mikebernhardt (United States of America) asked:
Can I set up Mac with a limited Admin account

I want someone to be able to install software on the Mac but not be able to change other passwords. So ideally for software install purposes, that user could enter their own username/password for authentication. But they would not have the usual admin privileges which could cause problems.

I am not trying to get around the admin requirement for software installs, just limit that admin's privileges.

Does anyone know a hack that would allow me to create an admin account that either
1. Can install software, but be a standard user in every other way; or
2. Do everything except manage other accounts.

Preferably, #1. I know that this would have to be a hack which requires modifying files or permissions on the command line. I'm comfortable with that. And, I back up every night :-)
Peter Loobuyck (Belgium):
Well, depending on the software to be installed, you can allow applications to be installed in the user's home folder. Most software needs real admin rights though.
Can you tell what software it is?
mikebernhardt (asker):
It would be games. They don't have to be accessible to everyone anyway, only to the user installing them.
You could possibly try to modify /etc/sudoers so that the user only has access to the programs you wish.  Don't make the new account an admin account.

When you create an admin account, the account actually goes into the group admin which is enabled in the /etc/sudoers file to have full access as the root.

In /etc/sudoers, you have root with all the permissions and the admin group right below that, also with all permissions. (NOTE: Do not change these 2 lines or you will mess things up.)
    root    ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL


Just below that, you can add the account you wish to limit. Here's a short example with an account set to access printer functions, the installer command for running installer packages, the software update command, and the cp (copy) command for copying Applications into the /Applications/ folder. There may be more that you need to enable, but this should allow the minimal access needed to handle printing and do the most basic of installs. I did not include the /bin/rm command, so the account cannot remove applications from the /Applications/ folder that were installed by another account. The user that installed the App may be the owner of the App, depending on how it was installed, in which case they can remove the App without a prompt for Admin privileges.

    limited_user_account_name    ALL=(root) /usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp


http://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
Thanks for the suggestion! So, what I really want to do is this: The current default, administrative, account is called "mike." I want to set up a new administrative account which would be just for, well, administrative stuff.

Then I would want to change the current "mike" account so that it is no longer a full admin account. The ideal is to give it all privileges EXCEPT being able to change passwords on other accounts. Is there an argument for ALL EXCEPT [whatever I want to limit]?

That would eliminate the need to create a long list of things to enable, which will surely miss something.
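As an added example (not from the thread or any of its posters), here is a small Python checker for the /etc/sudoers approach suggested above and for the "everything except one command" shape the asker is after. It parses the kind of user-specification lines quoted in the thread (no aliases, wildcards or line continuations), answers whether a given user may run a given binary as root using sudo's last-match-wins rule, and lists the binaries a user may run with unrestricted arguments so each can be reviewed before the account is handed out. The sudoers manual itself warns that subtracting commands from ALL with `!` is not a reliable restriction, which is one reason the short allow list above is the more defensible design. The account names, the `!/usr/bin/passwd` entry and the sample sudoers text are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Matches one user specification:  who  host=(runas) cmd, cmd, !cmd
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


@dataclass
class Rule:
    who: str                                  # user name, 'ALL', or '%group'
    host: str
    runas: str                                # target user: 'ALL', 'root', ...
    cmds: list = field(default_factory=list)  # (negated, path, has_args) in file order


def parse_sudoers(text):
    """Parse user-specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        runas = (m["runas"] or "root").split(":")[0].strip()  # '(ALL : ALL)' -> 'ALL'
        rule = Rule(m["who"], m["host"], runas)
        for item in m["cmds"].split(","):
            item = item.strip()
            words = item.lstrip("!").split()
            rule.cmds.append((item.startswith("!"), words[0], len(words) > 1))
        rules.append(rule)
    return rules


def _applies(rule, user, groups, runas):
    if rule.who.startswith("%"):
        if rule.who[1:] not in groups:
            return False
    elif rule.who not in (user, "ALL"):
        return False
    return rule.runas in ("ALL", runas)


def may_run(rules, user, groups, command, runas="root"):
    """True if `user` (member of `groups`) may run `command` as `runas`.
    As in sudo, the last matching entry wins, so 'ALL, !/usr/bin/passwd'
    grants everything except passwd."""
    verdict = False
    for rule in rules:
        if not _applies(rule, user, groups, runas):
            continue
        for negated, path, _ in rule.cmds:
            if path == "ALL" or path == command:
                verdict = not negated
    return verdict


def unrestricted_commands(rules, user, groups, runas="root"):
    """Binaries the user may run as `runas` with ANY arguments (listed without
    an argument restriction). Each deserves review: a tool that can write files
    anywhere, such as cp, amounts to full root access."""
    found = set()
    for rule in rules:
        if not _applies(rule, user, groups, runas):
            continue
        for negated, path, has_args in rule.cmds:
            if negated:
                found.discard(path)
            elif path != "ALL" and not has_args:
                found.add(path)
    return sorted(found)


# Constructed sample: the two lines quoted in the thread, the proposed limited
# account, and one 'everything except passwd' line of the shape the asker wants
# (the passwd path and account names are assumptions for illustration).
SAMPLE = """
# /etc/sudoers (constructed for this example)
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
limited ALL=(root) /usr/sbin/lpc, /usr/sbin/lprm, /usr/sbin/installer, /usr/sbin/softwareupdate, /bin/cp
mike    ALL=(ALL) ALL, !/usr/bin/passwd
"""

if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE)
    for user, groups, cmd in [("limited", [], "/usr/sbin/installer"),
                              ("limited", [], "/bin/rm"),
                              ("alice", ["admin"], "/bin/rm"),
                              ("mike", [], "/usr/bin/passwd")]:
        print(f"{user:8} {cmd:22} -> {may_run(rules, user, groups, cmd)}")
    print("limited may run with any arguments:", unrestricted_commands(rules, "limited", []))
```

This only checks the policy logic; on the real machine always validate the file's syntax with `visudo -c` after editing, since a syntax error in /etc/sudoers locks everyone out of sudo.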
ASKER CERTIFIED SOLUTION
serialband (Ukraine):

This solution is only available to members.
Excellent! So then I'd have to figure out what executables are used under the hood when using the preferences panel to change another user's password. Any ideas?
I haven't checked, but it might just be /usr/bin/passwd. I'm not sure what the Change Password button in Users & Groups in System Preferences actually does.
OK, I will try this in the next few days and see how it works out for me.
FYI, I haven't had a chance to deal with this yet. I haven't forgotten though.
I STILL haven't had the time to mess with this, but I don't want to leave this hanging open. I'll comment back if it works or open a new question if it doesn't.

Thanks for your help.