jkbull

Q: Does 10.9.3 make /Users insecure by setting permissions to 0777?

The 10.9.3 update seems to sometimes change the permissions on /Users from 0755 to 0777, allowing any user to make modifications to the folder. There are reports here and here. I found out about this because Tunnelblick checks permissions of various system folders that it uses (and their parent folders) and refuses to run if they are not secure.

There are conflicting reports about whether or not Disk Utility's "Repair Permissions" will repair this. It may repair the permissions but then the incorrect permissions reappear after a computer restart.

Is anyone else seeing this behavior? It does not happen on a clean install of 10.9.2 followed by the 10.9.3 update, so it probably involves some third-party software. If people list their third-party apps and kexts, especially apps that launch on startup or login and kexts that are loaded when this problem occurs, it might help track down the problem.

OS X Mavericks (10.9.3)

Posted on May 16, 2014 4:00 AM
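The question mentions a check of a folder and all of its parent folders. The following is an added example of that kind of check, not part of the original post and not Tunnelblick's code; the rule it applies (world-writable without the sticky bit), the function names and the temporary directory tree standing in for /Users are assumptions made for illustration.

```python
import os
import stat
import tempfile


def insecure_ancestors(path, stop="/"):
    """Walk from path up to stop; return (dir, mode, reason) for each
    directory that any local user could tamper with."""
    findings = []
    current = os.path.realpath(path)
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode):
            world_write = bool(st.st_mode & stat.S_IWOTH)
            sticky = bool(st.st_mode & stat.S_ISVTX)
            if world_write and not sticky:
                # Anyone can create, rename or delete entries here, including
                # the next path component the caller relies on.
                findings.append((current, stat.filemode(st.st_mode),
                                 "world-writable without sticky bit"))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            return findings
        current = parent


def build_demo_tree(users_mode):
    """Constructed stand-in for /, /Users, /Users/Shared and one home folder."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    users = os.path.join(root, "Users")
    home = os.path.join(users, "tim")
    shared = os.path.join(users, "Shared")
    for d in (users, home, shared):
        os.mkdir(d)
    os.chmod(home, 0o755)
    os.chmod(shared, 0o1777)    # drwxrwxrwt, the mode Disk Utility expects
    os.chmod(users, users_mode)
    return root, home, shared


if __name__ == "__main__":
    for mode in (0o777, 0o755):  # the reported mode, then the expected one
        root, home, shared = build_demo_tree(mode)
        print(oct(mode), insecure_ancestors(home, stop=root))
```

A home folder with correct permissions is still reported when its parent is 0777, which is why a check limited to the folder itself is not enough.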

  • by Tim_Doe, Helpful

    May 16, 2014 6:03 AM in response to jkbull

    Same here. Permissions on /Users are set to 777 after the OS X 10.9.3 upgrade (and I believe the group should also be wheel?!). While "Disk Utility" detects and repairs this, permissions are reset to 777 after each reboot:

    drwxrwxrwx@  7 root  admin      238 15 May 20:14 Users

    After each and every reboot, "Disk Utility" finds this:

    Verifying permissions for “Macintosh HD”
    Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .
    Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .
    Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .
    Permissions verification complete

    I do not think my system is heavily modified:

    Tims-MacBook-Pro:~ tim$ kextstat | grep -v com.apple
    Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/
    total 32
    -rw-r--r--  1 root  wheel  462 18 Apr 15:46 com.adobe.fpsaud.plist
    -rw-r--r--  1 root  wheel  568  2 Apr  2012 com.microsoft.office.licensing.helper.plist
    lrwxr-xr-x  1 root  wheel  103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist
    -rw-r--r--  1 root  wheel  486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist
    Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchAgents/
    total 8
    lrwxr-xr-x  1 root  wheel  104 18 Feb 20:59 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist
    Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/
    total 32
    -rw-r--r--  1 root  wheel  462 18 Apr 15:46 com.adobe.fpsaud.plist
    -rw-r--r--  1 root  wheel  568  2 Apr  2012 com.microsoft.office.licensing.helper.plist
    lrwxr-xr-x  1 root  wheel  103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist
    -rw-r--r--  1 root  wheel  486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist
    Tims-MacBook-Pro:~ tim$

  • by jkbull

    May 16, 2014 6:43 AM in response to Tim_Doe

    Thanks, Tim_Doe.

    You repeated the "ls -l /Library/LaunchDaemons" twice, probably because of an error in my post in the thread on the Tunnelblick Discussion Group.

    "ls -l ~/Library/LaunchAgents" would be helpful, as would info about what the permissions are after a "safe boot".

    My understanding is that the ownership should be root:admin, not root:wheel.

  • by lkrupp

    May 16, 2014 7:04 AM in response to jkbull

    I smell a 'security update' coming from Apple.

  • by gaz_stephens, Helpful

    May 16, 2014 7:10 AM in response to jkbull

    Adding my observations to this thread in the hope it gets fixed.

    Even in Safe Boot the permissions are reset. I confirmed this by using the Disk Utility to reset the permissions and verified this by doing an 'ls' at the command prompt. I then shut down the computer and booted into single user mode, again verifying that the permissions were correct (they were), and this rules out, as far as I can see, it being a process that resets them on shut down. I then shut down from Single User mode and rebooted using Safe Boot. Once booted I checked via 'ls' and the permissions had been reset to 777.

    I then used the Disk Utility to fix the permissions again just in case doing it in safe mode helped somehow. Once fixed I rebooted normally and, as expected, the permissions had again been reset to 777.

    The launch processes/daemons I have are:

    gareth@Gareths-iMac:gareth $ kextstat | grep -v com.apple
    Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    gareth@Gareths-iMac:gareth $
    total 88
    -rw-r--r--  1 root  wheel   462 25 Apr 03:26 com.adobe.fpsaud.plist
    -rw-r--r--  1 root  wheel   722 14 Sep  2012 com.bresink.system.securityagent3.plist
    -rw-r--r--  1 root  wheel  1693 24 Feb 19:16 com.crashplan.engine.plist
    -rw-r--r--  1 root  wheel   814 20 Jul  2012 com.google.keystone.daemon.plist
    -rw-r--r--  1 root  wheel   659  9 Dec  2011 com.jungledisk.service.plist
    -rw-r--r--  1 root  wheel   568 10 Mar  2011 com.microsoft.office.licensing.helper.plist
    lrwxr-xr-x  1 root  wheel   103 15 Feb  2013 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist
    -rw-r--r--  1 root  wheel   486 21 Nov 11:07 com.oracle.java.JavaUpdateHelper.plist
    -rwxr--r--  1 root  wheel   376 17 Apr 17:40 com.trusteer.rooks.rooksd.plist
    -rw-r--r--@ 1 root  wheel   566 25 Mar 09:52 de.devolo.networkservice.plist
    -rw-r--r--  1 root  wheel   661 27 Sep  2012 org.macosforge.xquartz.privileged_startx.plist
    gareth@Gareths-iMac:gareth $
    total 48
    -rw-r--r--  1 root  wheel  788 20 Jul  2012 com.google.keystone.agent.plist
    -rw-r--r--  1 root  admin  655 16 May 11:13 com.hp.help.tocgenerator.plist
    lrwxr-xr-x  1 root  wheel  104 15 Feb  2013 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist
    -rwxr--r--  1 root  wheel  577 17 Apr 17:40 com.trusteer.rapport.rapportd.plist
    -rw-r--r--@ 1 root  wheel  609 25 Mar 09:52 de.devolo.networkservice.notify.plist
    -rw-r--r--  1 root  wheel  720 27 Sep  2012 org.macosforge.xquartz.startx.plist
    gareth@Gareths-iMac:gareth $ ls -l ~/Library/LaunchAgents    
    total 64
    -rw-r--r--  1 gareth  staff   425 16 May 14:46 com.apple.FolderActions.enabled.plist
    -rw-r--r--  1 gareth  staff   554 16 May 14:44 com.apple.FolderActions.folders.plist
    -rw-r--r--  1 gareth  staff   813 11 Apr  2010 com.apple.SafariBookmarksSyncer.plist
    -rw-r--r--  1 gareth  staff   791 12 Dec 23:24 com.kovidgoyal.calibre.plist
    -rw-r--r--  1 gareth  staff   655  1 Dec  2012 com.google.GoogleContactSyncAgent.plist
    -rw-r--r--@ 1 gareth  staff  1072  1 Feb  2012 com.opswat.aw.persistence.plist
    -rw-r--r--@ 1 gareth  staff   533 16 May 13:29 com.spotify.webhelper.plist
    -rw-r--r--@ 1 gareth  staff   543 28 May  2013 ws.agile.1PasswordAgent.plist
    gareth@Gareths-iMac:gareth $

     

    Finally, every time I reboot and run Disk Utility the output from this is:

    Repairing permissions for “Macintosh HD”
    Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .
    Repaired “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html”
    Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .
    Repaired “Users”
    Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .
    Repaired “Users/Shared”

    Permissions repair complete
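The Disk Utility reports quoted in the replies above mix a cosmetic difference (a symlink stored as a regular file) with differences that widen access. The following added example, which is not part of any post in this thread, parses such a report and separates the two; the sample lines are copied from the output quoted above, and the function names and issue labels are assumptions made for illustration.

```python
import re

# Sample lines taken from the Disk Utility output quoted in this thread.
SAMPLE = """\
Verifying permissions for “Macintosh HD”
Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .
Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .
Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .
Permissions verification complete
"""

DIFF = re.compile(r"Permissions differ on “(?P<path>[^”]+)”; "
                  r"should be (?P<want>\S{10})\s*; they are (?P<have>\S{10})\s*\.")

# Index of each write flag inside a mode string such as 'drwxr-xr-x'.
WRITE_BITS = {2: "owner", 5: "group", 8: "other"}


def triage(report):
    """Map each reported path to the ways its actual mode differs."""
    results = {}
    for m in DIFF.finditer(report):
        want, have = m["want"], m["have"]
        issues = []
        if want[0] != have[0]:
            issues.append("file type differs")
        for idx, who in WRITE_BITS.items():
            if have[idx] == "w" and want[idx] != "w":
                issues.append(who + " gained write")
        # 't'/'T' in the last position marks the sticky bit.
        if want[9] in "tT" and have[9] not in "tT":
            issues.append("sticky bit lost")
        results[m["path"]] = issues
    return results


def widened(report):
    """Paths whose actual mode is more permissive than the expected one."""
    return sorted(p for p, issues in triage(report).items()
                  if any("write" in i or "sticky" in i for i in issues))


if __name__ == "__main__":
    for path, issues in triage(SAMPLE).items():
        print(path, issues)
```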

  • by Solitary_Satellite

    May 16, 2014 8:32 AM in response to jkbull

    Same issue here, every reboot resets the permission back to 777... weird.

    After reboot:

    drwxrwxrwx@   7 root  admin      238 16 mai 17:01 Users

  • by jkbull

    May 16, 2014 8:32 AM in response to gaz_stephens

    Thanks, gaz_stephens, for your very informative report.

    Because this happens even with a "safe boot", I think that means that it is an OS X problem and doesn't need any third-party software. (It's my understanding that a "safe boot" does not load any non-Apple software.)

    So this looks like a pure OS X problem. Apple doesn't monitor these user forums. I have filed a bug report with Apple about it, and notified product-security@apple.com.

  • by gaz_stephens

    May 16, 2014 8:35 AM in response to jkbull

    Thanks jkbull - not sure how to pass my details but if Apple require someone to perform any particular tasks and record the output (as you haven't been able to replicate the issue) I'd be happy to help.  Perhaps you have my address from the Google Groups post regarding the issue?

  • by jkbull

    May 16, 2014 8:44 AM in response to gaz_stephens

    Yes, I will be able to give them your email address if they ask. I didn't put it in my bug report because I wasn't sure that would be OK with you, but you said you are "happy to help", so unless I hear otherwise from you, I will assume it's OK to give them your email address.

    (That said, my impression is that Apple isn't very good about following up on bugs. We'll see.)

  • by Solitary_Satellite

    May 16, 2014 9:05 AM in response to jkbull

    I checked on a non-updated Mac (still 10.9.2) and here are the initial user permissions and group:

    [Attached image: Term.jpg]

  • by Tim_Doe

    May 16, 2014 9:27 AM in response to Solitary_Satellite

    Could this be related to the feature that hides /Users (and other directories) after every reboot?

    There are a couple of users reporting this behavior. (https://discussions.apple.com/thread/6225659?tstart=0)

  • by Solitary_Satellite

    May 16, 2014 9:30 AM in response to Tim_Doe

    Even if this is the result of the hiding of the User folder in /, shouldn't Disk Utility then not try to repair the permissions every time?

    It's a bug either from the new function of hiding the User folder or from Disk Utility, which tries to fix the permissions...

  • by Eric Root

    May 16, 2014 10:34 AM in response to jkbull

    What I did as a workaround was in Finder/Go/Go to Folder type Users. That made the User folder visible. I created an alias of the folder and put it in Finder's Sidebar. Repeated procedure typing Shared, making an alias, and putting it in the Sidebar. Restarted and the alias links will take you there even after a restart.

    Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.

    Feedback

  • by Solitary_Satellite

    May 16, 2014 10:42 AM in response to Eric Root

    Agreed, sent a feedback with logs and explanation.

    I have 3 machines having this "issue" so let's see what Apple will reply, bug or feature.

  • by kevin_

    May 16, 2014 10:49 AM in response to Solitary_Satellite

    If you log in as root, or from your Recovery HD, which logs you in as root, and then chmod the folders to 755, it will stick across restarts.

    If you do this as a user then it will reset back to 777 after restart.
