  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 769

Can I set up Mac with a limited Admin account

I want someone to be able to install software on the Mac but not be able to change other passwords. So ideally for software install purposes, that user could enter their own username/password for authentication. But they would not have the usual admin privileges which could cause problems.

I am not trying to get around the admin requirement for software installs, just limit that admin's privileges.

Does anyone know a hack that would allow me to create an admin account that either
1. Can install software, but be a standard user in every other way; or
2. Can do everything except manage other accounts.

Preferably, #1. I know that this would have to be a hack which requires modifying files or permissions on the command line. I'm comfortable with that. And, I back up every night :-)
0
Asked by: mikebernhardt
1 Solution
 
Peter Loobuyck Commented:
Well, depending on the software to be installed, you can allow applications to be installed in the user's home folder. Most software needs real admin rights though.
Can you tell what software it is?
0
 
mikebernhardt (Author) Commented:
It would be games. They don't have to be accessible to everyone anyway, only to the user installing them.
0
 
serialband Commented:
You could possibly try to modify /etc/sudoers so that the user only has access to the programs you wish. Don't make the new account an admin account.

When you create an admin account, the account actually goes into the group admin which is enabled in the /etc/sudoers file to have full access as the root.

In /etc/sudoers, you have root with all the permissions and the admin group right below that, also with all permissions. (NOTE: Do not change these 2 lines or you will mess things up.)
root    ALL=(ALL) ALL
%admin	ALL=(ALL) ALL


Just below that, you can add the account you wish to limit. Here's a short example with an account set to access printer functions, the installer command for running installer packages, the software update command, and the cp (copy) command for copying Applications into the /Applications/ folder. There may be more that you need to enable, but this should allow the minimal access needed to handle printing and do the most basic of installs. I did not include the /bin/rm command, so the account cannot remove applications from the /Applications/ folder that were installed by another account. The user that installed the App may be the owner of the App, depending on how it was installed, in which case they can remove the App without a prompt for Admin privileges.

limited_user_account_name    ALL=(root) /usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp


http://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
0
 
mikebernhardt (Author) Commented:
Thanks for the suggestion! So, what I really want to do is this: The current default, administrative, account is called "mike." I want to set up a new administrative account which would be just for, well, administrative stuff.

Then I would want to change the current "mike" account so that it is no longer a full admin account. The ideal is to give it all privileges EXCEPT being able to change passwords on other accounts. Is there an argument for ALL EXCEPT [whatever I want to limit] ?

That would eliminate the need to create a long list of things to enable, which will surely miss something.
0
 
serialband Commented:
Now, you're really delving into the unix sudoers realm. You would do something like the following to exclude the rm and mv commands.
mike    ALL=(root) ALL
mike    ALL=(root) !/bin/rm, !/bin/mv


It's easier to create a Command Alias for them if you have other accounts to manage.
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
mike    ALL=(root) ALL
mike    ALL=(root) !EXCEPTIONS_LIST


You could make it more complex
Cmnd_Alias COMMANDS_LIST=/usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
Cmnd_Alias MY_PROGS=COMMANDS_LIST, !EXCEPTIONS_LIST
Cmnd_Alias NOEXEC_LIST=/usr/bin/vim, /usr/bin/less

mike    ALL=(root) MY_PROGS 
mike    ALL=(root) NOEXEC: NOEXEC_LIST


http://ubuntuforums.org/showthread.php?t=1132821
0
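An added example, not part of the original thread or of anyone's posted rules: a small Python linter for sudoers fragments like the ones above. It flags alias references that were never defined and rules that grant ALL and then subtract commands with `!`, a pattern the sudoers manual describes as generally not effective; the parser covers only simple `Cmnd_Alias` and user-spec lines, and the finding names are made up for this example.

```python
import re

# Constructed sample modelled on the thread's rules; COMMAND_LIST is a deliberate typo.
SAMPLE = """\
Cmnd_Alias COMMANDS_LIST=/usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
Cmnd_Alias MY_PROGS=COMMAND_LIST, !EXCEPTIONS_LIST
mike    ALL=(root) ALL
mike    ALL=(root) !EXCEPTIONS_LIST
mike    ALL=(root) NOEXEC: MY_PROGS
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")        # NOEXEC:, NOPASSWD:, ...
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")      # alias-shaped word (or ALL)

def items(cmd_list):
    """Split a command list into (negated, name) pairs, dropping tags."""
    out = []
    for raw in cmd_list.split(","):
        item = TAG_RE.sub("", raw.strip())
        out.append((item.startswith("!"), item.lstrip("!").strip()))
    return out

def lint(text):
    """Return sorted (finding, subject) tuples for a sudoers fragment."""
    aliases, specs, findings = {}, [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = items(m.group(2))
        elif (m := SPEC_RE.match(line)):
            specs.append((m.group(1), items(m.group(2))))
    used = [i for v in aliases.values() for i in v] + [i for _, v in specs for i in v]
    for _, name in used:
        if NAME_RE.match(name) and name != "ALL" and name not in aliases:
            findings.add(("undefined-alias", name))
    for user in {u for u, _ in specs}:
        mine = [i for u, v in specs if u == user for i in v]
        # Deny-list pattern: ALL granted, then commands subtracted with "!"
        if (False, "ALL") in mine and any(neg for neg, _ in mine):
            findings.add(("negation-from-ALL", user))
    return sorted(findings)

print(lint(SAMPLE))
```

This does not replace sudo's own syntax check: run `visudo -c -f <file>` on the real file before installing it.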
 
mikebernhardt (Author) Commented:
Excellent! So then I'd have to figure out what executables are used under the hood when using the preferences panel to change another user's password. Any ideas?
0
 
serialband Commented:
I haven't checked, but it might just be /usr/bin/passwd. I'm not sure what the Change Password button in Users & Groups in System Preferences actually does.
0
 
mikebernhardt (Author) Commented:
OK, I will try this in the next few days and see how it works out for me.
0
 
mikebernhardt (Author) Commented:
FYI, I haven't had a chance to deal with this yet. I haven't forgotten though.
0
 
mikebernhardt (Author) Commented:
I STILL haven't had the time to mess with this, but I don't want to leave this hanging open. I'll comment back if it works or open a new question if it doesn't.

Thanks for your help.
0
