
The macOS system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.


Overview

Finding ID: V-209607
Version: AOSX-14-002065
Rule ID: SV-209607r610285_rule
IA Controls:
Severity: Medium
Description
Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
STIG: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide
Date: 2021-11-19

Details

Check Text ( C-9858r282303_chk )
For each listing, with the exception of "Shared", verify that the directory is owned by the username, that only the owner has "write" permissions, and the correct Access Control Entry is listed.

To verify permissions on users' home directories, use the following command:

# ls -le /Users

drwxr-xr-x+ 12 Guest _guest 384 Apr 2 09:40 Guest
0: group:everyone deny delete
drwxrwxrwt 4 root wheel 128 Mar 28 05:53 Shared
drwxr-xr-x+ 13 admin staff 416 Apr 8 08:58 admin
0: group:everyone deny delete
drwxr-xr-x+ 11 test user 352 Apr 8 09:00 test
0: group:everyone deny delete

If the directory is not owned by the user, this is a finding.

If anyone other than the user has "write" permissions to the directory, this is a finding.

If the Access Control Entry listed is not "0: group:everyone deny delete", this is a finding.
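
The three conditions above can be checked by script. The following is an added example, not part of the STIG: it reads `ls -le /Users` output and prints one line per finding. The function names, the constructed sample listing, and the choice to report any additional ACE as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit `ls -le /Users` output for the three findings in the check text.
# Assumption: home directory names contain no spaces (the name is read from field 9).
check_home_dirs() {
  awk '
    # Called when an entry ends: a home directory that never showed the ACE is a finding.
    function report_acl() {
      if (name != "" && !good_ace)
        print name ": missing ACE 0: group:everyone deny delete"
    }
    /^[-bcdlps]/ && NF >= 9 {            # a new ls entry line
      report_acl(); name = ""; good_ace = 0
      if ($1 !~ /^d/ || $9 == "Shared") next
      name = $9
      if ($3 != name) print name ": owned by " $3
      if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w")
        print name ": group or other can write (" $1 ")"
      next
    }
    name != "" && /^[ \t]*[0-9]+:/ {     # an ACE line under the current entry
      ace = $0; sub(/^[ \t]+/, "", ace); sub(/[ \t]+$/, "", ace)
      if (ace == "0: group:everyone deny delete") good_ace = 1
      else print name ": unexpected ACE " ace
    }
    END { report_acl() }
  '
}

# Constructed sample listing (not from a real system).
sample_listing() {
  cat <<'EOF'
total 0
drwxrwxrwt   4 root   wheel  128 Mar 28 05:53 Shared
drwxr-xr-x+ 13 alice  staff  416 Apr  8 08:58 alice
 0: group:everyone deny delete
drwxrwxr-x+ 11 bob    staff  352 Apr  8 09:00 bob
 0: group:everyone deny delete
drwxr-xr-x  11 root   staff  352 Apr  8 09:00 carol
drwxr-xr-x+ 11 dave   staff  352 Apr  8 09:00 dave
 0: group:everyone deny delete
 1: user:bob allow list,search
EOF
}

# On a Mac: ls -le /Users | check_home_dirs
sample_listing | check_home_dirs
```

Empty output means no findings for the listed directories.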
Fix Text (F-9858r282304_fix)
To reset the permissions on a user's home directory to their defaults, run the following command, where "username" is the user's short name:

sudo diskutil resetUserPermissions / username