Setup guide
UNCLASSIFIED
Chapter 4 – Configuring System Settings
3. If necessary, uncheck the checkbox in front of Check for updates: to disable
the capability.
4. Exit the System Preferences application.
User policy should state that this capability is to remain disabled. If a user
re-enables this capability, risk is minimal because administrator authentication is
still required for download and installation.
Setting the Global umask
The umask setting determines the permissions of new files and folders created by a
user. The default umask setting, 022, removes group and world write permissions.
With a umask setting of 027, files and folders created by a user will not be readable
by all other users on the system but will still be readable by members of the user's
assigned group. The owner of the file or folder can still make it accessible to others
by changing the permissions in the Finder’s Get Info window or by using the chmod
command. The NSUmask setting for all users can be set to 027 (decimal equivalent
23) by issuing the following command in a Terminal window:
sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 23
Note that the path above refers to the domain .GlobalPreferences, not to the file
.GlobalPreferences.plist, which might accidentally be filled in while using the
shell autocomplete feature.
This command will affect the permissions on files and folders created by programs
that respect the Mac OS X NSUmask settings. Programs should follow the value set
for NSUmask, but there is no guarantee that they will. Also, users can override their
own NSUmask setting at any time. The changes to the umask settings take effect at
next login.
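The following shell script is an added example, not part of the original guide. It uses the shell's own umask builtin to show the permission arithmetic behind the 022 and 027 settings and the octal-to-decimal conversion used for NSUmask; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the guide): umask arithmetic behind the NSUmask value.

# Convert an octal umask such as 027 to the decimal form NSUmask is written in.
umask_to_decimal() {
    printf '%d\n' "0$1"    # a leading 0 makes printf read the value as octal
}

# Create a file and a folder under the given umask and print their mode
# strings. Runs in a subshell so the caller's own umask is left untouched.
new_modes() {
    (
        umask "$1" || exit 1
        d=$(mktemp -d) || exit 1
        touch "$d/file"
        mkdir "$d/folder"
        f=$(ls -ld "$d/file" | cut -c1-10)
        g=$(ls -ld "$d/folder" | cut -c1-10)
        rm -rf "$d"
        printf '%s %s\n' "$f" "$g"
    )
}

# True when the "other" permission triplet of a mode string is empty.
hidden_from_others() {
    [ "$(printf '%s' "$1" | cut -c8-10)" = "---" ]
}

# Compare the default setting with the recommended one.
for mask in 022 027; do
    set -- $(new_modes "$mask")
    if hidden_from_others "$1"; then others="no access"; else others="can read"; fi
    printf 'umask %s  NSUmask %s  file %s  folder %s  others: %s\n' \
        "$mask" "$(umask_to_decimal "$mask")" "$1" "$2" "$others"
done
```

The script only reports; it does not change any preference. Files created by programs that ignore NSUmask may still differ from what it prints.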
Securing Initial System Accounts
Two accounts on the system require attention before adding and configuring user
accounts. First, the permissions on the home folder of the initial administrator
account should be changed. Second, any necessary modifications to the root account
should be performed.