How to set up my Mac for multiple users, but keeping folder and file access private? On my Mac it is currently not possible to select "No access" for a second user. The least is "Read only". What am I doing wrong?
MacBook Air 15″, macOS 26.1
This sounds like you are trying to be compliant with rule 5.1.1 - Secure User's Home Folder, of the CIS Security Guidelines. Please note: user accounts must be standard as admins will have access to sudo and be able to circumvent the permissions restrictions. Here is the guideline. Reference the latest CIS Benchmark for more details.
The system MUST be configured to prevent access to other user's home folders.
By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a "Documents" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system. The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures. Similarly with macOS, users can see into every new Directory that is created because of the default permissions. Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
The easiest way to implement this is with an MDM. If you have Jamf Pro, enable the Compliance module and set this rule to be enforced. If you do not have Jamf, but you have an MDM, you can create a recurring policy to enforce this on a periodic schedule. Alternatively, if you are able, you can use watched paths though launchd or even watched folder via AppleScript (not recommended as it is more complicated) to monitor the Users folder.
Here is the main issue. Apple's default folders (Desktop, Documents, Downloads, Library, Music, Movies, and Pictures are set to POSIX permissions 700 (rwx------), allowing only the owner to open and view. Ah, but if a user creates a new folder in the home folder, that folder will be created with the standard POSIX permissions of 755 (rwxr-xr-x), allowing group and other read and access rights. Here is an example.
John and Mary are sharing a machine and each has a home folder and a unique account. Mary creates a folder titled HR at the root of her home folder. If no action is taken, then John will be able to see, open, and copy files inside the HR directory.
The CIS guide provides a bash script to automate the management of this:
IFS=$'\n'
for userDirs in $( /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" ); do
/bin/chmod og-rwx "$userDirs"
done
unset IFS
But, as noted, this needs to be automated to handle the actions of the future. If you run this script today, it will impact the folders that are present today. Thus, if Mary creates a folder called Salaries tomorrow, that folder will be accessible to John until the script runs again. The CIS Benchmark provides the solution but does not provide the automation process. Again, if you do not have an MDM, this becomes more complicated as you need to implement manually on each machine. You can install the script and then either create a launch deamon or cron entry to have it repeat at a fixed interval.
Hope this is helpful.
This sounds like you are trying to be compliant with rule 5.1.1 - Secure User's Home Folder, of the CIS Security Guidelines. Please note: user accounts must be standard as admins will have access to sudo and be able to circumvent the permissions restrictions. Here is the guideline. Reference the latest CIS Benchmark for more details.
The system MUST be configured to prevent access to other user's home folders.
By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a "Documents" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system. The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures. Similarly with macOS, users can see into every new Directory that is created because of the default permissions. Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
The easiest way to implement this is with an MDM. If you have Jamf Pro, enable the Compliance module and set this rule to be enforced. If you do not have Jamf, but you have an MDM, you can create a recurring policy to enforce this on a periodic schedule. Alternatively, if you are able, you can use watched paths though launchd or even watched folder via AppleScript (not recommended as it is more complicated) to monitor the Users folder.
Here is the main issue. Apple's default folders (Desktop, Documents, Downloads, Library, Music, Movies, and Pictures are set to POSIX permissions 700 (rwx------), allowing only the owner to open and view. Ah, but if a user creates a new folder in the home folder, that folder will be created with the standard POSIX permissions of 755 (rwxr-xr-x), allowing group and other read and access rights. Here is an example.
John and Mary are sharing a machine and each has a home folder and a unique account. Mary creates a folder titled HR at the root of her home folder. If no action is taken, then John will be able to see, open, and copy files inside the HR directory.
The CIS guide provides a bash script to automate the management of this:
IFS=$'\n'
for userDirs in $( /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" ); do
/bin/chmod og-rwx "$userDirs"
done
unset IFS
But, as noted, this needs to be automated to handle the actions of the future. If you run this script today, it will impact the folders that are present today. Thus, if Mary creates a folder called Salaries tomorrow, that folder will be accessible to John until the script runs again. The CIS Benchmark provides the solution but does not provide the automation process. Again, if you do not have an MDM, this becomes more complicated as you need to implement manually on each machine. You can install the script and then either create a launch deamon or cron entry to have it repeat at a fixed interval.
Hope this is helpful.
When you create users normally on a mac, everything inside one user's home folder is inacessible to other users, except for the "Public" folder, so usually you do not have to do anything.
Each user's content is private by default.
You can test this.
In Finder, press Command-Shift-H to go to your home folder; then press Command-upArrow to go one level up.
You will see the home folders of users.
Now try to open another user's home folder.
You will see something like the image below. Notice all those forbidden signs. If you try to open any these folders, you won't be able to.
Ya... the Get Info window has been broken for so long I can't recall when it was useful.
If you are handy with Terminal, you can do this on a per folder basis for testing. Again, a scenario. Replace with your users.
Mary (/Users/mary) creates a folder called "My Private Stuff" using the Finder. This folder has standard umask of 755. While logged in as Mary, open terminal and execute the following command:
chmod 700 /Users/mary/My\ Private\ Stuff
In the example above, replace the home folder name with the one on your test machine. And replace the path to the actual folder name (I used an example of a folder with spaces to show how you must escape the spaces).
Once the permissions are changed, log out of Mary's account and log into John's. John will see "My Private Stuff" in Mary's home folder but it will now have the prohibited sign on it, preventing traversal.
Hope this is helpful. Remember, to truly enforce, you must repeat the actions, constantly looking for the creation of new folders at the root of the home.
KWK4711 wrote:
Hi Strontium90,
Thanks for your quick response. This helps me a lot. I am surprised that the Mac does not let me change the rights via the "Get Info -> Share .. " route in a user friendly way.
You can. I can’t quite understand what you’re trying to accomplish. For any given user no other user has any access to their home folder, except reading the folder itself in order to provide access to your public dropbox and the Sites folder. Every sub folder will either be readable because it’s public or have no access for everyone. If you create a new folder inside your home, it will inherit the parent folders permissions, which includes read only for the staff group and everyone. You should delete the staff group and set everyone to no access for those folders if you do not want them to be read by others. POSIX permissions are not the same as Windows permissions. On Windows, by default, every user has access to everything and must be specifically prohibited from accessing things. In Unix, every user has no access to anything by default and must be given specific access. So, you don’t have to deny access to the other user as it is already denied. No access is not a user permission because it is already no access by default.
Hi Luis,
Thanks for your quick response. This works as you describe. However, apart from the standard folders shown above, I created several other folders in my home folder. Those do not have the forbidden sign and are accessible by the other user on the Mac. I changed the access level for the "everyone" group to "No access" but this does not become effective. When I try to change the rights for the other user on my Mac, I do not get the option "No access". This seems to be a very strange behaviour of the OS to me.
Is this a bug or am I doing something wrong?
KWK4711 wrote:
Hi Luis,
Thanks for your quick response. This works as you describe. However, apart from the standard folders shown above, I created several other folders in my home folder. Those do not have the forbidden sign and are accessible by the other user on the Mac. I changed the access level for the "everyone" group to "No access" but this does not become effective. When I try to change the rights for the other user on my Mac, I do not get the option "No access". This seems to be a very strange behaviour of the OS to me.
Is this a bug or am I doing something wrong?
There is no "everyone" group. There is yourself. Then there is your group, which is probably "staff". Then "everyone" is everyone else. If you want to restrict access to just you, you must change both "staff" and "everyone".
Thanks. I have 40 years IT experience in enterprise environments and have a little bit of Linux hands on experience.
For my private Mac your explanation, the chmod command, and some guidelines for my "Mary", will be sufficient to keep things secure.
Thanks very much again 😊
Hi Strontium90,
Thanks for your quick response. This helps me a lot. I am surprised that the Mac does not let me change the rights via the "Get Info -> Share .. " route in a user friendly way.
How to revoke access to files for a second user on my Mac
