Secure /Users/Shared too in SecureUsersHomeFolders.zsh (#203)#256
Open
theneiljohnson wants to merge 1 commit into microsoft:master from
Conversation
Resolves microsoft#203.

The script previously only chmod'd individual user home folders and silently exited 0. Devices kept being flagged by Defender / Secure Score because:

1. /Users/Shared was completely ignored. The expected state is mode 1777 (sticky bit, world-writable) owned by root:wheel - if it drifted (e.g. someone chmod 777'd it), the device stayed non-compliant.
2. The script never verified the resulting permissions or surfaced failures. Anything that didn't take (locked file, immutable flag, SIP-protected path, etc.) was logged but exit 0 was still returned.

Changes:

- Add an explicit handler for /Users/Shared that resets it to 1777 root:wheel.
- Replace the old find-pipe-grep loop with a clearer loop that uses -name filters and verifies each folder's mode after chmod against the CIS-acceptable set {700, 711, 750}.
- Track failures and exit 1 if any home folder or /Users/Shared could not be remediated.
- Require root.
- Switch from /System/Volumes/Data/Users to /Users (firmlinked, same inodes) since /Users is the path the Defender posture check evaluates.
- README documents the new behaviour and links to the Tech Community thread that prompted the fix.
Resolves #203.
Thanks @paulh-NC for raising and @DJITS-NL for the Tech Community link in the comments — that pointed straight at the cause.
Why devices stayed non-compliant
The previous script only chmod'd individual user home folders and silently exited 0. Two problems:

1. `/Users/Shared` was completely ignored. Defender / Secure Score expects it to be mode `1777` (sticky bit, world-writable) owned by `root:wheel`. If it drifted from that — for example someone chmod'd it to `777` — the device kept being flagged even though every user folder was perfectly fine.
2. If a `chmod` quietly failed (locked file, immutable flag, SIP-protected path) the script still exited `0`, so Intune saw success while the device was still non-compliant.

Fix

- `SecureSharedFolder()` resets `/Users/Shared` to `1777` `root:wheel`.
- `SecureUsersHomeFolders()` rewritten with `-name` filters instead of `grep`, and now stats each folder after the chmod and checks the result against the CIS-acceptable set `{700, 711, 750}`.
- Exit `1` if anything couldn't be remediated, so Intune surfaces the failure.
- Switched from `/System/Volumes/Data/Users` to `/Users` (firmlinked, same inodes) — `/Users` is the path the Defender posture check evaluates.
- README documents the `/Users/Shared` requirement.
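The remediate-then-verify pattern that both the PR description and this comment describe, as an added example that is not the PR's own code. It assumes its own `mode_of`/`owner_of` helpers (BSD `stat` on macOS, GNU `stat` elsewhere), takes the base path and expected owner as parameters so the logic can be run unprivileged against scratch directories, and skips Shared and Guest by name instead of using the `find -name` filters the PR mentions.

```shell
# Added example (not the PR's code): the remediate-then-verify pattern the PR
# describes, parameterised on paths so it can be exercised on scratch dirs.
# Print a folder's mode as e.g. 700 or 1777 (BSD stat on macOS, GNU elsewhere).
mode_of() {
    if [ "$(uname)" = Darwin ]; then m=$(stat -f '%Mp%Lp' "$1") || return 1
    else m=$(stat -c '%a' "$1") || return 1; fi
    printf '%s\n' "${m#0}"   # BSD prints 0700 for a plain 700 directory
}

# Print the owner as user:group.
owner_of() {
    if [ "$(uname)" = Darwin ]; then stat -f '%Su:%Sg' "$1"
    else stat -c '%U:%G' "$1"; fi
}

# Succeed only if the mode is in the CIS-acceptable set {700, 711, 750}.
mode_is_acceptable() {
    case "$1" in 700|711|750) return 0 ;; *) return 1 ;; esac
}

# Tighten to 700 only when the current mode is not acceptable, then re-stat:
# the return code reflects the folder's actual state, not whether chmod ran.
secure_home_folder() {
    cur=$(mode_of "$1") || return 1
    mode_is_acceptable "$cur" || chmod 700 "$1" 2>/dev/null || :
    cur=$(mode_of "$1") || return 1
    mode_is_acceptable "$cur"
}

# Reset the shared folder to 1777 and the expected owner (root:wheel on a real
# device; overridable so the logic can be tested unprivileged), then verify both.
secure_shared_folder() {
    want=${2:-root:wheel}
    chmod 1777 "$1" 2>/dev/null || :
    chown "$want" "$1" 2>/dev/null || :
    [ "$(mode_of "$1")" = 1777 ] && [ "$(owner_of "$1")" = "$want" ]
}

# Walk the home folders under a base path (/Users on a device), skipping Shared
# and Guest; return 1 if any folder is still non-compliant so the caller can exit 1.
secure_all_homes() {
    failed=0
    for d in "$1"/*/; do
        d=${d%/}; [ -d "$d" ] || continue
        case "${d##*/}" in Shared|Guest) continue ;; esac
        secure_home_folder "$d" || { echo "FAILED: $d" >&2; failed=1; }
    done
    return "$failed"
}
```

On a device the calling script would run `secure_all_homes /Users` and `secure_shared_folder /Users/Shared` as root and exit 1 if either returns non-zero.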