Thanks Apple… iTunes update opens /Users to the world

Yesterday I noticed something odd when I made a commit:

/Library/Ruby/Site/facter/util/resolution.rb:27: warning: Insecure world writable dir /Users in PATH, mode 040777

Odd.

I wasn’t sure what the permissions on /Users should be, but it’s fairly safe to assume that world-writable isn’t correct. Assuming that a recent OSX update or corporate management software had done something stupid, I ran disk utility and its “fix permissions” feature, which rectified the problem.

What caught it in this case was a code syntax checker, which runs on every commit. I wouldn’t have seen it otherwise, and most people wouldn’t know it had happened. But the impact is potentially severe if you share your computer with people you don’t trust with all your personal information: any person with a valid user account could take over your User directory and read your files.

The culprit turned out to be iTunes. Apple has fortunately released a fix, so go and download the 250-odd megabyte update again. A quicker, temporary resolution is to run the following from Terminal:

[shell]
sudo chmod 755 /Users
[/shell]

However, according to the security bulletin, this is reset on every boot, so updating is the only way to fix it permanently.
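As an added example (not from the original post), here is a POSIX shell script that performs the same check Ruby did when it emitted the warning above: it walks PATH and flags any directory whose others-write bit is set without the sticky bit, which is the state /Users was left in (mode 040777). It parses `ls -ldL` output rather than `stat` so the same script runs on both macOS and Linux.

```shell
#!/bin/sh
# Added example, not from the original post: detect world-writable directories
# on PATH, the condition behind Ruby's "Insecure world writable dir" warning.

# Symbolic mode of a path, e.g. "drwxrwxrwx" (macOS may append "@" or "+" for
# extended attributes or ACLs). ls -ldL follows symlinks to the real directory
# and is used instead of stat, whose flags differ between macOS and GNU.
mode_string() {
    ls -ldL "$1" | cut -d' ' -f1
}

# Classify a symbolic mode by its "others" triplet (characters 8-10):
#   world-writable  others can write, no sticky bit (the /Users case, 040777)
#   sticky          others can write but the sticky bit is set (normal for /tmp)
#   ok              others cannot write
classify_mode() {
    case "$(printf '%s\n' "$1" | cut -c8-10)" in
        ?w[tT]) echo sticky ;;
        ?w?)    echo world-writable ;;
        *)      echo ok ;;
    esac
}

# Walk a colon-separated directory list (default: $PATH) and warn about each
# existing directory that is world-writable without the sticky bit.
# Returns 1 if any was found, 0 otherwise.
check_path_dirs() {
    list=${1:-$PATH}
    found=0
    old_ifs=$IFS
    IFS=:
    set -f            # no globbing while splitting the list into words
    set -- $list
    set +f
    IFS=$old_ifs
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        if [ "$(classify_mode "$(mode_string "$dir")")" = world-writable ]; then
            echo "warning: insecure world writable dir $dir in PATH" >&2
            found=1
        fi
    done
    return $found
}

# Stand-alone use: report PATH entries that need the post's chmod 755 fix.
check_path_dirs && echo "no world-writable directories on PATH"
```

Running it after `sudo chmod 755 /Users` (or after the iTunes update) should report nothing; running it on a box with the broken permissions prints the same warning the Ruby interpreter did.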
