6 Replies Latest reply: Nov 1, 2011 10:12 PM by BDAqua
autochthon Level 1 Level 1 (115 points)
As admin on my Mac, I created a second, standard user.
When I log in as that standard user, and open any folder, 3 folder icons appear at the bottom of the left panel of any folder window: "All Images", "All Movies", and "All Documents".
If, while logged in as the second, standard user, I open the "All Documents" item, I get a list of all the documents on my hard drive, not just those located in the second user account's My Documents folder. I can see all my Admin account's documents. And, I can open them all.

I thought being logged in as a different user, would restrict me so I could only see, or access, the documents of that different user'...not all the docs on the hard drive. Where am I going wrong?

1 G4/400 AGP Tower + 1 15" Alum. Powerbook G4+aluminum Mac Mini, Mac OS X (10.6.4), My first OS was CP/M - does anyone remember that?
  • 1. Re: Security Q: should a Standard user be able to access an Admin's docs?
    Austin Kinsella1 Level 6 Level 6 (11,505 points)
    Yes, I remember CP/M!

    Note that I am using Leopard (10.5, where you posted) not Snow Leopard (10.6, which you say you are using), so things may be different.

    If the standard user (let's call him Stan) tries to navigate in a Finder window via the hard disk icon to your admin user's (hey, let's call him/you Adam) account, he (Stan) will see a "No Entry" sign on the Documents, Library, Movies etc - the Apple-created directories - folders and won't be able to enter them. Files in these folders will not show up in Stan's "All Documents" list.

    If however Adam has created folders at his top level, rather than within one of the Apple-created folders, these folders will have the default permissions, where everyone can read them, and so the contents will appear, and be readable, in Stan's "All Documents". Stan won't be able to change those files, nor add new files to the folders.

    The solution is to move those folders containing stuff that Adam doesn't want Stan to see inside one of the Apple-created folders, or do Get Info (Command-i) and change the permissions for "Everyone" to no access.

    AK
  • 2. Re: Security Q: should a Standard user be able to access an Admin's docs?
    jsd2 Level 5 Level 5 (6,200 points)
    No user, whether admin or standard, should able to access the contents of these system-supplied subfolders of another user, whether admin or standard:

    Desktop, Documents, Downloads, Library, Movies, Music, Pictures

    If you log into the standard account and navigate with Finder to the home folder of the admin account, do you see these folders as restricted?

    !http://i53.tinypic.com/2rfvbkj.jpg!
    .
    The restriction only applies to the contents of these system-supplied folders. If you create your own folder at the top level of your Home folder, that folder and its contents won't be protected.

    Also, could any of the items that you see actually be on a different disk? If you log into the standard account and Get Info on one of the documents from the admin account that you are able to access, what does GetInfo>General say for "Where?"
  • 3. Re: Security Q: should a Standard user be able to access an Admin's docs?
    autochthon Level 1 Level 1 (115 points)

    Thanks so much for your ideas and suggestions!

     

    Standard User's documents are all located within his "Documents" folder inside his Home directory on the one HD.  Furthermore, I've set Standard User's home directory to "Everyone-No Access".

     

    One would expect that this would result in Standard User's home directory and everything within it, becoming locked to everyone except Standard User.

     

    However, this is not the case! When I log in as Admin, I can STILL see and access everything within Standard User's home folder.  Same goes if I log in as 'standard user2'....standard user2  can also access, read and write everyting in Standard User's home folder.

     

    Whereas when I am logged in as Standard User, everything in Administrators' home folder has the red 'no access' icon, and the same goes with standard user2's home folder....those all are locked with 'no access'.

     

    Reparing permissions, does nothing to correct this misbehavior.

     

    How can I fix this?

  • 4. Re: Security Q: should a Standard user be able to access an Admin's docs?
    BDAqua Level 10 Level 10 (116,475 points)

    In the Get Info window for those folders, who is owner & rights, & what group & what rights?

  • 5. Re: Security Q: should a Standard user be able to access an Admin's docs?
    autochthon Level 1 Level 1 (115 points)

    OK, here goes:

     

    Standard User is a standard user, and not file-vaulted.

    Standard User1 is a file-vaulted standard user.

    Admin is an admin, and not file-vaulted.

     

    ====WHEN LOGGED IN AS STANDARD USER: ====

    Standard User1's home directory is a folder with a red 'no access' icon on it, and cannot be opened.

    Standard User's home directory is a little house and can be opened and totally accessed.

    Admin's home directory is a regular folder which, when opened, reveals that all of its subfolders have red 'no access' icons.

     

    Standard User's Home Directory getinfo permissions are:

       "You have custom access"

       Standard User (Me) - Read & Write

       staff - Read only

       everyone - no access

     

    Standard User's Documents folder's permissions are:

       "You can read and write"

       (unknown) - read and write

       Standard User (Me) - read and write

       staff - read only

       everyone - No Access

    (I have no idea who (unknown) or "staff" is - I didn't create either of these entities.)

     

    ====WHEN LOGGED IN AS STANDARD USER1: ====

    Standard User1's home directory is a little house whose contents are fully accessible.

    Standard User's home directory appears as a folder, not a little house, and can be opened and totally accessed.

    Admin's home directory is a regular folder which, when opened, reveals that all of its subfolders have red 'no access' icons.

     

    Standard User's home directory permissions are:

    "you can only read"

    Standard User - read and write

    staff - read only

    everyone - No Access

     

    Standard User's Documents folder's permissions are:

    "you can only read"

    (unknown) - read and write

    Standard User - read and write

    staff - read only

    everyone - No Access

     

    ====WHEN  LOGGED IN AS ADMIN: ====

    Standard User's home directory appears as a folder, not a little house, and can be opened and totally accessed.

    Admin's home directory is a little house whose contents are fully accessible.

    Standard User1's home directory is a folder with a red 'no access' icon on it, and cannot be opened.

     

    Standard User's home directory permissions are:

    "you can only read"

    Standard User - read and write

    staff - read only

    everyone - No Access

     

    Standard User's Documents folder's permissions are now:

    "you can only read"

    (unknown) - read and write

    Standard User - read and write

    staff - read only

    everyone - No Access

  • 6. Re: Security Q: should a Standard user be able to access an Admin's docs?
    BDAqua Level 10 Level 10 (116,475 points)
    (I have no idea who (unknown) or "staff" is - I didn't create either of these entities.)

    I think that results from a Migration or Copying, where the UUID & username does not matc the new order... Say you imort user#1 with UUID of 501 to another drive where there already is a UUID of 501, new user gets 502 or whatever is next, 501 & 502 no longer have the same rights & if the Migrated one doesn't exist with the same UUID & username, you get unk.

     

    I can't point to a single instance of VileFault saving anyone's behind, but could likely point out 100's of thousands of cases where it was the death knell.

     

    If youre careful this is a powerful far more yseful tool for changing Rights...

     

    Might try BatchMod, it's much better/easier than the Finder for recursive Permission changes...

     

    ww.lagentesoft.com