Set home folder permission per CIS benchmark

New Contributor

I'm attempting to follow the CIS macOS 10.12 security benchmark. One of the recommendations (5.1.1) is to remove read and execute from group and global. Easy enough to document , but for a live environment we'd want something to run when a new home folder is created.

Testing has revealed that sudo is required so I'm thinking a script to loop through home folders and run:

sudo chmod -R og-rwx /Users/<username>

Issue I have, being a macOS admin n00b, is what should the daemon/plist be configured to monitor to ensure I'm running the script at the correct time. Or perhaps there is a master "home folder" permission template I can modify to ensure new home folders adhere to the CIS recommendation.


Valued Contributor

FYI - if you haven't yet, you may want to look at JAMF's scripts for implementing CIS...

I'm not trying to run it when the home folder is created, but you could run it periodically, or run it at login to probably achieve the desired result.

Valued Contributor

Please note that use of CIS recommendations must be tempered by usability. Be careful and test all workflows and apps in your environment against this change.

As you're a self-described "macOS admin n00b", please know that modifying the way one's home folder behaves may result in unexpected operations and/or downtime.

Unless your users are both sharing computers with individuals unauthorized to see their files and storing their files in improper/nonstandard locations, there is little, if any risk from the default home folder permissions.