How to secure the files in my OSX account?

Discussion in 'macOS' started by wavicle, Apr 2, 2015.

  1. wavicle macrumors newbie

    Joined:
    Sep 10, 2013
    Location:
    Dublin, Ireland
    #1
    Hi guys!

    I'm a bit of a newbie here. I often read the forums, but this is my first post.
    I'm a Mac user for more than 5 years and whenever I have a problem or a question I can usually find the answer on my own.

    However, I can't find the answer to what seems like a simple question to me.
    Basically I'd like to know how secure are the files in my OSX account.
    Throughout the time I've had a Mac I've always had just one account on it - mine.
    Now I'd like to create another account for occasions when a friend/colleague would like to use my computer. I know about the standard Guest account in OSX, but that's limited just to the use Safari. So I decided to create another regular account for guests.

    I'd like to know whether the other users have a way to gain access to the files and folders in my account?
    I guess they can't, because I assume that's the way OSX is designed. But I remember that, in Windows, a user can go into the system folders and look at and open another user's files and folders. Can that happen in OSX?

    If it matters I'm on OS10.9.5 (Mavericks) and I use an admin account (since it's the only one in the system other than the Guest one). Btw I also use FileVault, so I believe I have the whole SSD encrypted.
     
  2. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #2
    Try this:
    1. Create a new account.
    2. Login to it.
    3. Check whether you can read files from your other account.
    In short, try it and see what happens.

    If you don't want to keep the new account, logout from it, login to your main account, and delete the trial account.
     
  3. grahamperrin macrumors 601

    grahamperrin

    Joined:
    Jun 8, 2007
    #3
    With FileVault 2

    A standard user, without admin credentials, can access only what other users wish to be accessible. Loosely speaking, those areas are:

    ~/Public
    ~/Sites

    An admin user can typically access everything in all home directories that are in the same logical volume.

    Without FileVault 2

    All users can access all files.

    Methods of doing so are not immediately obvious – most users think in terms of Finder – but the methods are well known and easily applied.
     
  4. wavicle thread starter macrumors newbie

    Joined:
    Sep 10, 2013
    Location:
    Dublin, Ireland
    #4
    Thank you chown33 and grahamperrin!

    I ended up creating a new account, managed with Parental Controls.
    Once I was inside the new account, to my huge surprise, I could look into the home folder of my own admin account, the subfolders and the files!
    Prior to that, I thought that OSX was designed in a way that would not allow user to look into each other's home directories.
    I went back to my own account and changed the permissions of my home folder to No Access for everyone. But even after that I can still see the subfolders' names. For some reason, there seems to be no way to just deny access to the whole home directory, or is there? I had to change the structure of my home folder and change permissions for each subfolder left in it.

    The problem stems from the fact that I'd like to be able to allow friends/family to occasionally use my Mac if they ask to. I don't want to be a weird guy who won't allow people to touch his computer.
    Normally, the standard Guest account in OSX would be perfect for this. But I have FileVault enabled and that changes the Guest account to Safari-only. Is there a workaround to this?

    Are things any better in Yosemite?
     
  5. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #5
    The path for a user's home directory is "/Users/username".

    By default on my Mac, the permissions are set such that all users may see the contents of those directories. You can change them if you'd like.

    1. Change /Users so that users cannot list the contents, but they can traverse the directory to get to directories they know exist

    Code:
    sudo chmod og-r /Users
    2. Change your home directory such that other users cannot read it or list the contents.

    Code:
    chmod og-rx /Users/username
    Change the "-" symbols to "+" to put the permission back to what it was.

    FileVault2 wouldn't change any of this behavior. It's happening at a much lower level.
     
  6. wavicle thread starter macrumors newbie

    Joined:
    Sep 10, 2013
    Location:
    Dublin, Ireland
    #6
    Thank you mfram!

    I tried both options you gave me. The problem I have with the first one (sudo chmod og-r /Users) is that the Shared folder is inaccessible even if I go Finder->Go to Folder.

    The second option seems to be what I was looking for and both users can still access the Shared folder.


    So then:
    • FileVault is on;
    • I am the only admin on my Mac;
    • I have used "chmod og-rx /Users/MyAccount" to cut off the other users from accessing that account.
    Are my files now completely unaccessible by anyone other than me? (not counting the possibility that Apple/governments may gain access through the FileVault recovery key that Apple has). But I mean there's no way for the other user in the system to change permissions or do some magic trick to access my account?
     
  7. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #7
    Not unless they can use 'sudo'.

    Using the first command, you should still be able to access the /Users/Shared folder. But you wouldn't be able to see the contents of /Users in Finder.
     
  8. wavicle thread starter macrumors newbie

    Joined:
    Sep 10, 2013
    Location:
    Dublin, Ireland
    #8
    But they can't use the "sudo", because that requires the admin password, which they don't have. Also, they can't even open Terminal because that requires a password as well, due to the account being managed with Parental Controls.
    So now they have no way to break in, right?

    I just tried again, but what that does is that it blocks access to the "Users" folder and the "Shared" folder is inside "Users". I can't access it even through my admin account - in Finder I can't open up "Users" and if I go Finder->Go->Go to Folder->"/Users/Shared", it says "The folder "Users" can't be opened because you don't have permission to see its contents."

    Or was I supposed to do the "sudo" command like that:
    Code:
    sudo chmod og-r /Users/MyAccount
     

Share This Page