Wrong permissions for the log directory in /Library/Application Support/NoMachine/var on macOS affects installations of NoMachine Enterprise Client and NoMachine Free Edition. While the issue is not remotely exploitable, this makes it possible to local users to create logical links and overwrite unintended files.

This problem has been reported to MITRE, the associated CVE ID is: CVE-2023-39107.

As a workaround, modify the NoMachine log directory ownership and permissions so that only the nx user has read and write permissions set. To do that, run the appropriate command in a terminal, as explained below.

For Enterprise Client package

sudo chmod 775 /Library/Application\ Support/NoMachine/var/log && sudo chown root:wheel /Library/Application\ Support/NoMachine/var/log

For NoMachine Free Editions

sudo chmod 775 /Library/Application\ Support/NoMachine/var/log && sudo chown nx:wheel /Library/Application\ Support/NoMachine/var/log