Home folder has 'everyone' Read-Only permissions

I just realized that my home folder (/HD/Users/Bob) has Everyone 'ReadOnly' permissions set at its root level.

If I browse this folder from another account, I can view the folders, but I'm not allowed to open the standard OS X folders (Desktop, Documents, Music, Movies, etc.). However, I have created a few folders on the root level of my home folder, and those ARE accessible to this other user. They can open folders, and open some of the documents with ReadOnly access.

Is anyone else seeing this? Is this a standard configuration, or is my Mac screwed up? This seems like a security hole to allow users to access files of other users on the system.

I'm running a fairly clean build of Yosemite 10.10.1 - this was installed about a month ago. I restored my old files from a hard drive. They were not restored via Time Machine.


This is the standard permissions configuration and has been around since the beta days of Mac OS X when Unix underpinnings were established for Apple’s new computer OS.

The root of your home folder is global read, but standard macOS folders within such as Desktop and Documents should be global no access. Feel free to set the permissions of other folders which you create in the root of your home folder to match the permissions on the standard folders.

If you wish new folders to, by default, be global no access, change the permissions on the root of your home folder, propagate the permissions recursively and set up ACLs to inherit permissions for new folders; however, I am unsure as to any effects this may have.


If you wish new folders at the top level of your home folder to by default be non-readable by anyone but you, add the following two ACLs to your home folder. DO NOT PROPAGATE PERMISSIONS. The first ACL makes all new folders unreadable, unwritable, and unsearchable by everyone. The second ACL makes an exception for you. Be sure to enter them in this order, so the second entry can push itself to the front.

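# Deny "everyone" access to folders newly created directly under the home folder
chmod +a "group:everyone deny list,add_file,search,add_subdirectory,delete_child,directory_inherit,limit_inherit,only_inherit" ~
# Insert at index 0 so the owner's allow entry is evaluated before the deny entry
chmod +a# 0 "user:$USER allow list,add_file,search,add_subdirectory,delete_child,directory_inherit,limit_inherit,only_inherit" ~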

But truth be told, it's easier to just fix up the permissions on any subfolders you create directly under your home folder. I mean, it's not like you're going to do that often, right?

And besides, who's to say you want these new folders readable only by you? What if you want a folder that is group-readable for some group but not world readable? These inherited ACLs are just going to get in your way then.

Creating a top-of-home-folder folder should be a rare event. Ad hoc solutions are best for rare events.
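
The ad hoc fix recommended in the answers above, as an added example that is not part of any of the posts: it lists the folders directly under a home folder that "everyone" can still read, write or search, and removes group and other access from just those folders. The function names and the skip list of intentionally shared folders (Public, Sites) are assumptions, and hidden folders are left out of the check.

```shell
#!/bin/sh
# Added example, not code from the original posts.
# Hypothetical helpers: is_skipped, list_exposed_dirs, lock_exposed_dirs.

# Folders that are meant to be shared and are left alone (assumption).
SKIP_DIRS="Public Sites"

is_skipped() {
    for s in $SKIP_DIRS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print the name of each non-hidden directory directly under $1 that grants
# read, write or search permission to "everyone" (the "other" mode bits).
list_exposed_dirs() {
    home=$1
    find "$home" -mindepth 1 -maxdepth 1 -type d ! -name '.*' \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
    while IFS= read -r dir; do
        name=${dir##*/}
        is_skipped "$name" || printf '%s\n' "$name"
    done | sort
}

# Remove all group and other access from the exposed directories only.
# Deliberately not recursive: without search permission on the folder
# itself, other accounts cannot reach anything inside it.
lock_exposed_dirs() {
    home=$1
    list_exposed_dirs "$home" | while IFS= read -r name; do
        chmod go-rwx "$home/$name"
    done
}

# Usage: list_exposed_dirs "$HOME"   (review the list first)
#        lock_exposed_dirs "$HOME"
```

Run `list_exposed_dirs` on its own first and lock down only after checking that nothing in the list is shared on purpose.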