The root / of an OS X system drive should be owned by user root, group admin. One reason is that it prevents bad software from changing things it shouldn't. Another reason is that some system software runs as root, and needs to do things in that path.
But multiple times now, in different versions of OS X, I have noticed that the ownership of / is changed. This causes errors, and repair permissions in Disk Utility won't fix it. It needs to be fixed from the console. There could be a lot of Macs out there with this problem. How is it happening? What brain-dead process is changing the ownership of /?
Today, I figured it out. I am about to upgrade to OS X Yosemite. I had connected my iPhone for a final sync and I opened the console while I waited, wondering if iTunes 12.0 still spews "Failed to create replacement string" messages to the console, like iTunes 11 did.
Instead, today's log vomit was as follows:
2014-10-17 10:44:40.884 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.
2014-10-17 10:44:41.240 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.
2014-10-17 10:44:41.240 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.
2014-10-17 10:44:41.256 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.
2014-10-17 10:44:43.884 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.
2014-10-17 10:44:44.055 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.
Great. I've seen this one before. To fix it, you just change ownership of / back to root. But this has happened several times. What keeps doing this?
The first thing I noticed is that the root directory's modification time was very recent.
Andromeda:~ justin$ ls -l /
total 16469
drwxrwxrwx 35 justin staff 1258 17 Oct 10:32 .
drwxrwxrwx 35 justin staff 1258 17 Oct 10:32 ..
drwxrwxr-x+ 177 root admin 6018 17 Oct 03:39 Applications
drwxrwxr-x 6 root admin 204 23 Oct 2013 Incompatible Software
drwxr-xr-x+ 66 root wheel 2244 28 Feb 2014 Library
drwxr-xr-x@ 2 root wheel 68 24 Aug 2013 Network
drwx------ 4 justin staff 136 17 Oct 10:32 OS X Install Data
...
I have an "OS X Install Data" in the root. That's pretty damning. I run an admin account and I had to give my password to the installer.
I scan back in the console to when the Can't create kext cache messages started. 3:01 AM yesterday. At 3:00 AM, I had just finished a code marathon and I was setting the computer to start installing Yosemite before I retired to bed.
The Yosemite installer has:
- the means -- it has asked for my password more than once;
- the motive -- the
OS X Install Datadirectory it created in/using my user; and - the opportunity -- it has been running since before the
kext cachemessages started appearing.
Guilty, your honour.
But I'm not going to change the permissions of / back, not yet. I don't have a lot of confidence in an install procedure that changes the ownership of /, but I have even less confidence that the installer can handle me changing it back.
Apple, this looks like a hack to get around expiring privilege elevation for the installer, and it has been damaging systems in the wild. Fix it.
Addendum: the fix
Logged in as an admin, run sudo chown root:admin /. As I explained, I wouldn't do this while an OS X upgrade installer is running.
Unlike in previous instances, the installer changed ownership back to root:admin when it was done.