
Limiting permissions on files and folders

I have a separate user on my Macintosh that contains files I would like to keep private. I don't want these files to be accessible from the main user.


By default, all files and folders on a Mac provide Read Only access to Staff (which is the group that contains everyone) and Read Only access to Everyone (which, I guess, is all users). The owner of the file/directory has read/write access.


I believe the correct thing for me to do is to remove the Staff and Everyone permissions for the files and folders in that separate user. That way they won't turn up in searches and won't be viewable from the main user account.


Will making this change break anything? Are there unforeseen consequences I should be aware of?


Also, is it possible to specify that new files and folders not be given permissions that allow Read Only access by Staff and Everyone?


Thanks.

MacBook Air (M2, 2022)

Posted on Jul 11, 2023 3:20 PM

Question marked as Top-ranking reply

Posted on Jul 11, 2023 4:17 PM

Staff only has read permission on the outer home directory.

Folders inside of home (except sites and public) do not have a group set.

When you create a folder, it will inherit the parent folder permissions (and the user who created it).

So, if you create a folder directly inside of Home, it will have the staff group set to read.

Get Info on that folder and delete the group.

Any folder you create inside the other folders (Desktop, Documents, Downloads) will not have a group set as it inherits that from the parent directory.


Jul 11, 2023 4:22 PM in response to Andrew Shalit

I have asked a specific question and would appreciate answers to that question from people who understand the specific uses of permissions and the Staff group on MacOS. I've been around Unix, Linux, and MacOS enough to know what permissions are, how to use CHMOD, etc. I have specific questions about the effect of limiting permissions on files and directories in OS X: will there be problems if I don't give Staff Read permissions to a set of files and directories? Possible answers would be things like, "It will prevent spotlight from indexing them," or "Migration assistant ignores permissions, so you'll have to reset them after you migrate to a new machine."


Thank you.

Jul 11, 2023 4:46 PM in response to Andrew Shalit

I have specific questions about the effect of limiting permissions on files and directories in OS X: will there be problems if I don't give Staff Read permissions to a set of files and directories?

That is how all of a user's files should be set. Did you look at them? Most of the folders are set that way, too, as I described. The net effect of removing the group will be to work exactly the same as the files inside the standard subfolders like Desktop, Documents, Downloads, Music, etc.

Jul 11, 2023 4:55 PM in response to Barney-15E

Thank you, Barney. This is very helpful and it's what I thought and expected.


I think what I'm running into is a bug in Migration Assistant. I've just moved to a new Mac, and I used Migration Assistant to bring over the users from my old machine. Unfortunately, Migration Assistant didn't do anything special to preserve the file permissions that were set on the old machine. Instead, it appears to have just copied the files and folders.


As a result, when it created new folders inside the home folder, those new folders inherited the staff read permissions.


This is easy enough to fix, and I'll do that. I'll also report the bug to Apple. For a company that is so careful about security in so many ways, this is a significant oversight.
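
The cleanup discussed in the posts above, as an added example that is not part of any post in this thread: a bash script that lists the items directly inside a home folder that still grant group or everyone access, and removes that access, skipping Public and Sites as the earlier reply describes. The function names are made up for this example, and it assumes it is run from the account that owns the folder.

```shell
#!/bin/bash
# Added example: audit and tighten the items directly inside a home folder.
# Function names are hypothetical; Public and Sites are skipped because the
# reply above names them as the folders meant to keep shared access.

# Run find over the entries directly inside $1 that grant any read, write or
# execute bit to group or others. Remaining arguments are the find action.
_exposed() {
    local home=$1
    shift
    find "$home" -mindepth 1 -maxdepth 1 ! -type l \
        ! -name Public ! -name Sites \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) "$@"
}

# List the exposed entries, one per line.
audit_home() {
    _exposed "$1" -print | sort
}

# Remove group/other access from the exposed entries. Only the top-level
# item is changed: without the search bit on a folder, other non-admin
# accounts cannot reach anything beneath it.
tighten_home() {
    _exposed "$1" -exec chmod go-rwx {} +
}

# Usage: script.sh audit [folder]   or   script.sh fix [folder]
case "${1:-}" in
    audit) audit_home "${2:-$HOME}" ;;
    fix)   tighten_home "${2:-$HOME}" ;;
esac
```

Running the audit again after the fix should print nothing; rerun it after any migration or restore.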

Jul 11, 2023 5:10 PM in response to Andrew Shalit

The "main" user most likely has "admin" rights. With admin rights, they can read anything on the file system they want regardless of the file permissions you put on the files and directories/folders.


Now whether or not your "main" user knows how to do that, is another thing, but if they are determined to read your files, then file permissions are not going to stop them.


If you want to keep those files secret, then you need to use Applications -> Utilities -> Disk Utility and create an encrypted disk image file (aka a .dmg file), where ONLY you know the encryption key-password. Create a read/write .dmg so that you can add files, modify existing files, and delete files. It will mount on your system as if it was a disk. MAKE SURE you unmount the .dmg when you are not using it, because as long as it is mounted, it will be readable by the "main" user. But unmounted, it will be encrypted with a password only you know.


Admin rights will not bypass an encrypted file.


If you do not know what an encrypted .dmg file is, then start doing some Googling to learn more.

Jul 11, 2023 5:57 PM in response to BobHarris

Thank you for the suggestion. I'm familiar with the encrypted DMG approach, and that's not what I want to use in this situation. It's good to be reminded that a user with admin privileges can access anything they want on the machine, pretty much. That's not my concern. I'm more concerned with accidental leakage caused by improperly set privileges.
