
Mac running with non-standard permissions....your Mac may be insecure

Hello,

Just got a pop up from Sophos Endpoint saying: "Please contact your system administrator." (I don't have one.) "Your Mac is running with non-standard permissions on key directories and your Mac may be insecure. Reference knowledge base article # 131959."

Can anyone please explain this to me?  What should I do?

 

Many thanks.



This thread was automatically locked due to age.
  • Thanks Rodolfo,

    I tried this but don't have wheel, only me (read-write permissions) and everyone - no access.

    I did have a look at the small list of possible other 'names' and saw Sophos there, and I thought of adding it, with a read-only permission, but in the end I didn't and left it as it was. Thoughts?

    thanks very much, Susan

  • Hi, I need to point out that I am no expert at all. I discovered this by sheer luck, when trying to track an error that I thought was caused by CCC (Carbon Copy Cloner), and the tech help at CCC (best customer service I've ever seen, no kidding) gave me the key idea that solved this problem. This said, here are two grains of salt:

    "Idea #1" Note that the Mac allows you to check a box that says "ignore ownership on this volume". You cannot do this from the boot volume, but you can do it to the other volumes. Now, if you ever started from another volume, and this got checked in your regular start up volume, what happens is that the way ownership gets displayed changes. In particular, you get no "wheel", but see "staff". If you have never used multi-boot [i.e.: more than one operating system with several partitions in your HD], then this would not apply to you.

    "Idea #2". This, I think, is the more likely cause of your trouble. The "Get Info" window allows you to add or subtract ownership [the + and - buttons below the permissions area]. Maybe "wheel" got subtracted, somehow --- either by you or by some software installer with a bug [not through the Get Info window, of course; there are other ways to change permissions].  Try to put it back, using the + button, and then give it the correct permissions.

    Good luck. This message is very annoying. Worse, there is actually a vulnerability involved, so you should try to correct it. Worst-case scenario, call support at Sophos and bring a carload of patience with you.

  • I have tried this. No issues with my permissions. Any other fixes?

  • Hi everyone, 

    This article explains the vulnerability discovered in July 2017 on how to perform a privilege escalation attack on macOS by using 3rd party installers such as Sophos'. Steps are provided in this article to correct the permissions and fix this issue.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support