Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

markinmiami

macrumors newbie
Original poster
Feb 20, 2013
3
0
Hello,
My son is a home schooler who uses the computer to access his online curriculum.
When I got this mac mini computer, I set up an admin user (for myself) and two other users for him: one that only had access to his online curriculum and other course/ work material, and a second that gave him full access to games, the Net, etc..

This worked very well for a while as he only knew the password for his 'work account'; the 'games/ net' user required me entering a password that he didn't know. In this way, I could leave for work confident that he would only have access to his home work etc.. At the end of the day than, if all was done, I'd give him access to the main site.

Recently though I discovered (actually he told me) that he had learned how to create a new admin user account, and to basically get around my controls in order to use the net and games etc.. It had something to do with coding the Mac terminal program.

Although a good fellow, my son now can't resist playing games etc. while I'm away.

What I wanted to know is if there's some way, assuming I start from scratch, to block his access to the Terminal program? That is, assuming a pristine new mac mini, can i do something from my Admin account that would prevent him from reaching the Terminal programs from his sub accounts?

ANY HELP WOULD BE MUCH APPRECIATED! A boy's education is suffering, and a father's frustration growing!
Mark
 

Intell

macrumors P6
Jan 24, 2010
18,955
509
Inside
Make sure you setup a firmware password on that machine as well. That will block a main point of entry. Just make sure you do not forget that password. If you do, you'll have to take the Mini to an Apple Store to have it reset.
 

markinmiami

macrumors newbie
Original poster
Feb 20, 2013
3
0
Thanks everyone for the help! I didn't realize I could do this from the parental controls. Found it right now in the Utilities folder.

How do you create a firmware password?

I'm with you all on not squelching what's a powerful interest and what seems to be a real aptitude for computers. The problem though is that all balance goes out the window and he'll just sit there at the terminal day & night if we don't limit it somehow.

----------

Just found out how to set a firmware password. Here:
http://support.apple.com/kb/HT1352?viewlocale=en_US&locale=en_US

----------

Just realized that I will first have to find and delete his hidden users. How would I go about doing that??
 

Intell

macrumors P6
Jan 24, 2010
18,955
509
Inside
Just realized that I will first have to find and delete his hidden users. How would I go about doing that??

System Preferences>Accounts. The best way would be to reinstall Mac OS X to a fresh blank state then lock it down once down installing.
 

xShane

macrumors 6502a
Nov 2, 2012
814
37
United States
I believe you can allow only certain applications in Parental Controls (obviously only allowing ones required for school).

I do know there are other ways to circumvent/replace an admin password without even logging into an account, though.
 

chown33

Moderator
Staff member
Aug 9, 2009
10,706
8,346
A sea of green
I do know there are other ways to circumvent/replace an admin password without even logging into an account, though.

Like by booting into Recovery Disk and using the password reset tool.

There are quite a few pathways one can take when one has physical access to the machine. Google search terms:
os x reset password
os x reset admin password


There is also a Master Password that can be set independent of account passwords, and this can be used to gain entry as an admin. It's set using the gear icon at the bottom of the list in the Users & Groups pane of System Preferences. It's tied to the hard disk, so if you boot from a different disk, it changes.


In addition to whatever technical means the OP takes, I recommend setting a policy ("code of conduct") as well, and having the son agree to it ("contract"), possibly even negotiate some of the terms with the kid. Contracts and negotiations are useful skills, even when done in simple forms.
 

Intell

macrumors P6
Jan 24, 2010
18,955
509
Inside
Do note that a firmware password will disallow access to other startup disks, including the recovery partition and single user mode. A great way to block a number of entry points.
 

chrfr

macrumors G5
Jul 11, 2009
13,492
6,981
System Preferences>Accounts. The best way would be to reinstall Mac OS X to a fresh blank state then lock it down once down installing.

It is possible to make hidden admin users that don't show up in the Users & Groups/Accounts preference without much effort, so I agree, it may make sense to reinstall the OS.
 

ratfink

macrumors member
Feb 11, 2012
49
0
Single User Mode. Standard on all Mac OS X machines and easily blockable with a firmware password. Not a vulnerability, a design feature.

It really doesn't sound like he's using single user mode. That wouldn't involve Terminal.app. Assuming the system is fully patched he shouldn't be able to just open a terminal and gain admin privileges. That is, unless he's already using an admin account.

It sounds more to me like he's just using a terminal to bypass whatever software is being used to block network access. A fix would depend on what they're using for parental controls.

My advice would be to use a filtering router and block his access when you want to from another computer (so he can't use a key logger).
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.