OSX File Sharing - everybody can see everything :/

[islade]

Hi,

I've set up two shares on my nMP running Yosemite:
I've shared my 12tb external drive for just myself and I've shared a 'movies' folder for both myself and a 'sharing-only' account for my girlfriend.

When I log in on my MBP as myself, I can access both shares as I should be able to (i have permission to both).

When she logs in as her, she can also access both, even though her account only has access to the 'movies' folder and 'everyone' is denied to the 12tb share. If I add her to the share, there isn't a deny option, so I've just left her out and denied everybody.

What can I do to make sure she can access movies but not the 12tb drive?

I've tried updating all computers involved, removing and recreating share, triple checking sharing permissions on the folders in finder without success.

 

[grahamperrin]

What's above may be an incident of the following:

Apparent file sharing security vulnerability in five or more versions of Apple Mac OS X

• http://tinyurl.com/macosxsharedvolumes
• https://www.wilderssecurity.com/threads/386596/
• https://twitter.com/grahamperrin/status/743980436569862145

 

[grahamperrin]

https://gist.github.com/grahamperrin/0c05a92c685cc86123d0f67e4ab6596a/revisions –

… I received a follow-up from Apple. The following text is taken from my response:

It seems to me that the problem is, in essence, with the Sharing pane of System Preferences, which offers no hint that an operating system default may cause user-specified restrictions to be ignored. …

 

[KALLT]

This is indeed disturbing. I have compared a directory, a mounted disk image and a mounted thumb drive (HFS+) on Mavericks. Only for the latter are the permissions overridden to read & write for ‘everyone’. That is... good to know.

 

[grahamperrin]

Yeah, and –

a mounted thumb drive (HFS+)

– the problem is not limited to USB or thumb drives.

At its simplest, it's an Apple workflow problem:

1. connect a drive with an HFS Plus volume
   
2. share the volume, and set 'Everyone' to 'No Access'
3. discover that the access restriction is not enforced.

 

[KALLT]

And what was Apple’s response so far?

 

[grahamperrin]

https://www.wilderssecurity.com/threads/386302/ offers additional context but it's not intended to be a comprehensive summary of interactions between me and Apple.

From a follow-up in January 2016: "… we do not see any actual security implications. …". There is some understandable justification for that observation by Apple, and you might slap your forehead when you realise the justification, however we can not assume that all Mac users of file sharing will have that head-slapping moment.

When I next boot pre-release Sierra, I'll look to see whether the GUI has been improved to avoid future incidents.

 

[997440]

.....When I next boot pre-release Sierra, I'll look to see whether the GUI has been improved to avoid future incidents.

If you haven't booted into it yet, no worries. Just wanted to let you know that there is interest in hearing your findings.

 

[grahamperrin]

16A304a: at a glance, the GUI lacks what's required.

The ideal should be for Apple to fix things without a change to the GUI at the file server. If anyone is testing in an Active Directory (or other network account server) environment: https://gist.github.com/grahamperri...b6596a#file-apple-follow-up-631737871-txt-L55