OS X multiuser security question
April 11, 2008 12:16 PM   Subscribe

This is an OS X multi-user question. My parents have an older iMac running OS X 10.3 and various people use it at different times. I want to set up a guest account so anyone logged in on it will not have access to my parents' private information, settings, etc. I tried setting up a "test" account on my own iMac (OS X 1.4.11) but I find when I log in to it I am still able to see folders and view contents that had been created with my regular (admin) account. How do I set up an additional account so it is only able to view its own content and not that of any other account? (I don't want to use FileVault due to the potential for catastrophic data loss or denial if my parents crash their iMac with FileVault in use.)
posted by ranebo to Computers & Internet (12 answers total)
 
If you are willing to upgrade to 10.5, it includes the ability for a password-less guest account. I just tested it, and it handles all the permissions for you, so that the guest can't see into other accounts. It also deletes all the guest's files on logout.
posted by procrastination at 12:20 PM on April 11, 2008


Make sure the new user isn't an administrator. "Allow user to administrate this computer" shouldn't be checked, in the Accounts pane of System Preferences.

If that doesn't help, it probably depends on the permissions that are set on the folders that you created. Just change the permissions so they're only visible to you, or only visible to administrators, not everyone.
posted by xil at 12:22 PM on April 11, 2008


As xil said: you probably just need to change the permissions on the other accounts' home directories so that they don't allow access to everyone. You can do this in Finder (get info, permissions, details) or in Terminal with the standard unix tools (chmod).
posted by hattifattener at 12:42 PM on April 11, 2008


Thank you, procrastination, but 10.5 isn't the solution because their Mac is too old (RAM &/or CPU would be insufficient).

@xil -- Thanks very much. This seems to do the trick!

@hattifattener -- Just so I'm understanding you. . . Say my two accounts are "parents" (admin) and "guest" (regular user). I was able to lock out prying eyes with xil's suggestion, but are you saying there is a way for "parents" to set permissions of some sort on "guest" so that nothing that is not within "guest" directories is viewable? I was successful in specifically setting hierarchies of "parents" directories as No Access (so "guest" wouldn't be able to see contents), but it sounds like you are saying "parents" can set permissions on the "guest" home directory so that "guest" cannot see anything in any directories other than "guest" home directory (and its sub-dirs).

I don't see how to do this. Or am I misunderstanding you?
posted by ranebo at 1:23 PM on April 11, 2008


As xil said: you probably just need to change the permissions on the other accounts' home directories so that they don't allow access to everyone. You can do this in Finder (get info, permissions, details) or in Terminal with the standard unix tools (chmod).

Do not do this. Manually mucking with the permissions of Home folders is a recipe for disaster.

I suspect that, as xii suggested, you've mistakenly given this guest account admin access. Otherwise, there's no reason you should be seeing anything in another user's Home folder. If you've created folders that live outside the Home directories, that's an entirely other ball of wax.
posted by mkultra at 1:27 PM on April 11, 2008


On a bit further poking around- it looks like it's possible to create folders directly at ~/ which are by default global Read. The easy fix for this is to move them to ~/Documents.
posted by mkultra at 1:30 PM on April 11, 2008


@mkultra -- Thanks for the cautionary. Actually the "test" account I set up on my own computer IS a Standard account and not Admin. But I do have many directories set up outside my home directory (most of my data is on an external hard drive, for example).

So, I'm gathering that my best solution is to create a Standard ("guest") account on my parents' computer and then from their Admin ("parents") account, set permissions to No Access (using get info) for any directories that should be kept private.

Thanks everyone!
posted by ranebo at 1:41 PM on April 11, 2008


Even admins normally have no access to other peoples files if they are in the users folder. Are the files and folders you speak of stored elsewhere on the drive i.e. outside of the folder called Users?
posted by Gungho at 1:43 PM on April 11, 2008


on preview I see you've found the problem. You can set permissions on external drives etc. It is pretty easy.
posted by Gungho at 1:45 PM on April 11, 2008


@Gungho -- Yes, I think I'll be OK with creating a Standard account and then setting permissions on the directories that need to be private. I'm not sure what the user folder setup is on my parents' computer at this time; I'll have to wait until I can get them (well, my brother, actually) on the phone. Thanks again.
posted by ranebo at 1:57 PM on April 11, 2008


If you 'cripple' 10.5 by turning off Spotlight and the Dashboard (and maybe some other stuff if you're creative about it) it's as fast as 10.3 in my experience. I have it running on a couple old 'colorful' iMacs that way. Seems fine.
posted by rokusan at 4:10 PM on April 11, 2008


Seems fine.
Well, apart from being ugly and having crashy DNS, no classic support and very little actual benefits, I guess. (Just a warning for other readers: Wish I could go back to Tiger)
posted by bonaldi at 4:50 PM on April 11, 2008


« Older Amazon and eBay best practices?   |   on pins and needles Newer »
This thread is closed to new comments.