Solved

Can I set up Mac with a limited Admin account

Posted on 2014-01-17
Last Modified: 2014-03-12
I want someone to be able to install software on the Mac but not be able to change other passwords. So ideally for software install purposes, that user could enter their own username/password for authentication. But they would not have the usual admin privileges which could cause problems.

I am not trying to get around the admin requirement for software installs, just limit that admin's privileges.

Does anyone know a hack that would allow me to create an admin account that either
1. Can install software, but be a standard user in every other way; or
2. Do everything except manage other accounts.

Preferably, #1. I know that this would have to be a hack which requires modifying files or permissions on the command line. I'm comfortable with that. And, I back up every night :-)
0
Question by:mikebernhardt
10 Comments
 
LVL 7

Expert Comment

by:Peter Loobuyck
ID: 39790353
Well, depending on the software to be installed, you can allow applications to be installed in the user's home folder. Most software needs real admin rights though.
Can you tell what software it is?
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39797628
It would be games. They don't have to be accessible to everyone anyway, only to the user installing them.
0
 
LVL 27

Expert Comment

by:serialband
ID: 39798821
You could possibly try to modify /etc/sudoers so that the user only has access to the programs you wish.  Don't make the new account an admin account.

When you create an admin account, the account actually goes into the group admin which is enabled in the /etc/sudoers file to have full access as the root.

In /etc/sudoers, you have root with all the permissions and the admin group right below that, also with all permissions. (NOTE: Do not change these 2 lines or you will mess things up.)
root    ALL=(ALL) ALL
%admin	ALL=(ALL) ALL

Just below that, you can add the account you wish to limit. Here's a short example with an account set to access printer functions, the installer command for running installer packages, the software update command, and the cp (copy) command for copying Applications into the /Applications/ folder. There may be more that you need to enable, but this should allow the minimal access needed to handle printing and do the most basic of installs. I did not include the /bin/rm command, so the account cannot remove applications from the /Applications/ folder that were installed by another account. The user that installed the App may be the owner of the App, depending on how it was installed, in which case they can remove the App without a prompt for Admin privileges.

limited_user_account_name    ALL=(root) /usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp

http://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39800898
Thanks for the suggestion! So, what I really want to do is this: The current default, administrative, account is called "mike." I want to set up a new administrative account which would be just for, well, administrative stuff.

Then I would want to change the current "mike" account so that it is no longer a full admin account. The ideal is to give it all privileges EXCEPT being able to change passwords on other accounts. Is there an argument for ALL EXCEPT [whatever I want to limit] ?

That would eliminate the need to create a long list of things to enable, which will surely miss something.
0
 
LVL 27

Accepted Solution

by:
serialband earned 500 total points
ID: 39801325
Now, you're really delving into the unix sudoers realm.  You would do something like the following to exclude the rm and mv commands.
mike    ALL=(root) ALL
mike    ALL=(root) !/bin/rm, !/bin/mv

It's easier to create a Command Alias for them if you have other accounts to manage.
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
mike    ALL=(root) ALL
mike    ALL=(root) !EXCEPTIONS_LIST

You could make it more complex
Cmnd_Alias COMMANDS_LIST=/usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
Cmnd_Alias MY_PROGS=COMMANDS_LIST, !EXCEPTIONS_LIST
Cmnd_Alias NOEXEC_LIST=/usr/bin/vim, /usr/bin/less

mike    ALL=(root) MY_PROGS 
mike    ALL=(root) NOEXEC: NOEXEC_LIST

http://ubuntuforums.org/showthread.php?t=1132821
0
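A pre-install check for rules like the ones in the accepted answer, as an added example that is not part of the original thread: it reports Cmnd_Alias names that are referenced but never defined, and users who are granted ALL and then have commands subtracted with "!", a pattern that sudoers(5) describes as generally not effective. The account name gamer and the sample fragment are constructed, and the check complements rather than replaces the syntax check done by visudo -c.

```shell
#!/bin/sh
# lint_sudoers FILE: print one finding per line; no output means no findings.
lint_sudoers() {
    awk '
    # Split a command list on commas; note alias references and "!" negations.
    function scan(rhs, who,    n, i, t, neg, parts) {
        n = split(rhs, parts, ",")
        for (i = 1; i <= n; i++) {
            t = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", t)
            neg = sub(/^![ \t]*/, "", t)
            if (t == "ALL") { if (who != "" && !neg) grants_all[who] = 1 }
            else if (t ~ /^[A-Z][A-Z0-9_]*$/ && !(t in ref)) ref[t] = NR
            if (who != "" && neg) negates[who] = 1
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ || $1 ~ /^Defaults/ { next }
    $1 == "Cmnd_Alias" {
        name = $0; sub(/^Cmnd_Alias[ \t]+/, "", name); sub(/[ \t]*=.*/, "", name)
        defined[name] = 1
        rhs = $0; sub(/^[^=]*=/, "", rhs); scan(rhs, "")
        next
    }
    /=/ {   # user spec: user host=(runas) [TAG:] command, command ...
        rhs = $0; sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", rhs)
        gsub(/[A-Z]+:[ \t]*/, "", rhs)
        scan(rhs, $1)
    }
    END {
        for (a in ref) if (!(a in defined))
            printf "undefined-alias %s line %d\n", a, ref[a]
        for (u in grants_all) if (u in negates)
            printf "negation-from-all %s\n", u
    }' "$1"
}

# Constructed sample with a misspelled alias; "gamer" is a hypothetical account.
write_sample() {
    cat > "$1" <<'EOF'
Cmnd_Alias COMMANDS_LIST=/usr/sbin/installer, /usr/sbin/softwareupdate
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
Cmnd_Alias MY_PROGS=COMMAND_LIST, !EXCEPTIONS_LIST
gamer   ALL=(root) MY_PROGS
mike    ALL=(root) ALL
mike    ALL=(root) !EXCEPTIONS_LIST
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && lint_sudoers "$tmp"
rm -f "$tmp"
```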

 
LVL 28

Author Comment

by:mikebernhardt
ID: 39801603
Excellent! So then I'd have to figure out what executables are used under the hood when using the preferences panel to change another user's password. Any ideas?
0
 
LVL 27

Expert Comment

by:serialband
ID: 39801914
I haven't checked, but it might just be /usr/bin/passwd.  I'm not sure what the Change Password button in User & Groups in System Preferences actually does.
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39803974
OK, I will try this in the next few days and see how it works out for me.
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39857520
FYI, I haven't had a chance to deal with this yet. I haven't forgotten though.
0
 
LVL 28

Author Closing Comment

by:mikebernhardt
ID: 39924718
I STILL haven't had the time to mess with this, but I don't want to leave this hanging open. I'll comment back if it works or open a new question if it doesn't.

Thanks for your help.
0
