|Home » Industry Watch » The Technological
The Strange Case of /Users
Did you miss it?
MACUNIVERSE™ (Rixstep) — /Users is the OS X repository for user account data. It's the parent directory of all user account directories, the user-specific areas where users of an OS X system store their files. It's owned by root:admin and it's marked 0755 with no access control entries, meaning only root can modify anything there. And individual users don't need to do anything there either - it's only touched when adding or removing users, a task for admins using temporarily escalated privileges.
Suddenly on the recent release of OS X point update 10.9.3 for 'Mavericks', a tiny ripple of pandemonium broke out.
/Users was being both 'hidden' and left wide open to evil forces.
Kirk McElhearn reported:
OS X 10.9.3 was released today, and with it a bit of a surprise: the /Users folder is hidden. This is the top-level folder, at the root of your hard disk, that contains each user's home folder.
It's easy to bring it back though. Run the following command in Terminal:
sudo chflags nohidden /Users
Update: apparently, for some people, the /Users folder is not hidden. It's not clear why.
The command itself is correct. chflags gets into special system and user flags, most of which can appear to be vanilla Unix, but adds a few twists of its own, such as the hidden and nohidden arguments.
Those arguments are not standard Unix. They're not even relevant to the file system. They're specific to Apple's glorious file manager. It's only Apple's Finder (what an inappropriate name) that will respond to them (knock on wood). Any other utility will have no respect for them, as you can't really hide anything on Unix (and you're not supposed to try either).
McElhearn found another issue.
It turns out that, after running the above command, and restarting your Mac, the /Users folder becomes hidden again. To ensure the visibility of the /Users folder after restarts, you can create an AppleScript applet, and set it to run when you log in to your Mac. Use the following code:
tell application "Terminal"
do shell script "chflags nohidden /Users" password "yourpassword" with administrator privileges
And that's of course exactly what you want to do, so any lurking trojans can immediately pick up your admin password and hack your box.
Then Dave Mark came along with an even better solution which even the Goober liked: make an alias!!1!
Yes, the same sort of alias that's got so many people into trouble because Apple's enlightened twist on file management substitutes aliases willy-nilly and leaves the clientele in impossible situations.
What's especially instructive (and perhaps amusing) is that Mark advises against using chflags.
sudo chflags nohidden /Users
Good tip, but personally, I'd advise waiting to give Apple a chance to resolve this in their own way before going under the hood yourself.
It's so good when people who love their Macs are able to collaborate.
It Was the iTunes
But the wacky /Users wasn't at all the fault of OS X. According to Dave Hamilton of TMO, it was the fault of an iTunes update together with 'Find My Mac'.
Turns out that hidden /Users folder has nothing to do with OS X 10.9.3.
Your /Users and /Users/Shared folders will be hidden by OS X upon every reboot of your Mac if you have updated to iTunes 11.2 and have Find My Mac enabled.
Hamilton hints that the ultimate culprit is Find My Mac.
Once it's hidden it will stay hidden, though, even if you disable Find My Mac and then reboot. However, if you disable Find My Mac and run our Terminal command in the aforementioned article, the folder will stay visible.
It Has Been Fixed
'Thanks, Apple, for the quick fix', writes Dave Hamilton 17 May.
Next time a little 'we're working on it' note during the day would have ended a lot of unnecessary concern. But hey, all's well that ends well.
Hamilton points out that even Apple support reps lost their heads, using the pat response 'expected behaviour'.
Postscript: Hiding on Purpose
Jeff Gamet thought early on that the /Users kerfuffle could be a portent of a dark future.
Apple's decision to hide the Users directory without warning anyone came as a surprise, but in retrospect, we should've seen this coming.
Gamet says users will have less and less control over data storage on their own devices, and that 'hiding the Users directory was just another part of that transition process'.
'This change may serve as a hint about what's coming in future OS X updates', warns Gamet.
But of course the sky appears to have not fallen. Not yet at any rate.
[Find My Mac needs Apple's iCloud which, if you know anything about the NSA, is something you - at least for now - avoid like the plague. Ed.]
Now to the important stuff. In no particular order.
√ Although people (Hamilton et al) have found out how this 'bug' could be contained, no one dug into how it worked. Or why. Why would anyone - or any script - muck with /Users? And if this was but an innocent 'typo' in a script somewhere, can anyone ferret it out? So far no one has.
√ There are essentially two issues here, one incomprehensibly silly and the other very very serious. Most media attention's been on the silly one; little's been written about the very very serious one.
√ It's silly to get hung up about a 'hidden folder'. The 'folder' isn't really hidden: the flag to keep it 'hidden' is something snuck into the file system miasma for use by Finder and 'save' dialog sheets - and that's it. /Users isn't really hidden - it's only Apple's less than adequate (and seriously misguided) 'file manager' (and associated functionality) that arbitrarily choose to not let you see it. There's not much you can do about the 'save' dialog sheets, as they're run by the same 'Finder' technology, but otherwise: get a better file manager. Not seeing things that are really there is but scratching the surface.
√ Opening up /Users is deadly serious. But you can (and already should have) taken precautions against such intrusion. All your files and directories located at your 'user root' (~) should be marked 'hands off' to the world.
Securing your own user area is easier than you may think, but to do it rigorously may take a bit more effort than you'd expected. But it's definitely worth it. You need to do two things.
- Stop anyone else from entering into your area (save for ~/Public).
- Make sure none of your data can be removed, inadvertently or intentionally.
Locking It Down
Simply mark all your top-level directories 0700. Use sudo if you need to temporarily escalate your privileges. Leave ~/Public alone - it should be 0755 so others can get in but not do any harm.
Use the special user flags or access control entries to lock down your top-level stuff so they can't be accidentally removed.
Finally: mark your user root ('~') with special flags 'Immutable' and 'No Unlink' so the contents (your own user stuff) can't be tampered with.
ACL: Access Control
Xfile: Free Test Drive
CLIX: Learn How to Fish
Red Hat Diaries: The Steve Gambit
Developers Workshop: Hacking C0d3 S1gN
Industry Watch: Mac Developer Program Update
Industry Watch: Mac Developer Program Update II
9to5Mac: App Store, Verification? Steve Jobs: 'Nope'
Industry Watch: Steve Jobs to App Store for Mac: 'Nope'
9to5Mac: 10.7 big changes, Rixstep warns (Steve says 'nope')