Making apps "private"
Junior Member
Join Date: Oct 2007
Is there any way to make an application user-specific, so you can only access it if you're on one user account, and not the others?
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Put the app in the person's Home folder.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
If you want them to work properly (like Services support), you need to create an "Applications" folder in your home folder and put them there.
Mac Elite
Join Date: Nov 2003
Location: The back of the room
And set permissions that deny access to everyone but you.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by zro
> And set permissions that deny access to everyone but you.
In a properly configured machine, /Users/<username> will not have readable permissions for anybody but the owner (chmod 700)
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Originally Posted by besson3c
> In a properly configured machine, /Users/<username> will not have readable permissions for anybody but the owner (chmod 700)
How would you reach the Public and Web-Site folders then?
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Those folders are. Others are not.
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Originally Posted by Big Mac
> Those folders are. Others are not.
If the home folder wasn't readable, you couldn't even reach those folders.
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Good point. That's why private apps should be put in ~/Applications/
Clinically Insane
Join Date: Mar 2001
Location: yes
You would make your Sites folder readable by Apache (user "apache" in OS X, I believe)... When connecting over AFP, you connect as that user, so their permissions apply to all folders including Shared.
Look at the permissions for your home directory on your hosting provider, if you have one. Chances are they are chmod 705 (I was wrong, not 700). Each user on that system is assigned to a group (say, "users"), and home directories are set to be owned by this group. Because you haven't given this group any permissions, this will deny access, and will always take precedence over the "world" chmod setting.
Basically, for a user named "pat", their home directory should look like this:
Code:
drwx---r-x 12 pat users 1024 May 27 13:01 pat
This allows pat in, the web server in, but no person on that system that is a member of "users".
I have seen OS X home directories configured correctly and not configured correctly, and I'm not sure what causes these permissions to be altered, but this is a gaping problem - whatever the cause. You never want to provide other users on that system readable access to your home directory, that is just dumb.
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
You can enter a folder whose parent is unreadable; you just have to know its full path already. But yes, home folders are normally readable in OS X. Most of the subfolders aren't, but the home folder itself is.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Chuckit
> You can enter a folder whose parent is unreadable; you just have to know its full path already. But yes, home folders are normally readable in OS X. Most of the subfolders aren't, but the home folder itself is.
I'm looking at my home directory on my work machine and I can see that you are right. However, personal files that I have created and put in my home directory have 755 permissions. This is not a good thing at all, Apple ought to correct this by doing what I've described.
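An added example, not part of the thread: a small POSIX shell model of the mode-bit rules argued over in the posts above, namely which triplet of the `drwx---r-x` listing applies to whom, and why execute without read lets someone reach a known path without listing the folder. The accounts `sam` and `webserver`, the group `daemon` and the `--x` listing are constructed for illustration; ACLs and root's override are ignored.

```sh
#!/bin/sh
# Added example: classic POSIX mode bits only (no ACLs, no root override).

# HOME_LINE is the listing quoted in the thread; TRAVERSE_ONLY is a
# constructed variant with execute but no read for non-owners.
HOME_LINE='drwx---r-x 12 pat users 1024 May 27 13:01 pat'
TRAVERSE_ONLY='drwx--x--x 12 pat users 1024 May 27 13:01 pat'

# triplet PERMS RANGE: print characters RANGE (e.g. 4-6) of a 9-char mode string.
triplet() { printf '%s\n' "$1" | cut -c"$2"; }

# access_for "LS_LINE" USER "GROUP1 GROUP2 ...": print the rwx triplet that
# governs USER. Exactly one class applies: owner, else group, else other.
# A member of the file's group never falls through to the "other" bits.
access_for() {
  line=$1; user=$2; user_groups=$3
  set -f               # no globbing while splitting the listing into fields
  set -- $line         # $1 = mode, $3 = owner, $4 = group
  set +f
  perms=${1#?}; owner=$3; group=$4   # drop the leading file-type character
  if [ "$user" = "$owner" ]; then triplet "$perms" 1-3; return; fi
  for g in $user_groups; do
    if [ "$g" = "$group" ]; then triplet "$perms" 4-6; return; fi
  done
  triplet "$perms" 7-9
}

# On a directory, r allows listing names; x allows entering it and resolving
# a path inside it that you already know.
can_list()     { case $(access_for "$@") in r??) return 0 ;; *) return 1 ;; esac; }
can_traverse() { case $(access_for "$@") in ??[xst]) return 0 ;; *) return 1 ;; esac; }

# Hypothetical accounts: sam is in group users, webserver is not.
for who in pat:users sam:users webserver:daemon; do
  printf '%-10s %s\n' "${who%%:*}" \
    "$(access_for "$HOME_LINE" "${who%%:*}" "${who#*:}")"
done
if can_traverse "$TRAVERSE_ONLY" sam users && ! can_list "$TRAVERSE_ONLY" sam users; then
  echo "sam: can open a known path inside, cannot list the folder"
fi
```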
Clinically Insane
Join Date: Mar 2001
Location: yes
I guess another way around making your home directory contents readable is using ACLs, although I don't know much about them yet....
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Originally Posted by besson3c
> Apple ought to correct this by doing what I've described.
No, they shouldn't, because then others couldn't navigate to the Public folder and the Drop Box folder. It's bad enough that those don't work with FileVault on.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by TETENAL
> No, they shouldn't, because then others couldn't navigate to the Public folder and the Drop Box folder. It's bad enough that those don't work with FileVault on.
Ahhh... I forgot about those!
I still strongly question Apple's decision with this implementation. Why not make a separate collection of Public and Drop Box folders served from a separate directory (say, /Users/Public /Users/Drop Boxes), have these folders contain folders owned by each user on the system containing this data, and have AFP offer this collection as a mount option? If needed, there could be a symlink/alias to these folders inside /Users/homedirectory too. In fact, if memory serves me, this is exactly what we did in a previous department I worked for...
One of the problems may relate to limitations in the volumes that can be mounted over AFP, but if you'd ask me I'd ditch crappy old AFP anyway. I guess the only reason why it sticks around is to support writing additional metadata, but now that we have xattr in Tiger I see no reason for it to continue to exist, except for legacy reasons. Apple could have easily offered a replacement (say, sshfs with xattr support if it doesn't have it already), and called this the new "Personal File Sharing", while leaving "AppleTalk over TCP/IP" a separate option for machines that need to grant access to older machines.