All files on home account are available for viewing under guest account?

ideal.dreams

macrumors 68020
Original poster
Jul 19, 2010
2,312
853
Ohio
I was setting up an iPhone in my guest account and noticed when I used Spotlight to search for something, all of the files that are under my account came up. If I clicked on one of the files, sure enough it opened for full viewing and editing.

What's the point of a guest account if everything is still readily available? When I went under Macintosh HD > Users > myusername and tried to click on any of the folders, it said permission was denied, but I'm still able to access the contents via Spotlight.

Is this a glitch in Mavericks? Is there a setting I have to change to prevent this?
 

ideal.dreams

To anyone with this issue - Go to System Preferences > Spotlight > Privacy and add the Macintosh HD to the list of places that Spotlight won't search. Then restart the computer and go to the Spotlight settings again. Then remove Macintosh HD from the list of places not to search and the issue should be resolved.
 

sjinsjca

macrumors 68020
Oct 30, 2008
2,188
509
How very odd.

On my machine, which is running Mavericks (10.9.1), the Guest account has Safari only-- no Spotlight functionality is available whatsoever.

Also, I tried switching from my normal user account to another user account (this one a fully privileged Admin account) to see if I could Spotlight stuff in my normal user account. Nope.

Now, I'd attached a USB external drive while in my normal user account, and when I switched to my Admin account, Spotlight could of course still see the files on the USB disk. Plus it could see things in my shared folders and Dropbox folder, which all my user accounts can access. But Spotlight returned nothing from, say, ~NormalUserAccount/Documents or ~NormalUserAccount/Desktop.

So this behavior you describe is mystifying indeed.

Is the "Guest" account of which you speak the official Guest account OS X optionally sets up, or a "Guest" account of your own construction?

UPDATE: Digging further, it turns out that the Safari-only configuration of the Guest account on my machine is a consequence of my having FileVault2 turned on. I'd surmise FV2 is not turned on in your machine, but even if it isn't, I would not expect any software or process in a Guest account to be able to access anything in any other account... except folders that are explicitly shared. So that suggests you should go to your user account and check whether you've inadvertently set some folders to be shared.
 

ideal.dreams

I had FileVault 2 enabled but I disabled it a week or so ago and I noticed this issue without FV enabled. The guest account is the account that comes with OS X, not one I made myself. I didn't have any USB devices attached to my MBP when this issue occurred so it's definitely reading the files from my account, which is a full privileged admin account.

The "fix" I posted above actually does not work - as soon as Spotlight was done indexing, all of the files were again available if I searched for them.

Must be a bug.
 

sjinsjca

It's a hellish one if so. Really hard to imagine what could be happening; OS X is Unix, and what you're describing is a total breach of userspace separation, which is baked deep in the pudding in Unix.

1) Have you reviewed your folder permissions?

2) If so, have you advised Apple? If you have verified that you have not inadvertently made folders (or your whole userspace) shared, please take your machine to a genius bar if you can, and request the attention of a senior genius. This is very serious stuff you're describing.


Also: why did you turn off FileVault2? Just wondering.
 

ideal.dreams

A lot of things have been off with my computer lately...a keyboard shortcut that I used for years stopped working for no reason and I have no clue why or how to fix it, the animations when using Mission Control have become horribly choppy and slow and I've tried everything to fix that issue with no luck, and now this issue arises. I have no clue what the hell is going on with my system lately but it seems issues are coming one right after another.

I am an hour away from the closest Apple Store and I don't have the time to make the drive up there. I disabled FileVault 2 because it was interfering with safe booting - when I had it enabled it wouldn't allow my computer to safe boot so I disabled it.

It seems my only option at this point is to wipe the system clean and start over but I do not have the time or patience to do that.
 

sjinsjca

Yes, that would be my advice.

Back it up, ideally to two different external hard disks. Boot into the recovery partition. Wipe the disk. Reinstall OS X. Once running, reinstall your software (no trouble at all for App Store items). Then go into Time Machine and drag your documents (no apps!) back over.

It'll take some hours but should resolve all your issues.
 

ideal.dreams

I called Apple today and the senior advisor I spoke with ended up telling me that it is normal behavior for Spotlight to search across the entire drive, even in guest accounts, as of Mavericks. Which is either false or the absolute biggest security flaw ever...if my computer is stolen, all someone has to do is Spotlight search for documents and they can obtain anything I have on my computer. Definitely needs to be addressed.
 

w0lf

macrumors 65816
Feb 16, 2013
1,233
75
USA
Couldn't you just disable the guest account?

Where are the items you're talking about located? By default all items in ~/ except for public should have chmod 700 and files inside those should be protected by that.

I'd just start by going to terminal on your account and typing

Code:
ls -al ~/

Every folder (except public) should look like this:

drwx------+ [#] [user] staff

If they don't then somehow you've messed up your account.

If you don't want guests accessing your stuff you could just run:

Code:
chmod 700 /folder_with_the_porn

700 would be full access (rwx) for only the owner and no privileges to anyone else.

If your account is set up properly, your guest should not have access and it should not be able to see any of your files through spotlight, safari, terminal, finder or any other system browser.

Edit:

For exact replication of default folder settings you also want to run

Code:
sudo chmod +a "group:everyone deny delete" /folder_with_the_porn
 
Last edited:
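The permission check described in the post above, as an added example that is not part of the original thread: a small POSIX shell function that lists top-level folders in a home directory granting any access to group or other (anything looser than 700), skipping Public. The function names and the sample tree are assumptions made for illustration; it inspects mode bits only, not the ACL that the trailing `+` in the `ls` output indicates.

```shell
#!/bin/sh
# Added example: flag top-level home folders that are looser than mode 700.

# audit_home DIR
# Prints "<group+other bits> <folder name>" for each loose folder.
# Exit status: 1 if any loose folder was found, 0 if all are owner-only.
audit_home() {
    home=${1%/}
    loose=0
    for d in "$home"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue             # glob matched nothing
        [ -L "$d" ] && continue             # skip symlinks, they carry no mode of their own
        name=${d##*/}
        [ "$name" = "Public" ] && continue  # Public is meant to be shared
        # First field of `ls -ld` looks like drwxr-xr-x+ ; characters 5-10
        # are the group and other permission bits.
        bits=$(ls -ld -- "$d" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            printf '%s %s\n' "$bits" "$name"
            loose=1
        fi
    done
    return "$loose"
}

# Constructed sample tree (not the poster's real layout) for trying it out.
make_sample_home() {
    t=$(mktemp -d "${TMPDIR:-/tmp}/homeaudit.XXXXXX") || return 1
    mkdir "$t/Desktop" "$t/Documents" "$t/Public" "$t/School Work"
    chmod 700 "$t/Desktop"
    chmod 755 "$t/Documents" "$t/Public"
    chmod 750 "$t/School Work"
    printf '%s\n' "$t"
}

# Run against a real home only when a path is given: sh audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
    audit_home "$1"
fi
```

An empty result with exit status 0 means every folder other than Public is owner-only.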

ideal.dreams

Not a single folder that was listed in Terminal has those permissions. Here is a screenshot.

Also, people don't keep porn on their computers anymore. This is 2013, don't be ridiculous :D. No one else uses my computer so it's not an issue, but if my computer gets stolen or something crazy like that, the guest account can be used to pull up calendar events, emails, messages, documents, etc. Things more important than porn :p.
 

sjinsjca

Agreed, this is a horrendous security flaw... if it exists, and if that Advisor was telling you the straight story.

I don't have a non-FileVault'ed Mac to play with, but at least on my systems the Advisor's comment is NOT true: Account A does NOT have Spotlight access to Account B's files, in my testing here.

Nor should it. And frankly I doubt the Advisor was correct. Seems Apple would have had to break all sorts of stuff in Unix for this to happen. Given that OS X is trumpeted by Apple as a "POSIX-compliant, Open Brand UNIX 03 Registered Product" I really have my doubts this could be the case.

We need others in the community here to check out the behavior on their machines, and to raise holy hell with Apple if this turns out to be true.
 

w0lf

Based on that screenshot this pasted into terminal should fix you up (you'll need to input your password for the sudo commands to work):

Code:
chmod 700 /Users/$(whoami)/Desktop
chmod 700 /Users/$(whoami)/Documents
chmod 700 /Users/$(whoami)/Downloads
chmod 700 /Users/$(whoami)/Library
chmod 700 /Users/$(whoami)/Movies
chmod 700 /Users/$(whoami)/Music
chmod 700 /Users/$(whoami)/Pictures
chmod 700 /Users/$(whoami)/School\ Work
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Desktop
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Documents
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Downloads
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Library
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Movies
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Music
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Pictures
sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/School\ Work

Not sure how it got to be the way it is in your screenshot but that is not normal and here are the most likely scenarios that caused it:

1) You accidentally changed it and forgot
2) A program you used changed it with/without your knowledge
3) If this was a restore from a backup or other drive it's possible the properties were not maintained on transfer
4) Problem with FileVault but I've never used that and it should not be doing that even if you turn it on/off
 

ideal.dreams

I got the issue fixed.

1. I never mess around with permissions so I definitely was not the reason this happened.
2. It's possible but I haven't downloaded any new apps recently.
3. I didn't restore from a backup.
4. It's possible, since I did have FileVault enabled.

No way to know why or how this happened but at least it's fixed. The Sr. Advisor was clearly wrong in saying this is expected behavior.
 