Fixing permissions after installing the Office 2011 SP 2 14.2.0 full installer

Dave Castelletti found recently that the Office 2011 SP 2 14.2.0 volume licensed installer does something both dangerous and dumb: it makes the /Applications/Microsoft Office 2011 folder and all of the enclosed files and applications readable and writable by all users on the system. This is otherwise known as setting world-writable permissions.

Why is this bad?

The short version: since everything in the folder is ultimately owned by the root user, it can lead to programs running with root permissions which shouldn’t be. The worst case I can think of is if a user modifies a program or script inside that directory (which he/she can do because of the world-writable permissions), but root does not know about the changes and runs the application with root privileges. Depending on what that change is, all sorts of Bad Things could result.

In summary, world-writable Office 2011 folder and apps = possible bad day for a sysadmin.

Going by the permissions used by previous Office installations, the permissions should look like this:

Owner: system (aka root): read/write/execute permissions

Group: admin: read/write/execute permissions

Everyone else: read/execute permissions

When installed by the Office 2011 SP 2 14.2.0 installer, the permissions look like this:

Owner: system (aka root): read/write/execute permissions

Group: wheel: read/write/execute permissions

Everyone else: read/write/execute permissions

I’ve written a script that should find and fix the incorrect group and world-writable permissions and set them to the following permissions:

Owner: system (aka root): read/write/execute permissions

Group: admin: read/write/execute permissions

Everyone: read/execute permissions

This script needs to be run with root privileges and may take a couple of minutes to execute. I’ve also built a script-only installer package for this, to help folks who want to automate running this.


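#!/bin/sh

# Must be run as root. Resets ownership to root:admin and mode to 775
# on the Office 2011 folder and everything inside it.

if [ -d /Applications/Microsoft\ Office\ 2011 ]; then
   # Fix the top-level folder first
   /usr/sbin/chown root:admin /Applications/Microsoft\ Office\ 2011
   /bin/chmod 775 /Applications/Microsoft\ Office\ 2011
   # Fix any enclosed item whose group is not admin
   /usr/bin/find /Applications/Microsoft\ Office\ 2011 ! -group admin -exec /usr/sbin/chown root:admin {} \;
   # Fix any enclosed item whose mode is not exactly 775
   /usr/bin/find /Applications/Microsoft\ Office\ 2011 ! -perm 775 -exec /bin/chmod 775 {} \;
fi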

Both the script and installer package are available here on my GitHub repo.
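
A read-only audit to run before or after the fix script, added here as an example and not part of the original post or its GitHub repo: it reports entries under a directory that are world-writable or not in the expected group, and lists setuid/setgid files, since those are the ones that execute with the file owner's or group's privileges. The function name audit_tree, the output tags and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example: audit only, changes nothing on disk.
# Usage: audit_tree DIR [GROUP]     (GROUP defaults to admin)
# Prints one line per finding and returns:
#   0 = clean, 1 = findings, 2 = DIR is not a directory

audit_tree() {
    dir=$1
    group=${2:-admin}

    if [ ! -d "$dir" ]; then
        echo "audit_tree: not a directory: $dir" >&2
        return 2
    fi

    # Symlinks are skipped in the first two checks: their own mode bits
    # (often rwxrwxrwx) say nothing about who can modify the target.
    findings=$(
        # Anything "everyone" can write to
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        # Anything whose group is not the expected one (e.g. wheel)
        find "$dir" ! -type l ! -group "$group" -print | sed 's/^/WRONG-GROUP /'
        # Regular files that run with the owner's or group's privileges
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/SETID /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when a directory is passed on the command line, e.g.
#   sh audit.sh "/Applications/Microsoft Office 2011" admin
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
fi
```

The non-zero return on findings lets the audit gate the fix script or feed a monitoring check.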

  1. May 21, 2012 at 1:44 pm

    Just to clarify, having access to a root owned folder doesn’t mean you can run apps as root. You would need to set the suid on the executable for it to run as root. This world writable folder just means that any user can modify the contents.
