User Guide

Chapter 6 Securing Data and Using Encryption 103
To change the global umask:
1 Open Terminal.
2 Change the NSUmask setting to be the decimal equivalent of the umask setting:
$ sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 23
You must be logged in as a user who can use sudo to perform these operations.
This example sets the global umask to 027, which has the decimal equivalent of 23.
Replace 23 with the decimal equivalent of your desired umask setting. This command
requires that you use the decimal equivalent, and not an octal or hexadecimal number.
Important: Make sure the path you enter is .GlobalPreferences—not
.GlobalPreferences.plist, which might be accidentally added by Terminal’s
autocompletion feature.
3 Log out.
Changes to umask settings take effect at the next login. Users can use the Finder's Get
Info window or the chmod command-line tool to change permissions for individual files
and folders.
Securing Your Home Folder
Change the permissions of each user's home folder so that they are no longer
world-readable or world-searchable. When FileVault is not enabled, the permissions on
the home folder of a newly-created user account allow any other user to browse its
contents. The ~/Public and ~/Public/Drop Box folders within each home folder require
these permissions. However, users may inadvertently save sensitive files directly into
their home folder, instead of into the more-protected ~/Documents, ~/Library, or
~/Desktop folders. Although ~/Public and ~/Public/Drop Box folders will no longer
work as intended, the permissions on each user's home folder should be changed to
prevent other users from browsing its contents.
Enter the following command to change home folder permissions:
$ sudo chmod 750 /Users/username
Replace username with the name of the account.
Run this command immediately every time someone creates a new account.
The 750 permission setting still allows members of the group owning the folder to
browse it, but in Mac OS X version 10.3 or later that group consists only of the user.
If more advanced group management is performed and members of the group owning
the folder should not be granted permission to browse it, then the command above
should be issued with the permission 700 instead of 750. The user, as the owner of his
home folder, can alter its permission settings at any time, and can change these
settings back.
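The two procedures above both hinge on getting a number right: the umask must be handed to NSUmask in decimal, and a home folder must end up with no "other" read or search bits. The following helper script is an added example, not part of the guide; it converts between the octal umask and the decimal NSUmask value, and audits a home folder by parsing the mode column of `ls -ld` (the only format it assumes).

```shell
#!/bin/sh
# Added helper functions (not from the guide) for the umask and home-folder steps.

# Octal umask (1-3 digits, e.g. 027) -> decimal value for NSUmask (e.g. 23).
umask_to_nsumask() {
    case "$1" in
        [0-7])           m="00$1" ;;
        [0-7][0-7])      m="0$1" ;;
        [0-7][0-7][0-7]) m="$1" ;;
        *) echo "invalid octal umask: $1" >&2; return 1 ;;
    esac
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}   # user, group, other digits
    echo $(( u * 64 + g * 8 + o ))
}

# Decimal NSUmask value (e.g. 23) -> three-digit octal umask (e.g. 027).
nsumask_to_umask() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid decimal value: $1" >&2; return 1 ;;
    esac
    [ "$1" -le 511 ] || { echo "value out of range: $1" >&2; return 1; }
    printf '%03o\n' "$1"
}

# Given a symbolic mode string as printed by `ls -ld` (e.g. drwxr-x---),
# succeed when "other" users can neither list (r) nor search (x) the folder.
mode_closed_to_others() {
    others=$(printf '%s' "$1" | cut -c8-10)
    case "$others" in
        *r*|*x*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Audit one home folder: returns 0 if closed to others, 1 if it is exposed.
audit_home() {
    mode=$(ls -ld "$1" | cut -c1-10)
    if mode_closed_to_others "$mode"; then
        echo "$1: $mode (not browsable by other users)"
    else
        echo "$1: $mode (world-readable or world-searchable; consider chmod 750)"
        return 1
    fi
}

# Usage: ./home_audit.sh /Users/alice /Users/bob  (audits each path given)
for h in "$@"; do audit_home "$h"; done
```

Run it with no arguments to load the functions only; with paths, it reports each home folder whose mode still lets other users browse it.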