Help restricting folder access


ajf

I have a second (standard) user account on my iMac and want to make sure my own files are not available.
Logged in as the second user and browsing the hard disk to my own user folder, most of the folders are already restricted, but two, which I have created rather than system-created, are available to the second user.

I cannot see why this is.
The permissions on the folder when I log in are:
Me - read & write
everyone - No Access
Staff - Read Only

What/who is the Staff access for? I have not knowingly added it and I cannot remove it or change to No Access.

Thank you
Andrew
 
Staff is a default group, I think everyone is in it, Standard accounts included.

Admin accounts are in the Staff group and the Wheel group, Standard accounts are in the Staff group.

If you set your entire user folder to Write Only for Staff it'll fix it, but obviously it'll make your entire home folder inaccessible to everyone. And by everyone I mean everyone not just the everyone group :D

You *can* remove access for Staff but you have to do it through Terminal I think and if I'm honest I really can't remember how. I've done the course that covers it and got the cert but it didn't stick!
 
Staff is a default group, I think everyone is in it, Standard accounts included.

Admin accounts are in the Staff group and the Wheel group, Standard accounts are in the Staff group.

I thought only root was in the wheel group, with administrators part of the staff group?

As has been stated, you can probably view these files on the second account because standard users are put into the staff group - so the 'staff - read only' is where you're giving away that access.

There's no reason why you shouldn't be able to delete that staff group from the list. Make sure you're authenticated to make changes in the folder's Get Info window, ensuring that the lock in the bottom right of the Get Info window is unlocked, otherwise it'll only look like you can add people/groups.

If it is unlocked and you're still having no joy, you can make the changes in Terminal (assuming you're comfortable with it) by using the following command and hitting return:

chmod 700 ~/FOLDERNAMEHERE

The above command assumes the folders you want to hide are within the Home folder, which is what the ~ stands for.
 
Could be that only root is in the wheel group, as I said I'm not mega clued up on it. I've been taught it but a lot of it didn't stick if I'm honest, too complicated for me!

I made a new folder in my home folder, changed to another user and tried to get in, and I could, so I tried to change Staff to no access, and I couldn't. Tried to delete the Staff group from the list and couldn't (as an admin) so I assume you do have to do it through Terminal, but as I said I couldn't remember the command, and chmod is it. I'm next to useless with Terminal stuff from memory. Tell me what to do and I'll do it but that's as far as it goes for me :D

Does there not have to be a -r in there somewhere to make it recursive? Again, I'm pretty useless at command line stuff so tell me if I'm barking up the wrong tree, as it's quite likely I am, and I won't be offended.
 
I didn't think it would need a recursive as it's allowing zero access into the top-level folder (the same as anything in the Home folder excluding Public and Sites). But recursive always confuses me slightly so I created a new folder in my Home and dropped a PNG into it.

As the other standard user, I'm not allowed access into this folder (as is the case with Pictures, Music, Movies etc...) and if I search for the PNG file within one of those folders, it doesn't appear at all.

I'm currently studying for the OS X technician exam so my advice could be wrong but I think that should be enough to hide away the folders (and their content) from other users.
 
All recursive does is apply the change to the folder you're in and all the folders within it, so for permissions changes you really will want to be adding it.

With me the other admin user was allowed into the folder but I don't have any Standard accounts so I didn't try it. The nitty gritty of OSX does confuse me a bit and I tend to do it by trial and error.

Believe it or not I'm an Apple Certified Support Professional :D

I took the exam and passed it on my own merit but it was just after the training, and if I'm honest I've forgotten a lot of it. For my needs I know enough, I'm the manager of a Premium Reseller so 99% of our customers are home users so I know plenty, I'd be way out of my depth running any sort of proper network though!
 
That is quite unusual. I just tried to access the folders with an admin (other) and standard account and neither of them can get into my Home folders from the GUI. The chmod 700 really should just allow the creator and no one else to look inside the folders, unless there's something superseding that I'm missing.

Can't blame you for forgetting some of it, I'm only halfway through the book and have pages and pages of notes on each chapter alone. I was considering doing the Server exam after this but I'm almost afraid to preview the chapters. :D
 
I felt like my brain was going to squirt out of my ears a few times when I did Support Essentials. (Which is the ACSP course/exam)

All good stuff to know though and I did take away plenty of stuff that I've used since, it was absolutely worth doing and I can see why the firm put all the store managers on it. Definitely glad I did it :)
 
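The chmod 700 fix and the recursion question discussed in this thread, as an added example that is not part of any post: a small audit that lists folders whose permission bits still grant something to the group (staff) or to everyone, then applies the fix without -R. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a home folder for subfolders open to group/everyone.

# Print "MODE PATH" for each immediate, non-hidden subfolder of $1 whose
# permission bits grant anything to the group (e.g. staff) or to everyone.
list_exposed() {
    for d in "$1"/*/; do
        d=${d%/}
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        mode=$(ls -ld "$d" | cut -c1-10)    # e.g. drwxr-x---
        case "$mode" in
            d???------) ;;                   # owner-only, like Pictures or Music
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}

# The thread's fix, applied to the folder itself (no -R).
lock_down() {
    chmod 700 "$1"
}

# Constructed sample tree standing in for a home folder.
demo_home=$(mktemp -d)
mkdir "$demo_home/Pictures" "$demo_home/Projects"
chmod 700 "$demo_home/Pictures"             # system-created style
chmod 750 "$demo_home/Projects"             # Me rwx, Staff read, everyone none
echo data > "$demo_home/Projects/image.png"
chmod 644 "$demo_home/Projects/image.png"

echo "Before:"; list_exposed "$demo_home"
lock_down "$demo_home/Projects"
echo "After:";  list_exposed "$demo_home"
# The file inside is still mode 644, but other users cannot reach it because
# they no longer have search (x) permission on the parent folder.
ls -l "$demo_home/Projects/image.png"
rm -rf "$demo_home"
```

To check a real account, run `list_exposed "$HOME"`. The check reads only the classic permission bits; an access control list on a folder (shown by `ls -le` on macOS) is not examined.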