1 Reply Latest reply: Feb 26, 2008 11:01 PM by Gerrit DeWitt
edgillies Level 1 (0 points)
We have an issue with account synchronization: when the end users synchronize between their Mac workstations/MacBooks, they can view the data in all other users' home drives.

Once synchronization has completed, they cannot view any home drive apart from their own.

Has anyone else seen this? The server is using Mac OS, as are the clients, which are a mixture of Tiger and Leopard.

Thanks in advance

Ed

Mac OS X (10.4)
  • 1. Re: Open directory security issue/question
    Gerrit DeWitt Level 4 (3,900 points)
    Yes, I think you're referring to the fact that the default permissions for user home directories provide read-only access to their top-level. In other words, others can view the contents of the user's home but cannot navigate into folders like Documents and Desktop. There's a reason for this, and you can change this default behavior easily.

    First, the reason is to allow access to each user's Public folder and corresponding Drop Box. It works the same way on a standalone Mac OS X computer. Make a couple of users and navigate to /Users - up one level from the standard local home path - and you'll be able to read at the top level of the home to get into the Public folder.

    With that said, it is important to note that the default umask sets permissions for newly-created files and folders. The umask is 0022 by default, so this means that new folders get 0755 POSIX permissions (owner read/write/execute, everyone else just read/execute), and files get 0644 (no execute bits set). This is OK if the new item is being created in, for example, the user's Desktop, which has 0700 POSIX permissions by default. No other user than the owner can "get into" the folder regardless of the permissions of its contents. There's a very good reason why new files and folders are created with POSIX group and POSIX everyone fields set to allow only reading: when a file is copied, the copying party becomes the POSIX owner of the copy, and others can just read the contents, copy it or Save As and edit from there. On the flip side, any new folders or files created in or saved to the top-level of the user's home (like ~/Projects, for example) would have read (and execute, if the item is a folder) permission set for everyone.

    So, to change this, all you have to do is the following. Use Terminal to change the POSIX permissions of each user's home directory. For an example, let's say that the home directory share point is at /Volumes/Data-Disk/Home-Share. So, Sally and Ron have homes in /Volumes/Data-Disk/Home-Share/sally and /Volumes/Data-Disk/Home-Share/ron respectively. This command will change the POSIX permissions of Sally's and Ron's homes (and anyone else's in the Home-Share folder) such that only the POSIX owner can read/write/execute. Since the POSIX owner is the particular user, this means that only Sally has access to her home and Ron has access to his.

    sudo chmod 700 /Volumes/Data-Disk/Home-Share/*

    Note that you could use chmod with the recursive (-R) option to change the permissions of the contents, but that's not strictly necessary as blocking access to the parent folder (in this case the user's home) is sufficient. The only time that this would not be sufficient is if you have added an Allow ACL entry that would otherwise grant access; this is not a default scenario, however.

    Also note that the trailing solidus (/) and wildcard asterisk (*) are critical. Do not change the permissions of the home directory share point itself to 0700 - if you do so, users will not be able to mount it at all.

    Hope this helps!

    --Gerrit
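
An audit to run before and after the chmod described in the reply above, added here as an example and not part of the original thread: it lists home folders whose mode bits still grant anything to group or everyone, and flags a share point that has itself been locked to the owner. The function names (`audit_homes`, `mode_string`, `owner_only`) are hypothetical, and the check covers POSIX mode bits only, not Allow ACL entries.

```shell
#!/bin/sh
# Added example: audit POSIX mode bits on a home-directory share point.
# Checks mode bits only; Allow ACL entries are not inspected.

# Print the type/permission string for a path, e.g. "drwxr-xr-x".
mode_string() {
    ls -ld "$1" | awk '{print $1}'
}

# True when the string grants nothing to group or everyone (0700-style).
# S and T are setgid/sticky shown without the matching execute bit.
owner_only() {
    case $1 in
        d???--[-S]--[-T]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_homes SHARE: print one line per problem, return non-zero if any.
audit_homes() {
    share=$1
    findings=0
    # The share point itself must stay open, or users cannot mount it.
    if owner_only "$(mode_string "$share")"; then
        echo "SHARE-LOCKED $(mode_string "$share") $share"
        findings=$((findings + 1))
    fi
    # Same "/" + "*" scope as the chmod command: direct children only.
    for home in "$share"/*; do
        [ -d "$home" ] || continue
        [ -L "$home" ] && continue      # ignore symlinks to folders
        m=$(mode_string "$home")
        if ! owner_only "$m"; then
            echo "OPEN $m $home"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run as a script: sh audit_homes.sh /Volumes/Data-Disk/Home-Share
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```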