Manualshelf

Setup guide

ManualsBrandsApple ManualsComputer equipmentMac OS X Panther
71727374757677787980
UNCLASSIFIED
UNCLASSIFIED
68
Chapter 6 –
Future Guidance
12. Click on the unlocked lock icon at the bottom of the panel to re-lock the
preferences panel.
Managed User: Simple Finder
Finally, a user can be restricted to a Simple Finder set of limitations: this user is
not given full access to the System Preferences panel, and is only allowed to run
applications listed by the administrator. Also, a user with Simple Finder privileges
can only open one folder located on the Dock. This type of account also restricts
security features, such as the ability of a user to change his password. Use of a
managed user account restricted to Simple Finder privileges is not
recommended.
Securing Users’ Accounts
This section describes user account settings that should be implemented before a
user is given access to the account.
Restrict Home Folder Permissions
When FileVault is not enabled, the permissions on the home folder of a newly
created user account allow any other user to browse its contents. These permissions
are needed to allow the Public and Public/Drop Box folders within each home
folder to operate properly. However, users may inadvertently save sensitive files
directly into their home folder, instead of into the more-protected Documents,
Library, or Desktop folders. Although it will break the intended function of the
Public and Public/Drop Box folders, the permissions on each each user’s home
folder should be changed to prevent other users from browsing its contents. To
change the permissions, issue the following command from a Terminal window:
sudo chmod 750 /Users/<username>
where <username> is the name of the account. This command should be executed
immediately after the creation of a new account. The 750 permission setting still
allows members of the group owning the folder to browse it, but on Mac OS X 10.3
that group consists only of the user. If more advanced group management is
performed, and members of the group owning the folder should not be granted
permission to browse it, then the command above should be issued with the
permission 700 instead of 750.
The user, as the owner of his home folder, can alter its permission settings at any
time.