UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The macOS system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.


Overview

Finding ID Version Rule ID IA Controls Severity
V-209607 AOSX-14-002065 SV-209607r610285_rule Medium
Description
Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
STIG Date
Apple OS X 10.14 (Mojave) Security Technical Implementation Guide 2021-11-19

Details

Check Text ( C-9858r282303_chk )
For each listing, with the exception of "Shared", verify that the directory is owned by the username, that only the owner has "write" permissions, and the correct Access Control Entry is listed.

To verify permissions on users' home directories, use the following command:

# ls -le /Users

drwxr-xr-x+ 12 Guest _guest 384 Apr 2 09:40 Guest

0: group:everyone deny delete

drwxrwxrwt 4 root wheel 128 Mar 28 05:53 Shared

drwxr-xr-x+ 13 admin staff 416 Apr 8 08:58 admin

0: group:everyone deny delete

drwxr-xr-x+ 11 test user 352 Apr 8 09:00 test

0: group:everyone deny delete

If the directory is not owned by the user, this is a finding.

If anyone other than the user has "write" permissions to the directory, this is a finding.

If the Access Control Entry listed is not "0: group:everyone deny delete", this is a finding.
Fix Text (F-9858r282304_fix)
To reset the permissions on a users' home directory to their defaults, run the following command, where "username" is the user's short name:

sudo diskutil resetUserPermissions / username