
macOS Sierra’s /Volumes folder is no longer world-writable

One of the changes made in macOS Sierra is summed up by my colleague @n8felton below:

/Volumes is the invisible directory that OS X and macOS use as the default mount point for the filesystems of other storage (external hard drives, USB flash drives, mounted disk images, network fileshares, etc.).


Up to OS X El Capitan, the /Volumes directory was world-writable and had the following permissions:

[Screenshots: permissions of /Volumes on OS X El Capitan]

This meant that any process or user could create a directory inside /Volumes or store files there.


World-writable directories are generally seen as a security risk, which may explain why Apple chose to change the permissions on the /Volumes directory. As of macOS Sierra, the permissions on the directory are as follows:

[Screenshots: permissions of /Volumes on macOS Sierra]


This change means that the /Volumes directory is readable by anyone but can only be written to by processes using root privileges.

This permissions change should not affect the system’s ability to mount storage devices or fileshares from network servers, as the OS itself is the one handling the mounting and has all the necessary permissions.

  1. NZ
    September 21, 2016 at 8:39 pm

    Damn. Just as I’d rolled out a login script that does a bunch of mkdir /Volumes/bar and mount //foo/bar /Volumes/bar.
    This runs as the AD user to mount selectively based on group membership
    Options:
    - mounting to something in /var, /tmp, ~/ …
    - the “open” command
    - passing a list of shares to a launch agent running as root

    I guess the first option would be the easiest. Open needs Finder, but realistically, by the time Outset starts the script, Finder has been up for a few seconds. The others are ludicrous.

  2. September 25, 2016 at 12:03 pm

    Ahh … maybe that’s why there are tons of dead mountpoint folders …
    In the past … after OS X woke up from sleep mode, sometimes I missed some mounted server shares. Because I’m lazy, I wrote some AppleScript that looks for missing shares and remounts them. This worked without a flaw until Sierra.
    Now it still mounts missing shares, but there are tons of dead mount folders. Something like share-1, share-2, share-3 … share-N, in between my mounted mountpoints.

  3. September 27, 2016 at 7:16 am

    Same issue here. I have a script that runs on a cron job that creates a directory in /Volumes and then mounts a server to it using mount_smbfs and then performs an rsync with a folder on the local machine. When it finishes, it unmounts the server and removes the mountpoint directory. After the Sierra update it kept failing due to permissions issues on /Volumes. I tried just brute-forcing the permissions of /Volumes to 777, but that only lasted until the next reboot. The fix was to edit the script, and everywhere I referenced /Volumes/Public (the mountpoint I was creating) I changed it to /tmp/Public, and voila, it all works as it used to. Apple makes weird decisions sometimes.

  4. September 27, 2016 at 6:58 pm

    To those that are using /Volumes as a holding location, I would suggest looking into the command ‘mktemp’ (likely with the -d argument) instead.
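
The approach suggested in the comments (a `mktemp -d` mountpoint instead of a directory created under /Volumes), as an added example that is not code from the post or its commenters. The helper names `make_mountpoint`, `with_share` and `sync_from`, the share URL, the local path and the rsync direction are assumptions; `mount_smbfs` is the command named in the comments.

```shell
#!/bin/sh
# Added example: mount a share on a private mktemp mountpoint, not under /Volumes.
# MOUNT_CMD and UMOUNT_CMD can be overridden to rehearse the flow without a server.
MOUNT_CMD=${MOUNT_CMD:-mount_smbfs}
UMOUNT_CMD=${UMOUNT_CMD:-umount}

# mktemp -d picks an unpredictable name and creates the directory with mode
# 0700, so no other unprivileged user can pre-create or enter the mountpoint
# (a fixed name in a shared directory offers neither guarantee).
make_mountpoint() {
    mktemp -d "${TMPDIR:-/tmp}/mnt.XXXXXXXX"
}

# with_share SHARE COMMAND [ARGS...]
# Mounts SHARE, runs COMMAND ARGS... MOUNTPOINT, then unmounts and removes
# the mountpoint. The body is a subshell, so its variables stay local.
with_share() (
    share=$1; shift
    rc=0
    mp=$(make_mountpoint) || exit 1
    if "$MOUNT_CMD" "$share" "$mp"; then
        "$@" "$mp" || rc=$?
        "$UMOUNT_CMD" "$mp" || rc=$?
    else
        rc=$?
    fi
    # rmdir only removes empty, unmounted directories, so a failed unmount
    # can never turn cleanup into deleting files on the share.
    rmdir "$mp" 2>/dev/null || echo "left $mp in place" >&2
    exit "$rc"
)

# Assumed job: copy the share's contents into a local folder with rsync.
sync_from() {
    rsync -a "$2/" "$1/"
}

# Usage (constructed values): sh mount-sync.sh //user@server/Public /Users/Shared/Public
if [ "$#" -eq 2 ]; then
    with_share "$1" sync_from "$2"
fi
```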
