MacOS – Protecting a user home folder using chmod and umask

foldersmacospermissionprivacy

I want to create a standard (non-administrator) user on my Mac, and ensure that they cannot access my files.

Does the following make sense, and will there be any adverse consequences?

sudo launchctl config user umask 077 (when creating new files and folders, ensure group and others can't see them)

chmod -R go-rwx ~ (for existing files and folders in my home folder: remove read, write and execute permissions for group and others)

In particular, I'm worried about:

Messing up any extended permissions
Whether it's OK to alter permissions on my ~/Library and ~/Applications and ~/Applications (Parallels) and ~/tmp folders
Is there anything outside of my home folder I need to think about protecting?

Is there anything I'm missing, before I try this and potentially brick my system?

I'm actually shocked that what I've described above is not the default configuration for MacOS, as it would prevent different users from seeing each others' files.

Best Answer

macOS by default sets the permission on the standard directories (Documents, Pictures, Music, Library etc) to 0700. If this somehow got changed you can easily run

chmod 0700 ~/{Documents,Pictures,Music,Library,Downloads,Movies}

to fix it. And of course you can use the same command to change the access rights for other directories as needed.

To also protect any dot files etc you can also run

 chmod 0700 ~.

In any case you don't need to specially treat subfolders if the parent folder is already protected.

Related Solutions

MacOS – How Should I Correct the Owners and Permissions in an OS X User Folder

The first step I would recommend is to try resetting your home folder permissions with the Reset Password utility in Lion Recovery. (Despite the name of the utility, you won't actually be resetting any passwords.)

Resetting the home folder permissions with the Reset Password utility will reset both the owner and the permissions.

Restart your Mac holding ⌘+R to boot into Lion Recovery, which will bring you to the Repair Utilities screen.
Open Terminal from the Utilities menu.
In Terminal, enter resetpassword to open the Reset Password utility.
Choose your hard drive icon at the top, then choose your user from the drop-down menu below. Do not reset the password here.
At the bottom of the window, under "Reset Home Directory Permissions and ACLs", click the "Reset" button. This may take awhile if you have a lot of files in your home folder.

This should solve your permissions problems for most apps. However, it's possible you may have a few apps which had saved files with special permissions that are different from the user's default permissions (like preferences or application support files). For those apps, you may need to delete their preferences or reinstall the app.

If resetting your home folder permissions doesn't work, then you may need to try restoring from a backup or transferring your data to an external drive.

MacOS – Migrating to new user account: must chown old account’s files… I think

You can check and re-assign ownership recursively over a directory tree with find, stat and chown.

#!/bin/bash

olduser=<oldusername> # replace this with your old username
newuser=<newusername> # replace this with your new username
dir=<dir> # replace this with the directory you want to run through

find $dir | while read filename
do
  owner=$(stat "$filename" | cut -d ' ' -f 5)
  if [ $owner == $olduser ]
  then
    chown $newuser $filename
  fi
done

Best Answer

Related Solutions

MacOS – How Should I Correct the Owners and Permissions in an OS X User Folder

MacOS – Migrating to new user account: must chown old account’s files… I think

Related Question