You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Does 10.9.3 make /Users insecure by setting permissions to 0777?

The 10.9.3 update seems to sometimes change the permissions on /Users from 0755 to 0777, allowing any user to make modifications to the folder. There are reports here and here. I found out about this because Tunnelblick checks permissions of various system folders that it uses (and their parent folders) and refuses to run if they are not secure.


There are conflicting reports about whether or not Disk Utility's "Repair Permissions" will repair this. It may repair the permissions but then the incorrect permissions reappear after a computer restart.


Is anyone else seeing this behavior? It does not happen on a clean install of 10.9.2 followed by the 10.9.3 update, so it probably involves some third-party software. If people list their third-party apps and kexts, especially apps that launch on startup or login and kexts that are loaded when this problem occurs, it might help track down the problem.

OS X Mavericks (10.9.3)

Posted on May 16, 2014 4:00 AM

Reply
Question marked as Top-ranking reply

Posted on May 16, 2014 6:03 AM

Same here. Permissions on /Users are set to 777 after the OS X 10.9.3 upgrade (and I believe the group should also be wheel?!). While "Disk Utility" detects and repairs this, permissions are reset to 777 after each reboot:


drwxrwxrwx@ 7 root admin 238 15 May 20:14 Users


After each and every reboot, "Disk Utility" finds this:


Verifying permissions for “Macintosh HD”

Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/inde x.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .

Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .

Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .

Permissions verification complete


I do not think my system is heavily modified:


Tims-MacBook-Pro:~ tim$ kextstat | grep -v com.apple

Index Refs Address Size Wired Name (Version) <Linked Against>

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/

total 32

-rw-r--r-- 1 root wheel 462 18 Apr 15:46 com.adobe.fpsaud.plist

-rw-r--r-- 1 root wheel 568 2 Apr 2012 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x 1 root wheel 103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist

-rw-r--r-- 1 root wheel 486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchAgents/

total 8

lrwxr-xr-x 1 root wheel 104 18 Feb 20:59 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Update r.plist

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/

total 32

-rw-r--r-- 1 root wheel 462 18 Apr 15:46 com.adobe.fpsaud.plist

-rw-r--r-- 1 root wheel 568 2 Apr 2012 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x 1 root wheel 103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist

-rw-r--r-- 1 root wheel 486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist

Tims-MacBook-Pro:~ tim$

42 replies
Question marked as Top-ranking reply

May 16, 2014 6:03 AM in response to jkbull

Same here. Permissions on /Users are set to 777 after the OS X 10.9.3 upgrade (and I believe the group should also be wheel?!). While "Disk Utility" detects and repairs this, permissions are reset to 777 after each reboot:


drwxrwxrwx@ 7 root admin 238 15 May 20:14 Users


After each and every reboot, "Disk Utility" finds this:


Verifying permissions for “Macintosh HD”

Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/inde x.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .

Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .

Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .

Permissions verification complete


I do not think my system is heavily modified:


Tims-MacBook-Pro:~ tim$ kextstat | grep -v com.apple

Index Refs Address Size Wired Name (Version) <Linked Against>

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/

total 32

-rw-r--r-- 1 root wheel 462 18 Apr 15:46 com.adobe.fpsaud.plist

-rw-r--r-- 1 root wheel 568 2 Apr 2012 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x 1 root wheel 103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist

-rw-r--r-- 1 root wheel 486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchAgents/

total 8

lrwxr-xr-x 1 root wheel 104 18 Feb 20:59 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Update r.plist

Tims-MacBook-Pro:~ tim$ ls -l /Library/LaunchDaemons/

total 32

-rw-r--r-- 1 root wheel 462 18 Apr 15:46 com.adobe.fpsaud.plist

-rw-r--r-- 1 root wheel 568 2 Apr 2012 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x 1 root wheel 103 18 Feb 20:59 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist

-rw-r--r-- 1 root wheel 486 22 Apr 20:59 com.oracle.java.JavaUpdateHelper.plist

Tims-MacBook-Pro:~ tim$

May 16, 2014 6:43 AM in response to Tim_Doe

Thanks, Tim_Doe.


You repeated the "ls -l /Library/LaunchDaemons" twice, probably because of an error in my post in the thread on the Tunnelblick Discussion Group.


"ls -l ~/Library/LaunchAgents" would be helpful, as would info about what the permissions are after a "safe boot".


My understanding is that the ownership should be root:admin, not root:wheel.

May 16, 2014 7:10 AM in response to jkbull

Adding my observations to this thread in the hope it gets fixed.


Even in Safe Boot the permissions are reset. I confirmed this by using the Disk Utility to reset the permissions and verified this by doing an 'ls' at the command prompt. I then shutdown the computer and booted into single user mode again verifying that the permissions were correct (they were) and this rules out, as far as I can see, it being a process that resets them on shut down. I then shut down from Single User mode and rebooted using Safe Boot. Once booted I checked via 'ls' and the permissions had been reset to 777.


I then used the Disk Utility to fix the permissions again just in case doing in safe mode helped somehow. Once fixed I rebooted normally and, as expected, the permissions had again been reset to 777.


The launch processes/daemons I have are:


gareth@Gareths-iMac:gareth $ kextstat | grep -v com.apple
Index Refs Address Size Wired Name (Version) <Linked Against>
gareth@Gareths-iMac:gareth $
total 88
-rw-r--r-- 1 root wheel 462 25 Apr 03:26 com.adobe.fpsaud.plist
-rw-r--r-- 1 root wheel 722 14 Sep 2012 com.bresink.system.securityagent3.plist
-rw-r--r-- 1 root wheel 1693 24 Feb 19:16 com.crashplan.engine.plist
-rw-r--r-- 1 root wheel 814 20 Jul 2012 com.google.keystone.daemon.plist
-rw-r--r-- 1 root wheel 659 9 Dec 2011 com.jungledisk.service.plist
-rw-r--r-- 1 root wheel 568 10 Mar 2011 com.microsoft.office.licensing.helper.plist
lrwxr-xr-x 1 root wheel 103 15 Feb 2013 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool .plist
-rw-r--r-- 1 root wheel 486 21 Nov 11:07 com.oracle.java.JavaUpdateHelper.plist
-rwxr--r-- 1 root wheel 376 17 Apr 17:40 com.trusteer.rooks.rooksd.plist
-rw-r--r--@ 1 root wheel 566 25 Mar 09:52 de.devolo.networkservice.plist
-rw-r--r-- 1 root wheel 661 27 Sep 2012 org.macosforge.xquartz.privileged_startx.plist
gareth@Gareths-iMac:gareth $
total 48
-rw-r--r-- 1 root wheel 788 20 Jul 2012 com.google.keystone.agent.plist
-rw-r--r-- 1 root admin 655 16 May 11:13 com.hp.help.tocgenerator.plist
lrwxr-xr-x 1 root wheel 104 15 Feb 2013 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Update r.plist
-rwxr--r-- 1 root wheel 577 17 Apr 17:40 com.trusteer.rapport.rapportd.plist
-rw-r--r--@ 1 root wheel 609 25 Mar 09:52 de.devolo.networkservice.notify.plist
-rw-r--r-- 1 root wheel 720 27 Sep 2012 org.macosforge.xquartz.startx.plist
gareth@Gareths-iMac:gareth $ ls -l ~/Library/LaunchAgents
total 64
-rw-r--r-- 1 gareth staff 425 16 May 14:46 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 gareth staff 554 16 May 14:44 com.apple.FolderActions.folders.plist
-rw-r--r-- 1 gareth staff 813 11 Apr 2010 com.apple.SafariBookmarksSyncer.plist
-rw-r--r-- 1 gareth staff 791 12 Dec 23:24 com.kovidgoyal.calibre.plist
-rw-r--r-- 1 gareth staff 655 1 Dec 2012 com.google.GoogleContactSyncAgent.plist
-rw-r--r--@ 1 gareth staff 1072 1 Feb 2012 com.opswat.aw.persistence.plist
-rw-r--r--@ 1 gareth staff 533 16 May 13:29 com.spotify.webhelper.plist
-rw-r--r--@ 1 gareth staff 543 28 May 2013 ws.agile.1PasswordAgent.plist
gareth@Gareths-iMac:gareth $


Finally everytime I reboot and run Disk Utility this output from this is:


Repairing permissions for “Macintosh HD”
Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/inde x.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x .
Repaired “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/inde x.html”
Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx .
Repaired “Users”
Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx .
Repaired “Users/Shared”
Permissions repair complete

May 16, 2014 8:32 AM in response to gaz_stephens

Thanks, gaz_stephens, for your very informative report.


Because this happens even with a "safe boot", I think that means that it is an OS X problem and doesn't need any third-party software. (It's my understanding that a "safe boot" does not load any non-Apple software.)


So this looks like a pure OS X problem. Apple doesn't monitor these user forums. I have filed a bug report with Apple about it, and notified product-security@apple.com.

May 16, 2014 8:44 AM in response to gaz_stephens

Yes, I will be able to give them your email address if they ask. I didn't put it in my bug report because I wasn't sure that would be OK with you, but you said you are "happy to help", so unless I hear otherwise from you, I will assume it's OK to give them your email address.


(That said, my impression is that Apple isn't very good about following up on bugs. We'll see.)

May 16, 2014 10:34 AM in response to jkbull

What I did as a workaround was in Finder/Go/Go to Folder type Users. That made the User folder visible. I created an alias of the folder and put it in Finder's Sidebar. Repeated procedure typing Shared, making an alias, and putting it in the Sidebar. Restarted and the alias links will take you there even after a restart.


Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.

Feedback

May 16, 2014 10:49 AM in response to Tim_Doe

1. On my 10.9.3 system, which does not change /Users permssions to 0777, /Users is still visible.


So does this change to 0777 permissions only happen for systems where /Users is made invisible?



2. It's hard to believe that permissions of 0777 could be correct -- they mean that anyone can make changes to that folder, which holds all users' home folders. They could, for example, delete the home folder of another users, or at least make it inaccessible by renaming it. All sorts of mischief could be done.


Maybe Apple is setting the permissions to 077 and then controlling acces via ACLs (access control lists). The listing


drwxrwxrwx@ 7 root admin 238 15 May 20:14 Users


shows that there are "extended attributes" associated with /Users, but my reading of the man page for ls is that the "@" may mean that there are ACLs, too.


It would be interesting to find out what those extended attributes are and if there are any ACLs. That can be done via


ls -l@e /


Can you each try that?

Does 10.9.3 make /Users insecure by setting permissions to 0777?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.