12 Replies Latest reply: Jul 28, 2013 9:54 AM by etresoft
Alejandro_64 Level 1 Level 1 (0 points)

Hello!

Is there any way to create a  limited access OS X account inaccessible to ANY other account on the same iMac?


iMac, OS X Mountain Lion (10.8.4), 27-inch (late 2012)
  • 1. Re: Create limited access OS X account inaccessible to admin
    Matt Clifton Level 7 Level 7 (27,790 points)

    No. The whole point of admin is that it's admin. Either you're the administrator of a computer or you're not.

     

    All users' files are inaccessible from one another by default, but admin has the ability to change someone's password and thus access their files, if they really wanted to. So if you own a computer, and you've made someone else admin, and you don't want them to have that power, they need to not be admin any more.

     

    Matt

  • 2. Re: Create limited access OS X account inaccessible to admin
    Alejandro_64 Level 1 Level 1 (0 points)

    What if I just encrypt my folders - would they be still accessible for admin? Maybe there's some way when admin can only delete user, but not access his data?

     

    One more clarification, please - are the admin accounts are accessible for each other if there are two admins @ the same machine?

     

    PS Just cuirious - which password will "sudo" accept? Both? =)

  • 3. Re: Create limited access OS X account inaccessible to admin
    Matt Clifton Level 7 Level 7 (27,790 points)

    All "admin" accounts are at the same level - and all can change anyone else's password. So, again, the files themselves are not actually accessible unless an admin changes another's password and logs in as them, or changes the permissions on the other user's home folder files to be able to see them.

     

    Sudo will accept any administrator-level password.

     

    Matt

  • 4. Re: Create limited access OS X account inaccessible to admin
    Alejandro_64 Level 1 Level 1 (0 points)

    The last clarification - do encrypted files become accessibe too if admin changes password and logs in under my account or changes permissions?

  • 5. Re: Create limited access OS X account inaccessible to admin
    etresoft Level 7 Level 7 (24,265 points)

    Alejandro_64 wrote:

     

    What if I just encrypt my folders - would they be still accessible for admin? Maybe there's some way when admin can only delete user, but not access his data?

    If you encrypt folders, they will be inaccessible to anyone who doesn't have the password, including admin users.

     

    Admin users can, however, change your password and make those folders inaccessible by you. They can also just delete the encrypted folders.

  • 6. Re: Create limited access OS X account inaccessible to admin
    Alejandro_64 Level 1 Level 1 (0 points)

    1) I make (under non-admin password-protected account A) an encrypted folder.

    2) Admin changes password of my account.

    3) Will my encrypted under PREVIOUS password folder be available to me if I login to my account under NEW password?

  • 7. Re: Create limited access OS X account inaccessible to admin
    Matt Clifton Level 7 Level 7 (27,790 points)

    Encrypted disk images (using Disk Utility) are not encrypted with your login password, they use a password that you set at the time of encryption. Its password optionally can be (but really shouldn't be) stored in your keychain. It's unaffected by a change in your login password. Either way, provided you remember the encryption password, you'll still be able to access the file after login password is changed.

     

    Matt

  • 8. Re: Create limited access OS X account inaccessible to admin
    Alejandro_64 Level 1 Level 1 (0 points)

    So if admin logs in onto my account he will have access to my keychain, if my password to encrypted contents is stored there? And if it is not stored in keychain my encrypted contents will be inaccessible?

  • 9. Re: Create limited access OS X account inaccessible to admin
    etresoft Level 7 Level 7 (24,265 points)

    Alejandro_64 wrote:

     

    So if admin logs in onto my account he will have access to my keychain, if my password to encrypted contents is stored there? And if it is not stored in keychain my encrypted contents will be inaccessible?

    Sorry, I spaced out earlier.

     

    Your keychain is also encrypted. The keychain password is synced to your login password but only through normal password reset. If your password is forcibly reset (for whatever reason), then the keychain still has the old password. It cannot be accessed without the correct password.

     

    However, I should caution you about trying to have private content on a machine when someone else is the admin. Obviously, the other party has more power than you do. If your private content is discovered, even though encrypted, they may have other means to force you to decrypt it. As admin, they can always simply delete it and/or revoke all of your account privileges, if not more.

  • 10. Re: Create limited access OS X account inaccessible to admin
    Alejandro_64 Level 1 Level 1 (0 points)

    My brain is completely destroyed with all this logics.

     

    What are "normal" and "forced" changes of passwords?

     

    So far I understood that if I have an encrypted folder password stored in keychain this keychain (and thus password to ncrypted folder) will be available to anyone who has a login password.

     

    So my only reliable option is NOT to store password for encrypted folders in keychain.

    Correct?

     

    And just out of curiosity - if admin changes my login passwrd will my keychain  be automatically available to anyone who logs in with this new password or it will require the previous one?

  • 11. Re: Create limited access OS X account inaccessible to admin
    Barney-15E Level 8 Level 8 (35,275 points)

    Alejandro_64 wrote:

     

    My brain is completely destroyed with all this logics.

     

    What are "normal" and "forced" changes of passwords?

     

    So far I understood that if I have an encrypted folder password stored in keychain this keychain (and thus password to ncrypted folder) will be available to anyone who has a login password.

    By default, the keychain unlocks with your login password because they are set to the same thing. If they have your login password it will unlock when they log in with your password. If they change your login password, the keychain will not unlock as it is no longer the same password. So, no, they cannot change your password and get access to your keychain. It will require the previous password.

     

    You can change your keychain password so that you have to unlock it using a different password instead of the login password.

     

    You can also create another keychain that holds the password to your encrypted volume. Give that a different password and it will not be unlocked at login. However, you don't have to store the password to the encrypted disk image in your keychain. Just delete the password entry from Keychain Access and it will require you to type it in when you try to mount the image. When you type it in, don't check the box to remember the password in the keychain.

  • 12. Re: Create limited access OS X account inaccessible to admin
    etresoft Level 7 Level 7 (24,265 points)

    Alejandro_64 wrote:

     

    What are "normal" and "forced" changes of passwords?

     

    Normal is when you change your password via System Preferences > Users & Groups.

     

    Forced is when a system administrator changes your password for you. Usually, the only time anyone forces a password change is when they have forgotten the password and they have to ask the company IT people to change it. For a home user without a company IT person, you can do it via the recovery boot option.

     

    After forcing a password change like this, you can use the new password to login to the account. Anything that was encrypted with the old password, such as they keychain or encrypted DMG disk image files) stays encrypted with the old password. If you have really forgotten it, that data is gone for good.

     

    So far I understood that if I have an encrypted folder password stored in keychain this keychain (and thus password to ncrypted folder) will be available to anyone who has a login password.

     

    Yes

     

    So my only reliable option is NOT to store password for encrypted folders in keychain.

    Correct?

     

    It depends on your definition of reliable. For maximum security, you should never store passwords anywhere. They should be long, memorable phrases of about 100-120 characters, misspelled, upper and lower case, with special characters, and some out-of-character obscentities thrown in for good measure. That would be a secure password, but very unreliable as you would likely never remember it.

     

    And just out of curiosity - if admin changes my login passwrd will my keychain  be automatically available to anyone who logs in with this new password or it will require the previous one?

     

    It will require the previous one. If you change your password, the system updates your keychain password to match.

     

    Again, what is your goal here? The administrator, also called "super-user" is called that for a reason. They have what is called "administrative authority" to control, or deny, your access to the system. They may combine that "administrative authority" with something called "cognitive authority" to install a keylogger. Then you might have some explaining to do. I suggest you tread carefully.