| The Benutzer system folder (/Users) is not secure. | m.h...@gmail.com | 15/05/14 14:34 | After the update to OSX 10.9.3 today, I got the error message "The Benutzer system folder (/Users) is not secure." Repairing via Disk Utility does not solve the issue. No manual repairing instruction for /Users is given in the online help. There is only one log entry in Tunnelblick: "The Benutzer system folder (/Users) is not secure." drwxrwxrwx@ 6 root admin 204 23 Okt 2013 Users drwxr-xr-x+ 76 mo staff 2584 14 Mai 19:11 mo What are the correct permissions? |
| Re: The Benutzer system folder (/Users) is not secure. | Tunnelblick developer | 15/05/14 19:06 | See problem #5 discussed at https://groups.google.com/d/msg/tunnelblick-discuss/mnrqnCSzvHQ/J-EaFNcV5lEJ. It links to a discussion at https://groups.google.com/forum/#!msg/tunnelblick-discuss/jZnYOL8zIN8/l4ozoQMZN4MJ. Apparently /Users should be owned by root:wheel with permissions 0755. Disk Utility in 10.5 and lower does not repair permissions on the other system folders (such as /Applications), so it probably doesn't repair /Users either. |
| Re: The Benutzer system folder (/Users) is not secure. | m.h...@gmail.com | 15/05/14 19:12 | sudo chown root:wheel /Users sudo chmod 755 /Users fixed the error. Maybe add this to the online help in the section for manual configuration. |
| Re: The Benutzer system folder (/Users) is not secure. | Tunnelblick developer | 15/05/14 21:35 | Thanks. I will add this to the help the next time I update it -- I'll probably add a page about this permission stuff. But it is really a problem with your particular computer -- some program you installed changed the permissions incorrectly. This is usually because of a bug in the program's installer, but it could be an indication that your system has been compromised. Note: this is not something that Tunnelblick has anything to do with except that Tunnelblick notices the problem and complains about it -- in other words, Tunnelblick is just the messenger. Such problems are fairly rare. The systems that I have updated to 10.9.3 do not have this problem -- the ownership/permissions on /Users was root:wheel 0755 before and after the 10.9.3 update. |
| Re: The Benutzer system folder (/Users) is not secure. | Gareth Stephens | 16/05/14 03:18 | Hi, Just to add that I updated to Mac OS X 10.9.3 today on two computers (an iMac and MacBook Pro) and have just started to receive this error message as well. Prior to this there were no issues. Disk Utility does find and fix the problem for me by setting the permissions to root:admin 755 (not wheel - which I tried manually). However, on reboot the permissions revert to 777 and, of course, the error message reappears. I appreciate that this is probably not a TunnelBlick problem as such, but how can I identify what is changing the permissions? As this occurred when both computers updated to 10.9.3 it leads me to believe that my system isn't compromised (although of course not impossible) and it is some quirk of 10.9.3 and another application (assuming it is not TunnelBlick). Not sure where/how to track this down; any suggestions would be much appreciated! Thanks. |
| Re: The Benutzer system folder (/Users) is not secure. | Tunnelblick developer | 16/05/14 04:24 | Hi, gaz.st.. -- thanks for your report. I just started a thread on the Apple Support Communities about this problem after finding another report of it. (I'm hoping that some non-Tunnelblick users can help find the problem.) I can't reproduce this, so I can't help track it down, but everyone who is affected can help. In the past, similar problems (with /Applications, I think) have been caused by incorrectly-written installers, but presumably nobody has installers running automatically at system startup or login, so that probably isn't the problem here. Can anyone confirm that a "safe boot" on an affected system does not cause the permissions to change? See OS X Mavericks: Start up in safe mode. (I'll assume that a safe boot does not cause the problem (unless I hear otherwise), but confirmation of that from affected users would be helpful.) To find out what is causing this we need to see what programs are being launched and what kexts are being loaded at system startup and at login. To list the non-Apple kexts that are loaded, use the Terminal command:
Startup programs are more problematic because programs can be launched at startup and login by many mechanisms. Listings of /Library/LaunchDaemons. The following Terminal commands will list some:
If people who are affected by this run these commands and post the results, maybe we will see something they have in common. |
| Re: The Benutzer system folder (/Users) is not secure. | Tunnelblick developer | 16/05/14 06:39 | There was a typo in my prior post. The commands should be:
|
| Re: The Benutzer system folder (/Users) is not secure. | Gareth Stephens | 16/05/14 07:04 | My observations are: Even in Safe Boot the permissions are reset. I confirmed this by using the Disk Utility to reset the permissions and verified this by doing an 'ls' at the command prompt. I then shut down the computer and booted into single user mode again verifying that the permissions were correct (they were) and this rules out, as far as I can see, it being a process that resets them on shut down. I then shut down from Single User mode and rebooted using Safe Boot. Once booted I checked via 'ls' and the permissions had been reset to 777. I then used the Disk Utility to fix the permissions again just in case doing it in safe mode helped somehow. Once fixed I rebooted normally and, as expected, the permissions had again been reset to 777. So, the commands above gave: gareth@Gareths-iMac:gareth $ kextstat | grep -v com.apple Index Refs Address Size Wired Name (Version) <Linked Against> gareth@Gareths-iMac:gareth $ total 88 -rw-r--r-- 1 root wheel 462 25 Apr 03:26 com.adobe.fpsaud.plist -rw-r--r-- 1 root wheel 722 14 Sep 2012 com.bresink.system.securityagent3.plist -rw-r--r-- 1 root wheel 1693 24 Feb 19:16 com.crashplan.engine.plist -rw-r--r-- 1 root wheel 814 20 Jul 2012 com.google.keystone.daemon.plist -rw-r--r-- 1 root wheel 659 9 Dec 2011 com.jungledisk.service.plist -rw-r--r-- 1 root wheel 568 10 Mar 2011 com.microsoft.office.licensing.helper.plist lrwxr-xr-x 1 root wheel 103 15 Feb 2013 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist -rw-r--r-- 1 root wheel 486 21 Nov 11:07 com.oracle.java.JavaUpdateHelper.plist -rwxr--r-- 1 root wheel 376 17 Apr 17:40 com.trusteer.rooks.rooksd.plist -rw-r--r--@ 1 root wheel 566 25 Mar 09:52 de.devolo.networkservice.plist -rw-r--r-- 1 root wheel 661 27 Sep 2012 org.macosforge.xquartz.privileged_startx.plist gareth@Gareths-iMac:gareth $ total 48 
-rw-r--r-- 1 root wheel 788 20 Jul 2012 com.google.keystone.agent.plist -rw-r--r-- 1 root admin 655 16 May 11:13 com.hp.help.tocgenerator.plist lrwxr-xr-x 1 root wheel 104 15 Feb 2013 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist -rwxr--r-- 1 root wheel 577 17 Apr 17:40 com.trusteer.rapport.rapportd.plist -rw-r--r--@ 1 root wheel 609 25 Mar 09:52 de.devolo.networkservice.notify.plist -rw-r--r-- 1 root wheel 720 27 Sep 2012 org.macosforge.xquartz.startx.plist gareth@Gareths-iMac:gareth $ ls -l ~/Library/LaunchAgents total 64 -rw-r--r-- 1 gareth staff 425 16 May 14:46 com.apple.FolderActions.enabled.plist -rw-r--r-- 1 gareth staff 554 16 May 14:44 com.apple.FolderActions.folders.plist -rw-r--r-- 1 gareth staff 813 11 Apr 2010 com.apple.SafariBookmarksSyncer.plist -rw-r--r-- 1 gareth staff 791 12 Dec 23:24 com.kovidgoyal.calibre.plist -rw-r--r-- 1 gareth staff 655 1 Dec 2012 com.google.GoogleContactSyncAgent.plist -rw-r--r--@ 1 gareth staff 1072 1 Feb 2012 com.opswat.aw.persistence.plist -rw-r--r--@ 1 gareth staff 533 16 May 13:29 com.spotify.webhelper.plist -rw-r--r--@ 1 gareth staff 543 28 May 2013 ws.agile.1PasswordAgent.plist gareth@Gareths-iMac:gareth $ Finally, every time I reboot and run Disk Utility the output from this is: Repairing permissions for “Macintosh HD” Permissions differ on “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html”; should be lrwxr-xr-x ; they are -rwxr-xr-x . Repaired “Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html” Permissions differ on “Users”; should be drwxr-xr-x ; they are drwxrwxrwx . Repaired “Users” Permissions differ on “Users/Shared”; should be drwxrwxrwt ; they are drwxrwxrwx . Repaired “Users/Shared” Permissions repair complete I will also post this information on the thread you started on the Apple Support forum. Regards, Gareth. |
| Re: The Benutzer system folder (/Users) is not secure. | goo...@buenomarketing.com | 16/05/14 08:52 | I just want to add my voice to this after the update this morning No problems before. After warnings that TB might not be secure. Here's my info: kextstat | grep -v com.apple Bigs-iMac:~ bigtrees$ Index Refs Address Size Wired Name (Version) <Linked Against> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ 54 0 0xffffff7f808ff000 0x47000 0x47000 at.obdev.nke.LittleSnitch (4092) <5 4 3 1> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ 103 0 0xffffff7f80eab000 0x4000 0x4000 com.logitech.driver.LogiGamingMouseFilter (1) <74 30 4 3> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ 108 0 0xffffff7f816b0000 0x5000 0x5000 com.driver.LogJoystick (2.0) <30 5 4 3> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ 119 0 0xffffff7f82a9b000 0x7000 0x7000 com.AmbrosiaSW.AudioSupport (4.1.2) <118 5 4 3 1> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ 121 0 0xffffff7f817ac000 0x4000 0x4000 com.globaldelight.driver.BoomDevice (1.1) <118 5 4 3 1> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ 135 0 0xffffff7f80c13000 0x4000 0x4000 com.manycamllc.driver.ManyCamDriver (0.0.9) <5 4 3 1> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ 136 0 0xffffff7f80bc1000 0x9000 0x9000 net.telestream.driver.TelestreamAudio (1.1.0) <118 5 4 3 1> -bash: syntax error near unexpected token `(' Bigs-iMac:~ bigtrees$ Bigs-iMac:~ bigtrees$ ls -l /Library/LaunchDaemons -bash: Bigs-iMac:~: command not found Bigs-iMac:~ bigtrees$ total 112 -bash: total: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 631 May 12 11:35 at.obdev.littlesnitchd.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 634 Sep 19 2012 com.adobe.SwitchBoard.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 
462 Apr 12 11:43 com.adobe.fpsaud.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 621 Aug 31 2011 com.adobe.versioncueCS4.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 780 Dec 21 2012 com.ambrosiasw.ambrosiaaudiosupporthelper.daemon.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 770 Sep 25 2012 com.bombich.ccc.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rwxr-xr-x 1 root wheel 474 Nov 6 2013 com.cleverfiles.cfbackd.plist -bash: -rwxr-xr-x: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 656 Sep 5 2011 com.daz3d.content_management_service.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 814 Oct 12 2012 com.google.keystone.daemon.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 469 Aug 10 2012 com.intego.commonservices.metrics.kschecker.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 833 Apr 26 2013 com.macpaw.CleanMyMac2.Agent.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 1008 May 4 18:02 com.micromat.TechToolProDaemon.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 458 Sep 10 2013 com.raynersw.nshctldo.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 622 Jul 16 2012 com.teamviewer.teamviewer_service.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ Bigs-iMac:~ bigtrees$ ls -l /Library/LaunchAgents -bash: Bigs-iMac:~: command not found Bigs-iMac:~ bigtrees$ total 64 -bash: total: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 464 May 12 11:35 at.obdev.LittleSnitchUIAgent.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 697 Apr 15 2013 com.Logitech.Control Center.Daemon.plist -bash: -rw-r--r--: 
command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 612 Apr 19 10:47 com.adobe.AAM.Updater-1.0.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 493 Dec 21 15:47 com.extensis.FMCore.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 788 Oct 12 2012 com.google.keystone.agent.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 660 Aug 10 2012 com.intego.commonservices.statusitem.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root wheel 581 May 4 18:02 com.micromat.TechToolProAgent.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ -rw-r--r-- 1 root admin 428 Dec 22 2011 com.srs.EssentialsAgent.plist -bash: -rw-r--r--: command not found Bigs-iMac:~ bigtrees$ Bigs-iMac:~ bigtrees$ ls -l ~/Library/LaunchAgents ls -l /Library/LaunchDaemons total 112 -rw-r--r-- 1 root wheel 631 May 12 11:35 at.obdev.littlesnitchd.plist -rw-r--r-- 1 root wheel 634 Sep 19 2012 com.adobe.SwitchBoard.plist -rw-r--r-- 1 root wheel 462 Apr 12 11:43 com.adobe.fpsaud.plist -rw-r--r-- 1 root wheel 621 Aug 31 2011 com.adobe.versioncueCS4.plist -rw-r--r-- 1 root wheel 780 Dec 21 2012 com.ambrosiasw.ambrosiaaudiosupporthelper.daemon.plist -rw-r--r-- 1 root wheel 770 Sep 25 2012 com.bombich.ccc.plist -rwxr-xr-x 1 root wheel 474 Nov 6 2013 com.cleverfiles.cfbackd.plist -rw-r--r-- 1 root wheel 656 Sep 5 2011 com.daz3d.content_management_service.plist -rw-r--r-- 1 root wheel 814 Oct 12 2012 com.google.keystone.daemon.plist -rw-r--r-- 1 root wheel 469 Aug 10 2012 com.intego.commonservices.metrics.kschecker.plist -rw-r--r-- 1 root wheel 833 Apr 26 2013 com.macpaw.CleanMyMac2.Agent.plist -rw-r--r-- 1 root wheel 1008 May 4 18:02 com.micromat.TechToolProDaemon.plist -rw-r--r-- 1 root wheel 458 Sep 10 2013 com.raynersw.nshctldo.plist -rw-r--r-- 1 root wheel 622 Jul 16 2012 com.teamviewer.teamviewer_service.plist |ls -l /Library/LaunchAgents 
-rw-r--r-- 1 root wheel 464 May 12 11:35 at.obdev.LittleSnitchUIAgent.plist -rw-r--r-- 1 root wheel 697 Apr 15 2013 com.Logitech.Control Center.Daemon.plist -rw-r--r-- 1 root wheel 612 Apr 19 10:47 com.adobe.AAM.Updater-1.0.plist -rw-r--r-- 1 root wheel 493 Dec 21 15:47 com.extensis.FMCore.plist -rw-r--r-- 1 root wheel 788 Oct 12 2012 com.google.keystone.agent.plist -rw-r--r-- 1 root wheel 660 Aug 10 2012 com.intego.commonservices.statusitem.plist -rw-r--r-- 1 root wheel 581 May 4 18:02 com.micromat.TechToolProAgent.plist -rw-r--r-- 1 root admin 428 Dec 22 2011 com.srs.EssentialsAgent.plist ls -l ~/Library/LaunchAgents -rwxr-xr-- 1 bigtrees admin 601 Mar 1 2013 com.adobe.ARM.df0ab5bbe6f698196fcc21e3c1e66dcb758bd911f4d637272d9d8109.plist -rw-r--r-- 1 bigtrees staff 618 Dec 22 18:40 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.DC971EDC-8F3D-48D9-916F-03994714B687.plist -rwxr-xr-- 1 bigtrees staff 902 May 21 2013 com.macpaw.CleanMyMac2Helper.scheduledScan.plist -rwxr-xr-- 1 bigtrees staff 694 May 21 2013 com.macpaw.CleanMyMac2Helper.trashWatcher.plist -rw-r--r-- 1 bigtrees staff 498 May 12 14:33 com.pia.pia_manager.plist -rwxr-xr-- 1 bigtrees admin 770 May 15 19:09 com.valvesoftware.steamclean.plist -rwxr-xr--@ 1 bigtrees staff 545 May 29 2013 ws.agile.1PasswordAgent.plist |
| Re: The Benutzer system folder (/Users) is not secure. | Tunnelblick developer | 16/05/14 09:09 | Thanks, goo...@buenomarketing.com. From gaz's post, this happens even after a "safe boot", which means it doesn't have anything to do with the usual suspects -- third-party additions. So we don't need anyone to run the Terminal commands anymore -- they are irrelevant. I have submitted a bug report to Apple about this, with links to this discussion and the Apple discussion, and emailed their product security address about it. Hopefully they will look into this and get it fixed. In the meantime, I think the best solution is to Repair Permissions each time you reboot, or enter the following into Terminal:
which will fix the problem on /Users, so Tunnelblick will launch. (Tunnelblick doesn't use anything in /Users/Shared, so it doesn't check that.) An alternative is to run a very old and insecure version of Tunnelblick, which may not support features that you need (for example, it won't include OpenVPN 2.3.4). But each individual user will need to make that decision himself/herself. I think the last version that doesn't check these permissions is 3.3beta21b, which can be downloaded from Tunnelblick's Security Risk Downloads page. |
| Re: The Benutzer system folder (/Users) is not secure. | Mathew Nichols | 16/05/14 14:18 | More complications with the "Users" folder: http://www.loopinsight.com/2014/05/16/in-os-x-10-9-3-many-users-experiencing-a-hidden-users-folder-heres-a-fix/
|
| Re: The Benutzer system folder (/Users) is not secure. | m.h...@gmail.com | 16/05/14 14:30 | Making the Users-Folder visible again (yes, it's hidden now after Mavericks update) sudo chflags nohidden /Users Setting the correct permissions demanded by Tunnelblick sudo chmod 755 /Users/ ls -la should look like this drwxr-xr-x 6 root wheel 204 23 Okt 2013 Users This will be reset by reboot and has to be done once, e.g. as a startup script, before starting Tunnelblick |
| Re: The Benutzer system folder (/Users) is not secure. | Gareth Stephens | 16/05/14 15:39 | Just to confirm that disabling Find My Mac and running Disk Utilities' Repair Disk Permissions worked for me. To save repeating it all it is here in the thread linked to by Jonathon above. You would need to run the chflags command you posted as well I believe but I haven't tested this yet. |
| Re: The Benutzer system folder (/Users) is not secure. | Tunnelblick developer | 16/05/14 17:34 | This problem appears to be an interaction between the iTunes 11.2 update and Find My Mac. The combination apparently causes the /Users folder to (A) be made "hidden", and (B) have permissions 0777 each time you restart your computer. It also makes the /Users/Shared folder hidden and may change its permissions, too. One workaround is to disable Find My Mac and then use Disk Utility to "Repair Permissions". I don't know if rolling back the iTunes update will also solve the problem. |
| Re: The Benutzer system folder (/Users) is not secure. | Tunnelblick developer | 17/05/14 01:18 | The solution to this problem is to update to iTunes 11.2.1. |
| Re: The Benutzer system folder (/Users) is not secure. | Gareth Stephens | 17/05/14 02:12 | Thanks, and just to confirm the update fixed my issue too. |
| Re: The Benutzer system folder (/Users) is not secure. | ami...@moonfroglabs.com | 11/01/16 11:37 | Change file permissions as mentioned: https://tunnelblick.net/cSystemFolderNotSecure.html then remove any lines in config file that show error while running the config. Thanks, Amith |
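
The condition discussed in this thread (/Users expected to be root:wheel with mode 0755, but found at 0777 after each reboot) can be checked without changing anything. This is an added example, not Tunnelblick's own code and not from any poster above; the function name `check_folder`, its arguments and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Tunnelblick's code): read-only audit of a system folder.
# check_folder PATH [UID] [GID]
#   UID/GID default to 0/0, i.e. root:wheel on OS X.
#   Exit status: 0 = as expected, 1 = insecure, 2 = not a directory.
check_folder() {
    path=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    [ -d "$path" ] || { echo "$path: not a directory"; return 2; }

    # "ls -ldn" prints numeric owner/group on both OS X and Linux. Keep only
    # the 10-character mode string (dropping a trailing "@" or "+") and IDs.
    set -- $(ls -ldn -- "$path" | awk '{print substr($1,1,10), $3, $4; exit}')
    mode=$1 uid=$2 gid=$3
    rc=0
    [ "$uid" = "$want_uid" ] || { echo "$path: owner uid is $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "$path: group gid is $gid, expected $want_gid"; rc=1; }
    # Character 6 is the group write bit, character 9 the "other" write bit;
    # 0755 (drwxr-xr-x) has neither, 0777 (drwxrwxrwx) has both.
    case $mode in ?????w????) echo "$path: group-writable ($mode)"; rc=1 ;; esac
    case $mode in ????????w?) echo "$path: world-writable ($mode)"; rc=1 ;; esac
    return $rc
}

# Run as: sh check_folder.sh /Users
if [ $# -gt 0 ]; then check_folder "$@"; fi
```

Run after each reboot, a non-zero exit status shows whether the permissions have reverted before any repair is applied.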