From 43cedc5d1c30fc154add8105248ba2347a683528 Mon Sep 17 00:00:00 2001
From: Greg Neagle <gregneagle@mac.com>
Date: Tue, 19 Jun 2018 15:30:38 -0700
Subject: [PATCH] Before copying a directory for a copy_from_dmg item, ensure
 it is owned by root (in addition to the 0700 check)

---
 code/client/munkilib/installer/dmg.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/code/client/munkilib/installer/dmg.py b/code/client/munkilib/installer/dmg.py
index 33dc0f32..59b3d07d 100644
--- a/code/client/munkilib/installer/dmg.py
+++ b/code/client/munkilib/installer/dmg.py
@@ -200,9 +200,11 @@ def copy_items_from_mountpoint(mountpoint, itemlist):
         # one last permissions check before we copy
         if os.path.isdir(destination_path):
             mode = os.stat(destination_path).st_mode & 0o7777
+            owner_uid = os.stat(destination_path).st_uid
             # destination path that is a directory should have set the mode
-            # to 0700. if mode doesn't match, something insecure is happening
-            if mode != 0o0700:
+            # to 0700 and owner should be root. if mode and owner don't match,
+            # something insecure is happening
+            if mode != 0o0700 or owner_uid != 0:
                 display.display_error(
                     "Error copying %s to %s: destination path is insecure.",
                     source_path, destination_path)