Applies to Sophos Home for macOS
What's happening
When you try to install/uninstall Sophos Home on Mac, you receive the following message: "The installation cannot proceed. The installer has detected that key system folder(s) on your Mac have insecure permissions... "
OR "The removal failed. Insecure ownership or permissions were detected on a key directory. Installation cancelled."
This happens when one or more system folders no longer have their default permissions, and/or are assigned to an incorrect owner or system group.
The usual triggers are migrating system files to another device, OS corruption, or permissions that were changed manually in the past for testing or troubleshooting purposes.
Technical information
In July 2017, security researcher Patrick Wardle presented a vulnerability at DEF CON showing how to perform a privilege escalation attack on macOS by using third-party installers such as Sophos'.
We published an article at the time about how to check the validity of our installer manually: Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer.
The latest Sophos Home installer includes security changes to mitigate this vulnerability. Part of this is a check that several paths have the correct OS default ownership and permissions, so that the exploit cannot be used. The installer will not proceed if the permissions do not match the table in the What to do section below.
The following error example can be seen in the SophosDiagnostics logs after the failure:
2018-02-07 10:37:55.965 [com.sophos.bootstrap.helper 7135:48794 install debug] insecurity detection: Error Domain=com.sophos.installer Code=30 "Error: path is not secure. /Library"
What to do
Video Steps
Part 1 - Finding out which folders need to be corrected
You will need to check the current folders' permissions and make the appropriate security corrections before Sophos Home can be installed. There are two parts involved; be sure to watch the video steps for additional details.
1 - Click on the magnifying glass to open Spotlight and type terminal
2 - Open Terminal and copy and paste the following command:
ls -ld /. && ls -ld /Library && ls -ld /Library/Application\ Support/
3 - Hit Enter to display the permissions, owner and group of each folder.
In each line of the output, the first field is the permissions, followed by the link count, the owner, the group, the size, the date and the folder name.
Ensure the three folders match the permissions, owner and group listed below:
Folder | Permissions, owner and group
---|---
/. | drwxr-xr-x root wheel
/Library | drwxr-xr-x root wheel
/Library/Application Support | drwxr-xr-x root admin
If any of your folders do not match these permissions, owner or group, Sophos Home will not install, because the files it installs would inherit the insecure permissions.
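The Part 1 check as a small POSIX shell script, added here as an example (it is not Sophos' code and not part of the original article): it parses the same `ls -ld` output as step 2 and reports each of the three folders as OK or MISMATCH against the table above. The function names check_dir and check_installer_paths are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Sophos article: verify that the folders the
# Sophos Home installer inspects have the macOS default mode, owner and group.

# check_dir PATH EXPECTED_MODE EXPECTED_OWNER EXPECTED_GROUP
# Prints OK or MISMATCH and returns 0 only when all three fields match.
check_dir() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    line=$(ls -ld "$path") || return 1
    # `ls -ld` prints: mode links owner group size date name.
    # Keep only the first 10 characters of the mode so a trailing '@' or '+'
    # (extended attributes / ACLs on macOS) does not cause a false mismatch.
    mode=$(printf '%s\n' "$line" | awk '{print substr($1, 1, 10)}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    if [ "$mode" = "$want_mode" ] && [ "$owner" = "$want_owner" ] \
        && [ "$group" = "$want_group" ]; then
        printf 'OK        %s (%s %s %s)\n' "$path" "$mode" "$owner" "$group"
        return 0
    fi
    printf 'MISMATCH  %s: got %s %s %s, expected %s %s %s\n' \
        "$path" "$mode" "$owner" "$group" "$want_mode" "$want_owner" "$want_group"
    return 1
}

# check_installer_paths: the three entries from the table in the article.
# Returns the number of folders that do not match; 0 means the install can proceed.
check_installer_paths() {
    bad=0
    check_dir /.                             drwxr-xr-x root wheel || bad=$((bad+1))
    check_dir /Library                       drwxr-xr-x root wheel || bad=$((bad+1))
    check_dir "/Library/Application Support" drwxr-xr-x root admin || bad=$((bad+1))
    return $bad
}
```

Run `check_installer_paths` in Terminal on the Mac; each MISMATCH line names a folder that needs the Part 2 correction.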
Part 2 - Correcting permissions/wrong owner/group
Please read this first:
These folders are protected by System Integrity Protection (SIP) (https://support.apple.com/en-ca/HT204899) by default. Changes can only be made to them while SIP is turned off.
Then, follow these steps to make the necessary corrections:
These steps need to be applied to each of the three folders that does not match.
Note: Repeat step 5 for each folder that needs correcting, replacing foldername with the folder path (escape the space as in /Library/Application\ Support), hit Enter after entering the command, and type your password when prompted (you will not see it while typing).
1 - Reboot into Recovery Mode (hold Command+R on boot)
2 - Open Utilities -> Terminal
3 - Run the following command (this turns off SIP): csrutil disable
4 - Reboot
5 - Open a Terminal and run the following command to change the permissions of each folder:
sudo chmod 755 foldername
To change the owner or group of a folder, see the Note at the bottom.
6 - Reboot into Recovery Mode (hold Command+R on boot)
7 - Open Utilities -> Terminal
8 - Run the following command (this turns SIP back on): csrutil enable
9 - Reboot
10 - Re-try installing Sophos Home
Note: If the owner or group is not correct, run the command below for each folder that needs correcting:
- Type them one at a time and hit Enter
- Enter your password when prompted (you will not see it while you type it)
sudo chown root:wheel /
sudo chown root:wheel /Library
sudo chown root:admin /Library/Application\ Support