How to remove public home folder share points in OS X

Public folders in OS X are shared by default, and can sometimes be a potential security problem, but can easily be disabled or better secured if needed.

When you create a user account in OS X, the system will create default share points for the account, so if you enable file sharing you can access your data with little additional effort, if any. Most of these shared locations, such as the home folder, are specific for the user itself; however, in addition to these the system will make the user's Public folder and its enclosed "Drop Box" folder more openly available to other users on the system.

While access to these folders is limited to the users on the system by default, if you have enabled the Guest account for any reason, then you might unintentionally give strangers access to your system. This is especially true if you are on a work or public network (such as an open Wi-Fi hotspot at a cafe), where there might be many random people connected to the same network.

Insecure public folder on a Wi-Fi hotspot
At public Wi-Fi hot spots, its quite easy to browse other systems. In this case, an individual's MacBook Air had the Guest account enabled, allowing anyone to copy files into the user's Public folder (click for larger view). Screenshot by Topher Kessler/CNET

Some networks offer additional security against this by blocking file sharing activity, but most do not. Therefore, you have four options available to you for securing file sharing on your system:

  1. Disable the Guest account
    Since the Guest account is the means by which you allow non-account-holders access to your system, disabling it in the Users & Groups system preferences should prevent anyone from simply logging on to your system when it's available on the network. Unless you need to provide public access for any reason, then it's a good idea to keep this account disabled.
  2. Disable file sharing
    Of course if you do not use file sharing, you might want to consider disabling the service altogether. This can be done in the Sharing system preferences, where you can simply uncheck the box next to File Sharing to disable it.

    This option has the benefit of keeping your current File Sharing and user setup configurations intact, so you can prevent access when in a public area, but then enable it when needed, to allow access when on a known and trusted network (such as that at your home).
  3. File sharing configuration options in OS X
    Options for securing publicly accessible folders are to disable File Sharing, remove the public share point, or set its permissions so the Everyone group has "No Access" (currently shown with Read Only access here). Screenshot by Topher Kessler/CNET
  4. Remove unneeded share points
    The next option is to simply remove the Public folder share points. Often these are not needed since the only ones logging into your system are the local users. By disabling the Public shared folders, you can keep Guest access enabled but prevent it from having file sharing access.

    To remove these share points, go to the Sharing system preferences and select the File Sharing section. In here, you will see the shared folder list, which will by default only include the Public folders for each account on the system. To remove them, simply select them and click the minus button, followed by confirming the changes.

    In addition, you can perform this step using the OS X command line, which can be done by running the following command in the OS X Terminal application:

    sudo dscl . -delete "/SharePoints/FULL USER NAME's Public Folder"


    In this command, replace the "FULL USER NAME" part with the full name of the account in question, so for instance if my account's name is "Topher Kessler" with my login as "tkessler," then I would use the following command:

    sudo dscl . -delete "/SharePoints/Topher Kessler's Public Folder"


    Note that the name of the share point in this command should reflect the "Shared Folders" names listed in the File Sharing system preferences, so you can use that as a means for confirming the proper SharePoint folder name to use in the command. You can also do this by running the following command to list all share points on the system:

    dscl . -list /SharePoints


    While the use of the command line might seem redundant to the System Preferences, it can be beneficial if you are configuring a system remotely using an SSH connection.
  5. Secure share points
    While removing the share points is one option, securing them is another. Most automatic share points in OS X will be secured, but to do so for the Public folders, you simply need to deny access to the "Everyone" group. To do this, select one of the Public folder listings in the File Sharing system preferences, and in the list of users you should see an Everyone group. Set this group from its default "Read Only" status to "No Access," and when done for all folders you should be good to go.


Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Tags:
Computers
About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    HOT ON CNET

    Is your phone battery always at 4 percent?

    These battery packs will give your device the extra juice to power through all of those texts and phone calls.