This problem has bothered me enough to come up with below script to check and fix the /Applications and /Library directory trees. (I leave /System, /usr, /bin etc. alone since I found no problems here on my machines, but the script will still display a short report about “noteworthy stuff” in these directories, too.)

Enjoy!
Arndt

#!/bin/bash -e
# vi: set ts=4 sw=4 ai:

# normalize file ownerhip and permissions for /Applications and /Library
# version: 1.0 2013-08-03 for Mac OS X 10.8.4

DOIT=-1 # default: ask for confirmation before making any changes
AREA=ALO # default: do /Applications, /Library and other checks

while (($# > 0))
do
case “$1” in
-y|–yes) DOIT=1;; # don’t ask, just do it
-n|–no) DOIT=0;; # don’t ask, don’t do it
-A) OAPP=1;; # select /Applications
-L) OLIB=1;; # select /Library
-O) OOTH=1;; # select other checks
*) echo >&2 “${0##*/}: bad args”; exit 2;;
esac
shift
done

[[ -z “$OAPP$OLIB$OOTH” ]] || AREA=”${OAPP:+A}${OLIB:+L}${OOTH:+O}”

if [[ $(id -u) != 0 ]]
then
echo “${0##*/}: please run this script as root”
exit 2
fi

M() { (IFS=” “; printf “\n### %s\n\n” “$*”) }

A()
{
if ((${#ITEMS[*]} == 0))
then
echo “(nothing to do)”
return 0
fi

# list all offending files and dirs
printf “%s\n” “${ITEMS[@]}” | tr ’12’ ” | xargs -0 ls -leOd

if (($DOIT == 0))
then
return 0

elif (($DOIT < 0))
then
while :
do
(IFS=" "; echo -n "Command for these items: $* — execute (y|n) ? ")
read yn
[[ $yn = n ]] && return 2
[[ $yn = y ]] && break
done
fi

# execute the given command on all offending files and dirs
if [[ $1 != SetOwnerGroup ]]
then
printf "%s\n" "${ITEMS[@]}" | tr '12' '' | xargs -0t "$@"
return $?
else
for i in "${ITEMS[@]}"
do
grp=$(stat -f %Sg "${i%/*}") && [[ $grp = admin ]] || grp=wheel
(set -x; chown -h "root:$grp" "$i")
done
fi
}

# IFS must be set to \n for the ITEMS=($(…)) assignments below
IFS="${IFS#??}"

if [[ $AREA = *A* ]]
then
echo
echo ====== /Applications ======

M remove .DS_Store files except those inside an app and belonging to root

ITEMS=($(
find -s /Applications \
-name .DS_Store "(" ! -user root -or ! -path "*.app/.DS_Store" ! -path "*.app/*/.DS_Store" ")"
))

A rm -f

M make everything below /Applications world readable and executable

ITEMS=($(
find -s /Applications ! -perm -0044 -or -perm +0100 ! -perm -0011
))

A chmod -h go+rX

M revoke write permission for group and other

ITEMS=($(
# valid as of 10.8.4:
# all files and dirs should be ???r-Xr-X, except
# – g=w: /Applications/, /Applications/System Preferences.app//
# – g=w is okay if user=root and group=admin
# A violation of the exception condition (i.e. if o=w) will cause
# the removal of the g=w permission, too.
find -sE /Applications \
! "(" -regex "/Applications/System Preferences.app(/.*)?" -or -user root -group admin ")" -perm +0022 \
-or -perm +0002
))

A chmod -h go-w

M assign all apps, subdirectories and files to user root, group wheel

ITEMS=($(
# 10.8.4: all files and dirs should be root:wheel or root:admin
find -s /Applications ! "(" -user root "(" -group wheel -or -group admin ")" ")"
))

A chown -h root:wheel
fi

if [[ $AREA = *L* ]]
then
echo
echo "====== /Library ======"

M remove all .DS_Store files

ITEMS=($(
find -s /Library -name .DS_Store
))

A rm -f

M ensure universal readability and executability

ITEMS=($(
find -s /Library \
-user root -or -path "/Library/Caches/*" \
-or "(" ! -perm -0044 -or -perm +0100 ! -perm -0011 ")" -print
))

A chmod -h go+rX

M revoke write permission for other

ITEMS=($(
# generally leave files alone which are owned by root, but make sure
# /Library/Application Support// gets fixed
find -sE /Library \
-regex "/Library/Application Support(/.*)?" -perm +0002 -print \
-or -user root -or -path "/Library/Caches/*" -or -path "/Library/Preferences/*" \
-or -perm +0002 -print
))

A chmod -h o-w

M assign stray items of group wheel or admin to user root

ITEMS=($(
find -s /Library \
! -path "/Library/Caches/*" ! -path "/Library/Logs/*" \
! -user root "(" -group wheel -or -group admin ")" |
while read i; do
# filter by uid to ignore items owned by system users
[[ $(stat -f %u "$i") -lt 500 && $(stat -f %Su "$i") != "("*")" ]] || echo "$i"
done
))

A chown -h root

# only proceed if above step has been successfully executed
if (($? == 0 && $DOIT != 0))
then
M for stray items of other groups, use the group of the parent dir

ITEMS=($(
find -s /Library \
! -path "/Library/Caches/*" ! -path "/Library/Logs/*" \
"(" ! -user root -or ! -group wheel ! -group admin ")" |
perl -e 'print reverse ‘ |
while read i; do
# filter by uid to ignore items owned by system users
[[ $(stat -f %u “$i”) -lt 500 && $(stat -f %Su “$i”) != “(“*”)” ]] || echo “$i”
done
))

A SetOwnerGroup
fi
fi

if [[ $AREA = *O* ]]
then
echo
echo “====== other checks ======”

M check for unsual permissions and ownerships in /bin, /etc, /sbin, /usr, /System

# ignores softlinks, and items owned by root with group wheel or admin
# which don’t have the setuid, setgid and sticky bit set and which are
# only writable by user; lists everything else
find -s /bin /etc /sbin /usr /System \
-type l -or -user root “(” -group wheel -o -group admin “)” ! -perm +7022 -or -ls
fi

###