ACL - how to (easily) deny access to everything but home directory

I was trying to set up a very restrictive drop box for users to leave and take files from. I set up a special USER and then thought I could use the ACLs to deny access to the system except for the home directory. From reading the documentation I tried the following:
1) at the root level I denied read/write access for USER
2) at the home directory I allowed read/write access for USER
and then I tried to 'remove inherited' ACLs. I can't seem to get this to work. USER is always denied. Any help appreciated.

Never mind. I figured out how to do this from the command line using chmod +a to do multiple directories at once. I still don't know why the top level ACL wouldn't propagate to the lower directories but once I did this on the /* directories everything was fine.
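
The approach the poster ended up with, a chmod +a on each existing top-level directory rather than a single inherited entry on /, as an added example that is not code from the thread. The account name dropbox, its home /Users/dropbox and the KEEP_TRAVERSABLE list are assumptions. The reason the top-level ACL did not reach the lower directories is that macOS copies inherited ACEs onto entries when they are created; directories that already exist keep their own ACL, so each one has to be listed. The script prints the plan and applies it only when asked, on macOS.

```python
#!/usr/bin/env python3
"""Plan, and only on request apply, per-directory deny ACEs for a macOS drop-box account.

Added example; it is not code from the thread. Assumed names: the account "dropbox",
its home /Users/dropbox, and the directories in KEEP_TRAVERSABLE. The plan enumerates
the existing top-level directories because inherited ACEs on macOS are copied only
onto entries created after the ACE is set; directories that already exist keep their
ACLs, which is why a deny placed on / alone does not reach them.
"""
import os
import platform
import shlex
import subprocess
import sys
import tempfile

# Permission and inheritance names are the ones chmod(1) accepts after "+a" on macOS.
FULL_DENY = ("list,search,add_file,add_subdirectory,delete,delete_child,"
             "file_inherit,directory_inherit")
# Directories on the path to the home directory keep "search" (traverse) so the
# account can still reach its home, and carry no inheritance flags.
ANCESTOR_DENY = "list,add_file,add_subdirectory,delete_child"
# Assumed: system directories a session for the account still needs to traverse.
KEEP_TRAVERSABLE = ("/dev", "/private", "/Volumes")


def is_ancestor(path, home):
    """True when `path` is a directory on the way to `home` (home itself excluded)."""
    path = os.path.normpath(path).rstrip(os.sep) + os.sep
    home = os.path.normpath(home).rstrip(os.sep) + os.sep
    return home != path and home.startswith(path)


def plan(root, user, home, keep=KEEP_TRAVERSABLE):
    """Return (path, ace) pairs for each top-level directory of `root` that gets a deny ACE."""
    skip = {os.path.normpath(p) for p in keep} | {os.path.normpath(home)}
    entries = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        # Symlinks such as /tmp -> /private/tmp are skipped so a target is not hit twice.
        if os.path.islink(path) or not os.path.isdir(path):
            continue
        if os.path.normpath(path) in skip:
            continue
        perms = ANCESTOR_DENY if is_ancestor(path, home) else FULL_DENY
        entries.append((path, f"{user} deny {perms}"))
    return entries


def as_commands(entries):
    """Render the plan as argv lists: chmod +a "<user> deny <perms>" <dir>."""
    return [["chmod", "+a", ace, path] for path, ace in entries]


def apply_plan(entries):
    """Run the chmod commands; refuses outside macOS, where chmod has no +a option."""
    if platform.system() != "Darwin":
        raise RuntimeError("chmod +a is macOS-specific; review the printed plan elsewhere")
    for argv in as_commands(entries):
        subprocess.run(argv, check=True)


def sample_plan():
    """Constructed scratch tree standing in for /: Applications, Users/{dropbox,alice},
    dev and a tmp symlink. Returns the plan with paths relative to the scratch root."""
    base = tempfile.mkdtemp(prefix="aclplan-")
    for d in ("Applications", "Users/dropbox", "Users/alice", "dev"):
        os.makedirs(os.path.join(base, d))
    os.symlink(os.path.join(base, "dev"), os.path.join(base, "tmp"))
    home = os.path.join(base, "Users", "dropbox")
    entries = plan(base, "dropbox", home, keep=[os.path.join(base, "dev")])
    return [(os.path.relpath(path, base), ace) for path, ace in entries]


if __name__ == "__main__":
    user, home = "dropbox", "/Users/dropbox"        # assumed account
    entries = plan("/", user, home)
    for argv in as_commands(entries):
        print(shlex.join(argv))                     # review the plan before applying
    if "--apply" in sys.argv:
        apply_plan(entries)
```

Run it once without arguments to read the plan, then with --apply. Afterwards `ls -le` on a couple of the directories shows the new entries, and a login as the drop-box account (over whatever protocol it actually uses, since that decides which system directories must stay traversable) confirms the home directory is still reachable.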

Similar Messages

  • How can I change the name of my home directory?

    When I first set up my Macbook Pro a year ago, I put my first and last name. I didn't like this and later changed the login name to just my first name, but the "home" directory is still listed as my full name on the side panel in Finder windows. How can I change this? It won't let me rename that.

    Barney-15E wrote:
    You should have experienced that same effect when you managed to change your login name. How did you change your login name?
    I imagine that has something to do with why everything 'disappeared' when you changed the directory name.
    It's actually pretty simple to change the login name, and it doesn't affect files at all.
    All I did was change the field labeled "user name".
    Niel wrote:
    Move all of your files to the other home folder in the Users folder and then change the name.
    I'll try that, thanks.

  • Eventually denied permission to write in home directory

    Hello,
    My wife is using a Mid-2007, 2.4GHz Intel Core 2 Duo iMac (iMac7,1) with 6GB RAM and more than 1TB of free available HD space.  She is running Mountain Lion (10.8.3) and has administrator privileges.
    After she has been using the computer for a while (hours or days; it varies), the system eventually denies her writing privileges to folders in her own Home directory. 
    I'll give two common examples:
    She'll download a file in Safari (or iTunes), and everything appears to proceed normally until the download "finishes" at which point she receives an error message that says she doesn't have permission to write to the save location.  The download remains in her browser's download list, but the file itself "disappears".  Changing target directories (e.g. from Downloads to Desktop) makes no difference.
    TextEdit will automatically reopen upon log in, and display one or more SavedState "Untitled" documents with text in them (she uses it as a scratch pad). When she attempts to add text to one of these documents, e.g. "Untitled 8," an error appears that says she does not have permission to make changes to the document and is prompted to make a Duplicate, so she does so.  She can successfully enter text in "Untitled 8 (copy)" but when it comes time to save the file, another error is returned that claims she does not have permission to write to [whatever location].
    Only two things seem to correct this situation, neither of which are permanent. That is, it eventually happens again.
    1. She logs out and logs back in. Things will behave normally for a while.  This is a pain, of course, because she typically discovers the problem when she is in the middle of working on one or more things, and the login process is fairly slow (as are most things on this iMac since upgrading to Mountain Lion -- though better since restricting the activity of Sophos Antivirus).
    2. Repair the permissions in her Home directory:  Get Info, click the lock & enter her password, change the Privilege of Me from Read & Write to Read Only, then back to Read & Write, and finally click the gear so as to Apply to enclosed items.  Once this is finished, access is restored... until it happens again.  Funny thing about this particular procedure is that her permissions appear to be set normally at the outset, i.e., Read & Write.
    Another odd thing about the download problem is that the system does not seem to have a problem writing to whatever temporary directory it uses during the downloading process. The error only comes once the file is complete.
    There does not seem to be any precipitating event that leads to this change in her permissions/access privileges.
    Repairing permissions using Disk Utility does not resolve the problem.
    Running other kinds of repairs (repair disk when booted in Recovery Mode, running Drive Genius 3 from a separate partition or from the optical media, TechTool Pro, etc.) does not resolve the problem.
    When I log in to this same computer using my account (also with admin privileges), I have yet to encounter this eventual-permission-denial problem.
    Any thoughts or recommendations are welcome, obviously.  This is driving us batty!

    Hmmm, sounded like a RAM problem until you mentioned your account doesn't do it.
    One way to test is to Safe Boot from the HD, (holding Shift key down at bootup), run Disk Utility in Applications>Utilities, then highlight your drive, click on Repair Permissions, Test for problem in Safe Mode...
    PS. Safe boot may stay on the gray radian for a long time, let it go, it's trying to repair the Hard Drive
    Reboot, test again.
    If it only does it in Regular Boot, then it could be some hardware problem like Video card, (Quartz is turned off in Safe Mode), or Airport, or some USB or Firewire device, or 3rd party add-on, Check System Preferences>Accounts (Users & Groups in later OSX versions)>Login Items window to see if it or something relevant is listed.
    Check the System Preferences>Other Row, for 3rd party Pref Panes.
    Also look in these if they exist, some are invisible...
    /private/var/run/StartupItems
    /Library/StartupItems
    /System/Library/StartupItems
    /System/Library/LaunchDaemons
    /Library/LaunchDaemons

  • How do I deny access to an External Hard Drive while using user switching

    Hello,
    I have a QuickSilver running Tiger (Leopard upgrade coming when RAM arrives) and have 4 users (fast user switching enabled). I would like to deny all access to the external hard drives except for my account on the box.
    I have already gone into the info Sharing & Permissions and only allowed myself to have access; others have "no access". However, when I switch user (using fast user switching) they assume ownership of the drives and have access.
    Just so you understand the overall direction I would like to go: I'm a photographer and my images are loaded on various external hard drives which are plugged in to the desktop. Family uses the desktop and I do not want them to access my work on the external hard drive; however, I do need to connect via my laptop to edit images via ethernet, for which I would obviously enter the admin username and password for the desktop when challenged.
    Any ideas???
    dsh
    P.S. I also changed the permissions via unix to 700 but guess what, it doesn't matter! It still assumed the other users' ownership upon switch. Does anyone have a proven solution?

    D. Fraser wrote:
    When you Get Info on the Drives, who is the owner of the Drives? What exactly are the permissions? Do all of the other users use an admin account? You might have to chmod the root user of the drive to your admin account, change the user to no-access, and everyone to no-access.
    How does one "chmod the root user of the drive to your admin account"?
    Can that be done with Terminal inside an administrator account, or does root need to be enabled and logged into?
    -db

  • How to share internet access from iPhone with home LAN

    Hello,
    Sorry if this has been asked before, but I just bought an iPhone and am trying to use it to provide internet access to a LAN at my cottage where only dial-up is possible with my ISP. Although this is easily accomplished by enabling internet sharing on my iMac and plugging it into my router's WAN port, I do not have any access to my IP printer or to my SONOS music system. Any pointers?
    Thanks,
    Martin Girard

    Well, getting internet access for my iMac is straightforward using USB tethering (I live in Canada, no AT&T crap). Then, I can share this connection with other computers (via ethernet in my case) by enabling internet sharing (in the Sharing control panel). My problem is that once I plug my iMac in the WAN port of my router, I can't access my LAN anymore. Any ideas???

  • How do I limit access to certain (but not all) applications on my laptop?

    Hello,
    Is it possible to reduce access to certain applications (eg Email) while allowing other applications to remain "open" to all users?
    I only have one account on my powerbook, and would like to simply prevent access to certain applications.
    Any help will be greatly appreciated,
    thank you,
    nihal

    Korelice
    You would need, in following Matt's advice, to ensure that the restricted users were not created as admin users. That is, on creation do not click the 'allow this user to administer computer' box. If you tried parental controls on them, you would be told by the OS that you can't restrict an admin.
    The better advice would be to restrict the actual use of the single user you have now, who is presumably an admin, to just admin tasks (installations, reconfigs, setting up new users etc). Change his password so those real people you don't trust (?) couldn't get to him. You could have a 'restricted' user who is not restricted in respect of apps (email, browser etc) but can't admin. Use him yourself for browsing etc and general use. Add another restricted user for (the kids, irresponsible friends and such) who are not admins and can only use certain apps. I am aware that is not precisely what you asked.

  • AD authentication but home directory on OD Server - how to do this?

    I would like my users to authenticate to our current AD, but host portable home directories on an AD/OD integrated Mac OS X Leopard server. Any help on how to do this? Thanks.

    ps. If anyone knows that this is impossible, please let me know. I'm wondering if this setup is not correct.

  • How do I change the name of my home directory?

    Is it possible to change the name of my home directory once it has been set up?

    Your user name and your home directory name are one and the same. I'm not sure whether it is technically impossible for them to be different, but I definitely would not advise that if it isn't. Note that any solution to the problem of changing your username is going to be either hairy and dangerous or incomplete. I would never advise anyone to try it.
    Instead, just create a new user with the desired name, migrate your data over to the new user's home folder and delete the old user.
    The following link will help with the process of moving your data:
    Transferring files from one User Account to another

  • ISA550 Deny access to management login on some vlans/ports

    Hi,
    I tried to create a firewall ACL rule that would deny access to HTTP/HTTPS on the router for some VLANs/ports, but it seems like the rule is just ignored.
    Also, I can ping all interfaces on the router even between two VLANs that are using a same-level zone, and even connect to the management login from a different access VLAN port.
    The main issue is that I don't really like to expose a web server on a security device to everyone on the LAN side. And I would also like to isolate all VLANs and create exceptions if I need to.
    Anyone know if this is possible?

    Hi Prithvi Manduva,
    Thank you for replying!
    I have tried to set up two simple rules to illustrate my problem. My configuration is this:
    VLAN 1: DEFAULT  in zone OFFICE
    VLAN 2: CONFIG in zone CONFIG
    With VLAN 1 and 2 assigned to port 2 and port 3 in access mode.
    DHCP is enabled on both vlans with subnets of 192.168.5.0/24 for OFFICE and 192.168.10.0/24 for CONFIG
    CONFIG_IP is 192.168.10.1
    DEFAULT_IP is 192.168.5.1
    Using these two rules:
    #   FromZone   ToZone   Service   SourceIP   DestinationIP   Action
    1   CONFIG     Any      HTTP      Any        CONFIG_IP       Permit
    2   Any        Any      HTTP      Any        DEFAULT_IP      Deny
    I would think that this would allow the CONFIG zone to access port 80 on the CONFIG IP, and also deny all other zones access to port 80 on the default gateway for OFFICE (DEFAULT_IP).
    I also tried to create a simple Deny ICMP Echo Request to the DEFAULT_IP, but it looks like it's just ignored.
    In short, it looks like I can't deny anything to any of the IP addresses of the interfaces on the router.

  • Deny access to Folders

    How can I deny access to folders?
    i.e. On double-clicking on the folder, I should get a message saying "Access Denied."

    Apps like PhotoBooth, iChat, Mail and Chess can be deleted or moved to a folder the user does not have access to. If for some reason you want to keep them, you can change permission to deny the user read/execute on the app.

  • How can I change my "Home directory" folder name?

    Hello, everyone.
    I was given a pre-owned MacBook Pro that's running OS 10.6.8.  How can I change the name on the Home directory folder?  I was able to change the Administrator Account settings, but the Home directory still shows the previous owner's name.  It bothers me a bit, though, to see the previous owner's name still come up on the Home folder.
    I came across the instruction listed below, but I can't get past step 4.  It instructs me "rename it just like I would rename any folder."  I can't seem to rename it, though.  The cursor doesn't come up when I click on the folder name.
    For Mac OS X v10.5 or later
    1. Enable the root user.
    2. Log in as root.
    3. Navigate to the /Users folder.
    4. Select the Home folder with the short name you want to change, and rename it just like you would rename any folder. Keep in mind that the shortname must be all lowercase, with no spaces, and only contain letters.
    5. Use the Users & Groups pane (Accounts pane in Mac OS X v10.6.8 or earlier) in System Preferences to create a new user with the Account name or Short Name that you used in the previous step.
    6. Click OK when "A folder in the Users folder already has the name 'account name'. Would you like to use that folder as the Home folder for this user account?" appears. Note: This will correct the ownership of all files in the Home folder, and avoid permissions issues with the contents.
    7. Choose Log Out from the Apple menu.
    8. Log in as the newly created user. You should be able to access all of your original files (on the desktop, in Documents, and in the other folders of this Home).
    9. After verifying that your data is as expected, you can delete the original user account via the Users & Groups pane (Accounts pane in Mac OS X v10.6.8 or earlier).
    10. Disable the root user.
    Any help would be much appreciated.

    Hi everyone,
    I followed this https://discussions.apple.com/docs/DOC-3872
    and got to the stage of having renamed my Home folder with the new name but the Home folder is STILL designated to the old name?
    When I try and create a new user with the new name, I don't get asked if I'd like to use the existing name as Home folder, I get told I can't use the newname because it exists already - that's the end of it - no further options.
    So to clarify - I now have oldname folder STILL assigned as Home folder. A newname folder with all my stuff in - apps, desktop, etc etc but this is just another user folder.
    Interestingly at login stage, the oldname folder isn't an option. I think I've confused the system somewhere by titling things differently at some stage in an attempt to rename Home folder.
    I'm running Mountain Lion (as of yesterday) and because I've kinda lost the use of my User folder as the Home folder, can't get to my Time Machine. I'm in trouble but I'm trying not to panic. Would appreciate any help!
    Laurie

  • How to change the "short name (account name?)" and home directory name?

    Hi,
    I recently purchased a new iMac and migrated account info from my MacBook Pro.  I happened to use a random account name during migration without knowing it would not be easy to change the short name (account name?) and home directory name.  As a result, I now have an extremely confusing short name and home directory name on my new iMac.
    I did an online search to find out how to change the two names, but I could only find something like "enabling root user and....."  I have no idea what it was talking about and I don't want to take the risk of altering such an advanced setup manually.
    Please advise how I can change the short name and home directory name safely without much PC knowledge.
    Thank you very much in advance.

    There are a few ways of doing this. The easiest method is logging into the first account and copying everything to an external drive (or flash drive or whatever), which changes the permissions so that others can see the files.
    Then, login with the new account and copy the files over. Once they are copied, the correct permissions will be applied again (so other people on your computer can't access them).
    If you can't do this method for one reason or other, you can do some terminal commands to change the ownership of the files. Login to the new account. If it is an admin account, open terminal and type the following command:
    sudo chown -R -v yourusername:admin /Users/originalaccountnamehere
    That should change the ownership of the files from your old account to the new one. At that point, you can simply drag the files into place.

  • How can i use the ACL file to control the access from the other website?

    Hello all~
    My Sun ONE is 6.1 SP3 on Windows 2003 SE, and I am trying to use the ACL file to control the access.
    My ACL file is below:
    version 3.0;
    acl "path=my_path_on_HD";
    deny absolute (all)
    (user = "anyone") and
    (dns = "*.my_site.com");
    deny absolute (all)
    (user = "anyone") and
    (dns = "*.other_site.net");
    Once I add the "deny", anyone, including my site, is declined from visiting the path specified in the ACL file. But if I remove the "deny", everyone, including other people's websites, can access the file.
    Can anybody tell me how to make it work?

    I think you've misunderstood what the dns attribute is for. The dns attribute returns the hostname of the client accessing your website, not the hostname of the website that linked to your website.
    For example, when someone using the Comcast ISP goes to a malicious website at example.com that loads images from your website at www.amigoo.net, the dns attribute will be something like "c-1-2-3-4.ca.comcast.net", not "example.com". ACLs are used for authentication and authorization of clients (not the websites those clients chose to visit), and they don't provide the functionality you're looking for.
    If I understand correctly, you want to prevent websites other than amigoo.net from linking to files in your d:/webserver/imat/pics_upload directory. You can achieve this by adding the following lines to your obj.conf configuration file:
    <Object ppath="d:/webserver/imat/pics_upload/*">
    <Client referer="*~*amigoo.net">
    PathCheck fn="deny-existence"
    </Client>
    </Object>
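
The decision the rule above makes, re-implemented as an added example (not part of the thread and not Sun ONE code) so that it can be exercised against sample Referer values. wildcard_match covers only the part of the pattern syntax the rule uses, and this is an assumption: "*" stands for any run of characters and "~" negates the pattern that follows it, so "*~*amigoo.net" reads as "anything that does not end in amigoo.net". strict_decision is an alternative that compares the Referer host instead of the whole header value, which closes the gap that the wildcard also accepts hosts such as notamigoo.net.

```python
#!/usr/bin/env python3
"""Referer-based hotlink decision, modelled on the <Client referer=...> rule above.

Added example; not part of the thread or of the Sun ONE product. wildcard_match
re-implements only the part of the pattern syntax used here (assumption): "*" stands
for any run of characters and "~" negates the pattern that follows it. strict_decision
compares the Referer host instead of the full header value.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DENIED_REFERER_PATTERN = "*~*amigoo.net"   # pattern from the obj.conf rule above


def wildcard_match(pattern, value):
    """Match `value` against "X~Y": it must match X (empty X means "*") and not match Y."""
    positive, tilde, negative = pattern.partition("~")
    if not fnmatchcase(value, positive or "*"):
        return False
    return not (tilde and fnmatchcase(value, negative))


def obj_conf_decision(referer):
    """What the rule does: the pattern matching the whole header value means deny."""
    return "deny" if wildcard_match(DENIED_REFERER_PATTERN, referer or "") else "allow"


def strict_decision(referer, allowed_domain="amigoo.net", allow_missing=True):
    """Allow only when the Referer host is the domain itself or a subdomain of it.

    The Referer header is set by the client and is often absent (privacy settings,
    direct visits), so whether a missing header is allowed is an explicit choice here.
    """
    if not referer:
        return "allow" if allow_missing else "deny"
    host = (urlsplit(referer).hostname or "").lower()
    if host == allowed_domain or host.endswith("." + allowed_domain):
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample Referer values, including the missing-header case.
    samples = ("http://www.amigoo.net", "http://www.amigoo.net/gallery",
               "http://notamigoo.net", "http://example.com/page", "")
    for ref in samples:
        print(f"{ref or '<missing>':32} rule={obj_conf_decision(ref):5} "
              f"strict={strict_decision(ref)}")
```

Running it prints one line per sample. Two of them are worth checking against real header values before deploying a rule of this shape: because the pattern is matched against the whole header value, a Referer that carries a path after the host (the usual case) does not match *amigoo.net and so is denied, while a host that merely ends in the same letters is allowed. The host comparison in strict_decision avoids both, and the Referer header remains client-supplied either way, so this is a nuisance control for hotlinking rather than access control.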

  • When I download iTunes, it says that iPod Service failed to start. I checked the services under Task Manager and when I try to start it, it says access denied. How do I get access so the iPod service can start and run?

    Please help. My iPod classic could not be recognised by iTunes when I connect my iPod to the PC. Previously it had been recognised, before I updated. This was a while ago now, so I removed all Apple files and reinstalled the latest iTunes, but am having the same problem.
    When I download iTunes, it says that iPod Service failed to start. I checked the services under Task Manager and when I try to start it, it says access denied. How do I get access so the iPod service can start and run?

    Some anti-virus programs (e.g., McAfee) have this rule that can be invoked under the "maximum protection" settings: PREVENT PROGRAMS REGISTERING AS A SERVICE. If that rule is set to BLOCK, then any attempt to install or upgrade iTunes will fail with an "iPod service failed to start" message.
    If you are getting this problem with iTunes, check to see if your anti-virus has this setting and unset it, at least for as long as the iTunes install requires. Exactly how to find the rule and turn it on and off will vary, depending upon your anti-malware software. However, if your anti-virus or anti-malware software produces a log of its activities, examining the log may help you find the problem.
    For example, here's the log entry for McAfee:
    9/23/2009 3:18:45 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\iPod Service Common Maximum Protection:Prevent programs registering as a service Action blocked : Create
    Note that the log says "Common Maximum Protection: Prevent programs registering as a service". The "Common Maximum Protection" is the location of the rule, "Prevent programs registering as a service" is the rule. I used that information to track down the location in the McAfee VirusScan Console where I could turn the rule off.
    After I made the change, iTunes installed without complaint.

  • How can I deny write access to datalog files for all but one process in LV8?

    In LabVIEW 7.1, wiring the deny mode terminal of Open File.vi with a Deny Write Only enum constant was an effective means for ensuring that only one process could write to a datalog file at a time.  In LabVIEW 8.0, Open File.vi is no longer available and the new Open/Create/Replace Datalog vi does not provide a deny mode terminal.  Also, the new Deny Access vi does not support datalog files.  Furthermore, the Set Permissions vi is an unsatisfactory solution because under the Windows operating system, it simply sets the Read Only file attribute.  This is inadequate because I have demonstrated that it is still possible for two processes to open a datalog file with read/write access before either one has had a chance to set the Read Only file attribute in order to lock out the file.  If a process sets the Read Only file attribute first, then it can't open the file with read/write access for itself.
    Does anyone understand the file mechanism by which deny mode used to work with the old Open File.vi?  I wish to restore the functionality I had in LV 7.1 in my LV 8 programs.
    Thanks!
    Larry

    Larry Stanos wrote:
    I appreciate the empathy from Rolf, but I'm hoping that someone may have written one or more vi's containing CINs that call Windows 2000/XP file access control library routines. At least I'm assuming that is how the deny mode input to Open File.vi used to work in LV7.1. The Microsoft Developers Network on-line documentation on Access Control http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_control.as... is daunting to put it mildly. But even if a set of CINs has not already been coded, perhaps someone could point me to the specific set of calls I need to make to absolutely guarantee that no two clients can simultaneously open the same file with write privileges. Unfortunately the elimination of deny mode functionality for datalog files in LV8 has sabotaged my commitment to a March 1 release date because it would also be impractical to convert everything back to LV7.1 at this point. Sincere thanks to anyone who can help me out here!

    Unfortunately the functionality you mention does not work in the way the deny mode in the LabVIEW nodes works. Basically that deny mode is converted to a corresponding FILE_SHARE_READ/FILE_SHARE_WRITE value and passed to the Win32 API CreateFile function. This is more or less the only place where you can define a global share (or deny) access to a file. That is also why the Deny Access node online help talks about the file being reopened.
    But I just retried what you had tried to do, and lo and behold it works with wiring a datalog refnum to Deny Access. What is important here however is that you do need to wire a datatype to the record type input of the Open/Create/Replace Datalog node. Otherwise you can't connect the resulting datalog refnum to any other file function, since it is an incomplete datatype.
    Rolf Kalbermatter
    CIT Engineering Netherlands
    a division of Test & Measurement Solutions
