Does 10.9.3 make /Users insecure by setting permissions to 0777?

Same here. Permissions on /Users are set to 777 after the OS X 10.9.3 upgrade (and I believe the group should also be wheel?!). While "Disk Utility" detects and repairs this, permissions are reset to 777 after each reboot:

drwxrwxrwx@ 7 root admin 238 15 May 20:14 Users

After each and every reboot, "Disk Utility" finds this:

Verifying permissions for “Macintosh HD”

Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/inde x.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .

Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .

Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .

Permissions verification complete

I do not think my system is heavily modified:

Tims-MacBook-Pro:~ tim$ kextstat | grep -v com.apple

Index Refs Address Size Wired Name (Version) <Linked Against>

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/

total 32

-rw-r--r-- 1 root wheel 462 18 Apr 15:46 com.adobe.fpsaud.plist

-rw-r--r-- 1 root wheel 568 2 Apr 2012 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x 1 root wheel 103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist

-rw-r--r-- 1 root wheel 486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchAgents/

total 8

lrwxr-xr-x 1 root wheel 104 18 Feb 20:59 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Update r.plist

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/

total 32

-rw-r--r-- 1 root wheel 462 18 Apr 15:46 com.adobe.fpsaud.plist

-rw-r--r-- 1 root wheel 568 2 Apr 2012 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x 1 root wheel 103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist

-rw-r--r-- 1 root wheel 486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist

Tims-MacBook-Pro:~ tim$

I smell a 'security update' coming from Apple.

Adding my observations to this thread in the hope it gets fixed.

Even in Safe Boot the permissions are reset. I confirmed this by using the Disk Utility to reset the permissions and verified this by doing an 'ls' at the command prompt. I then shutdown the computer and booted into single user mode again verifying that the permissions were correct (they were) and this rules out, as far as I can see, it being a process that resets them on shut down. I then shut down from Single User mode and rebooted using Safe Boot. Once booted I checked via 'ls' and the permissions had been reset to 777.

I then used the Disk Utility to fix the permissions again just in case doing in safe mode helped somehow. Once fixed I rebooted normally and, as expected, the permissions had again been reset to 777.

The launch processes/daemons I have are:

gareth@Gareths-iMac:gareth $ kextstat | grep -v com.apple
Index Refs Address Size Wired Name (Version) <Linked Against>
gareth@Gareths-iMac:gareth $
total 88
-rw-r--r-- 1 root wheel 462 25 Apr 03:26 com.adobe.fpsaud.plist
-rw-r--r-- 1 root wheel 722 14 Sep 2012 com.bresink.system.securityagent3.plist
-rw-r--r-- 1 root wheel 1693 24 Feb 19:16 com.crashplan.engine.plist
-rw-r--r-- 1 root wheel 814 20 Jul 2012 com.google.keystone.daemon.plist
-rw-r--r-- 1 root wheel 659 9 Dec 2011 com.jungledisk.service.plist
-rw-r--r-- 1 root wheel 568 10 Mar 2011 com.microsoft.office.licensing.helper.plist
lrwxr-xr-x 1 root wheel 103 15 Feb 2013 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist
-rw-r--r-- 1 root wheel 486 21 Nov 11:07 com.oracle.java.JavaUpdateHelper.plist
-rwxr--r-- 1 root wheel 376 17 Apr 17:40 com.trusteer.rooks.rooksd.plist
-rw-r--r--@ 1 root wheel 566 25 Mar 09:52 de.devolo.networkservice.plist
-rw-r--r-- 1 root wheel 661 27 Sep 2012 org.macosforge.xquartz.privileged_startx.plist
gareth@Gareths-iMac:gareth $
total 48
-rw-r--r-- 1 root wheel 788 20 Jul 2012 com.google.keystone.agent.plist
-rw-r--r-- 1 root admin 655 16 May 11:13 com.hp.help.tocgenerator.plist
lrwxr-xr-x 1 root wheel 104 15 Feb 2013 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Update r.plist
-rwxr--r-- 1 root wheel 577 17 Apr 17:40 com.trusteer.rapport.rapportd.plist
-rw-r--r--@ 1 root wheel 609 25 Mar 09:52 de.devolo.networkservice.notify.plist
-rw-r--r-- 1 root wheel 720 27 Sep 2012 org.macosforge.xquartz.startx.plist
gareth@Gareths-iMac:gareth $ ls -l ~/Library/LaunchAgents
total 64
-rw-r--r-- 1 gareth staff 425 16 May 14:46 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 gareth staff 554 16 May 14:44 com.apple.FolderActions.folders.plist
-rw-r--r-- 1 gareth staff 813 11 Apr 2010 com.apple.SafariBookmarksSyncer.plist
-rw-r--r-- 1 gareth staff 791 12 Dec 23:24 com.kovidgoyal.calibre.plist
-rw-r--r-- 1 gareth staff 655 1 Dec 2012 com.google.GoogleContactSyncAgent.plist
-rw-r--r--@ 1 gareth staff 1072 1 Feb 2012 com.opswat.aw.persistence.plist
-rw-r--r--@ 1 gareth staff 533 16 May 13:29 com.spotify.webhelper.plist
-rw-r--r--@ 1 gareth staff 543 28 May 2013 ws.agile.1PasswordAgent.plist
gareth@Gareths-iMac:gareth $

Finally everytime I reboot and run Disk Utility this output from this is:

Repairing permissions for “Macintosh HD”
Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/inde x.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .
Repaired “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/inde x.html”
Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .
Repaired “Users”
Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .
Repaired “Users/Shared”
Permissions repair complete

Same issue here, every reboot resets the permission back to 777... weird.

After reboot:

drwxrwxrwx@ 7 root admin 238 16 mai 17:01 Users

Thanks jkbull - not sure how to pass my details but if Apple require someone to perform any particular tasks and record the output (as you haven't been able to replicate the issue) I'd be happy to help. Perhaps you have my address from the Google Groups post regarding the issue?

I checked on a non-updated Mac (still 10.9.2) and here are the initial user permissions and group:

Could this be related to the feature that hides /Users (and other directories) after every reboot?

There are a couple of users reporting this behavior. (https://discussions.apple.com/thread/6225659?tstart=0)

Even if this is the result of the hiding of the User folder in /, shouldn't Disk Utility then not try to repair the permissions every time?

It's a bug either from the new function of hiding the User folder or from Disk Utility who tries to fix the permissions...

What I did as a workaround was in Finder/Go/Go to Folder type Users. That made the User folder visible. I created an alias of the folder and put it in Finder's Sidebar. Repeated procedure typing Shared, making an alias, and putting it in the Sidebar. Restarted and the alias links will take you there even after a restart.

Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.

Feedback

Agreed, sent a feedback with logs and explanation.

I have 3 machines having this "issue" so let's see what Apple will reply, bug of feature 😉

If you log in as root or from your Recovery HD which logs you in as a root. Then chmod the folders to 755 it will stick across restarts.

If you do this as a user then it will reset back to 777 after restart