Limited Admin Privileges/Specific Elevation of User Accounts

Question

Limited Admin Privileges/Specific Elevation of User Accounts

I'm hoping to create an account on my laptop for my roommate. I don't want him to have a full admin account, but he knows enough about computers that he could troubleshoot networking, and I want to enable him to install programs on the system. I'm not sure what the best way to go about creating an account which can elevate itself for specific tasks; I've never modified my sudoers file before, and I don't know how to do so to grant him access to the privileges he should have. I don't want to force him to use Terminal; I'd rather have him be able to enter a username/password for Admin privileges when prompted, whether that's his standard user account or a limited Admin account, but I want to make sure that account DOESN'T have access to modify anything in Users & Groups, can't create accounts with dscl, can't modify the keychain or hard drive partitions, etc.

Am I right in thinking the sudoers file is the best way to approach this? How do I find out what processes to allow access to? Does Network Preferences, for example, have any dependencies he will also need to be able to run? Also, is there a good starting point/article on modifying the sudoers file for this type of thing anywhere? <<clearly googling the wrong thing because my searches just tell me how to add someone to the sudoers file>>

OS X Mountain Lion (10.8.2)

Posted on Apr 18, 2013 6:09 PM

Reply

Answer 1

Apr 18, 2013 6:41 PM in response to Do Not Authorize

If you trust him enough to give him limited (whatever that means) Admin access you trust hi enough to just give him an Admin account.

If you don;t trust him with an Admin account any user who knows enough will be able to take whatever privileges you grant and turn that into full access.

Besides if he has physical access to the machine all bets are off.

Reply

Answer 2

Apr 19, 2013 12:27 PM in response to Frank Caggiano

Security is a matter of risk management, because it's impossible to completely secure anything. I'm not assuming he's malicious, I just want to make elevating privileges himself too much of an annoyance to bother with for things I'd rather he ask me about anyway (like repartitioning the hard drive).

I don't want to make it convenient for him to make sweeping system changes. However, I trust him enough to install/modify/remove applications and to modify network settings (i.e. connect to a VPN using Network Preferences). I'm looking for a way to make that happen, not to "completely protect" my system against him.

Reply

Answer 3

Apr 19, 2013 1:06 PM in response to Do Not Authorize

To modify network settings he needs to be able to unlock the preference pane. If you can unlock one pane you can unlock them all including Users & Groups.

While it is more feasible allow him some latitude in the application installing scenario it's going to be a pain. The non-server version of OS X is just not setup for this. Either a user has admin privileges or he doesn't there is no part way.

Again if you trust him then you should also trust him not to do what you don't want him to do. If you tell him he can do x but please don't do y and you think he won't abide by your rules then giving him any access is potential trouble.

And again if he can get to the machine when you are not around he can do what he likes, privileges or no privileges.

good luck,

regards

Reply

Answer 4

Apr 19, 2013 1:36 PM in response to Frank Caggiano

I see. Out of curiousity, how does one gain permissions to unlock the preference pane? Is it with membership in a certain group, i.e. admin? Does the System Preferences app just perform a check on the the user who is supplied at the prompt? Mildly annoying lack of granularity there; however, since OS X server is only $20, perhaps that's worth checking out. Thanks!

Reply

Answer 5

Király

Level 6

10,017 points

Apr 20, 2013 10:56 AM in response to Do Not Authorize

If you want to limit a user's access to something, no matter how big or small, you must not give that user an admin account, or tell him an admin account's password. An admin user owns the machine and can undo any limits another admin user may place.

You might want to give the guy a non-admin account and then look in to modifying the /etc/authorization file. This file configures what tasks can be done only by admins and what can be done with only user privileges. Modify the file to suit.

Reply