5.1.1 Ensure Home Folders Are Secure

Information

By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a 'Documents' folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system.

The best parallel for enterprise environments is that everyone who has a Dropbox account can see everything at the top level but cannot see your pictures. Similarly, on macOS, users can see into every new directory that is created, because of the default permissions.

Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.

Rationale:

Allowing all users to view the top level of all networked users' home folders may not be desirable, since it may reveal sensitive information.

Impact:

If implemented, users will not be able to use the 'Public' folders in other users' home folders. 'Public' folders with appropriate permissions would need to be set up in the /Shared folder.

Solution

Terminal Method:
For each user, run the following command to secure all home folders:

$ /usr/bin/sudo /bin/chmod -R og-rwx /Users/<username>

Alternatively, run the following command if the home folder needs to keep execute access for group and others:

$ /usr/bin/sudo /bin/chmod -R og-rw /Users/<username>

Example:

$ /usr/bin/sudo /bin/chmod -R og-rw /Users/thirduser/

$ /usr/bin/sudo /bin/chmod -R og-rwx /Users/fourthuser/

# /bin/ls -l /Users/

total 0
drwxr-xr-x+ 12 Guest _guest 384 24 Jul 13:42 Guest
drwxrwxrwt 4 root wheel 128 22 Jul 11:00 Shared
drwx--x--x+ 18 firstuser staff 576 10 Aug 14:36 firstuser
drwx--x--x+ 15 seconduser staff 480 10 Aug 09:16 seconduser
drwx--x--x+ 11 thirduser staff 352 10 Aug 14:53 thirduser
drwx------+ 11 fourthuser staff 352 10 Aug 14:53 fourthuser
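
An added audit example, not part of the benchmark text or the plugin: it reads the mode column of `ls -ld`, as in the listing above, and flags any home folder whose group or other bits still include read or write. The function names, the /Users default and the skipping of Shared and Guest are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit home folder modes.
# Rule from the text: group and others get no access or execute only.

# mode_is_compliant MODE
# MODE is the first column of `ls -ld`, e.g. "drwx--x--x+".
# Characters 5-6 are group read/write, 8-9 are other read/write.
# Returns 0 when all four are "-" (execute and special bits are ignored).
mode_is_compliant() {
    grp_rw=$(printf '%s' "$1" | cut -c5-6)
    oth_rw=$(printf '%s' "$1" | cut -c8-9)
    [ "$grp_rw" = "--" ] && [ "$oth_rw" = "--" ]
}

# audit_homes [BASE]
# Prints "PASS|FAIL <mode> <path>" for each directory directly under BASE
# (default /Users). Returns 1 if any folder fails, 0 otherwise.
# Assumption: Shared and Guest are not personal home folders and are skipped.
audit_homes() {
    base=${1:-/Users}
    rc=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue        # also handles an unmatched glob
        dir=${dir%/}
        [ ! -L "$dir" ] || continue      # do not follow symlinked folders
        case "${dir##*/}" in
            Shared|Guest) continue ;;
        esac
        mode=$(ls -ld "$dir" | awk '{print $1}')
        if mode_is_compliant "$mode"; then
            echo "PASS $mode $dir"
        else
            echo "FAIL $mode $dir"
            rc=1
        fi
    done
    return $rc
}

# Usage (after sourcing this file):  audit_homes /Users
```

A trailing + in the mode column marks an ACL, which changing the mode bits with chmod does not remove; `ls -led` on the folder lists its entries.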

See Also

https://workbench.cisecurity.org/benchmarks/14563

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 57ba2d6aa2f4449d03425394690f9b8063c19d883029995371e25db55b664c90