System Requirements not met. Users system folder not secure

[sarah.j...@gmail.com]

I came to Tunnelblick from TorVPN. I'm trying to install it on a MBP running High Sierra (10.13.4). It tells me to fix the problem by repairing disc permissions; the ability to repair disc permissions was removed in El Capitan (10.11). So what do I do and how can I trust a VPN when it doesn't work and is giving me outdated information on how to get it to work. 

[Tunnelblick developer]

I'm sorry this is happening to you, but please understand that Tunnelblick did not cause the problem, it is merely pointing out a problem that exists in your system.

You are correct that on macOS 10.11 and higher, "Disk Utility" does not include "Repair Disk Permissions", as is pointed out on our help page for this problem. On such systems, the only solution is to set the correct permissions using the /Applications/Utilities/Terminal. The commands to repair ownership and permissions for the folders that usually have problems are shown in tables located on that same page.

Please note that Tunnelblick is not affiliated in any way with TorVPN. Tunnelblick is just the free software that many VPN service providers (such as TorVPN) recommend or supply to their customers. We do not provide VPN service, just software.

[darr...@gmail.com]

When I try to change permissions as per your terminal commands on your help page, I get a terminal message "Operation not permitted".

I'm not an advanced user – can you help with repairing these system level permissions?

Thanks.

[Tunnelblick developer]

"D S", what version of macOS (OS X) do you have? You can find out by clicking on the little apple icon in the top left corner of your computer screen, then clicking on "About This Mac", "About This Macintosh", "About This Computer", or similar.

[Darren Shaw]

Hi. I’m on 10.14.2

Thanks,

Darren

--
You received this message because you are subscribed to a topic in the Google Groups "tunnelblick-discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/tunnelblick-discuss/eSYvPlOLCZA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to tunnelblick-dis...@googlegroups.com.
Visit this group at https://groups.google.com/group/tunnelblick-discuss.
For more options, visit https://groups.google.com/d/optout.

[Tunnelblick developer]

Ok, thanks, "D S".

(A) You need to note which system folder Tunnelblick complains about when it launches. (For example, "Applications".)

(B) You must to be logged in as an "admin" user to use the commands because "sudo" only works for admin users.

(C) Do the following:

1. Copy the corresponding command from the table below "For OS X 10.11 and higher:" on System Folder Security. (For "Applications", for example, you would copy sudo chown root:admin /Applications; sudo chmod 0775 /Applications.)
   
2. Open Terminal, then paste. After pasting, press the "return/enter" key on your keyboard.
   
3. You will be asked for a password. Type in your password for logging into the computer (nothing to do with any VPN or website password).
   
4. Nothing will happen as you type -- you won't even see asterisks or bullets to indicate that you've typed anything at all.
   
5. Press the return/enter key on your keyboard.
   

On Saturday, January 12, 2019 at 12:38:55 PM UTC-5, D S wrote:

Hi. I’m on 10.14.2

Thanks,

Darren

[Darren Shaw]

Tunnelblick complains about "The Users system folder (/Users) is not secure.”

So I did what you said for:

/Users

root

admin

rwxr-xr-x

0755

sudo chown root:admin /Users; sudo chmod 0755 /Users

It accepted the change!

Tunnelblick installed successfully and I was able to connect to the provider of my VPN.

MAY I ASK: should I go through each of the examples you have provided on your webpage for all the other folders, even if your installer hasn’t complained about them? Is there something wrong with the permissions for my Mac that I should correct as you have helpfully set out on your System Folder Security page?

Thank you so much.

[Tunnelblick developer]

If Tunnelblick installed successfully, it means that all of the system folders listed in the table have the correct ownership and permissions, so you don't need to do anything more.

There's no way to be sure that everything is OK on your Mac, but what's most likely to have happened is that a badly-written installer for some application changed the ownership/permissions on the Applications folder.

It is possible that it also changed ownership/permissions on folders that Tunnelblick does not use and thus doesn't check, but unless you have other problems you can probably ignore that.

Note that if you reinstall whatever installer messed up the ownership/permissions, it will probably do that again, Tunnelblick will complain again, and you'll have to go through the same procedure using Terminal.

[vince...@gmail.com]

"Note that if you reinstall whatever installer messed up the ownership/permissions, it will probably do that again, Tunnelblick will complain again, and you'll have to go through the same procedure using Terminal."

This is absolutely _awful_. 
This behaviour is unacceptable - Tunnelblick literally being in the only app that refuses to work -  and Tunnelblick has becoming as annoying as a virus. 

Unfortunately, I need to use it to due to requirements from my work space. 
I´m looking forward to the day I don´t have to use this piece of junk anymore...

[Tunnelblick developer]

First, please understand that Tunnelblick is not causing the problem, it is only pointing it out.

To summarize your complaint:

• Tunnelblick's refusal to operate on a computer system that has been compromised is "absolutely _awful_" and "unacceptable".
• You would rather operate a compromised system than fix it.
• You are repeatedly installing a program that compromises your system.

(And, yes, if you are getting these warnings, your computer is compromised. That's not to say that it has malware, just that it is more vulnerable to becoming infected with malware than a system that doesn't have ownership/permissions problems.)

A common reason an employer requires employees use Tunnelblick is because they consider it more secure than alternative programs. One of the reasons it might be considered more secure is that it refuses to run on already compromised systems. (If a compromised system connects to their network, it removes one layer of their "security onion" and puts their entire network more at risk, so it's quite reasonable for them to be unhappy about it.)

Since you are apparently repeatedly running into this problem, why don't you keep the one line command to fix it handy, and consider executing it a necessary step each time you run the badly-written or malicious installer? Just use the appropriate command from our System Folder Security page.

By complaining about Tunnelblick, you are "shooting the messenger". Instead, you might want to direct some of your ire at the program(s) that are compromising your system. Or, more productively, you could notify the program's author(s) so they could fix their programs.

Or perhaps you could try to persuade your "work space" to relax their requirement so you can install an alternative to Tunnelblick, such as Viscosity. If they don't care about you connecting your compromised system to their network, they might be fine with a proprietary program being used to connect to their network.

[vince...@gmail.com]

Well, let´s look at this from the PoV of the user, shall we?

 "You are repeatedly installing a program that compromises your system."

Well, first of all I have absolutely no way of knowing, if that is the case. And since I haven´t installed in the last weeks anything except of updates of sources like office365, it´s really hard to know what causes the problem. 

What is your solution? That I try to connect with Tunnelblick every time after any type of installation to check which installer might wreck havoc with those rights? I have _work_ to do, I´m not a permission rights detective with too much spare time.

Thus, this sentence is absolutely not helpful and kind of has it backwards. _I_ am not responsible for anything. I use stuff that I need, and if somebody wrote a shitty installer, I am a _victim_ and not the cause of the problem. 
You kind of seem to think that you are dealing with irresponsible users who don´t care about the safety of their systems and king of deserve to but shut out of a VPN connection until _they_ fix it...

"Since you are apparently repeatedly running into this problem, why don't you keep the one line command to fix it handy, and consider executing it a necessary step each time you run the badly-written or malicious installer?"

Well, again you seem to think this is _my_fault. I have not freaking clue what causes it. To me the error appears in completely erratic fashion. 
Would you actually care a tiny bit about user experience, you would include into the error message pop up the command line that fixes it. How hard would that be? 
So instead:
"X is not secure. I will thus close now, fuck you"

the output could be:

"X is not secure, to fix this, please type this line into your terminal (the fitting line for X), then it should work after a restart"

You see the difference?

[Mike Weber]

I have no affiliation with tunnelblick, I just follow this list.

The difference I see is that you are very disrespectful.

I happen to agree that tunnelblick should have no business caring about the permissions of anything except itself, and where it stores its VPN/shadow profiles...but you need to think a bit more before you speak.

This software is free, and I do not care what rule or policy asks you to use it, you should learn to respect that.

Please fix your attitude, does this look like a call center?  Or how about you come down off your chariot, and write the code yourself?

[Rob]

I totally agree.

[vince...@gmail.com]

Hi Mike,

I´m sorry to say, I completely disagree with you. 

Since I´m forced to use this software, which I have always utterly disliked (name, interface, usability, you name it), this is really the final straw for me. 

There is absolutely no need to respect a software, which I find annoying in the best of times, and infuriating in the worst of times, especially because of the complete disregard of usability.

I respect good work and useful tools, independent of whether they are free or not.

Honestly, I´m looking forward to the day when Tunnelblick does not exist anymore forcing my institution to change to another software. 

Of course, I never claimed that this was an objective view. It´s my personal experience and my personal view on this. 

If you like the tool and want to give respect to the developer, please feel free to do so. But don´t expect me to follow. 

Best, 

Vince

[Tunnelblick developer]

Thanks for sharing your idea of giving instructions on fixing the problem in Tunnelblick's error message. I'll look into it.

[Tunnelblick developer]

Mike wrote:

I happen to agree that tunnelblick should have no business caring about the permissions of anything except itself, and where it stores its VPN/shadow profiles...but you need to think a bit more before you speak.

Tunnelblick cares (only) about ownership/permissions of every system tool that it uses directly, the entire path to each tool, and the path to every folder that it stores data in or retrieves data from. That's because if any of those ownership/permissions are wrong the part of Tunnelblick that runs as root could cause other damage to the system.

[Mike Weber]

So I suppose that this somewhat makes sense, and I think I see the logic behind it, but I am just a fan of the Unix philosophy:  Make each program do one thing well.

It seems to me, that if you continue to follow the concerns that you have to a logical end, that you will be cryptographically verifying almost the entire system.

You have built software, that does VPNing really well, and want to protect this confidential secrets/keys/codes that allow a VPN connection to be established, but you are also now falling victim to having to deal with some issues that OSX may have.

I agree that the permission's issue, IS an issue, but it should be enforced by OSX, or other software itself.  I am not arguing against what you have done, I am just pointing out, that it may become more difficult in the future if someone/something else does not pick up the slack that this software has already done...which seems to be keeping keystores, and core software secure.

[Tunnelblick developer]

Mike, thanks for your thoughtful comments and support (and your posts helping other users in other discussions, too).