Permissions error?

(briantvt) #1

I started getting an error message from my Sophos virus protection app. early last week: “Please contact your system administrator. Your Mac is running with non-standard permissions on key directories and your Mac may be insecure.”

I’ve run 2 Onyx scans to fix permissions and perform other maintenance, and it still comes up every time my old MacBookPro restarts. Sophos’ support website (entry #131959) suggests a complex Terminal-based fix that I’m not comfortable trying. I’m running Sierra (macOS 10.12.6) on a 2012-vintage MBP (with an added SSD drive) that otherwise runs fine. Any suggestions?

RE: [TidBITS Talk] Permissions error?
(Al Varnell) #2

Apple deprecated fixing permissions when it introduced System Integrity Protection (SIP) which makes it impossible for even a user with root permissions to change permission on protected files and folders. That’s why running OnyX wasn’t able to fix your problem. You have a couple of choices. You can run those Terminal commands from Recovery to temporarily disable SIP, fix permissions and then re-enable them or, again from Recovery, re-install Sierra. The latter won’t touch your user data or 3rd party apps, it just gives you a fresh macOS.


(briantvt) #3

Many thanks, Al. What are the pros and cons of the 2 suggested solutions? I know I should have a backup copy of Sierra, but I don’t — where would I find one? To clarify, I used to do sorts of system adjustments back in the pre-OS X days but have been quite shy about it for a decade or more and have just not kept up with the technology, typically relying on Onyx and Apple system updates to keep my system together. I may need to seek out some in-person assistance.

(Al Varnell) #4

December 5
Many thanks, Al. What are the pros and cons of the 2 suggested solutions?

Since I don’t know exactly what those Terminal commands you referenced were, I can’t really say. I was just guessing they had something to do with disabling SIP. If so, then that will take longer than simply updating Sierra.

I know I should have a backup copy of Sierra, but I don’t — where would I find one?

From Recovery, as mentioned earlier.

Or you can download it from


(briantvt) #5

Can I trust that nothing else will change beside having to redo system settings?

(Al Varnell) #6

Is this about restoring macOS? I’m not seeing any of the previous discussion here.

Which of the three choices have you decided on?


(briantvt) #7

I asked: "Can I trust that nothing else will change beside having to redo system settings? “

That was in response to your suggestion that re-installing Sierra was probably the more straightforward solution to my permissions issue. I’m just feeling very rusty around addressing system-level issues, which I’ve mostly avoided for 15 years or more, so not as confident as I once was.

(briantvt) #8

Amidst my other (non-IT) commitments I’m having difficulty setting aside the time to reinstall Sierra to address the permissions error identified by Sophos last week. I’ve not seen any other problems, though I understand there may be hidden vulnerabilities.

Is there any way to asses the urgency of this fix?

(frederico) #9

Just stepping in with my opinion here, reinstalling (dirty install/ System Restore) really shouldn’t take terribly long, once you’ve downloaded the most recent installer (assuming you have decent hardware and not a terribly slow or badly fragmented/overly-full HDD); you shouldn’t be presented with much of anything in terms of restoring preferences or even network settings, but you will be logged out of and forced to log back into iCloud on every account and the Mac App Store (along with the requisite 2FA auth codes); you’ll want to immediately also check for and run System Updates to get the most recent security updates that might not be in your installer.

If I were you, I’d also disable Sophos until you’ve completed the whole process; nothing else should matter. It also never hurts to run Disk First Aid from within the Installer before you restore.

You might run into an odd app here or there requiring reactivating, as well.

(briantvt) #10

Many thanks. It’s feeling less daunting now. But I don’t know what a 2FA code is.

(frederico) #11

Two Factor Authentication. If you have an AppleID (you almost certainly do), and you have enabled 2FA via your online AppleID account (you should), you will need to reauthorize each iCloud account (AppleID) for each user account by entering a six digit code you will receive on a trusted device, such as an iPhone, another Mac, or frequently the very Mac you are using (assuming it has already been authorized as a trusted device).

(frederico) #12

PS: having only just now carefully reread this thread, I strongly suggest you download the full installer from the link above, and do not attempt to do a System Restore/reinstallation from Recovery mode; the latter method will effectively take much longer to complete, as it must download the installer during the process; whereas you are free to keep working while downloading the standalone installer. Once downloaded, just run it while logged in (after disabling Sophos as advised previously) and once rebooted from the macOS Sierra Installer, run Disk Utility to then run Disk First Aid (Repair Disk), then choose ‘Reinstall macOS’.

The 2FA bits come after your first login attempt, and when you open the Mac App Store to check for and install any additional updates.

(briantvt) #13

Many thanks for spelling this all out. Seems much less intimidating now.

(briantvt) #14

Oops, one more question arose after I downloaded the OS installer. Do I need to run it from my backup drive, or will I be able to reboot from the installer directly from my internal SSD?

(Simon) #15

You can run it straight from within the booted volume. It will eventually log you out and restart on its own.

(Al Varnell) #16

As stated, you can, but be aware that the installer will be deleted in the process, so if you think you might ever want to do this again, be sure and hide a copy somewhere else.

What I do is make a bootable USB Thumb drive, which can either be done with some Terminal commands or using something like DiskMakerX

<> and run the installation from the there, where it won’t be erased.


(briantvt) #17

Thanks. Is that better than just saving a copy of the installer on a backup drive in case I need it again? My internal SSD is a lot faster than any of the likely alternatives, I believe.

(Richard Rettke) #18

I just duplicate the installer and rename it, so macOS is renamed Install macOS, these are all kept in the application folder.

I keep copies of all the installers that way (Yosemite thru Mojave).

(frederico) #19

Correct. And another reminder to everyone you can create a temporary 16GB (or larger) partition on your internal SSD and build an installer disk targeting that volume, should have the need and lack a thumb drive or other external.

I have an SSD with all the installer disks from Maverick forward, plus it has a large number of both Apple Hardware Tests and Apple Service Diagnostics for common family/work models. Super handy, and way, way faster than (most) thumb drives.

(briantvt) #20

I’m confused about why I’d want to do that. Why not just run the installer from my applications folder, already having saved a backup copy of the installer on my regular backup drive?