It was brought to my attention recently that the users' home folders on our server have group read permissions.
The subfolders within them - Documents, Movies, Pictures, etc. - do not have group permissions, but any files and directories created at the top level in the home folder itself have group read permissions.
(If these were local accounts on a client machine, then each user would be in their own group, thus naturally restricting group access.)
What's the best way to fix current home folders now and to remove group read permissions for all future accounts that are created? I noticed each home folder currently has an ACL "group:everybody deny delete"; could I add another ACL as a quick fix?
In WM, all users are by default put in the 'staff' group.
Cheers.
PS. I realise of course the exception to this is Public and Sites, which should be a+rx.
PPS. I'm running OS X Server 10.5 Leopard (10.5.8)
To remove the permission for existing users:
cd /Users
for user in *; do chmod g-r "${user}"; done
To remove it from the template user folder, which will affect any newly-created users:
chmod g-r /System/Library/User\ Template/*
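To check which folders are affected before and after the change, the following added example (not part of the original posts) lists each home folder and the entries directly inside it that still have the group-read bit, and removes the bit when called with `fix`. The function name `audit_group_read` and the skipping of `Shared` are assumptions; `Public` and `Sites` are skipped because the question says they should stay a+rx.

```shell
#!/bin/sh
# Added example: audit (and optionally remove) the group-read bit on home
# folders and on the entries directly inside them.
# Usage: audit_group_read /Users        # report only
#        audit_group_read /Users fix    # report, then chmod g-r each hit
# Public and Sites are skipped because the question says they stay a+rx.
# Skipping the Shared folder is an assumption made for this example.
audit_group_read() {
    base=${1:-/Users}
    mode=${2:-report}
    for home in "$base"/*; do
        # Only real directories; never follow a symlinked "home".
        if [ ! -d "$home" ] || [ -L "$home" ]; then continue; fi
        case ${home##*/} in
            Shared) continue ;;
        esac
        # -maxdepth 1: the home folder itself plus its top-level entries.
        # -perm -040:  the group-read bit is set.
        # ! -type l:   skip symlinks, since chmod would act on their targets.
        set -- "$home" -maxdepth 1 ! -type l -perm -040 \
            ! -path "$home/Public" ! -path "$home/Sites" -print
        if [ "$mode" = fix ]; then
            find "$@" -exec chmod g-r {} \;
        else
            find "$@"
        fi
    done
}
```

Run it in report mode first and review the list; an empty result after a `fix` run means no home folder or top-level entry outside the skipped names is still group-readable.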