Any way to block the MAC terminal program

Discussion in 'Mac Basics and Help' started by markinmiami, Feb 20, 2013.

  1. macrumors newbie

    Joined:
    Feb 20, 2013
    #1
    Hello,
    My son is a home schooler who uses the computer to access his online curriculum.
    When I got this mac mini computer, I set up an admin user (for myself) and two other users for him: one that only had access to his online curriculum and other course/work material, and a second that gave him full access to games, the Net, etc.

    This worked very well for a while as he only knew the password for his 'work account'; the 'games/net' user required me entering a password that he didn't know. In this way, I could leave for work confident that he would only have access to his homework etc. At the end of the day then, if all was done, I'd give him access to the main site.

    Recently though I discovered (actually he told me) that he had learned how to create a new admin user account, and to basically get around my controls in order to use the net and games etc. It had something to do with coding the Mac terminal program.

    Although a good fellow, my son now can't resist playing games etc. while I'm away.

    What I wanted to know is if there's some way, assuming I start from scratch, to block his access to the Terminal program? That is, assuming a pristine new mac mini, can I do something from my Admin account that would prevent him from reaching the Terminal programs from his sub accounts?

    ANY HELP WOULD BE MUCH APPRECIATED! A boy's education is suffering, and a father's frustration growing!
    Mark
     
  2. macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #2
  3. macrumors G3

    Apple fanboy

    Joined:
    Feb 21, 2012
    Location:
    Behind the lens, UK
    #3
    Fair play to your son for finding a workaround. Why not make it a bit harder for him and see how he gets on with that?
     
  4. macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #4
    I agree. He might just have a mind for tinkering with OS's. That could be a good sign of his aptitude for computer programming.
     
  5. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #5
    Make sure you set up a firmware password on that machine as well. That will block a main point of entry. Just make sure you do not forget that password. If you do, you'll have to take the Mini to an Apple Store to have it reset.
     
  6. thread starter macrumors newbie

    Joined:
    Feb 20, 2013
    #6
    Thanks everyone for the help! I didn't realize I could do this from the parental controls. Found it right now in the Utilities folder.

    How do you create a firmware password?

    I'm with you all on not squelching what's a powerful interest and what seems to be a real aptitude for computers. The problem though is that all balance goes out the window and he'll just sit there at the terminal day & night if we don't limit it somehow.

    ----------

    Just found out how to set a firmware password. Here:
    http://support.apple.com/kb/HT1352?viewlocale=en_US&locale=en_US

    ----------

    Just realized that I will first have to find and delete his hidden users. How would I go about doing that??
     
  7. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #7
    System Preferences>Accounts. The best way would be to reinstall Mac OS X to a fresh blank state, then lock it down once done installing.
     
  8. macrumors 6502a

    xShane

    Joined:
    Nov 2, 2012
    Location:
    United States
    #8
    I believe you can allow only certain applications in Parental Controls (obviously only allowing ones required for school).

    I do know there are other ways to circumvent/replace an admin password without even logging into an account, though.
     
  9. macrumors 603

    Joined:
    Aug 9, 2009
    #9
    Like by booting into Recovery Disk and using the password reset tool.

    There are quite a few pathways one can take when one has physical access to the machine. Google search terms:
    os x reset password
    os x reset admin password


    There is also a Master Password that can be set independent of account passwords, and this can be used to gain entry as an admin. It's set using the gear icon at the bottom of the list in the Users & Groups pane of System Preferences. It's tied to the hard disk, so if you boot from a different disk, it changes.


    In addition to whatever technical means the OP takes, I recommend setting a policy ("code of conduct") as well, and having the son agree to it ("contract"), possibly even negotiate some of the terms with the kid. Contracts and negotiations are useful skills, even when done in simple forms.
     
  10. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #10
    Do note that a firmware password will disallow access to other startup disks, including the recovery partition and single user mode. A great way to block a number of entry points.
     
  11. thread starter macrumors newbie

    Joined:
    Feb 20, 2013
    #11
    Thank you all again for helping out. Really appreciate it.
     
  12. macrumors 68040

    Joined:
    Jul 11, 2009
    #12
    It is possible to make hidden admin users that don't show up in the Users & Groups/Accounts preference without much effort, so I agree, it may make sense to reinstall the OS.
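
For the question in post #6 about finding hidden users, and the point in post #12 that such accounts may not show in System Preferences, here is an added example (not part of the original thread) of reviewing the account list from the command line. The account names and the `audit_accounts` helper are hypothetical; the sample input is constructed to look like the output of the two `dscl` commands named in the comments.

```shell
#!/bin/sh
# Added example: review local accounts for unexpected admins or odd low-UID users.
# On the Mac, from the admin account, the two inputs come from:
#   dscl . -list /Users UniqueID
#   dscl . -read /Groups/admin GroupMembership
# Below they are constructed sample output so the logic runs anywhere.

SAMPLE_USERS='_www                    70
daemon                  1
nobody                  -2
root                    0
dad                     501
school                  502
games                   503
helper                  401
extra                   402'

SAMPLE_ADMIN='GroupMembership: root dad helper'

# audit_accounts USERS ADMIN_LINE EXPECTED_ADMIN
# Prints one line per account that deserves a closer look.
audit_accounts() {
    users=$1
    # Pad with spaces so each name can be matched as a whole word.
    admins=" $(printf '%s\n' "$2" | sed 's/^GroupMembership://') "
    expected=$3
    printf '%s\n' "$users" | while read -r name uid; do
        case $name in
            _*|root|daemon|nobody|'') continue ;;   # stock system accounts
        esac
        is_admin=no
        case $admins in *" $name "*) is_admin=yes ;; esac
        if [ "$is_admin" = yes ] && [ "$name" != "$expected" ]; then
            echo "UNEXPECTED-ADMIN $name uid=$uid"
        elif [ "$uid" -lt 500 ]; then
            # Heuristic: UIDs below 500 are normally reserved for system accounts.
            echo "LOW-UID $name uid=$uid"
        fi
    done
}

audit_accounts "$SAMPLE_USERS" "$SAMPLE_ADMIN" dad
```

Any name it reports that the parent did not create is a candidate for removal, or a reason to reinstall as suggested in post #7.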
     
  13. macrumors member

    Joined:
    Dec 16, 2012
    Location:
    Vancouver British Columbia
    #13
    Here is an excellent knowledge base article by Apple on How to Hide a User Account in Mac OS X. I would really love to know how he was able to escalate his user to admin rights. Sounds like it could be an OS X vulnerability.
     
  14. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #14
    Single User Mode. Standard on all Mac OS X machines and easily blockable with a firmware password. Not a vulnerability, a design feature.
     
  15. macrumors member

    Joined:
    Feb 11, 2012
    #15
    It really doesn't sound like he's using single user mode. That wouldn't involve Terminal.app. Assuming the system is fully patched he shouldn't be able to just open a terminal and gain admin privileges. That is, unless he's already using an admin account.

    It sounds more to me like he's just using a terminal to bypass whatever software is being used to block network access. A fix would depend on what they're using for parental controls.

    My advice would be to use a filtering router and block his access when you want to from another computer (so he can't use a key logger).
     
  16. macrumors member

    Joined:
    Dec 16, 2012
    Location:
    Vancouver British Columbia
    #16
    I didn't think he used Single User Mode.
     
