Standard User Accounts: Can they see the administrators files?

Discussion in 'Mac Basics and Help' started by macboy2008, Dec 16, 2009.

  1. macboy2008 macrumors newbie

    Joined:
    Dec 16, 2009
    #1
    I as the administrator on my macbook am about to set up a standard account for my brother. I wanted to keep all my files private, previously I had pacific private folders in the MACINTOSH HD folder these folders you could see in the standard account. I read online and moved the folders into my pacific HOME folder, so basically from what I understand he wont be able to see my files in this folder from his account?

    When logging onto his account from FINDER I can see my user account, now in here there are 11 icons to choose from, four of them carry a little red circled minus.

    • Desktop
    • Downloads
    • Library
    • Movies

    Whilst the other seven don't have these little minus signs, however the first three (below) give the same prompt as the four (above), "The folder <folder name> could not be opened because you do not have sufficient access privileges". The four (marked with *) from below with these I am able to browse the folders.

    • Documents
    • Music
    • Pictures
    • Apps*
    • Public*
    • Restore*
    • Sites*

    Is this how it should be? Should I be worried about the folders without the minus signs, and then the few that are accessible from the standard account, why are they accessible? such as the sites folder does it contain cookies etc.
     
  2. flatfoot macrumors 65816

    Joined:
    Aug 11, 2009
    #2
    If I were in your place I would do the following:
    1. open a terminal window
    2. enter "/Users" (which brings you to the folder in which all user folders are stored)
    3. enter "ls -l" to verify the name of your home folder
    4. enter "sudo chmod -R 700 <name of your home folder>" (this sets permissions so that only you can access your home folder and all its subfolders)
    5. enter your admin password when prompted
    6. open DiskUtility and repair permissions so that everything that might have been messed up before or by the previous terminal command is rectified again
     
  3. BlueRevolution macrumors 603

    BlueRevolution

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
    #3
    Do not do what flatfoot said. No offense, but if you're there, I don't want to be.

    1. So far so good. Terminal is found at /Applications/Utilities/Terminal.app.

    2. The command should be cd /Users

    3. For reference, this command is all lowercase, so ls -l

    4. This is where things start to go oh so wrong. sudo chmod -R 700 will change every file in your home folder and in all subfolders, which has serious repercussions and is not easily fixable down the road. Instead, I'd run the following:

    cd [your home folder name]
    sudo chmod go-rwx *
    sudo chmod 755 Public Sites


    This will prevent unauthorized access, won't affect files if subsequently moved/shared outside of your home folder, and will protect access to your Public and Sites folders, which you do want others to be able to access.

    (Technical note: I used go-rwx in the first command because I didn't want to mess with the existing user permissions, so any files with the execute bit not set won't suddenly wake up to find themselves with new exciting permissions. In number two, I used the ### form because I named two directories explicitly and know what permissions they should have.)

    5. I'm with you there. Bear in mind that unlike elsewhere in Mac OS X, the shell doesn't show ********* as you type. It's listening anyway.

    6. If you set permissions properly in the first place, you won't need to go back and use Disk Utility to hack together a fix.
     
  4. macboy2008 thread starter macrumors newbie

    Joined:
    Dec 16, 2009
    #4
    confused

    Wow. No offense guys but i am further confused than when I began, I have never done anything like this before such as using terminals and commands. Are they nessacery for what I need to do? Thanks for your replys
     
  5. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #5
    Leaving aside terminal commands, if I understand your description correctly, it is appears to be set up the way it should be by default. The four that are accessible from other accounts is because they're considered public by the system, which is the correct default behavior.

    The Sites directory, to answer your question, has nothing to do with sites you visit, or cookies, or browser preferences, or anything of the sort. It is where websites you create go, such that someone connecting to your computer with a web browser will be able to view them. That's why it's got permissions such that other users can see the content--that's the point of it. If you enable Web Sharing in the Sharing preference pane, you can try typing http://localhost/~[YourShortUserName]/ into a web browser (replacing the thing in brackets with the name used on your user's folder), you will get a listing of that directory (or a web page, if there's one in there).

    Of course, most people never create anything to put in there, so it sits not doing anything. This is fine. And of course, if you don't have Web Sharing enabled, it also won't do anything. Fine to leave it alone, though.

    Basically, while the commands outlined by BlueRevolution would set things up to make absolutely sure no non-admins have access to anything, the permissions are probably already set with enough security for your purposes.
     
  6. BlueRevolution macrumors 603

    BlueRevolution

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
    #6
    Sorry, I've been incommunicado for a while, but just thought I'd check back to see if you'd taken flatfoot's advice and screwed up your system as a consequence.

    What Makosuke says is true. The default permissions are enough to protect your personal data from casual inspection, and the Sites folder can be and should be viewable to the public. Don't delete it, but it's fine sitting there doing nothing. Unless you modify it, it looks exactly the same from every user's account and by default contains nothing of any interest to anyone, unless you're interested in setting up a web server. If you do modify it manually, it'll be because you want other users to be able to see your modifications. If you want to see what it's for, open it up and double-click on index.html.

    Huh, I just tried it for the first time on Leopard. This is what it had to say:

    That's just embarrassing. I would have expected better writing from Apple. Hell, I wouldn't even expect an error like that from Microsoft.

    Bottom line: don't put anything directly into your home folder and you'll be fine. As long as your sensitive files are in ~/Documents or the other folders you mentioned, no problem. If not, bear in mind that any other files or folders created in ~ (the home folder) by you or by applications will be readable unless you use the method I posted above to make sure they're not. Even if you do so, it'll only affect files currently in there, so it's best just to put your stuff in documents, photos, etc. unless you have a reason not to do so.

    Of course, any other competent users with administrator access to your system will be able to read your files regardless of what permissions you set. Never share your password, only create admin accounts for people you trust and who have a legitimate reason for it, and so forth. Refusing to make an admin account need not be an indication that you mistrust someone, just that you want to maintain control of your computer. Don't feel ashamed to do so.

    If I take my computer in to the shop, I go so far as to back up my hard drive, erase it completely, and create a fresh install just for them.

    If you're concerned about privacy, enable FileVault to encrypt your entire home folder. Even other administrators won't be able to access your data without the password then. Be aware that some sharing features may not be compatible with FileVault.
     
  7. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #7
    Also be aware that if you forget your password and are using FileVault, you will not be able to get to any of your files, period. Not a big problem for most people, but something to be aware of--encryption is a two-edged sword.

    For reference, if you're not using FileVault and someone has physical access to the computer and sufficient time, they can get anything they want off it that's not encrypted. "It's not a bug, it's a feature."

    Point being not to scare or confuse you, just to keep in mind that, as BlueRevolution said, the default permissions will prevent normal non-admin users from digging around in your Documents folder, which is probably plenty for most uses. If, however, you want more serious security, FileVault and a good password are your best bet.
     
  8. flatfoot macrumors 65816

    Joined:
    Aug 11, 2009
    #8
    BlueRevolution, calm down. He would not have screwed up his system if he had followed my advice.
    I did it this way before and it worked each and every time.
     
  9. Mumford macrumors regular

    Joined:
    Oct 8, 2006
    Location:
    Altadena, CA
    #9
    Depending on what he uses his system for, he very well could have. BlueRevolution's warning is exactly spot-on. If he hadn't posted it, I would have. Screwing around with permissions can get you in trouble fast.

    Oh, and you might want to investigate why you can remove -R from that chmod command, and achieve essentially the same result without blowing away the permissions on everything in your home directory.
     

Share This Page