Airtight User Account on Macbook Pro
Solution 1:
The only way to avoid a user being able to access your data is to remove your data from the machine. This is due to the fact that a user could enable the root user via Single User mode on boot and can then have unfettered access to the system. You can put up blocks to hinder this as well, but that depends on your desire to keep all information secure.
A standard user account is the easiest option and is somewhat effective. However, your friend will not be able to do certain things on the machine since they won't have admin rights. The level of access necessary would hinge on how much the friend would need to do while they have the machine.
Solution 2:
You can come pretty close, but not absolutely lock the computer down. There are three critical steps to this:
- Put all of the files you want to keep private in private directories, e.g. in your Documents folder. The top level of your home folder is readable by all users, and the default permissions for newly created files and folders are similarly readable. Note that this includes things like unix-style configuration files (including invisible "dotfiles") created at the top level of your home folder.
  If you want to, you can remove permissions for other users to read your home folder at all with the command
      chmod go= ~
  -- but note that this will lock other users out of your Public folder as well. Also, make sure you don't have any private files stored outside your home folder.
- Give your friend a "Standard" (or Managed with Parental Controls) account, and make sure they don't know the password(s) to your Administrator account(s).
- Set a firmware password on the computer. This will prevent your friend from invoking single-user mode (which @smoooosher mentioned), recovery mode, and a number of other startup-time modes that'd let your friend take full control of the computer.
  Don't tell your friend the firmware password.
  Do make sure you remember (i.e. record) the firmware password, so you can remove it later. Resetting a lost firmware password is a major operation on modern Macs, and you don't want to have to go through it.
With these steps, your MacBook Pro will be pretty well locked down, but not absolutely so. There are a couple of possible ways your friend could still bypass security:
- They could open the MBP up, remove the drive, and read it directly on another computer. Note that enabling FileVault encryption won't really help with this, since any account password (including your friend's) could be used to unlock and read the disk.
- They could hope for a privilege escalation vulnerability to be discovered in OS X that'd let them get admin or root access from their standard account. You can mitigate this a bit by enabling as much update automation as possible (in System Preferences -> App Store pane).
p.s. You might also want to enable Find My Mac linked to your iCloud account -- this'll let you track and (if necessary) remote-wipe your Mac. Be sure you have a good backup before enabling this, though. Actually, be sure you have a good backup anyway.
p.p.s. From the Ten Immutable Laws Of Security (Version 2.0): "Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
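A way to check the first step of Solution 2 before handing the machine over, as an added example that is not part of either answer: it lists which top-level entries of a home folder other accounts can read, then shows the effect of `chmod go=` on the folder itself. The function names and the sample directory are constructed for illustration, the 755 home-folder mode is an assumption, and only POSIX mode bits are examined, not ACLs.

```shell
#!/bin/sh
# Added example: audit the permissions discussed in Solution 2, step 1.

# Top-level entries of DIR (dotfiles included) that group or other may read.
exposed_entries() {
    find "$1" -mindepth 1 -maxdepth 1 \( -perm -040 -o -perm -004 \) | sort
}

# True if group or other can still list or traverse DIR itself.
dir_open_to_others() {
    hit=$(find "$1" -maxdepth 0 \( -perm -040 -o -perm -004 -o -perm -010 -o -perm -001 \))
    [ -n "$hit" ]
}

# Print a short report for DIR.
audit_home() {
    if dir_open_to_others "$1"; then
        echo "OPEN: other users can enter $1; readable top-level entries:"
        exposed_entries "$1" | sed 's/^/  /'
    else
        echo "CLOSED: other users cannot enter $1"
    fi
}

# Constructed sample home directory (stand-in for ~), built in a temp dir.
make_sample_home() {
    h=$(mktemp -d) || return 1
    chmod 755 "$h"                                   # assumed home-folder mode
    mkdir "$h/Documents" "$h/Public"
    chmod 700 "$h/Documents"                         # private subfolder
    chmod 755 "$h/Public"
    : > "$h/.gitconfig"; chmod 644 "$h/.gitconfig"   # dotfile created with umask 022
    : > "$h/notes.txt";  chmod 644 "$h/notes.txt"
    : > "$h/keys.txt";   chmod 600 "$h/keys.txt"
    echo "$h"
}

sample=$(make_sample_home)
audit_home "$sample"        # before: .gitconfig, Public and notes.txt are exposed
chmod go= "$sample"         # the command from the answer, applied to the sample
audit_home "$sample"        # after: folder closed to others, Public included
rm -rf "$sample"
```

To audit a real account, call `audit_home ~` from that account's Terminal instead of using the sample directory.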