Setup guide

UNCLASSIFIED
Chapter 4 - Configuring System Settings

Restricting Administrator's Home Folder Permissions
When FileVault is not enabled, the permissions on the home folder of the
just-created administrator account allow any user to browse its contents. To change
the permissions on the administrator's home folder, issue the following command in
a Terminal window, where <adminname> is the name of the account. The 700
permission setting (read, write and execute for the owner only) allows only the
administrator to read and browse the files in his home folder; group members and
all other users get no access at all.
sudo chmod 700 /Users/<adminname>
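The following shell snippet is an added example and is not part of this guide. It audits every home folder under a parent directory (by default /Users) and reports any folder that still grants group or other users any access, printing the chmod command from above for each one. The function names and the decision to skip /Users/Shared (which is meant to be shared) are the example's own assumptions; it relies only on ls and cut, so it behaves the same on Mac OS X and other UNIX-like systems.

```shell
#!/bin/sh
# Added example (not from the guide): audit home folders for group/other access bits.

# Print the nine-character permission string of a folder, e.g. "rwxr-xr-x".
home_mode() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 if only the owner has any access (mode 700 or stricter), 1 otherwise.
# The group and other fields (characters 4-9) must all be "-".
home_is_private() {
    mode=$(home_mode "$1") || return 1
    case "$mode" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Report every home folder under a parent directory (default /Users) that other
# users could browse. Returns 1 if at least one such folder was found, else 0.
audit_homes() {
    parent=${1:-/Users}
    status=0
    for dir in "$parent"/*; do
        [ -d "$dir" ] || continue
        # /Users/Shared is intended to be readable by everyone (assumption of this example).
        case "$(basename "$dir")" in Shared) continue ;; esac
        if ! home_is_private "$dir"; then
            echo "WARNING: $dir is $(home_mode "$dir"); fix with: sudo chmod 700 $dir"
            status=1
        fi
    done
    return $status
}

# Run the audit against the real home folders when executed directly.
audit_homes /Users
```

Run it as an administrator; a clean system produces no output and exits 0, while each folder that still has group or other bits set is listed together with the exact command needed to restrict it.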
Securing the Root Account
Like other UNIX-based systems, Mac OS X includes a root account that can perform
any action on the system. Administration on most UNIX-based systems is
performed through the root account and sometimes multiple administrators share
access to the root account, which can make it impossible to distinguish the actions of
one administrator from another in the audit logs. Mac OS X installs with the root
account disabled, preventing direct root login, and it is strongly recommended that
the root account remain disabled. Administrative accounts offer additional
mechanisms that force authentication before performing critical functions. The root
account does not support such mechanisms. If root logins are used to perform
administration, then it will be impossible to log individual administrator actions.
Note: This configuration guide has only been verified on version 10.3.x of the
operating system. Other versions of the system may behave differently.

Incorrectly carrying out these procedures may cause the system to become
inaccessible, or corrupt the system to the point where a complete reload of the
system would be necessary. It is imperative that the administrator perform the
procedures exactly as described, and only on the version of the operating system
covered by this guidance.
If the root account has been enabled, it should now be disabled using the following
procedure. There are multiple methods of enabling root access, and this procedure
is designed to disable the root account regardless of the method used to enable it. To
perform this procedure:
1. Log into an administrator account and start the NetInfo Manager
application found in /Applications/Utilities.
2. Click on the users item located in the second column at the top of the NetInfo
Manager panel. This will open the list of users in the third column.