System Folder Security

One aspect of computer security is the security of system files and folders — files and folders created by macOS to run your computer. The security is primarily controlled by the ownership and permissions of the files and folders that make up macOS and the applications and data on your computer.

Tunnelblick checks the security of itself and of the parts of macOS that it uses. That sometimes results in Tunnelblick complaining that a system folder is not secure, and refusing to connect a VPN. For example, you might see the following message after launching Tunnelblick:

[Image: window with title 'System Requirements Not Met' and 'Help', 'Continue', and 'Quit' buttons]

Other problems with system folder security may only appear when you try to connect to a VPN.

Tunnelblick repairs the security of all of its own files and folders, but does not repair files and folders that it does not create, such as system folders.

How System Folders Become Insecure

System folders are secure when macOS is installed, and usually only become insecure as the result of a program installer behaving improperly. System folders could become insecure because of malware, but that is rare. Examples of installers that have made system folders insecure:

  • In May 2014, Apple's iTunes 11.2 update caused each system boot to set insecure permissions on /Users and /Users/Shared. This was corrected in iTunes 11.2.1.
  • There are reports that some older MacPorts installers make /usr insecure, and that some SPSS and XQuartz installers and some player application installers for Vulkano streaming video make /Applications insecure.

Repairing System Folder Security

On OS X 10.11 and higher, some system folders are protected by "System Integrity Protection". However, other folders are not, and the "Disk Utility" does not include "Repair Disk Permissions". Apple sometimes provides instructions for repairing permissions on items in your home folder, but they frequently change and are very involved.

On OS X 10.6 - 10.10, the ownership and permissions of system folders can be repaired by using the "Disk Utility" application (/Applications/Utilities/Disk Utility). Select the boot volume in the list on the left, and click on "Repair Disk Permissions".

Disk Utility in OS X 10.5 and lower does not fix the ownership and permissions of system folders; they must be repaired manually using the Terminal application (/Applications/Utilities/Terminal).

Correct System Folder Ownership and Permissions

System folder ownership and permissions vary from folder to folder and from one version of macOS to another. The following tables list the standard (secure) ownership and permissions for selected system folders under various versions of OS X and macOS.

For OS X 10.11 and higher (including all versions of macOS):

| Folder | Owner | Group | Permissions | Octal | Terminal command to repair |
| --- | --- | --- | --- | --- | --- |
| /Applications | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Applications; sudo chmod 0775 /Applications |
| /Library | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /Library; sudo chmod 0755 /Library |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 | sudo chown root:admin /Library/Application\ Support; sudo chmod 0755 /Library/Application\ Support |
| /private | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /private; sudo chmod 0755 /private |
| /private/tmp | root | wheel | rwxrwxrwt | 1777 | sudo chown root:wheel /private/tmp; sudo chmod 01777 /private/tmp |
| /Users | root | admin | rwxr-xr-x | 0755 | sudo chown root:admin /Users; sudo chmod 0755 /Users |
| /usr | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr; sudo chmod 0755 /usr |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr/bin; sudo chmod 0755 /usr/bin |
| /tmp (10.11 - 10.14, 10.16, 11.0) | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /tmp; sudo chmod 0755 /tmp |
| /tmp (10.15 only) | root | admin | rwxr-xr-x | 0755 | sudo chown root:admin /tmp; sudo chmod 0755 /tmp |
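
A read-only way to compare a Mac against the table above before repairing anything. This is an added example, not Tunnelblick's own code; the function names are illustrative, and /tmp is left out because its expected group depends on the macOS version.

```shell
#!/bin/sh
# Added example: read-only audit against the "OS X 10.11 and higher" table.
# Function names are illustrative; nothing on disk is changed.

# Print "owner group rwxrwxrwx" for a path. ls is used instead of stat
# because its long format is the same in the BSD (macOS) and GNU userlands.
# substr() drops the file-type character and any trailing "@" or "+" flag.
folder_state() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3, $4, substr($1, 2, 9) }'
}

# Return 0 if the folder has the expected owner, group and permissions;
# otherwise report what was found and return 1.
check_folder() {
    want="$2 $3 $4"
    have=$(folder_state "$1")
    if [ -z "$have" ]; then
        echo "NOT FOUND $1"
        return 1
    elif [ "$have" != "$want" ]; then
        echo "INSECURE  $1: found '$have', expected '$want'"
        return 1
    fi
    echo "OK        $1"
}

# Check every folder from the table except /tmp.
# Returns 0 only if all folders match.
audit_system_folders() {
    failures=0
    while IFS='|' read -r path owner group perms; do
        check_folder "$path" "$owner" "$group" "$perms" || failures=$((failures + 1))
    done <<'EOF'
/Applications|root|admin|rwxrwxr-x
/Library|root|wheel|rwxr-xr-x
/Library/Application Support|root|admin|rwxr-xr-x
/private|root|wheel|rwxr-xr-x
/private/tmp|root|wheel|rwxrwxrwt
/Users|root|admin|rwxr-xr-x
/usr|root|wheel|rwxr-xr-x
/usr/bin|root|wheel|rwxr-xr-x
EOF
    echo "$failures folder(s) differ from the table"
    [ "$failures" -eq 0 ]
}

audit_system_folders || echo "Review the lines above before repairing anything."
```

Each INSECURE line shows the current owner, group and permissions next to the expected ones, so only the folders that actually differ need the repair command from their table row.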

For OS X 10.7 - 10.10: Use "Repair Disk Permissions" in Disk Utility

| Folder | Owner | Group | Permissions | Octal |
| --- | --- | --- | --- | --- |
| /Applications | root | admin | rwxrwxr-x | 0775 |
| /Library | root | wheel | rwxr-xr-x | 0755 |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 |
| /private | root | wheel | rwxr-xr-x | 0755 |
| /Users | root | admin | rwxr-xr-x | 0755 |
| /usr | root | wheel | rwxr-xr-x | 0755 |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 |

For OS X 10.6: Use "Repair Disk Permissions" in Disk Utility

| Folder | Owner | Group | Permissions | Octal |
| --- | --- | --- | --- | --- |
| /Applications | root | admin | rwxrwxr-x | 0775 |
| /Library | root | wheel | rwxr-xr-t | 1755 |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 |
| /private | root | wheel | rwxr-xr-x | 0755 |
| /Users | root | admin | rwxrwxr-x | 0775 |
| /usr | root | wheel | rwxr-xr-x | 0755 |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 |

For OS X 10.5:

| Folder | Owner | Group | Permissions | Octal | Terminal command to repair |
| --- | --- | --- | --- | --- | --- |
| /Applications | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Applications; sudo chmod 0775 /Applications |
| /Library | root | admin | rwxrwxr-t | 1775 | sudo chown root:admin /Library; sudo chmod 1775 /Library |
| /Library/Application Support | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /Library/Application\ Support; sudo chmod 0755 /Library/Application\ Support |
| /Users | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Users; sudo chmod 0775 /Users |
| /usr | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr; sudo chmod 0755 /usr |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr/bin; sudo chmod 0755 /usr/bin |

For OS X 10.4:

| Folder | Owner | Group | Permissions | Octal | Terminal command to repair |
| --- | --- | --- | --- | --- | --- |
| /Applications | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Applications; sudo chmod 0775 /Applications |
| /Library | root | admin | rwxrwxr-t | 1775 | sudo chown root:admin /Library; sudo chmod 1775 /Library |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 | sudo chown root:admin /Library/Application\ Support; sudo chmod 0755 /Library/Application\ Support |
| /Users | root | admin | rwxrwxr-t | 1775 | sudo chown root:admin /Users; sudo chmod 1775 /Users |
| /usr | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr; sudo chmod 0755 /usr |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr/bin; sudo chmod 0755 /usr/bin |