All files on home account are available for viewing under guest account?

Discussion in 'OS X Mavericks (10.9)' started by ideal.dreams, Dec 27, 2013.

  1. ideal.dreams macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #1
    I was setting up an iPhone in my guest account and noticed when I used Spotlight to search for something, all of the files that are under my account came up. If I clicked on one of the files, sure enough it opened for full viewing and editing.

    What's the point of a guest account if everything is still readily available? When I went under Macintosh HD > Users > myusername and tried to click on any of the folders, it said permission was denied, but I'm still able to access the contents via Spotlight.

    Is this a glitch in Mavericks? Is there a setting I have to change to prevent this?
     
  2. ideal.dreams thread starter macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #2
    To anyone with this issue - Go to System Preferences > Spotlight > Privacy and add the Macintosh HD to the list of places that Spotlight won't search. Then restart the computer and go to the Spotlight settings again. Then remove Macintosh HD from the list of places not to search and the issue should be resolved.
     
  3. sjinsjca, Dec 29, 2013
    Last edited: Dec 29, 2013

    sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #3
    How very odd.

    On my machine, which is running Mavericks (10.9.1), the Guest account has Safari only-- no Spotlight functionality is available whatsoever.

    Also, I tried switching from my normal user account to another user account (this one a fully privileged Admin account) to see if I could Spotlight stuff in my normal user account. Nope.

    Now, I'd attached a USB external drive while in my normal user account, and when I switched to my Admin account, Spotlight could of course still see the files on the USB disk. Plus it could see things in my shared folders and Dropbox folder, which all my user accounts can access. But Spotlight returned nothing from, say, ~NormalUserAccount/Documents or ~NormalUserAccount/Desktop.

    So this behavior you describe is mystifying indeed.

    Is the "Guest" account of which you speak the official Guest account OS X optionally sets up, or a "Guest" account of your own construction?

    UPDATE: Digging further, it turns out that the Safari-only configuration of the Guest account on my machine is a consequence of my having FileVault2 turned on. I'd surmise FV2 is not turned on in your machine, but even if it isn't, I would not expect any software or process in a Guest account to be able to access anything in any other account... except folders that are explicitly shared. So that suggests you should go to your user account and check whether you've inadvertently set some folders to be shared.
     
  4. ideal.dreams thread starter macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #4
    I had FileVault 2 enabled but I disabled it a week or so ago and I noticed this issue without FV enabled. The guest account is the account that comes with OS X, not one I made myself. I didn't have any USB devices attached to my MBP when this issue occurred so it's definitely reading the files from my account, which is a fully privileged admin account.

    The "fix" I posted above actually does not work - as soon as Spotlight was done indexing, all of the files were again available if I searched for them.

    Must be a bug.
     
  5. sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #5
    It's a hellish one if so. Really hard to imagine what could be happening; OS X is Unix, and what you're describing is a total breach of userspace separation, which is baked deep in the pudding in Unix.

    1) Have you reviewed your folder permissions?

    2) If so, have you advised Apple? If you have verified that you have not inadvertently made folders (or your whole userspace) shared, please take your machine to a genius bar if you can, and request the attention of a senior genius. This is very serious stuff you're describing.


    Also: why did you turn off FileVault2? Just wondering.
     
  6. ideal.dreams thread starter macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #6
    A lot of things have been off with my computer lately...a keyboard shortcut that I used for years stopped working for no reason and I have no clue why or how to fix it, the animations when using Mission Control have become horribly choppy and slow and I've tried everything to fix that issue with no luck, and now this issue arises. I have no clue what the hell is going on with my system lately but it seems issues are coming one right after another.

    I am an hour away from the closest Apple Store and I don't have the time to make the drive up there. I disabled FileVault 2 because it was interfering with safe booting - when I had it enabled it wouldn't allow my computer to safe boot so I disabled it.

    It seems my only option at this point is to wipe the system clean and start over but I do not have the time or patience to do that.
     
  7. sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #7
    Yes, that would be my advice.

    Back it up, ideally to two different external hard disks. Boot into the recovery partition. Wipe the disk. Reinstall OS X. Once running, reinstall your software (no trouble at all for App Store items). Then go into Time Machine and drag your documents (no apps!) back over.

    It'll take some hours but should resolve all your issues.
     
  8. ideal.dreams thread starter macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #8
    I called Apple today and the senior advisor I spoke with ended up telling me that it is normal behavior for Spotlight to search across the entire drive, even in guest accounts, as of Mavericks. Which is either false or the absolute biggest security flaw ever...if my computer is stolen, all someone has to do is Spotlight search for documents and they can obtain anything I have on my computer. Definitely needs to be addressed.
     
  9. Mr. Retrofire macrumors 601

    Mr. Retrofire

    Joined:
    Mar 2, 2010
    Location:
    www.emiliana.cl/en
    #9
  10. w0lf, Dec 30, 2013
    Last edited: Dec 30, 2013

    w0lf macrumors 65816

    w0lf

    Joined:
    Feb 16, 2013
    Location:
    USA
    #10
    Couldn't you just disable the guest account?

    Where are the items you're talking about located? By default all items in ~/ except for public should have chmod 700 and files inside those should be protected by that.

    I'd just start by going to terminal on your account and typing

    Code:
    ls -al ~/

    Every folder (except public) should look like this:

    drwx------+ [#] [user] staff

    If they don't then somehow you've messed up your account.

    If you don't want guests accessing your stuff you could just run:

    Code:
    chmod 700 /folder_with_the_porn

    700 would be full access (rwx) for only the owner and no privileges to anyone else.

    If your account is set up properly, your guest should not have access and it should not be able to see any of your files through Spotlight, Safari, Terminal, Finder or any other system browser.

    Edit:

    For exact replication of default folder settings you also want to run

    Code:
    sudo chmod +a "group:everyone deny delete" /folder_with_the_porn
     
  11. ideal.dreams thread starter macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #11
    Not a single folder that was listed in Terminal has those permissions. Here is a screenshot.

    Also, people don't keep porn on their computers anymore. This is 2013, don't be ridiculous :D. No one else uses my computer so it's not an issue, but if my computer gets stolen or something crazy like that, the guest account can be used to pull up calendar events, emails, messages, documents, etc. Things more important than porn :p.
     
  12. sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #12
    Agreed, this is a horrendous security flaw... if it exists, and if that Advisor was telling you the straight story.

    I don't have a non-FileVault'ed Mac to play with, but at least on my systems the Advisor's comment is NOT true: Account A does NOT have Spotlight access to Account B's files, in my testing here.

    Nor should it. And frankly I doubt the Advisor was correct. Seems Apple would have had to break all sorts of stuff in Unix for this to happen. Given that OS X is trumpeted by Apple as a "POSIX-compliant, Open Brand UNIX 03 Registered Product" I really have my doubts this could be the case.

    We need others in the community here to check out the behavior on their machines, and to raise holy hell with Apple if this turns out to be true.
     
  13. w0lf, Dec 31, 2013
    Last edited: Dec 31, 2013

    w0lf macrumors 65816

    w0lf

    Joined:
    Feb 16, 2013
    Location:
    USA
    #13
    Based on that screenshot this pasted into terminal should fix you up (you'll need to input your password for the sudo commands to work):

    Code:
    chmod 700 /Users/$(whoami)/Desktop
    chmod 700 /Users/$(whoami)/Documents
    chmod 700 /Users/$(whoami)/Downloads
    chmod 700 /Users/$(whoami)/Library
    chmod 700 /Users/$(whoami)/Movies
    chmod 700 /Users/$(whoami)/Music
    chmod 700 /Users/$(whoami)/Pictures
    chmod 700 /Users/$(whoami)/School\ Work
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Desktop
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Documents
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Downloads
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Library
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Movies
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Music
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/Pictures
    sudo chmod +a "group:everyone deny delete" /Users/$(whoami)/School\ Work
    
    Not sure how it got to be the way it is in your screenshot but that is not normal and here are the most likely scenarios that caused it:

    1) You accidentally changed it and forgot
    2) A program you used changed it with/without your knowledge
    3) If this was a restore from a backup or other drive it's possible the properties were not maintained on transfer
    4) Problem with FileVault but I've never used that and it should not be doing that even if you turn it on/off
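
The permission check described in posts #10 and #13, as an added example that is not part of the original thread: it lists every top-level folder in a home directory that is looser than 700 (skipping Public) and can tighten the ones it finds. The function names `audit_home` and `lock_home` are hypothetical; the script looks only at the POSIX mode bits, not the ACL entry set with `chmod +a`, and ignores hidden folders.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh audit.sh "$HOME"

# Print the name of every top-level folder in $1 that grants any access to
# group or other. Prints nothing when all folders are owner-only (700).
audit_home() {
    home=$1
    for path in "$home"/*/; do
        path=${path%/}
        [ -d "$path" ] || continue      # glob matched nothing / not a folder
        [ -L "$path" ] && continue      # do not follow symlinks
        name=${path##*/}
        # Public is meant to be readable by other accounts, so skip it.
        [ "$name" = "Public" ] && continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        # A 700 folder shows "------" there; an ACL "+" marker, if present,
        # is character 11 and is not inspected here.
        bits=$(ls -ld -- "$path" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s\n' "$name"
    done
    return 0
}

# Apply chmod 700 to every folder audit_home reports, then audit again.
# Returns 0 only if nothing is left exposed.
lock_home() {
    home=$1
    audit_home "$home" | while IFS= read -r name; do
        chmod 700 "$home/$name"
    done
    [ -z "$(audit_home "$home")" ]
}

# Audit only (no changes) when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_home "$1"
fi
```

Run the audit from the account that owns the folders; an empty result means no top-level folder is readable by other local accounts through its mode bits.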
     
  14. ideal.dreams thread starter macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #14
    I got the issue fixed.

    1. I never mess around with permissions so I definitely was not the reason this happened.
    2. It's possible but I haven't downloaded any new apps recently.
    3. I didn't restore from a backup.
    4. It's possible, since I did have FileVault enabled.

    No way to know why or how this happened but at least it's fixed. The Sr. Advisor was clearly wrong in saying this is expected behavior.
     
