New User/Home Directory Fixes

I apologize for the length of this article but I would rather put in as much detail as possible so that anyone who wants to use this will have some useful info. If you just want to install and don’t care about the details scroll to the bottom 🙂

The following package I created to solve an issue with the default home directory template in Mac OS X, specifically OS X 10.6 – though I have updated this for 10.7 with some twists. This package may work with 10.5 but I don’t feel like reinstalling 10.5 to find out.

You may notice that when you create a new user account in OS X by default the permissions on every user accounts home directory permits anyone to view an item placed within that directory. If a user places it within a sub folder the data is protected by the permissions of those sub folders. Teaching a user to not place data in the “root” of their home folder, i.e. “/Users/chris”, is a chore and often unreliable. Moreover, all new folders created in the root of a users directory or other programs that create a folder in the users root, i.e. Dropbox, are also visible (read only) to any other users who have access to the system. To make matters worse, turn on file sharing by accident ( or on purpose ) and now anyone on the network can see these folders and their content. To solve this problem Apple recommends changing the permissions of each users home directory so that only the owner can read, write, and execute. That works assuming you remember to do this every time you create a new user but completely impractical if this machine is going on a network bound to a directory server; Active Directory, LDAP, or Open Directory.

You can read about this security risk in the Mac OS X Security Configuration Guide on Page 153.

Running this package will install or do the following:

  • A script called NewUserFixes.sh – This is put in the directory /usr/local/bin
  • A launchagent called NewUserTemplateFixes.plist – This is placed in “/System/Library/User Template/English.lproj/Library/LaunchAgents”
  • This launchagent will be copied into each new account created on OS X. The first time the user logs in it will run the NewUserFixes.sh which will set the more secure permissions on their home directory and then promptly delete itself so it won’t run ever again.
  • During the install process I run a script to change any currently created users.

Here is the one side affect I know of when running this package.

The Public folder will not work properly anymore. In other words, if you are allowing users to use their “/Users/chris/Public/Drop Box” it will no longer function. I suggest that they try using “/Users/Shared” folder instead.

If you just want a command to fix all the home directories currently on your machine run the following command in the terminal app as an admin:

sudo find /Users/* -type d -maxdepth 0 -not \( -type d -name Shared \) -exec chmod 700 {} \;

If you want to allow web site sharing run this command in terminal as an admin.

sudo find /Users/* -type d -maxdepth 0 -not \( -type d -name “Shared” -prune \) -exec chmod +a “_www allow execute,read” {} \;

This package is most useful when creating a master image for environments where you have multiple users on a computer or your Mac is bound to a Directory for user data. It can and will work fine in standalone environments.

Download:  NewUserTemplateFixesv1.4

Versions:

1.0 – Initial offering

1.01 – Minor tweaks to text in installer

1.02 – Added post script fix for current users

1.03 – Added post script command that adds an ACE to allow the “Sites” folder to work with Web Sharing

1.04 – Added fix for NewUserFixes.sh so that it will add an ACE for all new users. See 1.3

1.1 –    Added Java WebStart Plugin activation for new users in Safari (Inspiration from Rich Trouton)

1.4 – Added .vimrc settings

3 thoughts on “New User/Home Directory Fixes

  1. Pingback: Github | Musings

  2. jemmyn

    I am working in a server environment and wanted to apply this same idea to my server but I have all the home directories in a different drive in separate folders according to what group they are a part of. Since this is a school environment we have 3 separate groups: office, teachers, students each of these groups have separate root home folders: /Volumes/users/office, /Volumes/users/teachers, /Volumes/users/students I needed to adapt this script to work in this environment. All my clients connect to a MacOS 10.7 Server for opendirectory and filesharing.

    I messed something up with my sharing privileges and rights to home folders because the home folders were restricting access to other users seeing their Desktop and Documents folders but the rest were readable by the every other user. I am not a fan of how Mac Server by defaults allows you into every users home folder and just restricts access to the subfolders inside of the home folder anyway. It makes more sense to have the whole entire home folder set to 700 so only the owner can get to it. This way if a user saves a document to their home folder by accident rather than Desktop or Documents, not everyone else in the server has access to it.

    I found it was essentially the same principal since when a new user is created and they login they download the /System/Library/User Templates/English.lproj from the server and use it as their own home folder so I already had a customized one of these setup.

    The main things I had to do differently is where the above script defines the home folder based on whoami and then just sticks /Users before it I changed the path the be based on $HOME instead that way no matter where the root home folder was for that group of users it would still execute the script correctly and the LaunchAgent would work too. This in fact may be a better more reliable way to to it across the board. I have not done any testing on any other systems or environments but I think this should work for everyone.

    Oh I also referenced this page in order to make the LaunchAgent work correctly. I used the example at the bottom of the page: http://apple.stackexchange.com/questions/36552/run-bash-script-at-login-stored-in-the-home-folder

    Here are my changes. Thanks for the hard work on the initial LaunchAgent and shell script, if you had not done this in the first place I would not have known where to start. NOTE: I did not test the web side of the script.

    https://drive.google.com/folderview?id=0B3s5Og_ZhO6IUV9RLVR5MlhzZmc&usp=sharing

    Reply
    1. Christopher Silvertooth Post author

      Awesome. I haven’t looked at this script in a while and am not sure if it still works in 10.9 – though I would assume so. I will definitely take at look some of your changes… You can never learn enough 😉 I should finish adding it to GIT so you can pull down the latest and add back in.

      Cheers,

      Chris

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *