fiddleaway

Q: Is default new file privilege '700 OK?

In my new Mountain Lion installation I noticed that new files were created with privileges set to:

Me (owner): full access

staff (group): read only

everyone: read only

IOW - '744 in octal

Being a Tiger dinosaur up to now, that didn't make me feel real comfortable, so I looked around and found a pretty recent (Feb 2012) source from UC Davis that recommends setting the new file defaults to:

owner: full access

group: no access

everyone: no access

I'd like to get a blessing from someone with a lot of experience as to whether or not it's OK to set new file privileges as recommended and whether the method recommended in the cited article is the right way to do it.

Posted on Feb 9, 2013 12:52 AM


  • by Linc Davis, Helpful

    Linc Davis Feb 9, 2013 7:47 AM in response to fiddleaway
    Level 10 (207,963 points)

    Unless you have more than one local user, this is a non-issue.

    By default, the top-level subfolders of the home folder are read/write/search only by the owner, apart from the Public folder, which is world-readable by design. So only the files at the root of the home folder are readable by other users. Again by default, there are no such files. If you create any, you should set their permissions as desired. If you don't use the Public folder, set the mode of your home folder to 700.

    If, nevertheless, you do want to change the umask for applications, the correct way to do it is given here:

    Mac OS X: Setting a custom umask

  • by fiddleaway

    fiddleaway Feb 9, 2013 3:59 PM in response to Linc Davis
    Level 1 (5 points)

    Actually, I have 3 accounts, one admin acct and two standard accounts for myself and my wife. I established the separate admin account primarily to be the installer of apps, per security concerns that I inherited from my early Tiger days (and may not be necessary anymore).

    I know that the privilege settings for the top-level subfolders of the home folder generally act as locked gates to all but the owner for access to what's inside each of them. But, I wasn't sure if someone might be able to access a resource inside such a subfolder if (1) the privilege settings of the resource allow it ('644 for example) (2) the access request provides the full path to the resource.

    So I did some experiments with Finder and also with Terminal ... and discovered that at least my simple straightforward attempts to access a file by its full path failed. I'm no UNIX maven, so my Terminal experiments didn't prove there was no way for a more knowledgeable non-admin to go around a blocking folder ... ergo I sent out this inquiry.

    If there were a way for a non-admin user to circumvent the privilege blocks in the primary home sub-folders (by giving the full path) ... I can imagine a scenario where one of our standard accounts is inadvertently infected by malware, which would exploit the vulnerability of unprotected files lying inside a protected folder.

    It sounds as if you're telling me that to your knowledge this is not possible.
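
The case discussed in this thread (a file with mode 644 inside a folder with mode 700, and what a umask of 022 versus 077 gives a new file), as an added example that is not part of the original posts. The helper names `perm_char`, `mode_under_umask` and `blocked_at` are hypothetical, and the check assumes classic owner/group/everyone mode bits only: ACLs and root access are not modelled.

```shell
#!/bin/sh
# Added example: classic mode bits only; ACLs and root access are not modelled.
# perm_char, mode_under_umask and blocked_at are hypothetical helper names.

# perm_char PATH N: Nth character of the ls mode string, e.g. drwx------
perm_char() {
    ls -ldL -- "$1" | cut -c "$2"
}

# mode_under_umask MASK DIR: mode string of a file newly created in DIR
mode_under_umask() {
    ( umask "$1"; f="$2/new.$1"; rm -f "$f"; : > "$f"
      ls -ldL -- "$f" | cut -c 1-10 )
}

# blocked_at FILE [TOP]: print the path component nearest FILE that stops
# "everyone" from reading it, checking FILE and each parent up to TOP
# (default /). Prints nothing when other users can read FILE.
blocked_at() {
    file=$1
    top=${2:-/}
    # The file itself needs the world-read bit (character 8).
    if [ "$(perm_char "$file" 8)" != r ]; then
        echo "$file"
        return 0
    fi
    dir=$(dirname "$file")
    while :; do
        # Every directory on the path needs world-search:
        # x, or t (x plus the sticky bit, as on /tmp).
        case $(perm_char "$dir" 10) in
            x|t) ;;
            *) echo "$dir"; return 0 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ] || [ "$dir" = . ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
}

# Usage (placeholder path): sh check.sh /path/to/file
if [ "$#" -gt 0 ]; then
    blocked_at "$@"
fi
```

Opening a file by its full path still requires search permission on every folder along that path, so a 644 file under a 700 folder is reported as blocked at the folder.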