Kernel Extension Ownership and Permissions

Because kernel extensions (KEXTs) contain code and data that are loaded into the kernel, the most protected environment in the operating system, their file ownership and permissions must be set to prevent unauthorized tampering. In fact, a KEXT will not load into the kernel unless its ownership and permissions are correct. Read this article to find out what the correct values are and how to make sure your KEXT has them.

For security reasons, no component of a KEXT should be writable by any user other than the superuser. Specifically, this means that:

All files and folders in the KEXT, including the KEXT itself, must be owned by the root user (UID 0).
All files and folders in the KEXT, including the KEXT itself, must be owned by the wheel group (GID 0).
All folders in the KEXT, including the KEXT itself, must have the permissions 0755 (octal) or rwxr-xr-x (as shown by ls -l).
All files in the KEXT must have permissions 0644 (octal) or rw-r--r-- (as shown by ls -l). Note that a KEXT is not the place to store a user-space executable.

There are two common ways to ensure that your KEXT has the correct ownership and permissions:

One way is to temporarily assume root-user privileges and copy the KEXT to a temporary location, as shown below:
% sudo cp -R MyKEXT.kext /tmp
Password:
You use the -R option with the cp command to make sure that both the KEXT directory and its entire subtree are copied.
Note: This method leaves the permissions and ownership of your original KEXT alone, so you can continue to revise and save it. However, this means that every time you make changes to the original KEXT and rebuild it, you must repeat the copy action shown above to make sure the new version has the correct ownership and permissions.
Another way to give your KEXT the correct ownership and permissions is to include this task in post-build and post-install scripts. To do this, you can include the following shell script commands:
/usr/sbin/chown -R root:wheel MyKEXT.kext
find MyKEXT.kext -type d -exec /bin/chmod 0755 {} \;
find MyKEXT.kext -type f -exec /bin/chmod 0644 {} \;
To find out more about packaging scripts with your KEXT, see “Anatomy of a Package.”

< Previous PageNext Page >

Hide TOC

Did this document help you?
Yes: Tell us what works for you. It’s good, but: Report typos, inaccuracies, and so forth. It wasn’t helpful: Tell us what would have helped.