2
I want to create an administrator account on my laptop that does not have access to other administrator accounts.
In the sudo visudo file
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
#%admin ALL = (ALL) ALL
my-user ALL = (ALL) ALL
What I am trying to do here is to allow only sudo from my account and not the other administrator. This is what I have done so far, but I am not sure if it is enough (or will even work to begin with to be honest).
Jonathan Winger-Lang
Posted 2018-09-19T15:14:10.710
Reputation: 23
2Fundamentally, any user in the sudoers file will be able to give themselves access to programs and files. You can do things like restrict file permissions to block casual browsing of restricted files, but if a user is present in sudoers, then they can just run "sudo su" to have full access. What's your goal : to prevent access to specific files/folder ? To prevent running specific applications? – Christopher Hostage – 2018-09-19T15:34:29.533
The user in my example is not present. I have a third account named "PseudoAdmin". I have only whitelisted root and my-user in the sudo file.
The goal is essentially creating an account that looks like an administrator, but does not have the ability of looking at my personal files. – Jonathan Winger-Lang – 2018-09-22T14:34:20.757
It would help if OP explained the circumstances. Is this Mac public property, shared with someone, or OP's alone? If it's OP's alone, is it in a lockable room? If it's shared, is PsuedoAdmin for a friend to physically access the Mac, Remote Desktop, File Sharing, or SSH? What does "looks like an administrator" mean to you? Pretend you're an attacker - what tests would you do to determine admin status? If OP is hoping an attacker will have a brief look, not see Important Files, and give up, I suggest Googling "security by obscurity." – Christopher Hostage – 2018-09-24T02:21:57.307
1Fair enough, sorry. Basically this is a shared laptop where person A has requested me to create an admin account, strictly for policy reasons. I, person B, want to follow the policy while restricting this account from possibly reaching into my own private portion of the laptop.
It might be worth noting that no one would be using the new account, it is strictly for policy reasons. The initial intention with the account was to create a separate account that would be backed up (again, this is all policy) while leaving our personal accounts in peace. – Jonathan Winger-Lang – 2018-09-25T15:56:07.523
Good. The answer provided by music2myear is correct. Any administrator will be able to view all files on the machine, so you will have to trust all the people who have that password. If you want a little privacy, you will need to have a machine that you own that you alone control. There's many other security considerations, but that's the start. – Christopher Hostage – 2018-09-25T18:30:37.897
Go ahead and post a new question with your newly clarified question. We've answered this one, but it seems your "real" question was lying underneath it all and we've just now found it out. It deserves its own place. – music2myear – 2018-09-28T02:17:38.333