Posted by lionking on December 29, 2009
The initial account used to administer the system, as well as any accounts created prior to changing the umask, will allow all users read access to the files in their home folders. It is recommended that this be changed so that only owners and groups have read access to these files. For all users on the system, execute the following command:
sudo chmod -R 740 /Users/username
where username is the name of the user. This operation will have to be repeated every time a new user is added to the system. It also has the side effect of preventing other users from reading the contents of the ~/Public and ~/Sites folders and from writing files to the ~/Public/Drop Box folder. It is recommended that the permissions on these folders be adjusted on a per-user basis.
Posted by lionking on December 17, 2009
The Mac OS X Keychain allows users and applications to store and access authentication details in one place. It uses the familiar paradigm of a keychain to store and access private authentication credentials. Users can lock or unlock the keychain with a single password; applications can only access authentication details when the keychain is unlocked. Multiple keychains can be created to group similar authentication credentials. By default, a keychain called “login” is used to store credentials used by most applications. The password for this keychain is the same as the login password and the Keychain is automatically unlocked when a user logs in and is locked again upon logout. The security of the “login” keychain can be further improved by changing its password to something other than the login password.
This will ensure that the keychain has to be explicitly unlocked before any items can be accessed and also prevents keychain items from being accessed if the login credentials are compromised. From the Keychain Access application in Applications -> Utilities, choose Edit -> Change password for Keychain “login”. A keychain should also be locked after a period of inactivity and when the system wakes from sleep. These options are accessed from the Edit -> Change settings for Keychain “login” menu in the Keychain Access application. The Keychain Access application also allows individual access controls to be placed on each item in the keychain. Where items grant access to particularly sensitive information, it is recommended that the access control be changed to ‘Ask for Keychain password’.
Posted by lionking on December 8, 2009
The default umask on Mac OS X systems is 022, which means that all users are granted read access to every newly created file. It is recommended that this be changed to 027 so that only users in the same group are permitted automatic read access to new files. Organisational security standards may dictate an alternative umask. Since the umask setting must be specified as a decimal value, the octal value 027 is written as 23. To change the default umask, execute the following command:
sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 23
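As an added illustration (not part of the original posts), the following POSIX shell script converts an octal umask to the decimal value the NSUmask key expects, shows the file and directory modes that result under it, and flags home folders under a given base path whose "other" read bit is still set. The base path, folder names and function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original posts. Uses only POSIX sh, printf,
# sed, ls and cut, so it runs the same way on OS X and Linux.

# Convert an octal umask string (e.g. "027") to the decimal value NSUmask
# expects (e.g. 23), digit by digit so no shell-specific base syntax is needed.
umask_to_nsumask() {
    d=0
    for c in $(printf '%s' "$1" | sed 's/./& /g'); do
        d=$(( d * 8 + c ))
    done
    echo "$d"
}

# Mode of a newly created file (base 0666 = 438) under the given octal umask.
new_file_mode() {
    printf '%03o\n' $(( 438 & ~$(umask_to_nsumask "$1") ))
}

# Mode of a newly created directory (base 0777 = 511) under the given umask.
new_dir_mode() {
    printf '%03o\n' $(( 511 & ~$(umask_to_nsumask "$1") ))
}

# Print each home folder directly under $1 (assumed base path, e.g. /Users)
# that any local user can read: the 8th character of "ls -ld" output is the
# "other" read bit, which the chmod in the first post is meant to clear.
world_readable_homes() {
    for h in "$1"/*/; do
        h=${h%/}
        [ -d "$h" ] || continue
        if [ "$(ls -ld "$h" | cut -c8)" = "r" ]; then
            echo "$h"
        fi
    done
}

# Show what the recommended umask means in practice: NSUmask 23, files 640,
# directories 750 (versus 644 and 755 under the default 022).
printf 'umask 027: NSUmask %s, new files %s, new directories %s\n' \
    "$(umask_to_nsumask 027)" "$(new_file_mode 027)" "$(new_dir_mode 027)"
```

Run `world_readable_homes /Users` after applying the chmod from the first post; any folder it prints still needs attention.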