[zsh] zsh compinit: insecure directories

What does it mean and how can I fix it?

zsh compinit: insecure directories, run compaudit for list.
Ignore insecure directories and continue [y] or abort compinit [n]?

Running the compaudit returns the follows:

There are insecure directories:
/usr/local/share/zsh/site-functions

compaudit | xargs chmod g-w

will do the trick, see http://www.wezm.net/technical/2008/09/zsh-cygwin-and-insecure-directories/

Following worked on M1

ProductName:    macOS
ProductVersion: 11.1
BuildVersion:   20C69

% compaudit
/opt/homebrew/share

Changed group permission from 775 to 755

% sudo chmod 755 /opt/homebrew/share

drwxr-xr-x   33 xenea  admin   1056 Feb  2 01:28 share

Most answers come with a solution, but do not mention why this warning occurs. Here's an excerpt from ZSH's compinit:

For security reasons compinit also checks if the completion system would use files not owned by root or by the current user, or files in directories that are world- or group-writable or that are not owned by root or by the current user. If such files or directories are found, compinit will ask if the completion system should really be used. To avoid these tests and make all files found be used without asking, use the option -u, and to make compinit silently ignore all insecure files and directories use the option -i. This security check is skipped entirely when the -C option is given.

Hence, the solution implies fixing one (or all) of the following:

• setting the current user as the owner of all the directories/subdirectories/files in cause:

  compaudit | xargs chown -R "$(whoami)"
  

• removing write permissions for group/others for the files in cause:

  compaudit | xargs chmod go-w
  

Another approach would be to skip these checks by using

compinit -u

but I don't really suggest this, as hiding problems under a rug only solves problems in the short run.

These two lines have fixed for me.

sudo chown -R _user_:root /usr/local/share/zsh

sudo chown -R _user_:root /usr/local/share/zsh/*

I got the same warnings when I sudo -i starting a root shell, @chakrit's solution didn't work for me.

But I found -u switch of compinit works, e.g. in your .zshrc/zshenv or where you called compinit

compinit -u

NB: Not recommended for production system

See also http://zsh.sourceforge.net/Doc/Release/Completion-System.html#Initialization

This answer is mostly a reference for myself to use in the future, as most answers do not provide a full-fledged solution. Here it is:

First run:

compinit

use compaudit if above does not work

For every single path that is printed run the following the commands:

sudo chown $(whoami) PATH_HERE

sudo chmod -R 755 PATH_HERE

Simple example, let's say one of the paths that gets printed after running compinit is "/usr/local/share/zsh". Then:

sudo chown $(whoami) /usr/local/share/zsh

sudo chmod -R 755 /usr/local/share/zsh

MAC OS X solution :

$ sudo chmod -R 755 /usr/local/share/zsh
$ sudo chown -R root:staff /usr/local/share/zsh

Also "user:staff = default root user on OSX.

I had the same warning lately on Catalina. An easy workaround is to put this to the top of your .zshrc

ZSH_DISABLE_COMPFIX=true

running this command worked for me on my mac OS Catalina:

compaudit | xargs chmod g-w,o-w

My suggestion would be to run compaudit and then just fix permissions on the directories found by the audit. Make sure the identified directories do not have write permissions for group or other.

None of the solutions listed worked for me. Instead, I ended up uninstalling and reinstalling Homebrew, which did the trick. Uninstall instructions may be found here: http://osxdaily.com/2018/08/12/how-uninstall-homebrew-mac/

I fixed it by doing

sudo chown root:staff -R /usr/local/share/zsh

in my case other directories inside share/ also have "staff" group assigned

I got this issue after running the google-cloud-sdk install script, which adds command-completion to the shell via an entry in .zshrc.

Following Homebrew's instructions for configuring completions in zsh was helpful.

Additionally, if you receive “zsh compinit: insecure directories” warnings when attempting to load these completions, you may need to run this: chmod -R go-w "$(brew --prefix)/share"

This works for my Mac since High Sierra update.

Remove the group write access:

sudo chmod g-w /usr/local/share/zsh/site-functions
sudo chmod g-w /usr/local/share/zsh

It’s best to keep the change limited to zsh directories.

My machine:

System Version: macOS 10.15.4 (19E287)
Kernel Version: Darwin 19.4.0

So here is what I did,

1. run compaudit and it will give you a list of directories it thinks are unsecure.

2. run sudo chmod -R 755 target_directory (example: sudo chmod -R 755 /usr/local/share/zsh)

Exmaple:

compaudit

returns:

/usr/local/share/zsh

so I run

sudo chmod -R 755 /usr/local/share/zsh

read more here link

on Mojave, this did the trick : sudo chmod go-w /usr/local/share

On macOS Sierra you need to run: sudo chown -R $(whoami):staff /usr/local

1. run compaudit and it will give you a list of directories it thinks are insecure

2. sudo chown -R username:root target_directory

3. sudo chmod -R 755 target_directory

Once you understand the cause, solution is trivial and unequivocal.

• Cause: the directories output by compaudit have write permission by either group or others (world-writable); or those files are owned by somebody else other than root or yourself.

• Example: In my case, compaudit gave me that:

% compaudit 
There are insecure directories:
/usr/local/share/zsh/site-functions
/usr/local/share/zsh

And if we list the permission of those files/directories we have (in this case)

% ls -lh /usr/local/share 
total 0
drwxr-xr-x  12 chbrandt  admin   384B Aug 14 10:45 aclocal
drwxr-xr-x   8 chbrandt  admin   256B Aug 14 10:45 doc
drwxr-xr-x   3 chbrandt  admin    96B Jul 24 21:00 fish
lrwxr-xr-x   1 chbrandt  admin    36B Aug 14 10:45 gettext -> ../Cellar/gettext/0.21/share/gettext
lrwxr-xr-x   1 chbrandt  admin    41B Aug 14 10:45 gettext-0.21 -> ../Cellar/gettext/0.21/share/gettext-0.21
lrwxr-xr-x   1 chbrandt  admin    37B Aug 14 10:45 gtk-doc -> ../Cellar/libidn2/2.3.0/share/gtk-doc
drwxr-xr-x   9 chbrandt  admin   288B Aug 14 10:45 info
drwxr-xr-x  58 chbrandt  admin   1.8K Aug 14 10:45 locale
lrwxr-xr-x   1 chbrandt  admin    41B Jul 27 17:12 luajit-2.0.5 -> ../Cellar/luajit/2.0.5/share/luajit-2.0.5
drwxr-xr-x   5 chbrandt  admin   160B Jul 27 17:12 man
lrwxr-xr-x   1 chbrandt  admin    33B Aug 14 10:45 nvim -> ../Cellar/neovim/0.4.4/share/nvim
drwxrwxr-x   3 chbrandt  admin    96B Jul 24 20:57 zsh
%
% ls -lh /usr/local/share/zsh 
total 0
drwxrwxr-x  4 chbrandt  admin   128B Jul 24 21:00 site-functions
%
% ls -lh /usr/local/share/zsh/site-functions 
total 0
lrwxr-xr-x  1 chbrandt  admin    39B Jul 24 21:00 _brew -> ../../../Homebrew/completions/zsh/_brew
lrwxr-xr-x  1 chbrandt  admin    44B Jul 24 21:00 _brew_cask -> ../../../Homebrew/completions/zsh/_brew_cask

Now we easily spot the issue, don't we? Notice how zsh/ and zsh/site-functions directories differ from the others... That 'w' allowing the admin group to modify them is not appreciated by zsh.

• Solution: Turn off that group-writable permission!

% chmod g-w /usr/local/share/zsh 
% chmod g-w /usr/local/share/zsh/site-functions 

That's it! You're good to go. Open a new terminal and you should not see the "zsh compinit: insecure directories" message anymore ;)

This was the only thing that worked for me from https://github.com/zsh-users/zsh-completions/issues/433#issuecomment-600582607. Thanks https://github.com/malaquiasdev!

  $ cd /usr/local/share/
  $ sudo chmod -R 755 zsh
  $ sudo chown -R root:staff zsh

The accepted answer did not work for me on macOs Sierra (10.12.1). Had to do it recursive from /usr/local

cd /usr/local
sudo chown -R <your-username>:<your-group-name> *

Note: You can get your username with whoami and your group with id -g

Send a y character to the input stream of the script using compinit, in order to automatically answer the Ignore insecure directories and files and continue [y] or abort compinit [n]? question

echo "y" > source <GOOGLECLOUDSDK>/completion.zsh.inc

The solution is useful when

• you can't make ownership/access changes to the folders
• when you can't use the -u option to remove the warning (probably because you don't explicitly call 'compinit' yourself, but it's called by a script you call)

Remark: It doesn't fix the problem and only hides the warning (as opposed to others answers here which involve removing 'group write access' or 'change ownership to root').

This morning, some packages in my system updated, and left me with this error message. I am using Ubuntu 18.04.

Apparently, something in the update changed the username and group to numbers, instead of root, as so:

# There are insecure files: /usr/share/zsh/vendor-completions/_code
# sudo ls -alh
-rw-r--r-- 1  131  142 2.6K 2019-10-10 16:28 _code

I simply changed the user and group for this file back to root and the problem went away. I did not need to change any permissions, and would caution against doing so unless the underlying cause of the problem is understood.

sudo chown root _code && sudo chgrp root _code

After switching 131 and 142 back to root, this error message from zsh went away.