
Create limited access OS X account inaccessible to admin

Hello!

Is there any way to create a limited access OS X account inaccessible to ANY other account on the same iMac?

iMac, OS X Mountain Lion (10.8.4), 27-inch (late 2012)

Posted on Jul 26, 2013 1:28 AM


Posted on Jul 26, 2013 1:55 AM

No. The whole point of admin is that it's admin. Either you're the administrator of a computer or you're not.


All users' files are inaccessible from one another by default, but admin has the ability to change someone's password and thus access their files, if they really wanted to. So if you own a computer, and you've made someone else admin, and you don't want them to have that power, they need to not be admin any more.


Matt


Jul 26, 2013 2:00 AM in response to Matt Clifton

What if I just encrypt my folders - would they be still accessible for admin? Maybe there's some way when admin can only delete user, but not access his data?


One more clarification, please - are the admin accounts accessible to each other if there are two admins @ the same machine?


PS Just curious - which password will "sudo" accept? Both? =)

Jul 26, 2013 2:01 AM in response to Alejandro_64

All "admin" accounts are at the same level - and all can change anyone else's password. So, again, the files themselves are not actually accessible unless an admin changes another's password and logs in as them, or changes the permissions on the other user's home folder files to be able to see them.


Sudo will accept any administrator-level password.


Matt

Jul 26, 2013 5:52 AM in response to Alejandro_64

Alejandro_64 wrote:


What if I just encrypt my folders - would they be still accessible for admin? Maybe there's some way when admin can only delete user, but not access his data?

If you encrypt folders, they will be inaccessible to anyone who doesn't have the password, including admin users.


Admin users can, however, change your password and make those folders inaccessible by you. They can also just delete the encrypted folders.

Jul 27, 2013 1:35 PM in response to Alejandro_64

Encrypted disk images (using Disk Utility) are not encrypted with your login password, they use a password that you set at the time of encryption. Its password optionally can be (but really shouldn't be) stored in your keychain. It's unaffected by a change in your login password. Either way, provided you remember the encryption password, you'll still be able to access the file after login password is changed.


Matt

Jul 28, 2013 6:28 AM in response to Alejandro_64

Alejandro_64 wrote:


So if admin logs in onto my account he will have access to my keychain, if my password to encrypted contents is stored there? And if it is not stored in keychain my encrypted contents will be inaccessible?

Sorry, I spaced out earlier.


Your keychain is also encrypted. The keychain password is synced to your login password but only through normal password reset. If your password is forcibly reset (for whatever reason), then the keychain still has the old password. It cannot be accessed without the correct password.


However, I should caution you about trying to have private content on a machine when someone else is the admin. Obviously, the other party has more power than you do. If your private content is discovered, even though encrypted, they may have other means to force you to decrypt it. As admin, they can always simply delete it and/or revoke all of your account privileges, if not more.

Jul 28, 2013 7:13 AM in response to etresoft

My brain is completely destroyed with all this logic. 🙂


What are "normal" and "forced" changes of passwords? 🙂


So far I understood that if I have an encrypted folder password stored in keychain this keychain (and thus password to encrypted folder) will be available to anyone who has a login password.


So my only reliable option is NOT to store password for encrypted folders in keychain.

Correct?


And just out of curiosity - if admin changes my login password will my keychain be automatically available to anyone who logs in with this new password or it will require the previous one?

Jul 28, 2013 7:07 AM in response to Alejandro_64

Alejandro_64 wrote:


My brain is completely destroyed with all this logic. 🙂


What are "normal" and "forced" changes of passwords? 🙂


So far I understood that if I have an encrypted folder password stored in keychain this keychain (and thus password to encrypted folder) will be available to anyone who has a login password.

By default, the keychain unlocks with your login password because they are set to the same thing. If they have your login password it will unlock when they log in with your password. If they change your login password, the keychain will not unlock as it is no longer the same password. So, no, they cannot change your password and get access to your keychain. It will require the previous password.


You can change your keychain password so that you have to unlock it using a different password instead of the login password.


You can also create another keychain that holds the password to your encrypted volume. Give that a different password and it will not be unlocked at login. However, you don't have to store the password to the encrypted disk image in your keychain. Just delete the password entry from Keychain Access and it will require you to type it in when you try to mount the image. When you type it in, don't check the box to remember the password in the keychain.
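The setup described in the replies above (an encrypted disk image with its own passphrase, and a separate keychain that does not unlock at login), as an added example that is not part of the original thread. The paths, the keychain name `private.keychain`, the 100m size and the 300-second lock timeout are placeholder choices.

```shell
#!/bin/sh
# Added example, not from the thread. Image path, keychain name, size and
# timeout are placeholders; the commands are the stock macOS hdiutil and
# security tools.

DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create an AES-256 encrypted disk image. hdiutil asks for a new passphrase;
# pick one that differs from the login password and do not save it in the
# login keychain, so a reset of the login password does not expose it.
make_private_image() {      # $1 = image path, $2 = size (e.g. 100m)
    run hdiutil create -size "$2" -fs HFS+J -volname Private \
        -encryption AES-256 "$1"
}

# Create a second keychain. security asks for its password; because that
# password is not the login password, the keychain stays locked at login.
make_private_keychain() {   # $1 = keychain name
    run security create-keychain "$1"
    # Lock on sleep (-l) and after 300 seconds of inactivity (-u -t 300).
    run security set-keychain-settings -l -u -t 300 "$1"
    run security lock-keychain "$1"
}

# Run with --setup to perform both steps for the current user.
if [ "${1:-}" = "--setup" ]; then
    make_private_image "$HOME/Private.dmg" 100m
    make_private_keychain private.keychain
fi
```

An admin account can still delete the image file or the keychain; this only keeps the contents unreadable without the passphrase.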

Jul 28, 2013 9:54 AM in response to Alejandro_64

Alejandro_64 wrote:


What are "normal" and "forced" changes of passwords? 🙂


Normal is when you change your password via System Preferences > Users & Groups.


Forced is when a system administrator changes your password for you. Usually, the only time anyone forces a password change is when they have forgotten the password and they have to ask the company IT people to change it. For a home user without a company IT person, you can do it via the recovery boot option.


After forcing a password change like this, you can use the new password to login to the account. Anything that was encrypted with the old password (such as the keychain or encrypted DMG disk image files) stays encrypted with the old password. If you have really forgotten it, that data is gone for good.


So far I understood that if I have an encrypted folder password stored in keychain this keychain (and thus password to encrypted folder) will be available to anyone who has a login password.


Yes


So my only reliable option is NOT to store password for encrypted folders in keychain.

Correct?


It depends on your definition of reliable. For maximum security, you should never store passwords anywhere. They should be long, memorable phrases of about 100-120 characters, misspelled, upper and lower case, with special characters, and some out-of-character obscenities thrown in for good measure. That would be a secure password, but very unreliable as you would likely never remember it.


And just out of curiosity - if admin changes my login password will my keychain be automatically available to anyone who logs in with this new password or it will require the previous one?


It will require the previous one. If you change your password, the system updates your keychain password to match.


Again, what is your goal here? The administrator, also called "super-user", is called that for a reason. They have what is called "administrative authority" to control, or deny, your access to the system. They may combine that "administrative authority" with something called "cognitive authority" to install a keylogger. Then you might have some explaining to do. I suggest you tread carefully.
