Apple - Home folder has 'everyone' Read-Only permissions

If you wish new folders at the top level of your home folder to by default be non-readable by anyone but you, add the following two ACLs to your home folder. DO NOT PROPAGATE PERMISSIONS. The first ACL makes all new folders unreadable, unwritable, and unsearchable by everyone. The second ACL makes an exception for you. Be sure to enter them in this order, so the second entry can push itself to the front.

chown +a "group:everyone deny list,add_file,search,add_subdirectory,delete_child,directory_inherit,limit_inherit,only_inherit" ~
chown +a# 0 "user:$USER allow list,add_file,search,add_subdirectory,delete_child,directory_inherit,limit_inherit,only_inherit" ~

But truth be told, it's easier to just fix up the permissions on any subfolders you create directly under your home folder. I mean, it's not like you're going to do that often, right?

And besides, who's to say you want these new folders readable only by you? What if you want a folder that is group-readable for some group but not world readable? These inherited ACLs are just going to get in your way then.

Creating a top-of-home-folder folder should be a rare event. Ad hoc solutions are best for rare events.


This is the standard permissions configuration and has been around since the beta days of Mac OS X when Unix underpinnings were established for Apple’s new computer OS.

The root of your home folder is global read, but standard macOS folders within such as Desktop and Documents should be global no access. Feel free to set the permissions of other folders which you create in the root of your home folder to match the permissions on the standard folders.

If you wish new folders to, by default, be global no access, change the permissions on the root of your home folder, propagate the permissions recursively and set up ACLs to inherit permissions for new folders, however I am unsure as to any effects this may have.


Wow I was quite shocked when I realized this.

Another solution is to lock the home directory for everyone else:

chmod 700 ~

Tags:

Macos

Security

Finder

Permission

Recent Posts