Finder Security Bug or Feature?

My Powerbook’s hard drive was filling up. So I used the WhatSize tool to see which directories were using my disk space. I discovered that I could see how much disk space was being used by another user on the computer. My laptop has three users: an admin (which is used only to install system updates and applications), and two regular users (one for my day job, and for my personal life).

WhatSize actually showed me the directory and file structure inside of my other user’s Home folder. So using the Finder I moved into Home, then into the home folder for my other user. And I discovered that I could actually see most of the files in that user. I could not see inside the “standard” directories (Documents, Desktop, Pictures, etc…) but any other folder or file in the Home folder I could.

I am familiar with the home folder setup under Linux. When I log into one of my Red Hat Enterprise boxes, and try to look inside user’s home folders, I am not allowed to see anything at all. I had always assumed that OS X, built from the unix based BSD, was built with the same restrictions.

I submitted a security report to Apple: “It looks like a permissions issue when new files or folders are created. They are given permissions of 755 rwxr-xr-x instead of 700 rwx——.”

Apple responded promptly, less than one hour later.

After examining your report we do not believe that this issue is a security exposure. The permissions that you describe are correct for a default installation. There are several options for the user that wishes to make the contents of the home directory itself unreadable by other users:

a) Enable File Vault
b) Change the permissions of the home directory using Finder: “Get Info” on the home directory, and set “Ownership & Permissions” as appropriate
c) Change the permissions of the home directory using Terminal: “chmod 0711 ~” from a command line

Note that if one wishes folders such as Public, Drop Box, and Sites to be accessible by other users, then method (c) must be used.

If you have any questions or concerns please feel free to let us know. However, please note that due to the nature and complexity of technical issues, we are not able to provide technical support through email.

So, is this a security issue? Or a feature of the Finder to allow easy filesharing? It is at least a privacy issue. I had always assumed, based on my experience with Linux, that a Home folder was private and inaccessible to other users on the computer. Is this simply a training issue that I should not ever create new folders or files in my Home folder? Should Apple offer an option at system setup, e.g. Do you want to make your home folder private? If the user says “Yes” then the Public, Drop Box, and Sites folders aren’t created, and Home is set to 711 permissions. If No, then the current system is used. What are your thoughts?