Sophos Home Support

Fix Installation & Uninstall Issues

Articles in this section

See more

Sophos Home MacOS Installer: Folder Insecurity Errors during install

Avatar
Sophos Home Support
  • Updated

Applies to the following Sophos product(s) and version(s)
Mac Endpoint 9.7.4

Operating systems
MacOS

Overview

In July 2017, security researcher Partick Wardle presented a vulnerability at DEF-CON about how to perform a privilege escalation attack on MacOS by using 3rd party installers such as Sophos'.

We published an article at the time about how to check the validity of our installer manually. https://community.sophos.com/kb/en-us/127252

In the latest installer for Sophos Central we have implemented security changes to mitigate this vulnerability. Part of this is to ensure the permissions of several paths are the correct OS default, to prevent this exploit. It will not install if the permissions are not correct as per the table below in the What to Do section.

The following error can be seen in the SophosDiagnostics logs after the failure:

2018-02-07 10:37:55.963 [com.sophos.bootstrap.helper 7135:48794 install debug] to path:(null)

 

2018-02-07 10:37:55.965 [com.sophos.bootstrap.helper 7135:48794 install debug] to secure location: (null)
2018-02-07 10:37:55.965 [com.sophos.bootstrap.helper 7135:48794 install debug] insecurity detection: Error Domain=com.sophos.installer Code=30 "Error: path is not secure. /Library"

This is due to the security of the specified folder not being the OS default. This is required for a secure installation. 

We require the following folders to have the following permissions:

Location Permission To check permissions
/ drwxr-xr-x root wheel (755 root wheel)  ls -la / (Look at .)
/Library drwxr-xr-x root wheel (755 root wheel)  ls -la / (Look at Library)
/Library/Application Support drwxr-xr-x root admin (755 root admin)  ls -la /Library (look at Application Support)

If this any of these has been changed, we will not install due to the security risk (Since installs inherit permissions). 

These folders are protected by System Integrity Protection (SIP) (https://support.apple.com/en-ca/HT204899) by default. Changes can only be made to it when this is turned off.

Existing permissions can be seen with this terminal command: ls -la /

To fix:

This will need to be done for any of the three folders which do not match. Repeat step 5 with the appropriate folders as needed.

  1. Reboot into Recovery Mode (Command+R on boot)
  2. Open Utilities->Terminal
  3. Run the command (This turns off SIP): csrutil disable
  4. Reboot
  5. Open a Terminal, run: sudo chmod 755 <folder>
  6. Reboot into Recovery Mode (Command+R on boot)
  7. Open Utilities->Terminal
  8. Run the command (This turns SIP on): csrutil enable
  9. Reboot
  10. Run our install

Note: If the owner or group are not correct (In the ls -la <parent>) then this can be changed by adding the command "sudo chown root:wheel /", "sudo chown root:wheel /Library" or "sudo chown root:admin for /Library/Application\ Support" depending on the case after step 5

Related articles

Comments

1 comment

Sort by Date Votes
  • Avatar
    Sherwin Pao

    Hi

    0
    Permalink

Please sign in to leave a comment.