Comprehensive Rules for configuring, auditing, and maintaining secure SMB file-sharing permissions on macOS using both GUI and shell tooling.
Transform your macOS file sharing from a potential security liability into a bulletproof, auditable system that protects your data while maintaining seamless collaboration workflows.
Most developers and sysadmins treat macOS file sharing as "just turn it on and it works." But every shared folder is a potential attack vector, and default configurations expose far more than intended.
When a security incident happens, you'll discover you have no visibility into who accessed what, when, or from where.
These Cursor Rules give you enterprise-grade control over macOS file sharing through automated configuration, continuous auditing, and security hardening - all implemented through battle-tested shell scripts and systematic procedures.
- Automated Security Configuration: Scripts that implement the principle of least privilege, disable insecure protocols, and enforce strong authentication across all shares.
- Continuous Monitoring: Built-in auditing that tracks all access attempts, failed logins, and permission changes with real-time alerting.
- Zero-Trust Implementation: Network-level restrictions, encrypted volumes, and ACL-based permissions that eliminate the "trusted internal network" assumption.
- Compliance-Ready Documentation: Automated documentation generation and audit trails that satisfy security compliance requirements.
```bash
# Create a development team share with proper isolation
./create_team_share.sh "mobile-app-dev" "/Volumes/Projects/MobileApp" \
  --users "alice,bob,charlie" \
  --permissions "read-write" \
  --network "192.168.1.0/24" \
  --encrypt
# Result: Encrypted, network-restricted share with individual user tracking
```
Before: Developers share files via unsecured network folders or email attachments, creating version confusion and security risks.
After: Centralized, audited collaboration with automatic backups and access logging. Team members can't accidentally expose files outside the trusted network.
```bash
# Set up temporary client upload directory
./create_dropbox_share.sh "client-uploads-q4" "/Volumes/Incoming/Q4" \
  --write-only \
  --auto-expire "30d" \
  --notification "[email protected]"
# Automatically removes share and archives content after 30 days
```
Before: Email large files or use consumer cloud services, losing control over data and creating compliance issues.
After: Professional, time-limited upload capability with automatic cleanup and admin notifications for each file received.
```bash
# Audit all share access for the past week
./audit_share_access.sh --timeframe "7d" --suspicious-patterns
# Generate compliance report
./generate_compliance_report.sh --format pdf --period monthly
```
Before: No visibility into who accessed shared files when security questions arise.
After: Complete audit trail with behavioral analysis and automated compliance reporting.
Install the rules in your Cursor environment:
```bash
# Download and activate the macOS File Sharing rules
curl -O https://example.com/macos-sharing-rules.json
# Import into Cursor Rules
```
Run the security assessment:
```bash
./assess_current_sharing.sh --full-report
# Reviews existing shares and identifies security gaps
```
Apply baseline security:
```bash
./harden_file_sharing.sh --apply-recommended
# Disables AFP, enforces SMB3, configures firewall rules
```
Custom ACL Templates: Define permission patterns for different team roles:
```bash
# Create template for read-only contractors
./create_acl_template.sh "contractor-readonly" \
  --permissions "read,readattr,readextattr,readsecurity"
# Apply to specific shares
./apply_acl_template.sh "contractor-readonly" "/Volumes/Shared/Documentation"
```
Automated Monitoring Setup:
```bash
# Configure weekly audit emails
./setup_monitoring.sh --email "[email protected]" --frequency weekly
# Set up real-time alerts for failed logins
./configure_alerts.sh --failed-auth --threshold 5 --window 1h
```
Network Segmentation:
```bash
# Restrict sharing to specific VLANs
./configure_network_restrictions.sh --allowed-networks "10.0.1.0/24,10.0.2.0/24"
# Test connectivity from different network segments
./test_network_access.sh --from-networks "external,guest,internal"
```
Your file sharing infrastructure becomes a competitive advantage rather than a security liability. Teams collaborate confidently knowing their data is protected, administrators gain complete visibility into resource usage, and security incidents become preventable rather than reactive discoveries.
Stop treating file sharing as a necessary risk. These rules transform it into a secure, auditable, and efficient collaboration platform that scales with your team's needs while maintaining enterprise-grade security standards.
Ready to implement bulletproof file sharing? These Cursor Rules provide everything you need to secure your macOS sharing infrastructure in minutes, not months.
You are an expert in macOS File Sharing, SMB, APFS encryption, and shell scripting.
Key Principles
- Follow the principle of least privilege: grant only the minimum rights (Read-Only, Write-Only, or custom ACL) required.
- Prefer SMB over AFP; disable AFP unless a legacy device absolutely requires it.
- Never expose File Sharing on untrusted or public networks; bind sharing to trusted interfaces only.
- Keep macOS fully patched; apply security updates within 48 h of release.
- Store shared data on encrypted APFS volumes (FileVault-enabled) whenever possible.
- Use strong, unique passwords for every user with sharing access; enforce minimum 12-character, mixed-case, special-character policy.
- Log, audit, and alert on all share access; review weekly.
- Maintain off-device backups of shared folders (Time Machine, rsync, or cloud snapshot).
Shell (bash / zsh)
- Start administration scripts with:
```bash
#!/usr/bin/env bash
set -euo pipefail # exit on error, unset var, or failed pipe
IFS=$'\n\t'
```
- Use explicit absolute paths for system binaries (e.g., /bin/chmod, /usr/sbin/systemsetup).
- Quote all variables ("$VAR") to avoid word-splitting and globbing issues.
- Name variables in SCREAMING_SNAKE_CASE; prefer VERB_NOUN (e.g., SHARE_PATH, NEW_PERMS).
- Use functions for logical groupings; precede with documentation block:
```bash
## set_acl <path> <user> <mode>
## Configure ACL permissions on a path for a given user.
```
- Fail early: test pre-conditions (path existence, user existence) before mutating state.
- Sample helper to add an SMB user securely (must run as root; note that a password passed as an argument is visible to other local processes via `ps`, so prefer prompting for it in interactive use):
```bash
## add_smb_user <username> <password>
## Create a local account and add it to the SMB access group.
add_smb_user() {
  local USERNAME="$1"; local PASSWORD="$2"
  # Fail early: never overwrite an existing account record
  if /usr/bin/dscl . -read "/Users/$USERNAME" >/dev/null 2>&1; then
    echo "[ERROR] User $USERNAME already exists" >&2; return 1
  fi
  /usr/bin/dscl . -create "/Users/$USERNAME" && \
  /usr/bin/dscl . -passwd "/Users/$USERNAME" "$PASSWORD" && \
  /usr/bin/dscl . -append "/Groups/com.apple.access_smb" GroupMembership "$USERNAME"
}
```
Error Handling & Validation
- Wrap critical commands with validation (test the condition you actually need, here "is a traversable directory", rather than relying on `ls` succeeding, which it also does for plain files):
```bash
if [ ! -d "$SHARE_PATH" ] || [ ! -x "$SHARE_PATH" ]; then
  echo "[ERROR] Path $SHARE_PATH not accessible" >&2; exit 12
fi
```
- Test share visibility:
```bash
smbutil view //USER@localhost | grep -q "${SHARE_NAME}$" || {
echo "Share not published" >&2; exit 14; }
```
- Investigate failures with:
  - `log show --predicate 'subsystem == "com.apple.smb.server"' --last 2h`
  - Console ➜ /var/log/samba or Sharing Logs
- Common fixes:
  - Verify folder and parent permissions (`ls -leO@ /path`).
  - Ensure the firewall allows SMB (port 445) only for selected networks: System Settings ➜ Network ➜ Firewall ➜ Options.
  - Confirm Terminal has Full Disk Access when manipulating protected folders.
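The pre-flight checks above can be packaged as reusable functions. The following is an added example, not part of the original rules: it validates the share name against the kebab-case convention used later in this document, refuses a handful of system paths that should never be exported, and flags world-writable roots. The function names, the refused-path list and exit code 13 are my own choices; exit code 12 follows the convention used above.

```shell
#!/bin/sh
# Added example: pre-flight validation before calling `sharing -a`.
# Function names and the protected-path list are assumptions for this example.
set -eu

# validate_share_name NAME
# Share names must be kebab-case: lower-case letters, digits, single hyphens.
validate_share_name() {
    case "$1" in
        ''|*[!a-z0-9-]*|-*|*-|*--*) return 1 ;;
    esac
    return 0
}

# validate_share_path PATH
# The path must exist, be a directory we can traverse, and must not be one of
# the locations that should never be exported over SMB.
validate_share_path() {
    _p="$1"
    case "$_p" in
        /|/System|/System/*|/private/etc|/private/etc/*|/Users)
            echo "[ERROR] Refusing to share protected location $_p" >&2; return 12 ;;
    esac
    if [ ! -d "$_p" ]; then
        echo "[ERROR] Path $_p is not a directory" >&2; return 12
    fi
    if [ ! -x "$_p" ]; then
        echo "[ERROR] Path $_p not traversable by $(id -un)" >&2; return 12
    fi
    return 0
}

# world_writable PATH -> exit 0 if "others" have write permission on PATH
# (character 9 of the `ls -ld` mode string is the other-write bit; portable
# across macOS and Linux, unlike stat's flags).
world_writable() {
    _mode=$(ls -ld "$1" | cut -c9)
    [ "$_mode" = "w" ]
}

# Usage: sh validate_share.sh <share-name> <path>
if [ "$#" -eq 2 ]; then
    validate_share_name "$1" || { echo "[ERROR] Share name '$1' is not kebab-case" >&2; exit 13; }
    validate_share_path "$2"
    if world_writable "$2"; then
        echo "[WARN] $2 is world-writable; tighten POSIX mode before sharing" >&2
    fi
    echo "OK: $1 -> $2"
fi
```

Run it as a gate at the top of any share-creation script; because each check returns a distinct non-zero status, the caller can distinguish a naming problem from a path problem in CI logs.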
macOS File Sharing Framework
- Enable File Sharing via CLI:
```bash
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server EnabledServices -array disk
```
- Disable AFP completely:
```bash
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist || true
```
- Configure a share programmatically:
```bash
sudo sharing -a "$SHARE_PATH" -S "$SHARE_NAME" -s 001 -g 000 -o "$OWNER" -p "$GROUP"
```
- Enforce SMB3 only (no NT1):
```bash
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server SigningRequired -bool YES
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowedProtocols -array SMB3
```
Access Control Lists (ACLs)
- Use ACLs for granular permissions beyond POSIX:
```bash
sudo chmod +a "USER allow readattr,readextattr,readsecurity,file_inherit,directory_inherit" "$SHARE_PATH"
```
- Keep ACLs minimal; audit with ls -le.
- Document every custom ACL in README.md inside the share root.
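The "contractor-readonly" template from the introduction and the `chmod +a` entry above can be generated from one place so that every share gets an identical, inheriting ACE. The following is an added example, not part of the original rules: the template names, the "team-readwrite" permission set and the `DRY_RUN` switch are my own; the contractor-readonly set is the one given earlier on this page, and the permission keywords are the ones macOS `chmod` accepts.

```shell
#!/bin/sh
# Added example: role-based ACL templates expanded into macOS `chmod +a` entries.
# Template names and the DRY_RUN convention are assumptions for this example.
set -eu

# acl_perms ROLE -> comma-separated macOS ACL permission list for ROLE
acl_perms() {
    case "$1" in
        contractor-readonly)
            echo "read,readattr,readextattr,readsecurity" ;;
        team-readwrite)
            echo "read,write,append,delete,delete_child,list,search,add_file,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity" ;;
        *)
            echo "[ERROR] unknown ACL template '$1'" >&2; return 1 ;;
    esac
}

# acl_entry ROLE USER -> full ACE string; inheritance flags make new files and
# subdirectories inside the share pick up the same entry automatically.
acl_entry() {
    _perms=$(acl_perms "$1") || return 1
    echo "$2 allow $_perms,file_inherit,directory_inherit"
}

# apply_acl_template ROLE PATH USER...
# Adds one ACE per user. With DRY_RUN=1 the chmod commands are printed instead
# of executed, which is how the test below exercises it off-box.
apply_acl_template() {
    _role="$1"; _path="$2"; shift 2
    for _u in "$@"; do
        _ace=$(acl_entry "$_role" "$_u") || return 1
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '/bin/chmod +a "%s" "%s"\n' "$_ace" "$_path"
        else
            /bin/chmod +a "$_ace" "$_path"
        fi
    done
}

# Usage: DRY_RUN=1 sh acl_templates.sh contractor-readonly /Volumes/Shared/Documentation alice bob
if [ "$#" -ge 3 ]; then
    apply_acl_template "$@"
fi
```

Keep the template table as the single source of truth and record which template each share uses in the share's README.md, so a later `ls -le` audit can be diffed against a known expected ACE set rather than read by eye.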
Testing & Auditing
- Monthly checklist:
  - [ ] Review `sharing -l` output for unknown shares.
  - [ ] Run `smbutil statshares -a` to ensure signing & encryption are true.
  - [ ] Parse the Unified Log for failed logins:
    ```bash
    log show --style compact --predicate 'process == "smbd" && eventMessage CONTAINS "failed"' --last 30d
    ```
- Continuous integration (CI) test snippet (GitHub Actions macos-latest); `smbutil statshares` reports the `SIGNING_ON` attribute as `TRUE`/`FALSE`, so match that attribute and value rather than a generic `SIGNING` substring, which would also hit `SIGNING_SUPPORTED`:
```yaml
- run: |
    brew install sambamba # example test tool
    test "$(smbutil statshares -m /Volumes/TestShare | grep SIGNING_ON | awk '{print $2}')" = "TRUE"
```
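The failed-login query above yields raw lines; the alerting rule from the introduction ("--failed-auth --threshold 5 --window 1h") needs them aggregated per source. The following is an added example, not part of the original rules: it counts authentication failures per client address, flags addresses at or above a threshold, and counts how many distinct usernames each address tried (many users from one address is the pattern worth alerting on). The log lines in `SAMPLE_LOG` are constructed for this example and only mimic the shape of `log show --style compact` output; the real smbd message text must be confirmed on your own hosts before the `sed` patterns are relied upon.

```shell
#!/bin/sh
# Added example: aggregate failed SMB logins by source and flag over-threshold
# sources. SAMPLE_LOG is constructed; the message wording is an assumption.
set -eu

SAMPLE_LOG='2024-05-01 09:00:01.000 Df smbd[311:4a2] authentication failed for user alice from 192.168.1.50
2024-05-01 09:00:03.000 Df smbd[311:4a2] authentication failed for user alice from 192.168.1.50
2024-05-01 09:00:07.000 Df smbd[311:4a2] session established for user bob from 192.168.1.60
2024-05-01 09:00:09.000 Df smbd[311:4a2] authentication failed for user admin from 10.0.9.9
2024-05-01 09:00:10.000 Df smbd[311:4a2] authentication failed for user root from 10.0.9.9
2024-05-01 09:00:11.000 Df smbd[311:4a2] authentication failed for user guest from 10.0.9.9
2024-05-01 09:00:12.000 Df smbd[311:4a2] authentication failed for user test from 10.0.9.9
2024-05-01 09:00:13.000 Df smbd[311:4a2] authentication failed for user backup from 10.0.9.9'

# failed_auth_by_source < log -> "<count> <ip>" lines, most frequent first
failed_auth_by_source() {
    grep -i 'authentication failed' \
      | sed -n 's/.* from \([0-9.]*\)$/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# flag_sources THRESHOLD < log -> addresses whose failure count reached THRESHOLD
flag_sources() {
    failed_auth_by_source | awk -v t="$1" '$1 >= t {print $2}'
}

# distinct_users_per_source < log -> "<ip> <n_distinct_users>" sorted by ip
distinct_users_per_source() {
    grep -i 'authentication failed' \
      | sed -n 's/.*for user \([^ ]*\) from \([0-9.]*\)$/\2 \1/p' \
      | sort -u \
      | awk '{c[$1]++} END {for (ip in c) print ip, c[ip]}' \
      | sort
}

# Usage on a live host (window and threshold from the alerting rule above):
#   log show --style compact --predicate 'process == "smbd" && eventMessage CONTAINS "failed"' --last 1h | flag_sources 5
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_auth_by_source
    printf '%s\n' "$SAMPLE_LOG" | flag_sources 5
fi
```

Feed the live `log show` output into `flag_sources` from a launchd job running once per window; a non-empty result is the alert condition, and `distinct_users_per_source` tells the responder whether one account was mistyped or many accounts were tried.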
Performance
- Prefer wired Gigabit or Wi-Fi 6 networks; disable Energy Saver "Wake for network access" if not needed.
- For large multi-user shares, place data on an APFS SSD and disable Spotlight indexing on the volume (`mdutil -i off /Volumes/<share-volume>`) to reduce background I/O.
- Verify SMB signing doesn’t add unacceptable latency for local networks; balance with security requirements.
Security Hardening
- Enable FileVault on all Macs hosting shares.
- Require network users to authenticate; disable guest access (`sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO`).
- Configure firewall: `sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on` followed by specific allow rules for smb-daemon.
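The settings in this section are only as good as their drift detection. The following is an added example, not part of the original rules: it audits the SMB server preference domain against the baseline above by parsing `defaults read` output from stdin, so it can be unit-tested on a captured dump and then pointed at the live domain. `SAMPLE_PREFS` is a constructed dump of a weak configuration. `SigningRequired` and `EnabledServices` are the keys used earlier on this page; `AllowGuestAccess` is the key the Sharing pane toggles for SMB guest access and is an assumption here rather than something the page states.

```shell
#!/bin/sh
# Added example: audit com.apple.smb.server preferences against the hardening
# baseline. SAMPLE_PREFS is constructed; AllowGuestAccess is an assumed key.
set -eu

SMB_DOMAIN=/Library/Preferences/SystemConfiguration/com.apple.smb.server

# Constructed `defaults read` output for a host that still allows guests and
# does not require signing.
SAMPLE_PREFS='{
    AllowGuestAccess = 1;
    EnabledServices = (
        disk
    );
    SigningRequired = 0;
}'

# pref_value KEY < dump -> scalar value of KEY (booleans print as 1/0), empty if absent
pref_value() {
    sed -n "s/^[[:space:]]*$1 = \(.*\);\$/\1/p"
}

# audit_smb_prefs < dump -> one "FAIL <key> (expected <v>)" line per deviation;
# returns 1 if anything failed so it can gate a CI job or a launchd health check.
audit_smb_prefs() {
    _dump=$(cat)
    _rc=0
    if [ "$(printf '%s\n' "$_dump" | pref_value SigningRequired)" != "1" ]; then
        echo "FAIL SigningRequired (expected 1)"; _rc=1
    fi
    if [ "$(printf '%s\n' "$_dump" | pref_value AllowGuestAccess)" != "0" ]; then
        echo "FAIL AllowGuestAccess (expected 0)"; _rc=1
    fi
    return $_rc
}

# Live usage:  sudo defaults read "$SMB_DOMAIN" | audit_smb_prefs
# Remediation for each FAIL line is the matching `defaults write` with the expected value.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PREFS" | audit_smb_prefs || echo "baseline deviations found"
fi
```

Because the parser consumes text rather than calling `defaults` itself, the same function can be run against dumps collected from a fleet by MDM or `ssh`, which is usually how drift is found in practice.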
Backup & Recovery
- Add shared folders to Time Machine include list: System Settings ➜ General ➜ Time Machine ➜ Options ➜ Back Up.
- Test restores quarterly by retrieving a randomly chosen file into a temporary directory and comparing its MD5 checksum with the original.
Documentation & Naming
- Share names: kebab-case, no spaces (e.g., project-assets, finance-2024-q1).
- Folder permissions cheat-sheet is kept as PERMISSIONS.md in repo.
Common Pitfalls (⚠️)
- Forgetting to update parent directory permissions → inherited misconfig.
- Leaving "Everyone: Read & Write" active after testing.
- Using AFP on Ventura+ — unsupported, causes connection loops.
- Neglecting to quote paths with spaces in shell scripts → permission changes on wrong target.
Reference Commands Quick-Look
```
sharing -a <path> -S <name> [options] # add share
sharing -r <name> # remove share
smbutil view //user@host # list remote shares
ls -leO@ <file|dir> # detailed ACL & xattrs
chmod +a "user allow read,write" <path> # add ACL entry
```