Fixing permissions after installing the Office 2011 SP 2 14.2.0 full installer

May 19, 2012

Dave Castelletti recently found that the Office 2011 SP 2 14.2.0 volume-licensed installer does something both dangerous and dumb: it makes the /Applications/Microsoft Office 2011 folder and all of the enclosed files and applications readable and writable by all users on the system. This is otherwise known as setting world-writable permissions.

Why is this bad?

The short version: everything in the folder is ultimately owned by the root user, so world-writable permissions can lead to programs running with root privileges that shouldn’t be. The worst case I can think of is a user modifying a program or script inside that directory (which he or she can do because of the world-writable permissions), and root then running the application with root privileges without knowing about the changes. Depending on what that change is, all sorts of Bad Things could result.

In summary, world-writable Office 2011 folder and apps = possible bad day for a sysadmin.

Going by the permissions used by previous Office installations, the permissions should look like this:

Owner: system (aka root): read/write/execute permissions

Group: admin: read/write/execute permissions

Everyone else: read/execute permissions


When installed by the Office 2011 SP 2 14.2.0 installer, the permissions look like this:

Owner: system (aka root): read/write/execute permissions

Group: wheel: read/write/execute permissions

Everyone else: read/write/execute permissions


I’ve written a script that should find and fix the incorrect group and world-writable permissions and set them to the following permissions:

Owner: system (aka root): read/write/execute permissions

Group: admin: read/write/execute permissions

Everyone: read/execute permissions

This script needs to be run with root privileges and may take a couple of minutes to execute. I’ve also built a script-only installer package for this, to help folks who want to automate running this.


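#!/bin/sh

if [ -d /Applications/Microsoft\ Office\ 2011 ]; then
   # Reset owner, group and mode on the top-level folder
   /usr/sbin/chown root:admin /Applications/Microsoft\ Office\ 2011
   /bin/chmod 775 /Applications/Microsoft\ Office\ 2011
   # Set root:admin on every enclosed item whose group is not admin
   /usr/bin/find /Applications/Microsoft\ Office\ 2011 ! -group admin -exec /usr/sbin/chown root:admin {} \;
   # Set mode 775 on every enclosed item whose mode is not exactly 775
   /usr/bin/find /Applications/Microsoft\ Office\ 2011 ! -perm 775 -exec /bin/chmod 775 {} \;
fi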

Both the script and installer package are available here on my GitHub repo.
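
To see what the installer left behind before running the fix, and to verify the result afterwards, the following added example (not part of the original post or its GitHub repo) counts world-writable entries and entries with the wrong group. The function names and the TARGET and EXPECTED_GROUP variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for the two problems described in the post.
# Function names and the TARGET / EXPECTED_GROUP variables are assumptions.

TARGET="${TARGET:-/Applications/Microsoft Office 2011}"
EXPECTED_GROUP="${EXPECTED_GROUP:-admin}"

# Entries any user can modify. "-perm -002" matches whenever the
# other-write bit is set, regardless of the remaining mode bits.
# Symlinks are skipped: a symlink's own mode bits do not control
# access to its target, so they would only add noise.
list_world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Entries whose group is not the expected one (name or numeric gid).
list_wrong_group() {
    find "$1" ! -type l ! -group "$2" -print
}

count_world_writable() { list_world_writable "$1" | wc -l | tr -d ' '; }
count_wrong_group()    { list_wrong_group "$1" "$2" | wc -l | tr -d ' '; }

# Exit status: 0 = clean, 1 = findings, 2 = directory missing.
audit_tree() {
    dir=$1
    group=$2
    if [ ! -d "$dir" ]; then
        echo "not found: $dir" >&2
        return 2
    fi
    ww=$(count_world_writable "$dir")
    wg=$(count_wrong_group "$dir" "$group")
    echo "world-writable: $ww, group not $group: $wg"
    [ "$ww" -eq 0 ] && [ "$wg" -eq 0 ]
}

# Same guard as the fix script: only act when Office 2011 is installed.
if [ -d "$TARGET" ]; then
    audit_tree "$TARGET" "$EXPECTED_GROUP" || echo "permissions need fixing" >&2
fi
```

Reading permissions does not require root, so this can be run as any user; pipe `list_world_writable` to a file first if you want a record of exactly which items were exposed.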
