Best application ownership and permissions?

  • What are the best (or correct, or recommended) ownership and permissions settings for ordinary third-party applications in Mac OS X 10.7 Lion? Were there different recommendations in older versions of Mac OS X?

    The latest PackageMaker User Guide (Jan 2012) says this: "In most cases, the owner should be root and the group admin."

    There are 2 reasons why I'm asking:

    (1) in a small random sample of third-party applications in my local /Applications folder, about half set the owner to system (root) and half to the current user. It makes at least this difference: the applications owned by the current user do not require authentication when I drag them out of the /Applications folder, but the applications owned by root do. It strikes me that requiring authentication is the better practice, since the /Applications folder is shared by all users.

    (2) In Lion, the permissions for all subfolders in the root folder, including /Applications, were changed to mode 755 (writable only by root) instead of mode 775 (writable by the admin group) according to Apple's What's New in Mac OS X document for Lion. This indicates to me at least an intention to increase security with respect to manipulation of the /Applications folder.

    --

    Bill Cheeseman - <bill...>
  • On May 30, 2012, at 6:07 PM, Bill Cheeseman wrote:

    What are the best (or correct, or recommended) ownership and permissions settings for ordinary third-party applications in Mac OS X 10.7 Lion? Were there different recommendations in older versions of Mac OS X?

    I've never been able to find a documentation officially stating the recommendations for the permissions and ownership in Mac OS X. The best source of information has always been the installation packages for the OS (if you're lucky enough not to be looking for some folders that are created upon installation). The evolution of these permissions have been said to be organic.

    The latest PackageMaker User Guide (Jan 2012) says this: "In most cases, the owner should be root and the group admin."

    There are 2 reasons why I'm asking:

    (1) in a small random sample of third-party applications in my local /Applications folder, about half set the owner to system (root) and half to the current user. It makes at least this difference: the applications owned by the current user do not require authentication when I drag them out of the /Applications folder, but the applications owned by root do. It strikes me that requiring authentication is the better practice, since the /Applications folder is shared by all users.

    Applications owned by the current user have most of the time been installed by drag and drop.

    If you check the permissions of applications installed from the Mac App Store, they are owned by root:wheel (the same is true for the System Applications).
  • On May 30, 2012, at 12:37 PM, St├ęphane Sudre wrote:

    > If you check the permissions of applications installed from the Mac App Store, they are owned by root:wheel (the same is true for the System Applications).

    It wasn't long ago that Apple documentation said wheel is not used in Mac OS X and is essentially identical to admin. I've noticed that wheel is now in use by Apple, but I don't know why or what the significance of this change might be.

    In looking at a number of Apple applications in Lion, I see quite a variety of settings. The admin group is widely used. In a surprisingly large number of Apple applications it is set to Read & Write instead of Read only, which strikes me as odd given the radically increased emphasis on security recently.

    Based on everything I've found and read, and your comments, I am inclined to set my applications (which use an installer package) to owner: system (root) Read & Write, group: wheel Read only, and all (everybody): Read only.

    --

    Bill Cheeseman - <bill...>
  • On 5/30/12 10:10 AM, Bill Cheeseman wrote:
    >
    > On May 30, 2012, at 12:37 PM, St├ęphane Sudre wrote:
    >
    >> If you check the permissions of applications installed from the Mac
    >> App Store, they are owned by root:wheel (the same is true for the
    >> System Applications).

    Remember that OS X also uses ACLs, which render the simplistic ownership
    analysis meaningless.

    This is where the difference between, for example, built-in and App
    Store apps arises:

    $ ls -lde iTunes.app Screeny.app
    drwxr-xr-x  3 root  wheel  102 Mar  6 12:23 Screeny.app
    drwxr-xr-x+ 3 root  wheel  102 Mar 31 14:41 iTunes.app
    0: group:everyone deny delete

    --
    Conrad Shultz

    Synthetiq Solutions
    www.synthetiqsolutions.com
previous month may 2012 next month
MTWTFSS
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      
Go to today