Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
allows a user to change the home directory access permissions, but they will never be more 
permissive than 750, which would allow group read access for selected files. 
The user will own that user's home directory and the group owner will be the user's primary 
group. 
    
(OSX1026GEN0165: CAT IV) The SA will ensure that all home directories are defined in the 
user entry of NetInfo Manager under the home property.   
    
(OSX1026SVR0016:  CAT IV) The SA will ensure all home directories of the Mac OS X 
server, defined in NetInfo Manager exist or are justified and documented with the IAO.  
    
(OSX1026GEN0166: CAT II) The SA will ensure that user home directories have initial 
access permissions of 700, and never more permissive than 750 unless fully justified and 
documented with the IAO. 
    
(OSX1026GEN0054:  CAT II) The SA will ensure the uid of a home directory is that of the 
account under which the directory is defined or is justified and documented with the IAO.    
    
(OSX1026GEN0055:  CAT II) The SA will ensure the gid of an account home directory is the 
primary gid of the account (i.e., the one assigned in NetInfo Manager), except in the case of 
application directories for which the SA will furnish the IAO with documentation.   
3.4.1.2  Startup Files 
3.4.1.2.1  User Startup Files 
User startup files (i.e., files in a user's home directory with a name that begins with ".") are files 
that are normally read by the kernel (or utility programs) and used to customize the user's 
environment.  These files include .login, .profile, .cshrc, and other files used by a system's shell 
or other utilities to set the initial working environment whenever users log on or execute an 
application or system utility.  User startup files will be owned by the user or root and will be no 
more permissive than 740.  If a user startup file, such as .profile, sets the PATH variable, it will 
not contain a "." or "::" except in the last position.  The PATH variable defines the search 
sequence the shell uses to find executable programs.  A PATH variable may be observed by 
typing the env or set command, or by typing echo $PATH.  The PATH is normally placed in the 
/etc/.profile or /etc/.login (for global settings), or in each user's .profile, .cshrc, or .login file 
(depending on the user's shell).  The PATH is constructed in the following format (for sh or ksh): 
PATH=/bin:/usr/bin:/oracle/bin:/usr/local/bin 
This indicates that when a user types a command name the shell will search /bin for it first, and, 
if the command is not found there, the shell will search for the command in /usr/bin, and so on.  
A "." (or "::") represents the current directory.  If a PATH variable is written as follows: 
PATH=/bin:.:/usr/bin:/oracle/bin:/usr/local/bin 
Then the shell would search the current directory for the command immediately after it searched 
UNCLASSIFIED 
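
The PATH and permission rules of section 3.4.1.2.1, as an added example that is not part of the STIG text: shell functions that flag a "." or empty PATH entry before the last position, and a file mode more permissive than a limit (740 for startup files, 750 for home directories). The function names and output format are assumptions made for this example; treating a leading ":" as the current directory goes beyond the "::" case in the text, and file ownership is not checked.

```sh
#!/bin/sh
# Added example: audit helpers for the STIG startup-file rules (names are hypothetical).

# path_has_early_dot PATHSTRING: returns 0 (finding) when "." or an empty
# entry (leading ":" or "::") occurs before the last position, 1 otherwise.
path_has_early_dot() {
    rest=$1
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;
            *)   return 1 ;;   # only the last entry is left, which is allowed
        esac
        case $entry in
            ''|.) return 0 ;;
        esac
    done
}

# mode_within MODE LIMIT: returns 0 when octal MODE sets no bit (including
# setuid/setgid/sticky) that octal LIMIT lacks, e.g. mode_within 640 740.
mode_within() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# audit_startup_files HOMEDIR: prints "name mode" for every dot-file in
# HOMEDIR that is more permissive than 740.
audit_startup_files() {
    for f in "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        # GNU stat syntax first, BSD/Mac OS X stat syntax as the fallback.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        mode_within "$mode" 740 || echo "${f##*/} $mode"
    done
}

# The two PATH values from the text above.
for p in /bin:/usr/bin:/oracle/bin:/usr/local/bin \
         /bin:.:/usr/bin:/oracle/bin:/usr/local/bin; do
    if path_has_early_dot "$p"; then echo "FINDING: $p"; else echo "ok: $p"; fi
done
```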