Permission question for an admin Home folder and the folders beyond

Hi
Can someone tell me what the standard permissions are for these folders?

And, to be safe, the terminal commands to reset them to this original state.

Ok, call me paranoid, I'm not sure whether the permissions for the application folder are set correctly; what are the standard ones for it and the folders and applications beyond...

Thank you....

Message was edited by: berti

Posted on Oct 27, 2009 12:07 PM

Oct 27, 2009 12:38 PM in response to berti

The Home folder itself should be:

Owner = username with r/w privileges
Group = admin with r/w privileges
Everyone = read-only privileges

The standard folders inside the Home folder are the same.

You can open the Terminal application in your Utilities folder and enter the following:
sudo chown -R username:admin
There should be a "space" after "admin." Drag the Home folder to the Terminal window and press RETURN. You will be prompted for your admin password which will not be echoed.

sudo chmod -R 755
Place a "space" after "755" then drag the Home folder into the Terminal window and press RETURN.


In the above "username" is your short name.

Oct 27, 2009 1:01 PM in response to Kappy

Kappy wrote:
The Home folder itself should be:

Owner = username with r/w privileges
Group = admin with r/w privileges
Everyone = read-only privileges


That's not correct.

In Leopard the default is:

Owner = username with r/w privileges
Group = staff with read-only privileges
Everyone = read-only privileges

If you have migrated your user accounts from a previous version of OS X, there might be a different name specified for group, such as "wheel", or a group matching the username, or "admin" if the account had been an admin account.

The standard folders inside the Home folder are the same.


That's also incorrect; the permissions on most of the default ones (Documents, Desktop, Library, Pictures, Movies, Music) are read and write for the user, and No Access for group and others. The Public and Sites folders, as well as any folders the user creates himself, are read and write for the user, and read only for group and others.

You can open the Terminal application in your Utilities folder and enter the following:
sudo chown -R username:admin
There should be a "space" after "admin." Drag the Home folder to the Terminal window and press RETURN. You will be prompted for your admin password which will not be echoed.

sudo chmod -R 755
Place a "space" after "755" then drag the Home folder into the Terminal window and press RETURN.


That is also not correct. Running that command is going to give all users read access to his Documents, Desktop, Music, Pictures, Movies, and Library folders. He can certainly set it up that way if he wants and give other users read access to his entire home folder, but that is NOT the OS X default. The default on all of those folders is No Access to group and others.

Running the chmod -R 755 command as you wrote it will also add the executable bit to all the user's files in addition to his folders. That is also not correct. Files should not have the executable bit set unless they are meant to be so (such as on shell scripts and the like).
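
An added example, not part of the thread: a POSIX shell check for the two side effects of a recursive "chmod -R 755" described in the reply above (private folders opened to group and others, executable bits on ordinary files). The folder names and the owner-only default come from the reply; the sample tree is constructed and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Folder names and the owner-only
# default are taken from the reply above; the sample tree is constructed.
PRIVATE_DIRS="Documents Desktop Library Pictures Movies Music"

# Build a throwaway home folder with the defaults described in the thread.
make_sample_home() {
    home=$1
    for d in $PRIVATE_DIRS; do
        mkdir -p "$home/$d" && chmod 700 "$home/$d"
    done
    mkdir -p "$home/Public" && chmod 755 "$home/Public"
    echo "private" > "$home/Documents/notes.txt"
    echo "shared"  > "$home/Public/readme.txt"
    chmod 644 "$home/Documents/notes.txt" "$home/Public/readme.txt"
}

# Count private folders that grant any access to group or others.
count_exposed_private() {
    home=$1; n=0
    for d in $PRIVATE_DIRS; do
        [ -d "$home/$d" ] || continue
        # -prune tests only the folder itself, without descending into it.
        hit=$(find "$home/$d" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$hit" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Count regular files that carry any executable bit.
count_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        wc -l | tr -d ' '
}

# Demo on the constructed tree: the same audit before and after the command.
demo=$(mktemp -d)
make_sample_home "$demo"
echo "defaults:  exposed=$(count_exposed_private "$demo") exec_files=$(count_exec_files "$demo")"
chmod -R 755 "$demo"
echo "after 755: exposed=$(count_exposed_private "$demo") exec_files=$(count_exec_files "$demo")"
rm -rf "$demo"
```

Pointing the two count functions at a real home folder instead of the constructed tree reports the same conditions without changing any permissions.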

Oct 27, 2009 12:58 PM in response to berti

Berti, what you can do to reset your home folder permissions to defaults, is boot up from your Leopard DVD. Under the Utilities menu, there's a Reset Password utility. Choose that, and at the bottom, click Repair Home Folder Permissions. That should set all of the default home folder bits back to their original privilege settings.

Oct 27, 2009 1:10 PM in response to berti

berti wrote:
Ok, is it correct that the complete admin group gets access to one specific Home folder?


No, that's incorrect. Each user has full access to his own home folder, and access to the /Users/Shared folder, and read only access to the Public areas of other users' accounts. This is true regardless of whether the user is an admin user or not. Without further authentication, admin users do not have extra privileges to peek into other users' accounts, not even other admin accounts.

Admin users can authenticate to root, and then they pretty much own the computer. They can change permissions on other users' files, and can change and delete other users' entire accounts.

Oct 27, 2009 1:09 PM in response to Király

Sorry, but I'm looking right at a fresh Leopard installation. Staff is no longer used as the default group. That ceased with Tiger. However, using staff as the group is OK although the staff group has been deprecated since Tiger. In Leopard the default group is admin with r/w privileges (but read-only is fine.) In Snow Leopard the default for the Home folder's group is admin with read-only privileges. Folders within the Home folder have no default group membership. Only owner and Everyone (the latter is read-only.)

In any event it's not that relevant an issue into what group you assign the home folders.

As for the Terminal commands they are correct.

Oct 27, 2009 6:39 PM in response to Király

I confess to have looked at the wrong system, not Leopard. On my freshly installed Leopard system:

Owner=username with r/w privileges
Group=wheel with read-only privileges
Everyone is read-only

Within the Home folder:

Owner=username with r/w privileges
Everyone is No Access

Any group can be assigned to any folder if desired (although not appropriate to change system folders or files.) Home folders are "owned" by the user but can be assigned to a group. The groups typically involved are staff and admin although the staff group was deprecated after Tiger. And, the user may change the defaults for files or folders within his/her Home folder but only if the user knows what they are doing and has a known goal in mind with regards to access.

Oct 27, 2009 8:58 PM in response to Kappy

Now, in that post, I agree with everything you have said. 🙂

But on my system, creating a brand new user account, admin or standard, results in the group staff being assigned; not wheel.

Here's what's on page 139 of the Leopard Security Configuration guide, under the Securing User Home Folders section:

In Mac OS X version 10.5 Leopard all users are a member of the "staff" group, not of a group that has the same name as their user name.


So I'm not sure why you're getting wheel on your accounts instead of staff. Are you sure your accounts were created while running Leopard, and not migrated from some earlier OS installation?

Oct 27, 2009 9:03 PM in response to berti

berti wrote:

Ok now the only question is the permissions of the application folder and the sub folders and apps

and the terminal commands to reset them


Use Disk Utility to repair permissions and it will all be done for you.

Or, if you prefer to get under the hood on your own:

sudo chown -R root:admin /Applications
sudo chmod -R ug+rwX /Applications
sudo chmod -R o-w /Applications


That will make everything there owned by root, writeable by admin users, and read-only for all others.

Note that third party applications that install by drag & drop to the /Applications folder will be read & write for the user that installed them, and read-only for group and others. That is different from what Apple supplies with its own programs, but it really isn't a concern.
