User home directories. Fixing permissions and other bits.

I apologize for the length of this article but I would rather put in as much detail as possible so that anyone who wants to use this will have some useful info. If you just want to install and don’t care about the details scroll to the bottom 🙂

The following package I created to solve an issue with the default home directory template in Mac OS X, specifically OS X 10.6 – though I have updated this for 10.7 with some twists. This package may work with 10.5 but I don’t feel like reinstalling 10.5 to find out.

You may notice that when you create a new user account in OS X by default the permissions on every user accounts home directory permits anyone to view an item placed within that directory. If a user places it within a sub folder the data is protected by the permissions of those sub folders. Teaching a user to not place data in the “root” of their home folder, i.e. “/Users/chris”, is a chore and often unreliable. Moreover, all new folders created in the root of a users directory or other programs that create a folder in the users root, i.e. Dropbox, are also visible (read only) to any other users who have access to the system. To make matters worse, turn on file sharing by accident ( or on purpose ) and now anyone on the network can see these folders and their content. To solve this problem Apple recommends changing the permissions of each users home directory so that only the owner can read, write, and execute. That works assuming you remember to do this every time you create a new user but completely impractical if this machine is going on a network bound to a directory server; Active Directory, LDAP, or Open Directory.

You can read about this security risk in the Mac OS X Security Configuration Guide on Page 153.

Running this package will install or do the following:

  • A script called NewUserFixes.sh – This is put in the directory /usr/local/bin
  • A launchagent called NewUserTemplateFixes.plist – This is placed in “/System/Library/User Template/English.lproj/Library/LaunchAgents”
  • This launchagent will be copied into each new account created on OS X. The first time the user logs in it will run the NewUserFixes.sh which will set the more secure permissions on their home directory and then promptly delete itself so it won’t run ever again.
  • During the install process I run a script to change any currently created users.

Here is the one side affect I know of when running this package.

The Public folder will not work properly anymore. In other words, if you are allowing users to use their “/Users/chris/Public/Drop Box” it will no longer function. I suggest that they try using “/Users/Shared” folder instead.

If you just want a command to fix all the home directories currently on your machine run the following command in the terminal app as an admin:

[php]
sudo find /Users/* -type d -maxdepth 0 -not \( -type d -name Shared \) -exec chmod 700 {} \;
[/php]

If you want to allow web site sharing run this command in terminal as an admin.

[php]

sudo find /Users/* -type d -maxdepth 0 -not \( -type d -name "Shared" -prune \) -exec chmod +a "_www allow execute,read" {} \;

[/php]

This package is most useful when creating a master image for environments where you have multiple users on a computer or your Mac is bound to a Directory for user data. It can and will work fine in standalone environments.

Download:  NewUserTemplateFixesv1.1


Leave a Reply

Your email address will not be published. Required fields are marked *