Make Mac Work:

Helping Manage The Macintosh Enterprise

CreativeTechs

Secure Finder Permissions

File permissions are something systems administrators deal with every day. Usually that means somebody can’t read something on the server and needs you to figure out why. In multi-user environments, however, what people can’t read is often as important as what they can, and by default the Mac OS X Finder may allow people to read far more than your users expect.

A Complex Explanation of Unix Permissions:

In cross-platform deployments, permissions are most often Windows-style ACLs (access control lists), which allow a wide variety of context-sensitive settings but require a degree of administrative overhead to set up and maintain. On native Mac OS X systems, you’ll most likely be dealing with POSIX-style permissions (also known as Unix permissions), which define file access as granted to the owner, the group, and others. This information is available for every file and folder in the Finder by highlighting an item, choosing “Get Info” from the “File” menu, then selecting “Ownership and Permissions” in the window that appears.

The underlying Unix operating system keeps track of those file permissions as numeric values, where 4 represents read, 2 represents write, and 1 represents execute (which the Finder doesn’t report). These values are additive, so a file which allows read and write access to its owner and read-only access to its group and others is denoted as 644, with the 6 being the sum of 4 for read and 2 for write. For a directory, the same read and write permissions are denoted as 755 (without execute permission a user is unable to interact with or even list directory contents, so an additional 1 is added to each position). These numeric values are the ones used by Unix commands such as chmod, which changes the permission mode; its companion chown changes ownership.

When you create a new file the default permissions are defined by a value called the umask. This value is subtracted from 666 for regular files (and 777 for directories) to determine their access privileges. So when creating a new folder, a umask of 022 would yield permissions of 755, allowing the owner to both read and write enclosed files while the group and others are able to read them. Unfortunately, these are the settings used by the Finder in a new OS X installation.
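The numeric modes and the umask rule above can be checked directly in a shell. The script below is an added example, not code from the original article: expected_mode derives the mode from a base and a umask the way the kernel does (clearing the umask bits, which for umasks like 022 and 077 gives the same answer as subtraction), rwx_to_octal converts the nine-character rwx string shown by ls -l and the Finder into the numeric form, and observed_mode actually creates a probe file or folder under a chosen umask in a throwaway temporary directory and reads the result back. The function names are this example’s own; it runs in any POSIX shell on macOS or Linux and does not involve the Finder.

```shell
#!/bin/sh
# Added example (not from the original article): relate umask values to the
# modes new files and directories actually receive.

# Expected mode: the kernel clears every bit set in the umask from the base
# mode (666 for files, 777 for directories). For umasks such as 022 or 077
# this matches the "subtract from 666/777" rule of thumb.
expected_mode() {            # $1 = base (666|777), $2 = umask, e.g. 022
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Turn a 9-character rwx string (what ls -l and the Finder display) into
# octal, adding 4 for r, 2 for w and 1 for x in each of owner/group/other.
rwx_to_octal() {
    s=$1; out=""
    for start in 1 4 7; do
        part=$(printf '%s' "$s" | cut -c"$start"-"$((start + 2))")
        n=0
        case $part in r??) n=$((n + 4));; esac
        case $part in ?w?) n=$((n + 2));; esac
        case $part in ??x) n=$((n + 1));; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# Observed mode: create a probe under the given umask inside a temporary
# directory (the umask change is confined to a subshell), read back the
# permission string with ls -ld, and convert it.
observed_mode() {            # $1 = umask, $2 = file|dir
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
    )
    perms=$(ls -ld "$tmp/probe" | cut -c2-10)
    rm -rf "$tmp"
    rwx_to_octal "$perms"
}

# Compare theory and practice for the default umask (022) and the
# owner-only umask the article recommends (077).
demo() {
    for m in 022 077; do
        printf 'umask %s: file %s (expected %s), directory %s (expected %s)\n' \
            "$m" "$(observed_mode "$m" file)" "$(expected_mode 666 "$m")" \
            "$(observed_mode "$m" dir)" "$(expected_mode 777 "$m")"
    done
}

demo
```

Running it prints one line per umask, for example that a umask of 022 yields 644 files and 755 directories while 077 yields 600 and 700, with the observed values matching the computed ones.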

A Simple Way to Improve Finder Security:

By default, the Finder creates folders with permissions that allow read access to anyone who can log in to your machine. This isn’t a problem if users only save files in the pre-existing folders in their home directory (like Documents), as those folders’ permissions already prevent access by anyone but the user.

When users create additional directories, however, the documents stored inside them can be accessed by other users on that computer (or in the case of servers and when file-sharing is enabled, by anyone on the network). This is seldom the behavior that users expect, and in many settings it can present a serious security problem.

There are lots of ways to adjust the umask system-wide, depending on the OS version you’re using (such as the GlobalPreferences.plist and the NSUmask property). Unfortunately, setting the umask for the entire system is also a really good way to break things unexpectedly.

The easy way to solve this issue is to adjust the Finder’s umask settings by creating a new preferences file on the command line. So long as the files your applications save are inside folders the Finder created, you’ll have the security you need to prevent casual snooping. While logged in as an administrative user, open the Terminal and type:

defaults write /Library/Preferences/com.apple.finder \
umask -int 077

On their next login, users who create new folders in the Finder will have their permissions set automatically to 700 — allowing them to read and write the contents but preventing access by any other users entirely.
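Because the umask only governs items created after the change, folders users made earlier keep the permissions they already have. The script below is an added example, not part of the original article and not a CreativeTechs tool: list_readable_by_others finds files and folders under a path that the group or others can read, tighten_tree removes group and other access from them (the equivalent of 700 for folders and 600 for files), and make_sample_tree builds a small constructed tree with one folder created under umask 022 and one under 077 so the audit can be tried offline. Function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory tree for
# entries readable by anyone other than the owner, then optionally tighten
# them. Useful as a one-time pass over folders created before the Finder's
# umask was changed.

# List entries under $1 where the group or others hold read permission.
# -perm -040 tests the group-read bit, -perm -004 the other-read bit.
list_readable_by_others() {
    find "$1" \( -perm -040 -o -perm -004 \) -print | sort
}

# Count such entries (handy for a quick before/after check).
count_readable_by_others() {
    list_readable_by_others "$1" | wc -l | tr -d ' '
}

# Strip group and other access from every entry found above, leaving the
# owner's bits untouched (755 -> 700, 644 -> 600).
tighten_tree() {
    find "$1" \( -perm -040 -o -perm -004 \) -exec chmod go-rwx {} +
}

# Constructed sample tree: one folder made with the default umask (022) and
# one with the owner-only umask (077). The umask is changed only inside
# subshells so the caller's environment is unaffected.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    (
        umask 022
        mkdir "$root/shared_by_accident"
        : > "$root/shared_by_accident/notes.txt"
    )
    (
        umask 077
        mkdir "$root/private"
        : > "$root/private/secret.txt"
    )
    printf '%s\n' "$root"
}

# Walk through the audit and fix on the sample tree.
demo() {
    root=$(make_sample_tree) || return 1
    echo "Readable by others before tightening:"
    list_readable_by_others "$root"
    tighten_tree "$root"
    echo "Readable by others after tightening: $(count_readable_by_others "$root")"
    rm -rf "$root"
}

demo
```

Before tightening, only the 022 folder and the file inside it are listed; afterwards the count is zero. On a real home directory, run list_readable_by_others first and review the output, since folders such as Public and Sites are meant to be readable by others, and apply tighten_tree only to the paths you intend. To confirm the Finder setting from the article is in place, `defaults read /Library/Preferences/com.apple.finder umask` should print 77.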

Recommended Reading: Is there anything that Wikipedia can’t explain? I’m not sure, but for more information on this topic, take a look at their excellent file system permissions entry.