidden /Users; sudo chflags nohidden /Users/Shared

     

    Can anyone roll back the iTunes update and see if that solves the problem, instead of disabling Find My Mac?

     

    The reason this is a big deal is that any user of your computer (or malware running as any user) could (with the 0777 permissions on /Users) do anything they/it wants with any other user's home folder.
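
An added example, not part of any post in this thread: a small POSIX shell audit that turns the mode column of `ls -ld` into octal (so `drwxrwxrwt` reads as 1777, sticky bit included) and compares it, with the owner, against the values in the listings posted above. The function names `ls_mode_to_octal` and `check_mode` are hypothetical, and the expected values (/Users root 0755, /Users/Shared root 1777) are assumptions taken from those listings.

```shell
#!/bin/sh
# Added example, not from the thread. Expected modes come from the listings
# posted above: /Users root 0755, /Users/Shared root 1777 (sticky bit set).

# Convert the mode column of `ls -ld` (e.g. "drwxrwxrwt") to four octal digits.
ls_mode_to_octal() {
    s=$1; special=0; out=""; i=0
    for weight in 4 2 1; do           # setuid, setgid, sticky
        start=$((2 + i * 3))          # first character of this rwx triplet
        r=$(printf '%s' "$s" | cut -c"$start")
        w=$(printf '%s' "$s" | cut -c"$((start + 1))")
        x=$(printf '%s' "$s" | cut -c"$((start + 2))")
        d=0
        if [ "$r" = "r" ]; then d=$((d + 4)); fi
        if [ "$w" = "w" ]; then d=$((d + 2)); fi
        case $x in
            x)   d=$((d + 1)) ;;
            s|t) d=$((d + 1)); special=$((special + weight)) ;;
            S|T) special=$((special + weight)) ;;
        esac
        out="$out$d"; i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$out"
}

# check_mode "<ls -ld line>" <expected octal>: 0 if mode matches and owner is root.
check_mode() {
    line=$1; want=$2
    got=$(ls_mode_to_octal "${line%% *}")
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$got" = "$want" ] && [ "$owner" = "root" ]; then
        echo "OK   mode $got owner $owner"; return 0
    fi
    echo "BAD  mode $got owner $owner (want $want root)"; return 1
}

# Constructed sample: the 0777 listing quoted earlier in the thread.
check_mode "drwxrwxrwx@ 7 root admin  238 23 Oct  2013 Users" 0755 || true

# Live check; skipped on systems without these directories.
for spec in "/Users 0755" "/Users/Shared 1777"; do
    dir=${spec% *}; want_mode=${spec#* }
    if [ -d "$dir" ]; then
        check_mode "$(ls -ld "$dir")" "$want_mode" || echo "  needs repair: $dir"
    fi
done
```

The script only reads permissions; it does not check the hidden flag that the `chflags nohidden` step addresses.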

  • by Tim_Doe, Solved answer

    Tim_Doe, May 16, 2014 8:14 PM, in response to jkbull

    iTunes 11.2.1 fixes it for me; /Users has 755 and is visible after reboot.

     

    Thanks guys for the thorough investigation!

  • by MadMacs0,

    MadMacs0, May 16, 2014 11:29 PM, in response to jkbull

    The definitive answer from Apple is to update to iTunes 11.2.1.

  • by gaz_stephens,

    gaz_stephens, May 17, 2014 2:11 AM, in response to Tim_Doe

    Yep as confirmed this also fixes the issue for me too.  Thanks all.

  • by Solitary_Satellite,

    Solitary_Satellite, May 17, 2014 3:40 AM, in response to Tim_Doe

    Confirmed on 3 Macs, iTunes 11.2.1 fixes this issue.
