How to secure files from other users on external disks
While OS X makes external drives available to all users on the system, you can change this to ensure your files are only accessible by you.
If you use an external disk drive with OS X, you may notice that when
it is mounted, it becomes available for all users on the system.
Therefore, if you have files you have saved to a USB drive and you
attach it to your system and you switch user accounts, those files will
be viewable within the second account.In addition, if you have network file sharing enabled, the files on this drive will be accessible to any user who logs in via the network.
This behavior may seem a bit concerning, especially for those who have set up encryption on secondary drives in hopes of preventing others from viewing their files, but this is normal behavior in OS X, and essentially means two things:
 |
| An attached and mounted drive and even private contents on it will be viewable in all user accounts. |
- Encryption by itself is only meant to secure a drive's contents from
access if the drive has been locked (ie, removed from the system, or
the system shut down). It is not meant to protect one users' files from
another user on the same system. While unlocking the drive is limited to
those who have the password, once unlocked then all users will have
access just like any other USB or Firewire drive.
On a related note, there has been past concern about encrypted drives being easily remounted if you tell it to eject but do not detach them from the system; however, this is ultimately not a security threat. Simply do not use encryption to protect data from another account on the system, as this purpose is not its intent. Instead, only use it to prevent a thief or other third-party who you have not given access to your computer, from accessing your files. - External hard drives are open to all users by default. Even though all hard drives are capable of containing permissions restrictions like any other folder on the system, for external drives OS X turns this feature off. This is primarily because permissions settings are specific to one operating system installation, so those set by one system may either not be observed by another, or be interpreted to mean something entirely different and resulting in improper access to the files.
To do this, first enable encryption on the drive by right-clicking it in the Finder and choosing the Encrypt Drive option. Supply the password to use when prompted, and then wait for the drive to remount as an encrypted volume.
 |
Uncheck this box to enable observation of access
permissions on the external drive. Then set specific
access privileges in the list of users and groups.
|
With this setting in place, the system will now observe permissions restrictions on the drive, which you can set to permit or deny access to specific users (note that this will only work to manage access for nonadministrator accounts -- admin accounts will always be able to grant themselves access to files and folders).
By default, the drive will be owned by the account that formatted it, so you should see your username listed as the first item in the Sharing & Permissions list. Next the drive should have a group association of "staff" (underneath your username) which is the default group for all local accounts on the system. This allows you to set global permissions for accounts other than yours.
Finally, there should be an "everyone" group that encompasses all other users on the system, such as a guest user account that is not a member of the "staff" group.
At this point, you have two possible approaches for the drive. The first is to set its permissions so only you have access to it, and the second is to set it up with a subdirectory or two that is only restricted to your account, so other accounts can do the same and have their sequestered and private folders.
 |
| To only allow your account access, remove all groups and users except for you r account, and set "everyone" to "no access." |
Single-user access
To set the drive so only you have access, in the Sharing & Permissions section of the information window, choose "no access" for the "staff" group (or simply select and remove this group altogether). Then set the "everyone" group to likewise have "no access."When finished, click the small gear menu and select the option to apply these settings to all enclosed items (this step is not needed on an empty drive).
At this point the entire drive will be a private, detachable folder for your account. Even though it will show up as a device in other accounts on the system, if they try to access it then they will be given a "permission denied" error.
Multiuser access
 |
| To allow multiple users to read the drive, set the "staff" permissions accordingly. If you set it to "Read Only" (so the top level of the drive cannot be modified) then be sure to put a folder on the drive, and set its permissions so each user can read it. Additionally, be sure to set "everyone" to have no access. |
From here, your account will be able to view the files in this folder, but other accounts will not.
As an additional security measure, you can set up a similar folder for each account on the system, and when finished get information on the drive itself and set the "staff" group to "read only" permissions (do not use the gear menu's option to apply permissions to enclosed items). With this setup, when another user opens the drive, they will only be able to drag items to their specific folder, and neither to another user's folder nor to the top level of the drive.
Regardless of the approach you use, at this point you will have a drive that has secured resources from other users, and one that is also encrypted and thereby protected from someone attempting to override the permissions settings by attaching it to another computer.
0 komentari:
Speak up your mind
Tell us what you're thinking... !