Applies to Sophos Home (Premium and Free) for MacOS
In July 2017, security researcher Partick Wardle presented a vulnerability at DEF-CON about how to perform a privilege escalation attack on MacOS by using 3rd party installers such as Sophos'.
We published an article at the time about how to check the validity of our installer manually. Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer
In the latest installer of Sophos Home, we have implemented security changes to mitigate this vulnerability. Part of this is to ensure the permissions of several paths are the correct OS default, to prevent this exploit. It will not install if the permissions are not correct as per the table below in the What to Do section.
The following error example can be seen in the SophosDiagnostics logs after the failure:
2018-02-07 10:37:55.965 [com.sophos.bootstrap.helper 7135:48794 install debug] insecurity detection: Error Domain=com.sophos.installer Code=30 "Error: path is not secure. /Library"
This is due to the security scenario in which the specified folder is not set to the OS default security. Sophos Home requires the below listed levels of security in order to install:
What to do
To check the folders permissions and make the security corrections, please follow these steps:
Watch a video with the steps here
1 - Click on the magnifying glass to open Spotlight and type terminal
2 - Open the terminal and copy paste the following command
|ls -ld /. && ls -ld /Library && ls -ld /Library/Application\ Support/|
3 - Hit Enter to display the permissions and groups. It will look similar to this:
The first things displayed are the permissions, then the group , then date and folder name.
Ensure the 3 folders match the below listed permissions /groups:
|Folder||Permissions and group|
|/.||drwxr-xr-x root wheel|
|/Library||drwxr-xr-x root wheel|
|/Library/Application Support||drwxr-xr-x root admin|
If any of the above do not match your folders' permissions/groups, Sophos Home will not be able to install due to security risks (Since installs inherit permissions).
Steps to fix permissions/wrong owner/group:
Please read this first:
These folders are protected by System Integrity Protection (SIP) (https://support.apple.com/en-ca/HT204899) by default. Changes can only be made to it when this is turned off.
These steps will need to be applied to any of the three folders that do not match.
Note: Repeat step 5 replacing foldername with the appropriate folder as needed, hit Enter after completing the command, and type your password as prompted (you will not see it while typing it).
- Reboot into Recovery Mode (Command+R on boot) [Watch a video here]
- Open Utilities->Terminal
- Run the command (This turns off SIP): csrutil disable
- Open a Terminal, copy the following command to change permissions of each folder:
sudo chmod 755 foldername
To change the owner/group of a folder see Note at the bottom.
- Reboot into Recovery Mode (Command+R on boot)
- Open Utilities->Terminal
- Run the command (This turns SIP on): csrutil enable
- Re-try installing Sophos Home
Note: If the owner or group are not correct, run the following commands to rectify it (based on each folder that needs correction)
- Please type them one at a time, and Hit enter
- Enter your password when prompted (you will not see it while you type it)
| sudo chown root:wheel /
sudo chown root:wheel /Library
sudo chown root:admin /Library/Application\ Support