Register FAQ / Rules Forum Spy Search Today's Posts Mark Forums Read
Go Back   MacRumors Forums > Apple Systems and Services > Mac Basics and Help

Reply
 
Thread Tools Search this Thread Display Modes
Old Feb 20, 2013, 02:05 PM   #1
markinmiami
macrumors newbie
 
Join Date: Feb 2013
Any way to block the MAC terminal program

Hello,
My son is a home schooler who uses the computer to access his online curriculum.
When I got this mac mini computer, I set up an admin user (for myself) and two other users for him: one that only had access to his online curriculum and other course/ work material, and a second that gave him full access to games, the Net, etc..

This worked very well for a while as he only knew the password for his 'work account'; the 'games/ net' user required me entering a password that he didn't know. In this way, I could leave for work confident that he would only have access to his home work etc.. At the end of the day than, if all was done, I'd give him access to the main site.

Recently though I discovered (actually he told me) that he had learned how to create a new admin user account, and to basically get around my controls in order to use the net and games etc.. It had something to do with coding the Mac terminal program.

Although a good fellow, my son now can't resist playing games etc. while I'm away.

What I wanted to know is if there's some way, assuming I start from scratch, to block his access to the Terminal program? That is, assuming a pristine new mac mini, can i do something from my Admin account that would prevent him from reaching the Terminal programs from his sub accounts?

ANY HELP WOULD BE MUCH APPRECIATED! A boy's education is suffering, and a father's frustration growing!
Mark
markinmiami is offline   0 Reply With Quote
Old Feb 20, 2013, 02:07 PM   #2
GGJstudios
macrumors Westmere
 
Join Date: May 2008
You can restrict access to apps via Parental Controls.
GGJstudios is offline   0 Reply With Quote
Old Feb 20, 2013, 04:58 PM   #3
Apple fanboy
macrumors 68040
 
Apple fanboy's Avatar
 
Join Date: Feb 2012
Location: United Kingdom
Fair play to your son for finding a work around. Why not make it a bit harder for him and see how he gets on with that.
__________________
Late 2012 21" iMac 2.9GHz i5, ITB FD, 16G RAM, 2 TB TimeCapsule, iPhone 5 32GB, iPad Air 32G, iPad 4 32G, iPad 2 16G, ATV2, iPod touch 4th gen 8G, Xbox 360. Nikon D7100,18-55mm, 70-300mm VR lenses
Apple fanboy is offline   0 Reply With Quote
Old Feb 20, 2013, 05:00 PM   #4
Peace
macrumors P6
 
Peace's Avatar
 
Join Date: Apr 2005
Location: Space--The ONLY Frontier
Quote:
Originally Posted by Apple fanboy View Post
Fair play to your son for finding a work around. Why not make it a bit harder for him and see how he gets on with that.
I agree. He might just have a mind for tinkering with OS's. That could be a good sign of his aptitude for computer programming.
Peace is offline   0 Reply With Quote
Old Feb 20, 2013, 05:11 PM   #5
Intell
macrumors G5
 
Intell's Avatar
 
Join Date: Jan 2010
Location: Inside
Make sure you setup a firmware password on that machine as well. That will block a main point of entry. Just make sure you do not forget that password. If you do, you'll have to take the Mini to an Apple Store to have it reset.
__________________
Last edited by Intell; Yesterday at 10:24 AM.
Intell is offline   0 Reply With Quote
Old Feb 21, 2013, 03:45 PM   #6
markinmiami
Thread Starter
macrumors newbie
 
Join Date: Feb 2013
Thanks everyone for the help! I didn't realize I could do this from the parental controls. Found it right now in the Utilities folder.

How do you create a firmware password?

I'm with you all on not squelching what's a powerful interest and what seems to be a real aptitude for computers. The problem though is that all balance goes out the window and he'll just sit there at the terminal day & night if we don't limit it somehow.

----------

Just found out how to set a firmware password. Here:
http://support.apple.com/kb/HT1352?v...S&locale=en_US

----------

Just realized that I will first have to find and delete his hidden users. How would I go about doing that??
markinmiami is offline   0 Reply With Quote
Old Feb 21, 2013, 06:32 PM   #7
Intell
macrumors G5
 
Intell's Avatar
 
Join Date: Jan 2010
Location: Inside
Quote:
Originally Posted by markinmiami View Post
Just realized that I will first have to find and delete his hidden users. How would I go about doing that??
System Preferences>Accounts. The best way would be to reinstall Mac OS X to a fresh blank state then lock it down once down installing.
__________________
Last edited by Intell; Yesterday at 10:24 AM.
Intell is offline   0 Reply With Quote
Old Feb 21, 2013, 08:07 PM   #8
xShane
macrumors 6502a
 
xShane's Avatar
 
Join Date: Nov 2012
Location: United States
I believe you can allow only certain applications in Parental Controls (obviously only allowing ones required for school).

I do know there are other ways to circumvent/replace an admin password without even logging into an account, though.
__________________
Macbook Pro 15" 2.6, 8GB, 750GB, 1GB VRAM
"Everything for the people, nothing by the people."

"Be the change that you wish to see in the world."
xShane is online now   0 Reply With Quote
Old Feb 22, 2013, 12:03 AM   #9
chown33
macrumors 603
 
Join Date: Aug 2009
Quote:
Originally Posted by xShane View Post
I do know there are other ways to circumvent/replace an admin password without even logging into an account, though.
Like by booting into Recovery Disk and using the password reset tool.

There are quite a few pathways one can take when one has physical access to the machine. Google search terms:
os x reset password
os x reset admin password


There is also a Master Password that can be set independent of account passwords, and this can be used to gain entry as an admin. It's set using the gear icon at the bottom of the list in the Users & Groups pane of System Preferences. It's tied to the hard disk, so if you boot from a different disk, it changes.


In addition to whatever technical means the OP takes, I recommend setting a policy ("code of conduct") as well, and having the son agree to it ("contract"), possibly even negotiate some of the terms with the kid. Contracts and negotiations are useful skills, even when done in simple forms.
chown33 is offline   0 Reply With Quote
Old Feb 22, 2013, 08:40 AM   #10
Intell
macrumors G5
 
Intell's Avatar
 
Join Date: Jan 2010
Location: Inside
Do note that a firmware password will disallow access to other startup disks, including the recovery partition and single user mode. A great way to block a number of entry points.
__________________
Last edited by Intell; Yesterday at 10:24 AM.
Intell is offline   0 Reply With Quote
Old Feb 22, 2013, 02:27 PM   #11
markinmiami
Thread Starter
macrumors newbie
 
Join Date: Feb 2013
Thank you all again for helping out. Really appreciate it.
markinmiami is offline   0 Reply With Quote
Old Feb 22, 2013, 03:26 PM   #12
chrfr
macrumors 68000
 
Join Date: Jul 2009
Quote:
Originally Posted by Intell View Post
System Preferences>Accounts. The best way would be to reinstall Mac OS X to a fresh blank state then lock it down once down installing.
It is possible to make hidden admin users that don't show up in the Users & Groups/Accounts preference without much effort, so I agree, it may make sense to reinstall the OS.
chrfr is offline   0 Reply With Quote
Old Feb 24, 2013, 09:16 PM   #13
Mac Write
macrumors member
 
Join Date: Dec 2012
Location: Vancouver British Columbia
Here is an excellent knowledge base article by Apple on How to Hide a User Account in Mac OS X. I would really love to know how he was able to excavate his user to admin rights. Sounds like it could be a OS X vulnerability.
Mac Write is offline   0 Reply With Quote
Old Feb 24, 2013, 09:20 PM   #14
Intell
macrumors G5
 
Intell's Avatar
 
Join Date: Jan 2010
Location: Inside
Quote:
Originally Posted by Mac Write View Post
Here is an excellent knowledge base article by Apple on How to Hide a User Account in Mac OS X. I would really love to know how he was able to excavate his user to admin rights. Sounds like it could be a OS X vulnerability.
Single User Mode. Standard on all Mac OS X machines and easily blockable with a firmware password. Not a vulnerability, a design feature.
__________________
Last edited by Intell; Yesterday at 10:24 AM.
Intell is offline   0 Reply With Quote
Old Feb 24, 2013, 10:37 PM   #15
ratfink
macrumors member
 
Join Date: Feb 2012
Quote:
Originally Posted by Intell View Post
Single User Mode. Standard on all Mac OS X machines and easily blockable with a firmware password. Not a vulnerability, a design feature.
It really doesn't sound like he's using single user mode. That wouldn't involve Terminal.app. Assuming the system is fully patched he shouldn't be able to just open a terminal and gain admin privileges. That is, unless he's already using an admin account.

It sounds more to me like he's just using a terminal to bypass whatever software is being used to block network access. A fix would depend on what they're using for parental controls.

My advice would be to use a filtering router and block his access when you want to from another computer (so he can't use a key logger).
ratfink is offline   0 Reply With Quote
Old Feb 25, 2013, 01:16 AM   #16
Mac Write
macrumors member
 
Join Date: Dec 2012
Location: Vancouver British Columbia
I didn't think he used Single User Mode.
Mac Write is offline   0 Reply With Quote

Reply
MacRumors Forums > Apple Systems and Services > Mac Basics and Help

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 05:42 PM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC