What Keeps Changing the Ownership of / in OS X?

The root / of an OS X system drive should be owned by user root, group admin. One reason is that it prevents bad software from changing things it shouldn't. Another reason is that some system software runs as root, and needs to do things in that path.

But multiple times now, in different versions of OS X, I have noticed that the ownership of / is changed. This causes errors, and repair permissions in Disk Utility won't fix it. It needs to be fixed from the console. There could be a lot of Macs out there with this problem. How is it happening? What brain-dead process is changing the ownership of /?

Today, I figured it out. I am about to upgrade to OS X Yosemite. I had connected my iPhone for a final sync and I opened the console while I waited, wondering if iTunes 12.0 still spews "Failed to create replacement string" messages to the console, like iTunes 11 did.

Instead, today's log vomit was as follows:

2014-10-17 10:44:40.884 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.  
2014-10-17 10:44:41.240 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.  
2014-10-17 10:44:41.240 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.  
2014-10-17 10:44:41.256 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.  
2014-10-17 10:44:43.884 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.  
2014-10-17 10:44:44.055 AM com.apple.kextd[12]: Can't create kext cache under / - owner not root.  

Great. I've seen this one before. To fix it, you just change ownership of / back to root. But this has happened several times. What keeps doing this?

The first thing I noticed is that the root directory's modification time was very recent.

Andromeda:~ justin$ ls -l /  
total 16469  
drwxrwxrwx   35 justin  staff     1258 17 Oct 10:32 .  
drwxrwxrwx   35 justin  staff     1258 17 Oct 10:32 ..  
drwxrwxr-x+ 177 root    admin     6018 17 Oct 03:39 Applications  
drwxrwxr-x    6 root    admin      204 23 Oct  2013 Incompatible Software  
drwxr-xr-x+  66 root    wheel     2244 28 Feb  2014 Library  
drwxr-xr-x@   2 root    wheel       68 24 Aug  2013 Network  
drwx------    4 justin  staff      136 17 Oct 10:32 OS X Install Data  
...

I have an "OS X Install Data" in the root. That's pretty damning. I run an admin account and I had to give my password to the installer.

I scan back in the console to when the Can't create kext cache messages started. 3:01 AM yesterday. At 3:00 AM, I had just finished a code marathon and I was setting the computer to start installing Yosemite before I retired to bed.

The Yosemite installer has:

  • the means -- it has asked for my password more than once;
  • the motive -- the OS X Install Data directory it created in / using my user; and
  • the opportunity -- it has been running since before the kext cache messages started appearing.

Guilty, your honour.

But I'm not going to change the permissions of / back, not yet. I don't have a lot of confidence in an install procedure that changes the ownership of /, but I have even less confidence that the installer can handle me changing it back.

Apple, this looks like a hack to get around expiring privilege elevation for the installer, and it has been damaging systems in the wild. Fix it.

Addendum: the fix

Logged in as an admin, run sudo chown root:admin /. As I explained, I wouldn't do this while an OS X upgrade installer is running.

Unlike in previous instances, the installer changed ownership back to root:admin when it was done.