4 Replies Latest reply: May 8, 2013 8:46 AM by Simon Slavin
Xeryx Level 1 Level 1 (0 points)

Here is my system

Mac mini i5 2.3

OSX server ML


I have 3 network account user and 2 local user. The local users have local home folder, app and setup on the mac mini hosting the server. I want to restric one the local user to access certains folders and apps. This user will only need to run a Java app and nothing else, today the app is in Desktop folder of the user so the user will only need access to the desktop folder. My goal is to restrict the system in case the Java app get hacked, this to prevent hackers to control and use any other apps liked in a standart user account with sandart apps. I want remove acces to Library, Programs, Documents, local disks ect..


any proposal setup?

I suspect profile manger is the tool but dont realy how to use it.

OS X Server
  • 1. Re: Restrict app and system access for specific user
    MrHoffman Level 6 Level 6 (12,455 points)

    FWIW, if the Java app is entirely local to the folder and is not downloaded, security attacks against it are unlikely.  AFAIK. all security attacks against Java on OS X have launched via the web start plugin or the safe downloads stuff and a downloaded app, which then breached the sandbox.  There's very little exposure to an account running a Java app locally, particularly if — as is typical practice — the web start plugin is disabled, and the "safe downloads" aren't automatically opened.


    If the Java app is downloaded, then you may (do?) have the potential for security problems, and the most recent Java packages can whitelist certain sites as a means to reduce this.  (I'm not yet ready to trust these most recent Java changes, though.)


    Ownerships, protections and ACLs are the usual means of blocking access to system resources.  Not profiles.  Probably the safest approach is to add denials into the access control lists, but non-administrative users don't have wide write access to OS X systems; such users are already denied write access to sensitive items.  If you have shared stuff, you could add an access control list entry that specifically denies access.


    Tested and verified backups — in depth, and preferably offline or offsite — are also obviously important, as they're a path to recovery after a breach.

  • 2. Re: Restrict app and system access for specific user
    Xeryx Level 1 Level 1 (0 points)

    No download of Java App, in fact I run a mincraft server (spigot dev #844) on the mac mini.

    I've considered the solution proposed, but wonder if profile manager offer a more "cleaner" solution ie strip access to all apps execpt java

  • 3. Re: Restrict app and system access for specific user
    MrHoffman Level 6 Level 6 (12,455 points)

    If the folks are drilling out of the Java sandbox for fun or profit, they're probably not going to be launching other Mac apps, and will be probably be headed more directly toward the Unix layer or other lower-level giblets.  They'll likely also be installing stuff, if they can manage that.  FWIW.  (Which is also why the user running the Minecraft server daemon shouldn't be an administrator.)


    You can further restrict access to the Minecraft server by restricting access to VPN'd users.


    Another mechanism to partition Java is to configure it as a guest in a virtual machine.  That way, there's nothing else installed in the guest, and the attacker is faced with exploiting a clean install and/or drilling out of the guest, too.

  • 4. Re: Restrict app and system access for specific user
    Simon Slavin Level 4 Level 4 (1,395 points)

    Ignore anything to do with server.  Just set that account to have Parental Controls.  It allows you to limit use to just selected apps.