System Folder Security
One aspect of computer security is the security of system files and folders — files and folders created by macOS to run your computer. The security is primarily controlled by the ownership and permissions of the files and folders that make up macOS and the applications and data on your computer.
Tunnelblick checks the security of itself and of the parts of macOS that it uses. That sometimes results in Tunnelblick complaining that a system folder is not secure, and refusing to connect a VPN. For example, you might see the following message after launching Tunnelblick:
Other problems with system folder security may only appear when you try to connect to a VPN.
Tunnelblick repairs the security of all of its own files and folders, but does not repair files and folders that it does not create, such as system folders.
How System Folders Become Insecure
System folders are secure when macOS is installed, and usually only become insecure as the result of a program installer behaving improperly. Malware could also make them insecure, but that is rare. Known examples of installers that have done so:
- In May 2014, Apple's iTunes 11.2 update caused each system boot to set insecure permissions on /Users and /Users/Shared. This was corrected in iTunes 11.2.1.
- There are reports that some older MacPorts installers make /usr insecure, and that some SPSS and XQuartz installers, and some player application installers for Vulkano streaming video, make /Applications insecure.
Repairing System Folder Security
On OS X 10.11 and higher, some system folders are protected by "System Integrity Protection" (SIP) and cannot be modified even by root. Folders that SIP does not protect can still become insecure, and Disk Utility on these versions no longer includes "Repair Disk Permissions", so those folders must be repaired manually with the Terminal commands in the table below. Apple sometimes provides instructions for repairing permissions on items in your home folder, but they frequently change and are very involved.
On OS X 10.6 - 10.10, the ownership and permissions of system folders can be repaired by using the "Disk Utility" application (/Applications/Utilities/Disk Utility). Select the boot volume in the list on the left, and click on "Repair Disk Permissions".
Disk Utility in OS X 10.5 and lower does not fix the ownership and permissions of system folders; they must be repaired manually using the Terminal application (/Applications/Utilities/Terminal).
Correct System Folder Ownership and Permissions
System folder ownership and permissions vary from folder to folder and from one version of macOS to another. The following tables list the standard (secure) ownership and permissions for selected system folders under various versions of OS X and macOS. (Ownership is written as owner:group; "Octal" is the mode to pass to chmod, where a leading 1 is the sticky bit shown as "t" in the Permissions column.)
For OS X 10.11 and higher (including all versions of macOS):
| Folder | Owner | Group | Permissions | Octal | Terminal command to repair |
|---|---|---|---|---|---|
| /Applications | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Applications; sudo chmod 0775 /Applications |
| /Library | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /Library; sudo chmod 0755 /Library |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 | sudo chown root:admin /Library/Application\ Support; sudo chmod 0755 /Library/Application\ Support |
| /private | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /private; sudo chmod 0755 /private |
| /private/tmp | root | wheel | rwxrwxrwt | 1777 | sudo chown root:wheel /private/tmp; sudo chmod 01777 /private/tmp |
| /Users | root | admin | rwxr-xr-x | 0755 | sudo chown root:admin /Users; sudo chmod 0755 /Users |
| /usr | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr; sudo chmod 0755 /usr |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr/bin; sudo chmod 0755 /usr/bin |
| /tmp (10.11 - 10.14, 10.16, 11.0) | root | wheel | rwxr-xr-x | 0755 | sudo chown -h root:wheel /tmp; sudo chmod -h 0755 /tmp |
| /tmp (10.15 only) | root | admin | rwxr-xr-x | 0755 | sudo chown -h root:admin /tmp; sudo chmod -h 0755 /tmp |

Note that /tmp is a symbolic link to /private/tmp, and the /tmp rows describe the link itself. The -h option makes chown and chmod act on the link; without it they follow the link and would set /private/tmp to 0755, removing the world-writable, sticky-bit permissions (1777) that /private/tmp must have. If a command fails with "Operation not permitted", the folder is protected by System Integrity Protection (or, on 10.15 and later, is on the read-only system volume); such folders cannot be changed and do not need repair.
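The comparison that the table asks you to make by hand can be scripted. The following shell script is an added example, not Tunnelblick's or Apple's code: it reads each folder's actual owner, group and mode with stat (which, unlike chown and chmod, does not follow a final symbolic link, so /tmp is reported as the link the table describes), compares them with the expected values, and prints a repair command for every mismatch rather than changing anything. The function names, the output format and the RUN_AUDIT variable are this example's own choices; the folder rows are those of the 10.11-and-later table above, and the GNU-stat branch is an assumption added only so the functions also run on Linux.

```shell
#!/bin/sh
# Added example, not Tunnelblick's own code: audit selected macOS system
# folders against the owner, group and octal mode from the table above and
# print the repair command for each mismatch. Nothing is changed by this
# script; run the printed commands yourself after reviewing them.

# Print "owner group mode" for a path, e.g. "root wheel 1777", without
# following a final symlink, so /tmp reports the link (as the table does),
# not /private/tmp. macOS ships BSD stat; the GNU branch is an assumption
# so the functions also run on Linux.
actual_ogm() {
    case $(uname -s) in
    Darwin)
        out=$(stat -f '%Su %Sg %Op' "$1" 2>/dev/null) || return 1
        set -- $out
        mode=$3                      # full st_mode in octal, e.g. 40755 or 120755
        printf '%s %s %s\n' "$1" "$2" "${mode#"${mode%????}"}"   # last four digits only
        ;;
    *)
        out=$(stat -c '%U %G %a' "$1" 2>/dev/null) || return 1
        set -- $out
        printf '%s %s %04d\n' "$1" "$2" "$3"   # %a omits leading zeros: 755 -> 0755
        ;;
    esac
}

# repair_cmd PATH OWNER GROUP OCTAL: print the command that would fix PATH.
# The path is single-quoted for names such as "/Library/Application Support".
# -h (valid for the BSD chown and chmod on macOS) changes a symlink such as
# /tmp itself instead of following it and altering /private/tmp.
repair_cmd() {
    printf "sudo chown -h %s:%s '%s'; sudo chmod -h %s '%s'\n" "$2" "$3" "$1" "$4" "$1"
}

# check_folder PATH OWNER GROUP OCTAL
# Returns 0 when PATH matches, 1 on a mismatch (and prints the repair
# command), 2 when PATH does not exist.
check_folder() {
    want="$2 $3 $4"
    have=$(actual_ogm "$1") || { printf 'MISSING  %s\n' "$1"; return 2; }
    if [ "$have" = "$want" ]; then
        printf 'ok       %s\n' "$1"
        return 0
    fi
    printf 'INSECURE %s is %s, expected %s\n' "$1" "$have" "$want"
    printf '         %s\n' "$(repair_cmd "$1" "$2" "$3" "$4")"
    return 1
}

# Walk the 10.11-and-later table (path|owner|group|octal). The /tmp row is
# the root:wheel variant; on 10.15 the table expects root:admin. Returns 1
# if any folder is insecure or missing. A printed repair that later fails
# with "Operation not permitted" targets a folder that System Integrity
# Protection keeps read-only, which therefore needs no repair.
check_system_folders() {
    rc=0
    while IFS='|' read -r p o g m; do
        check_folder "$p" "$o" "$g" "$m" || rc=1
    done <<'EOF'
/Applications|root|admin|0775
/Library|root|wheel|0755
/Library/Application Support|root|admin|0755
/private|root|wheel|0755
/private/tmp|root|wheel|1777
/Users|root|admin|0755
/usr|root|wheel|0755
/usr/bin|root|wheel|0755
/tmp|root|wheel|0755
EOF
    return $rc
}

# Run the audit only when asked, so the file can also be sourced for its functions.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    check_system_folders
fi
```

Save the script as a file and run `RUN_AUDIT=1 sh check_folders.sh` in Terminal. Because it only prints, every suggested chown or chmod can be read before it is run with sudo; keeping stat's no-follow behaviour and chown/chmod's -h consistent is what stops a "repair" of /tmp from silently loosening /private/tmp.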
For OS X 10.7 - 10.10: Use "Repair Disk Permissions" in Disk Utility
| Folder | Owner | Group | Permissions | Octal |
|---|---|---|---|---|
| /Applications | root | admin | rwxrwxr-x | 0775 |
| /Library | root | wheel | rwxr-xr-x | 0755 |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 |
| /private | root | wheel | rwxr-xr-x | 0755 |
| /Users | root | admin | rwxr-xr-x | 0755 |
| /usr | root | wheel | rwxr-xr-x | 0755 |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 |
For OS X 10.6: Use "Repair Disk Permissions" in Disk Utility
| Folder | Owner | Group | Permissions | Octal |
|---|---|---|---|---|
| /Applications | root | admin | rwxrwxr-x | 0775 |
| /Library | root | wheel | rwxr-xr-t | 1755 |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 |
| /private | root | wheel | rwxr-xr-x | 0755 |
| /Users | root | admin | rwxrwxr-x | 0775 |
| /usr | root | wheel | rwxr-xr-x | 0755 |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 |
For OS X 10.5:
| Folder | Owner | Group | Permissions | Octal | Terminal command to repair |
|---|---|---|---|---|---|
| /Applications | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Applications; sudo chmod 0775 /Applications |
| /Library | root | admin | rwxrwxr-t | 1775 | sudo chown root:admin /Library; sudo chmod 1775 /Library |
| /Library/Application Support | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /Library/Application\ Support; sudo chmod 0755 /Library/Application\ Support |
| /Users | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Users; sudo chmod 0775 /Users |
| /usr | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr; sudo chmod 0755 /usr |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr/bin; sudo chmod 0755 /usr/bin |
For OS X 10.4:
| Folder | Owner | Group | Permissions | Octal | Terminal command to repair |
|---|---|---|---|---|---|
| /Applications | root | admin | rwxrwxr-x | 0775 | sudo chown root:admin /Applications; sudo chmod 0775 /Applications |
| /Library | root | admin | rwxrwxr-t | 1775 | sudo chown root:admin /Library; sudo chmod 1775 /Library |
| /Library/Application Support | root | admin | rwxr-xr-x | 0755 | sudo chown root:admin /Library/Application\ Support; sudo chmod 0755 /Library/Application\ Support |
| /Users | root | admin | rwxrwxr-t | 1775 | sudo chown root:admin /Users; sudo chmod 1775 /Users |
| /usr | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr; sudo chmod 0755 /usr |
| /usr/bin | root | wheel | rwxr-xr-x | 0755 | sudo chown root:wheel /usr/bin; sudo chmod 0755 /usr/bin |