
Applies to Sophos Home for macOS

What’s happening

When you try to install/uninstall Sophos Home on Mac, you receive the following message: “The installation cannot proceed. The installer has detected that key system folder(s) on your Mac have insecure permissions… “


OR “The removal failed. Insecure ownership or permissions were detected on a key directory. Installation cancelled.”


This happens when one or more of these system folders no longer have their default permissions, or are owned by the wrong user or group.
The usual triggers are: migrating system files from another Mac, OS corruption, or having changed permissions manually in the past for testing or troubleshooting purposes.

Technical information

In July 2017, security researcher Patrick Wardle presented research at DEF CON showing how to perform a privilege escalation attack on macOS by abusing third-party installers, including Sophos'.

We published an article at the time about how to check the validity of our installer manually: Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer

The latest Sophos Home installer includes security changes to mitigate this vulnerability. Part of this is verifying that several paths still have the OS default permissions and ownership before the installer, which runs as root, writes into them; a folder that an unprivileged user could modify would give that user a way to interfere with the privileged installation. The installer therefore refuses to proceed unless the permissions match the table in the What to do section below.

The following error example can be seen in the SophosDiagnostics logs after the failure; the path at the end of the message is the folder that failed the check:
2018-02-07 10:37:55.965 [com.sophos.bootstrap.helper 7135:48794 install debug] insecurity detection: Error Domain=com.sophos.installer Code=30 “Error: path is not secure. /Library

What to do


Part 1 – Finding out which folders need to be corrected

You will need to check the current folders' permissions and make the appropriate corrections before Sophos Home can be installed. There are two parts involved.

1 – Click the magnifying glass to open Spotlight and type terminal
2 – Open Terminal and paste the following command

ls -ld /. && ls -ld /Library && ls -ld /Library/Application\ Support/

3 – Hit Enter to display the permissions, owners and groups. Each line of output lists, in order, the permissions, the link count, the owner, the group, the size, the modification date and the folder name.

Ensure the three folders match the permissions, owner and group listed below:

Folder                         Permissions   Owner   Group
/.                             drwxr-xr-x    root    wheel
/Library                       drwxr-xr-x    root    wheel
/Library/Application Support   drwxr-xr-x    root    admin

If any of the three do not match, Sophos Home will not install: the installer runs as root and creates files beneath these folders, so a folder that a non-root user or group can write to would let that user tamper with a privileged installation.

Part 2 – Correcting permissions/wrong owner/group

Please read this first:
These folders may be protected by System Integrity Protection (SIP) (https://support.apple.com/en-ca/HT204899), in which case changes can only be made while SIP is turned off. Try the chmod/chown commands from step 5 first with SIP still enabled; only if they are refused with "Operation not permitted" are steps 1 to 4 and 6 to 9 needed. Disabling SIP removes a system-wide protection, so turn it back on as soon as the permissions are corrected.

Then, follow these steps to make the necessary corrections. Apply them to each of the three folders that does not match.

  1. Reboot into Recovery Mode (hold Command+R on boot)
  2. Open Utilities->Terminal
  3. Run the command (this turns off SIP): csrutil disable
  4. Reboot
  5. Open a Terminal and run the following command to change the permissions of each folder, replacing foldername with the folder that needs correction (escape the space in /Library/Application Support as in the chown commands in the Note below). Hit Enter and type your password when prompted (you will not see it while typing):
    sudo chmod 755 foldername
    To change the owner/group of a folder, see the Note at the bottom.
  6. Reboot into Recovery Mode (hold Command+R on boot)
  7. Open Utilities->Terminal
  8. Run the command (this turns SIP back on): csrutil enable
  9. Reboot
  10. Retry installing Sophos Home

Note: If the owner or group are not correct, run the following commands to rectify it (one command per folder that needs correction)
– Type them one at a time and hit Enter
– Enter your password when prompted (you will not see it while you type it)

sudo chown root:wheel /
sudo chown root:wheel /Library
sudo chown root:admin /Library/Application\ Support
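The checks from Part 1 and the corrective commands from Part 2, combined into one shell script, as an added example that is not part of this article or of the Sophos installer. It parses `ls -ld` output, so the same logic can be exercised on sample lines without touching a real system; the expected values are the ones in the table above, and the function names (`expected_for`, `check_line`, `check_system`) are this example's own. For each mismatch it prints the `chmod`/`chown` command that would fix it rather than running it, so nothing changes until you run the printed command yourself.

```shell
#!/bin/sh
# Added example (not Sophos code): audit the three folders the Sophos Home
# installer validates and print the command that would fix each mismatch.
# Expected values are the OS defaults from the table in this article.

# expected_for DIR: print "mode owner group" expected for DIR, or fail.
expected_for() {
    case "$1" in
        /|/.)                           echo "drwxr-xr-x root wheel" ;;
        /Library)                       echo "drwxr-xr-x root wheel" ;;
        "/Library/Application Support") echo "drwxr-xr-x root admin" ;;
        *)                              return 1 ;;
    esac
}

# check_line DIR LS_LINE: compare one line of `ls -ld DIR` output against
# the expected mode/owner/group. Prints a verdict and the corrective
# command for each mismatch; returns 0 if secure, 1 if not, 2 if DIR is
# not one of the audited folders.
check_line() {
    dir=$1
    line=$2
    expected=$(expected_for "$dir") || { echo "$dir: not an audited folder"; return 2; }

    # ls -ld fields: mode links owner group size date... name
    set -- $line
    mode=$1; owner=$3; group=$4
    # macOS appends '+' (ACL present) or '@' (extended attributes) to the
    # mode column; keep only the type character and nine permission characters.
    mode=$(printf '%s' "$mode" | cut -c1-10)

    set -- $expected
    emode=$1; eowner=$2; egroup=$3

    status=0
    if [ "$mode" != "$emode" ]; then
        echo "$dir: mode $mode, expected $emode  ->  sudo chmod 755 \"$dir\""
        status=1
    fi
    if [ "$owner" != "$eowner" ] || [ "$group" != "$egroup" ]; then
        echo "$dir: owner $owner:$group, expected $eowner:$egroup  ->  sudo chown $eowner:$egroup \"$dir\""
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$dir: OK"
    return "$status"
}

# check_system: run check_line against the live filesystem (macOS).
# Returns 0 only if all three folders are secure.
check_system() {
    rc=0
    for d in / /Library "/Library/Application Support"; do
        check_line "$d" "$(ls -ld "$d")" || rc=1
    done
    return "$rc"
}

# Only audit the live system when asked (sh audit.sh --live), so the
# functions can also be sourced and tried on sample ls -ld lines.
if [ "${1:-}" = "--live" ]; then
    check_system
fi
```

Run it with `--live` on the Mac that refuses to install; a non-zero exit means at least one folder needs the printed command. If a printed chmod/chown is refused with "Operation not permitted" even under sudo, that folder is SIP-protected on your system and the Recovery Mode steps above apply.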

Source: Official Sophos Brand
Edited by: BEST Antivirus KBS Team
