Solved

Can I set up Mac with a limited Admin account

Posted on 2014-01-17
10
736 Views
Last Modified: 2014-03-12
I want someone to be able to install software on the Mac but not be able to change other passwords. So ideally for software install purposes, that user could enter their own username/password for authentication. But they would not have the usual admin privileges which could cause problems.

I am not trying to get around the admin requirement for software installs, just limit that admin's privileges.

Does anyone know a hack that would allow me to create an admin account that either
1. Can install software, but be a standard user in every other way; or
2. Do everything except manage other accounts.

Preferably, #1. I know that this would have to be a hack which requires modifying files or permissions on the command line. I'm comfortable with that. And, I back up every night :-)
0
Comment
Question by:mikebernhardt
10 Comments
 
LVL 7

Expert Comment

by:Peter Loobuyck
ID: 39790353
Well, depending on the software to be installed, you can allow applications to be installed in the user's home folder. Most software needs real admin rights though.
Can you tell what software it is?
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39797628
It would be games. They don't have to be accessible to everyone anyway, only to the user installing them.
0
 
LVL 30

Expert Comment

by:serialband
ID: 39798821
You could possibly try to modify /etc/sudoers so that the user only has access to the programs you wish.  Don't make the new account an admin account.

When you create an admin account, the account actually goes into the group admin which is enabled in the /etc/sudoers file to have full access as the root.

In /etc/sudoers, you have root with all the permissions and the admin group right below that, also with all permissions. (NOTE: Do not change these 2 lines or you will mess things up.)
root    ALL=(ALL) ALL
%admin	ALL=(ALL) ALL

Just below that, you can add the account you wish to limit. Here's a short example with an account set to access printer functions, the installer command for running installer packages, the software update command, and the cp (copy) command for copying Applications into the /Applications/ folder.  There may be more that you need to enable, but this should allow the minimal access needed to handle printing and do the most basic of installs.  I did not include the /bin/rm command, so the account cannot remove applications from the /Applications/ folder that were installed by another account.  The user that installed the App may be the owner of the App, depending on how it was installed, in which case they can remove the App without a prompt for Admin privileges.

limited_user_account_name    ALL=(root) /usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp

http://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39800898
Thanks for the suggestion! So, what I really want to do is this: The current default, administrative, account is called "mike." I want to set up a new administrative account which would be just for, well, administrative stuff.

Then I would want to change the current "mike" account so that it is no longer a full admin account. The ideal is to give it all privileges EXCEPT being able to change passwords on other accounts. Is there an argument for ALL EXCEPT [whatever I want to limit] ?

That would eliminate the need to create a long list of things to enable, which will surely miss something.
0
 
LVL 30

Accepted Solution

by:
serialband earned 500 total points
ID: 39801325
Now, you're really delving into the unix sudoers realm.  You would do something like the following to exclude the rm and mv commands.
mike    ALL=(root) ALL
mike    ALL=(root) !/bin/rm, !/bin/mv

It's easier to create a Command Alias for them if you have other accounts to manage.
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
mike    ALL=(root) ALL
mike    ALL=(root) !EXCEPTIONS_LIST

You could make it more complex
Cmnd_Alias COMMANDS_LIST=/usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
Cmnd_Alias MY_PROGS=COMMANDS_LIST, !EXCEPTIONS_LIST
Cmnd_Alias NOEXEC_LIST=/usr/bin/vim, /usr/bin/less

mike    ALL=(root) MY_PROGS
mike    ALL=(root) NOEXEC: NOEXEC_LIST

http://ubuntuforums.org/showthread.php?t=1132821
0
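To see how sudo actually resolves the alias and `!` rules from the two sudoers answers above, here is a small evaluator that applies sudo's last-match-wins semantics to a constructed fragment built from those snippets; this is an added illustration, not code from the thread, and the account name "bob" plus the path-only matching (no arguments, hosts or tags are checked) are assumptions.

```python
SUDOERS = """\
# Constructed sample from the answer's snippets (alias name COMMANDS_LIST used consistently); 'bob' is an invented account
Cmnd_Alias COMMANDS_LIST=/usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp
Cmnd_Alias EXCEPTIONS_LIST=/bin/rm, /bin/mv
Cmnd_Alias MY_PROGS=COMMANDS_LIST, !EXCEPTIONS_LIST
Cmnd_Alias NOEXEC_LIST=/usr/bin/vim, /usr/bin/less
mike    ALL=(root) MY_PROGS
mike    ALL=(root) NOEXEC: NOEXEC_LIST
bob     ALL=(root) ALL
bob     ALL=(root) !EXCEPTIONS_LIST
"""

def parse_sudoers(text):
    """Read Cmnd_Alias lines and 'user HOST=(runas) [TAG:] cmd, ...' lines (the subset used above)."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
        elif line:
            user, _, rest = line.partition("=")
            cmds = rest.split(")", 1)[1]                      # drop the "(root)" runas part
            cmds = cmds.split(":", 1)[1] if ":" in cmds else cmds  # drop a tag such as NOEXEC:
            specs.append((user.split()[0], [c.strip() for c in cmds.split(",")]))
    return aliases, specs

def expand(items, aliases, negated=False):
    """Flatten alias references into (negated, path) pairs; every '!' flips the polarity."""
    out = []
    for item in items:
        neg = negated
        while item.startswith("!"):
            neg, item = not neg, item[1:]
        out.extend(expand(aliases[item], aliases, neg) if item in aliases else [(neg, item)])
    return out

def allowed(user, command, aliases, specs):
    """Emulate sudo's evaluation: every matching entry is visited and the LAST match wins (path-only compare)."""
    verdict = False                                  # no matching entry at all means denied
    for spec_user, cmds in specs:
        if spec_user != user:
            continue
        for neg, path in expand(cmds, aliases):
            if path in ("ALL", command):
                verdict = not neg
    return verdict

ALIASES, SPECS = parse_sudoers(SUDOERS)
```

The sudoers manual's own caveat applies to bob's "ALL minus exceptions" shape: it is easy to sidestep, so an explicit allow-list such as mike's MY_PROGS is the safer pattern.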
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39801603
Excellent! So then I'd have to figure out what executables are used under the hood when using the preferences panel to change another user's password. Any ideas?
0
 
LVL 30

Expert Comment

by:serialband
ID: 39801914
I haven't checked, but it might just be /usr/bin/passwd.  I'm not sure what the Change Password button in User & Groups in System Preferences actually does.
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39803974
OK, I will try this in the next few days and see how it works out for me.
0
 
LVL 28

Author Comment

by:mikebernhardt
ID: 39857520
FYI, I haven't had a chance to deal with this yet. I haven't forgotten though.
0
 
LVL 28

Author Closing Comment

by:mikebernhardt
ID: 39924718
I STILL haven't had the time to mess with this, but I don't want to leave this hanging open. I'll comment back if it works or open a new question if it doesn't.

Thanks for your help.
0
