[damiensmunki]

So...I live in a dorm room, and I never know who will wind up using my computer. Is it possible to lock folders with only one user account so that others can't open them?

Also, if I create two user accounts, can one user account access the files of another? I know that in Windows, and administrator account can access all files. Does OS X work the same way? I'm wondering because I could create a second user account and keep all my private files there, but with Windows, my primary use account (the one without access to the files) would have to be restricted (i.e. not an administrator account). I don't want to use a restricted account as my primary one. I hate having to log off and back on to install programs and change settings. Are there two different types of accounts in OS X?

Sorry if this doesn't make sense, but thanks for any attempts at discerning coherence.

[Phanguye]

just require a password to deactivate the screen saver, then have a hot corner that turns on the screen saver... always do that when you leave and then no one can use your mac

[Uncle Skeleton]

if you only want to lock down certain files, not the whole machine, I think the easiest way is to create an encrypted disk image (with Disk Utility, or in <=10.2 Disk Copy), and put your sensitive data there. Just remember to unmount the image when you're done using it.

[pendragon]

Fer shore there are several ways to skin this cat. One easy approach, is to go to System Preferences/Security and check/enable: "Require password to wake this computer from sleep or screen saver." Then set your screen saver to start as you desire and/or assign a hot corner to initiate the screen saver.

[Fonzie]

Originally posted by damiensmunki:
So...I live in a dorm room, and I never know who will wind up using my computer. Is it possible to lock folders with only one user account so that others can't open them?

Also, if I create two user accounts, can one user account access the files of another? I know that in Windows, and administrator account can access all files. Does OS X work the same way? I'm wondering because I could create a second user account and keep all my private files there, but with Windows, my primary use account (the one without access to the files) would have to be restricted (i.e. not an administrator account). I don't want to use a restricted account as my primary one. I hate having to log off and back on to install programs and change settings. Are there two different types of accounts in OS X?

Sorry if this doesn't make sense, but thanks for any attempts at discerning coherence.

I found a contextual menu the other day called LockPopCM on macupdate. I have not tried it fully but try and look at it, and be very careful with it as it says in the readme. Maybe it only works if you log into another account and then see if you can unlock the folders.

[damiensmunki]

if you only want to lock down certain files, not the whole machine, I think the easiest way is to create an encrypted disk image (with Disk Utility, or in <=10.2 Disk Copy), and put your sensitive data there. Just remember to unmount the image when you're done using it.

I'm sorry if the following are stupid questions. I'll be getting my first Mac in about a month, and I haven't even used OS X, yet. What exactly is a disk image? How will I create an encrypted disk image? What does "unmount the image" mean and why would I need to do this? I would prefer to only lock files and folders and not my entire computer, so if anyone can elaborate more on this, it would be greatly appreciated. Thanks so much for your help, everyone.

[wataru]

Originally posted by damiensmunki:
I'm sorry if the following are stupid questions. I'll be getting my first Mac in about a month, and I haven't even used OS X, yet. What exactly is a disk image? How will I create an encrypted disk image? What does "unmount the image" mean and why would I need to do this? I would prefer to only lock files and folders and not my entire computer, so if anyone can elaborate more on this, it would be greatly appreciated. Thanks so much for your help, everyone.

A disk image is like an ISO file on Windows. It's a file that, when opened, acts like a disk. You can put things on this disk, unmount it (for disk images this is equivalent to ejecting them), and then do what you want with the disk image file itself. Disk images are a popular delivery mechanism for software on OS X--an author will put his app, documentation, and maybe additional support files on a disk image, which he will then make available for download. People will download the disk image, mount it, copy what they want to their hard drives, unmount it, and then either throw away the disk image file or store it for archival purposes.

More on mounting: In Mac OS dating way back, you've always had to unmount a disk before ejecting it. Unmounting tells the system that you're done using the disk and that it is safe to eject. The reverse of this is mounting, obviously, which happens whenever you insert a disk (or open a disk image). If you have a USB keychain drive, this is exactly what happens in Windows, too--you have to tell Windows that you're done with the drive before you pull it out; if you don't, Windows will tell you that you could have damaged the filesystem of the device, and will tell you to unmount it next time.

I recommend that you completely lock down your account (as in, require a password to wake from screen saver; turn off auto-login on startup) and create a guest account that anyone can use.

Oh, and you can make disk images, encrypted or otherwise, with a program that comes with OS X called "Disk Utility." It's pretty simple.

[kiazer]

You should just create another user account with limited rights, when away from your computer simply log out.... They will be unable to access your home directory ( And you should keeps all your personal documents and such in your home directory )

That way your friends can surf the web or whatever when your not around or give them permission to use your computer.

[eyadams]

To answer your questions specifically:

... if I create two user accounts, can one user account access the files of another?

Generally not. By default, a regular user can browse another user's home directory, but not the contents of any of the sub-directories (such as the "documents" directory). But this can be set.

I know that in Windows, an administrator account can access all files. Does OS X work the same way?

Yes, it does. There are basically three kinds of accounts on a OS X machine: Administrators, who can do anything they want; non-Administrators who slightly limited in what they can do (for example, non-admins can't install programs in the public "Applications" folder); and restricted accounts which can only do what an Administrator allows.

I don't want to use a restricted account as my primary one. I hate having to log off and back on to install programs and change settings.

You don't want to do it, but that's exactly what I recommend, and in practice it isn't a big deal. First of all, in most cases you won't need to actually log in as an administrator - the installer will just ask for admin account and password, and then do what needs to be done. Though in many cases you won't even need to run an installer program - you'll just get the program, and can drag-and-drop it wherever you want. If you want to put the application in a folder your account can't write you'll be prompted for an admin password. In those rare instances where you really do have to be logged in as an administrator, you can use fast user switching to switch over without logging out - your regular account applications will continue to run fine.

Another cool thing fast user switching lets you do is switch to no user at all - you can have your applications running and password protected, but have the computer displaying the login window. If someone selects a logged in account, they'll have to enter a password. I use it all the time.

In your situation, I would have three accounts: a non-administrator, password protected account for day-to-day use; an password protected administrator account; and a restricted "guest" account. The guest account would be limited to running a browser, maybe a game, and nothing else. I think (though I'm not at my computer right now and can't be sure) that you can even limit what a restricted user can browse in the file system, whether or not a user can save files, and whether they can reboot the computer. I would put a trivial password on the Guest account, and change it often.

Finally, I would just keep in mind that any time you give someone physical access to a computer, you are basically being insecure. In spite of all the precautions I and others suggest, if someone is hell bent on looking at your private files, they'll figure out a way. That's just the nature of computers.

[brachiator]

Originally posted by eyadams:
Yes, it does. There are basically three kinds of accounts on a OS X machine: Administrators, who can do anything they want; non-Administrators who slightly limited in what they can do (for example, non-admins can't install programs in the public "Applications" folder); and restricted accounts which can only do what an Administrator allows.

This does not sound quite correct to me, but I am not sure, so this is more of an open question than full-on disagreement.

Is it not the root account that can do anything it wishes, while administrator accounts are somewhat limited -- or is sudo [adminaccountname] effectively the same access as root? Isn't the default account first set up an admin account, which nevertheless cannot access subsequent users' directories (with same query as above re: sudo)?

thanks,
Mike

[wataru]

Originally posted by brachiator:
This does not sound quite correct to me, but I am not sure, so this is more of an open question than full-on disagreement.

Is it not the root account that can do anything it wishes, while administrator accounts are somewhat limited -- or is sudo [adminaccountname] effectively the same access as root? Isn't the default account first set up an admin account, which nevertheless cannot access subsequent users' directories (with same query as above re: sudo)?

thanks,
Mike

You're right, root is more powerful than regular administrator. There's really no reason to use less than the regular administrator account in OS X. root you should definitely stay away from, though.

sudo lets a sudoer (administrators are sudoers by default in OS X) temporarily assume root status. The usage is "sudo [command]" not "sudo [username]." By default, even admins can't see into other users' home folders without sudoing.

[ginoledesma]

The solution to your problem is quite simple, actually. Create two user accounts: yours (Administrator-level, most likely), and a guest account. The guest account can be further restricted if you want to, but there's no need for that.

When you step away from your computer, you can just "switch to"{ the guest account so that others can use your computer, if you want to. When you get back and want to resume what you're doing, just "switch back" to your user account (you will be asked for your password).

Whatever programs you had running will still be there. This can lead to minor issues though (like the number of iTunes programs running).

If you don't want user switching, you can just log out of your account and then be brought to the login screen. Only people who know your user password will then be able to gain access to your user account.

[Kristoff]

Any time there is physical access to the machine, anyone can access any file. period, end of story.

The only way to prevent unauthorized disclosure is to encrypt the data.
File vault coupled with the use of a guest account when you are not around will solve your problem.

If you just want to keep casual snoopers at bay, then you needn't worry about File Vault.

[damiensmunki]

Thanks so much for all your help. I guess I'll just have to play around with it, when I finally get my hands on the computer. One more question, if you don't mind. How does file vault work? I mean...when does it require a password for access? If you're logged in as a different user than whose home folder it's protecting, or anytime the home folder is accessed, despite into whose account you're logged? Thanks again for all the wonderful advice!

[Spheric Harlot]

Originally posted by damiensmunki:
Thanks so much for all your help. I guess I'll just have to play around with it, when I finally get my hands on the computer. One more question, if you don't mind. How does file vault work? I mean...when does it require a password for access? If you're logged in as a different user than whose home folder it's protecting, or anytime the home folder is accessed, despite into whose account you're logged?

http://www.apple.com/macosx/features/filevault/

Basically, it puts your entire home directory onto an encrypted disk image that is mounted when that account logs in (the password for the encryption can be stored in the user's keychain, so it will be mounted automatically).

-s*

[damiensmunki]

(the password for the encryption can be stored in the user's keychain, so it will be mounted automatically).

Thanks! Does it have to be stored in the keychain, or can you require password authentication all the time?

[lothar56]

There's a little check box you can uncheck if you don't want the password saved in your keychain.

[eyadams]

Is it not the root account that can do anything it wishes, while administrator accounts are somewhat limited -- or is sudo [adminaccountname] effectively the same access as root? Isn't the default account first set up an admin account, which nevertheless cannot access subsequent users' directories (with same query as above re: sudo)?

Strictly speaking yes - only the root account can do anything, and Administrator accounts are somewhat limited. Mainly that limitation is having to use sudo (or it's many GUI based surrogates) to do certain things, like browse other people's directories. But on Mac OS X the "root" account is disabled by default - you can't actually log in as the root user. You can only become the root user, and then only if you are an administrator.

And I know that most people just use an administrator account for their day-to-day use, but I think that is a bad habit. It's a risk thing - if you're an administrator, you can easily screw up the computer; if you're a regular user whatever stupid thing you're about to do will be interrupted by being asked for a password.

As I said, in practice it isn't a big hassle not being an administrator, especially since applications that need to temprorarily elevate to administrator level can do so by just asking for a password. N

[NeilCharter]

I would imagine having an admin account for yourself and and guest account for your friends should be sufficient.

By default, when the machine is not in use, have the machine switched to the guest account or have yourself logged out. Remember though that logging out ends all the applications on your account. Swtiching to another user means that to go back to your account you will need to provide the correct password.

Guest accounts can be modified extensively. You can limit access to preferences, applications and things like burning disks. Very useful. I would definitely stop access to the Terminal program if I were you.

The level of security is really up to you, since if you forget to log out or switch to another user anyone who has physical access to your machine can see everything. Also don't give out your password.

FileVault encrypts / decrypts your files on the fly, which prevents someone stealing your data by connecting from another machine. It is password protected but of course there are always ways to beat the system, especially if you have system disks at hand AND physical access. So make sure you hide your disks - passwords can be easily reset with them.

Although we don't care about privacy, having different accounts for each user in my house is great cos you can set up your account how you like. And being able to easily switch from one account to another is great.

Welcome to the Mac. Hope you enjoy the experience.