Announcement

[2017.09.08] DeployStudio build v1.7.8 (checksum, release note).
[2016.08.26] DeployStudio build v1.6.19 (release note).
[2013.02.23] DeployStudio last universal build v1.5.17 (release note).

#1 2018-03-01 18:30:22

ooshnoo
Member
Registered: 2011-06-13

Admin... Why does imaging change permissions on /Library directory?

Admin... Why does imaging change permissions on /Library directory to root:admin from its default of root:wheel? It's either the "Hostname" or the "Configure" form in the workflow that's doing it, as if I exclude them from the workflow, permissions are left as they should.

This is preventing certain software from installing and we'd like a workaround / fix if possible.

Thanks!

-A

Last edited by ooshnoo (2018-03-01 19:45:44)

Offline

#2 2018-03-07 20:03:18

jelockwood
Member
Registered: 2009-11-11

Re: Admin... Why does imaging change permissions on /Library directory?

Related to this issue it appears DeployStudio also changes the permissions of /Library as well as the group.

The correct original permissions should be drwxr-xr-x but DeployStudio leaves it as drwxrwxr-x

As @ooshnoo states the owner:group is also changed from root:wheel to root:admin

For most situations these changes do not cause obvious problems although the suspicion is that this will affect the security of the computer. However I have encountered at least one major issue caused by this. The Sophos anti-virus installer runs a check before installing to verify that the following directories have the correct permissions -

/
/Library
/Library/Application Support

All three should normally be drwxr-xr-x

As mentioned because of this bug in DeployStudio /Library ends up with the incorrect permissions and group ownership. As a result the Sophos installer refuses to allow an install. Since /Library is protected by SIP the only way to fix this requires turning off SIP, modifying the permissions/ownership and then turning SIP back on. With the permissions fixed on /Library the Sophos installer then works.

I only noticed this after setting my DeployStudio to provide a High Sierra 10.13.3 image, I do not recall it happening on older versions of image. I am using DeployStudio 1.7.8 on a Mac mini running macOS 10.13.3. The High Sierra image was created using AutoDMG.

Offline
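
The check described in the post above, as an added example that is not part of the original thread or of DeployStudio or Sophos: a shell audit of the three listed directories against the mode and owner:group the posts give as correct (drwxr-xr-x, root:wheel). The function names and the ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the three directories named in the thread against the
# mode and owner:group the posts give as correct (drwxr-xr-x, root:wheel).
# Function names and the ROOT argument are assumptions made for this example.

# Print "mode owner group" for a directory, parsed from `ls -ld`.
# Only the first 10 characters of the mode are kept, so a trailing
# ACL/extended-attribute marker ("+", "@", ".") does not affect the comparison.
dir_perms() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# check_dir PATH MODE OWNER GROUP -> returns 0 if PATH matches, 1 otherwise.
check_dir() {
    actual=$(dir_perms "$1")
    expected="$2 $3 $4"
    if [ "$actual" = "$expected" ]; then
        echo "OK    $1 ($actual)"
        return 0
    fi
    echo "DRIFT $1: found '${actual:-missing}', expected '$expected'"
    return 1
}

# audit_library ROOT -> checks ROOT/, ROOT/Library and
# ROOT/Library/Application Support; returns 1 if any of them has drifted.
audit_library() {
    root=${1%/}
    status=0
    for d in "$root/" "$root/Library" "$root/Library/Application Support"; do
        check_dir "$d" drwxr-xr-x root wheel || status=1
    done
    return $status
}
```

Call `audit_library ""` on a booted Mac, or `audit_library "/Volumes/Macintosh HD"` from a workflow step against the target volume; a non-zero return means at least one directory differs from the expected values.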

#3 2018-03-09 11:25:51

MacG
Member
From: Denmark
Registered: 2009-09-10
Website

Re: Admin... Why does imaging change permissions on /Library directory?

It happens even if you don't use DeployStudio to put an image on your Macs: We use DS to bind to AD, install a few configuration packages, run a few scripts, and then Munki takes over installing the rest.
It still changes the permissions on /Library.

If you make a script in DeployStudio:

#!/bin/sh

chmod 755 /Volumes/Macintosh\ HD/Library
chown root:wheel /Volumes/Macintosh\ HD/Library

reboot

exit 0

And run it in a non-postponed step at the end of your workflow it will work with Sophos, but we have 400+ Macs that can't update Sophos because of this...
I've made a workflow that just runs the script above, but it means we have to call the affected Macs into the Servicedesk... Not good.


Mac4ever..

Offline

#4 2018-03-12 13:31:54

Joon
Member
Registered: 2012-02-15

Re: Admin... Why does imaging change permissions on /Library directory?

Why reboot at the end of the script?
Does DS still change the permissions after the script has run?

http://www.deploystudio.com/Forums/viewtopic.php?id=7349 this is also very recent and about permissions.

Last edited by Joon (2018-03-12 13:33:04)

Offline

#5 2018-03-19 12:57:20

admin
Administrator
Registered: 2007-03-29
Website

Re: Admin... Why does imaging change permissions on /Library directory?

Hi, we have a 1.7.9 beta fixing this.

Offline

#6 2018-03-20 16:22:07

ooshnoo
Member
Registered: 2011-06-13

Re: Admin... Why does imaging change permissions on /Library directory?

> admin wrote:

> Hi, we have a 1.7.9 beta fixing this.

Thank you.  I’ve confirmed the issue is fixed and our software installed correctly.

Offline

#7 2018-03-27 07:29:11

Joon
Member
Registered: 2012-02-15

Re: Admin... Why does imaging change permissions on /Library directory?

How did you fix this, ooshnoo? I don't see a beta available anywhere.

Offline

#8 2018-05-07 18:16:33

Peteo
Member
Registered: 2012-03-22

Re: Admin... Why does imaging change permissions on /Library directory?

Sophos has a KB article on this:

https://community.sophos.com/kb/en-us/131959

Offline

#9 2018-05-07 18:51:14

Peteo
Member
Registered: 2012-03-22

Re: Admin... Why does imaging change permissions on /Library directory?

Looking at our image I only see this happening with /Library folder for us. The root folder and /Library/Application Support seem to have the correct owners.

Also does anyone working on DeployStudio know when these permissions started to get changed? Was it with 1.7.8 release or before?

Offline
