
TitanTiger

macrumors 6502
Original poster
Jun 8, 2009
Is there a way to block a user on a Mac from opening or using Terminal? I'm running macOS 12.4 Monterey.
 
You could move the application out of the system's Applications folder and put it in your user account's Applications folder.
 
You could move the application out of the system's Applications folder and put it in your user account's Applications folder.
So I tried doing that. Isn't the way you move an app rather than copy it to hold down the Command key and drag it to the folder you want?
 
It appears it won't let you move default macOS apps like Terminal that way. Only third-party ones.
 
Alternately, if there's a way to make it so that Terminal will prompt for admin credentials to open, that would work as well.
 
Ah, they changed this in later versions of macOS.

You can also highlight the application and press command + I and set the sharing and permission options for the application.
 
Set the user as a managed user, and remove Terminal from their list of apps.

Other strategies might be effective, too, but you'd have to describe the technical skill level of the person you're trying to block Terminal access for. For example, if they have an admin account and some AppleScript skills, then the things I'm thinking of won't deter them.

This question, like many others regarding security, depends on the answer to the question:
Who are you trying to defend against?
 
Ah, they changed this in later versions of macOS.

You can also highlight the application and press command + I and set the sharing and permission options for the application.
Terminal has "system" as the only one with read/write permissions. Then it has "wheel" and "everyone" with read-only. Not sure what to change here and not mess something up.



You could restrict what apps can be run with Screen Time.
Screen Time doesn't give an option to disable or hide Terminal the way the old Parental Controls did. The best I can do is create an App Limit. But it won't let you set an app limit of zero - the minimum is one minute. So they could get in, run commands and get out and defeat the purpose.


Set the user as a managed user, and remove Terminal from their list of apps.

Other strategies might be effective, too, but you'd have to describe the technical skill level of the person you're trying to block Terminal access for. For example, if they have an admin account and some AppleScript skills, then the things I'm thinking of won't deter them.

This question, like many others regarding security, depends on the answer to the question:
Who are you trying to defend against?
So in macOS 12.4 at least, you can choose between a Standard, Admin, or Shared User. No "managed" option.

They are novices technically but could think to Google a bit for workarounds. They don't have admin access. It's my child. They have to use Google Chrome for schoolwork and they have a penchant for goofing off when they should be working. Screen Time disables private browsing in Safari but not in other browsers. I've disabled Incognito Mode but you can re-enable it if you find the right Terminal commands. So I'd like to disable Terminal from their user account.

There are a few other reasons I'd like to disable Terminal without admin access, but that's the main one right now.
 
Let me think about the best way to approach this.

Meanwhile, please post the output of these two Terminal commands. If nothing is output, or an error message, please post that output. You should be able to paste each line into a Terminal window, then drag-select the output text, and copy-and-paste into a reply here.
Code:
ls -ld /Applications/Utilities/Terminal.app

id

The 1st command gets the permissions and ownership of the Terminal app.

The 2nd command tells me which groups your account is a member of. This will be important for determining who a permissions change to Terminal.app will block. If it blocks you, then that would be bad.
 
Code:
drwxr-xr-x  3 root  wheel  96 May  9 16:30 /System/Applications/Utilities/Terminal.app

uid=501(titan) gid=20(staff) groups=20(staff),501(access_bpf),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator),704(com.apple.sharepoint.group.3),705(com.apple.sharepoint.group.4)
 
Set the user as non-admin. Then he can do in Terminal only what he can do in his user account.
If you are letting him run as admin, well, that's not an issue of Terminal, but of your wrong security policy.
 
Set the user as non-admin. Then he can do in Terminal only what he can do in his user account.
If you are letting him run as admin, well, that's not an issue of Terminal, but of your wrong security policy.
You'd think. But surprisingly, you can do all sorts of things via Terminal to Chrome that don't require admin privileges, even if you're a standard user.
 
Even if you somehow find a way of disabling the Terminal app, can't they just download something like iTerm instead?

Can you give us an example of something they're doing to Chrome? Give us a Terminal command they've used.
 
Even if you somehow find a way of disabling the Terminal app, can't they just download something like iTerm instead?

Can you give us an example of something they're doing to Chrome? Give us a Terminal command they've used.
They don't have admin rights so they aren't able to install anything.

Without getting into specific commands, there are Terminal commands that can change/reset settings in Chrome. And they seem to work whether you're an admin or not.
 
Santa can block Terminal.
As Santa is managed through Terminal with santactl, the only way to re-enable Terminal is to delete Santa (requires admin password) and reboot.
https://github.com/google/santa
https://santa.dev/details/rules.html
 
Is there a way to block a user on a Mac from opening or using Terminal? I'm running macOS 12.4 Monterey.
you can do something like

Code:
echo "exit" >> ~/.zprofile && chmod 544 ~/.zprofile

this will make it so that when a shell starts, it exits during initialization, and they cannot edit the file ~/.zprofile.

They will still be able to start a different shell, i.e. bash, and they will still be able to change the permissions of that file to re-enable editing of it.

You can `chown` the file to your user too, so that they can't change the permissions on it. This still won't prevent them from running something like `bash` though.

Basically it's nearly impossible to prevent them from logging into a shell without preventing them from logging into the OS.

macOS is built upon Unix, and the shell is a central feature of it.
 
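The following POSIX shell script is an added example, not code from the thread, that shows in a throwaway directory (never the real home directory) why the `~/.zprofile` trick above does not hold: a file made read-only can still be moved aside because `rename()` only needs write permission on the parent directory; the file's owner can always `chmod` it back; and a startup file that exits only affects the one shell that reads it. The `login_shell_survives` check uses `zsh` if it is installed and reports `missing` otherwise; `sh` stands in for "any other shell".

```shell
#!/bin/sh
# Added example (not from the thread): three reasons the ~/.zprofile trick fails.
# Everything happens in a mktemp scratch directory, never a real home directory.

# A read-only (444) file can still be moved aside: rename() needs write on the
# parent directory, not on the file itself. Prints "renamed" or "blocked".
rename_readonly_file() {
  work=$(mktemp -d) || return 1
  printf 'exit\n' > "$work/.zprofile"
  chmod 444 "$work/.zprofile"
  if mv "$work/.zprofile" "$work/zprofile.disabled" 2>/dev/null; then
    result=renamed
  else
    result=blocked
  fi
  rm -rf "$work"
  echo "$result"
}

# The owner of a file can always chmod it back, whatever mode it was given
# (the thread's chmod 544 included). Prints "writable" or "stuck".
owner_can_restore_write() {
  work=$(mktemp -d) || return 1
  printf 'exit\n' > "$work/.zprofile"
  chmod 544 "$work/.zprofile"
  if chmod u+w "$work/.zprofile" 2>/dev/null && [ -w "$work/.zprofile" ]; then
    result=writable
  else
    result=stuck
  fi
  rm -rf "$work"
  echo "$result"
}

# Run SHELL as a login shell with HOME and ZDOTDIR pointed at a directory holding
# the "exit" .zprofile. Prints "alive" if the shell reached the command,
# "killed" if a startup file exited first, "missing" if SHELL is not installed.
login_shell_survives() {
  shell=$1
  command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }
  work=$(mktemp -d) || return 1
  printf 'exit\n' > "$work/.zprofile"
  out=$(HOME="$work" ZDOTDIR="$work" "$shell" -l -c 'echo alive' 2>/dev/null)
  rm -rf "$work"
  if [ "$out" = alive ]; then echo alive; else echo killed; fi
}

# Demonstration run (constructed scratch data only).
echo "read-only file rename:   $(rename_readonly_file)"
echo "owner chmod u+w:         $(owner_can_restore_write)"
echo "zsh login with exit:     $(login_shell_survives zsh)"
echo "sh login, same dir:      $(login_shell_survives sh)"
```

On a Mac the last two lines are the whole story: the `exit` only fires for zsh, and anything that launches `bash`, `sh`, or Terminal's "New Command" with a different shell gets a working prompt.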
They don't have admin rights so they aren't able to install anything.

Without getting into specific commands, there are Terminal commands that can change/reset settings in Chrome. And they seem to work whether you're an admin or not.
Uninstall Chrome? It sounds like Chrome is the problem…
 
They don't have admin rights so they aren't able to install anything.
Only if installing to /Applications. Can install most stuff under a user account (aka the simple drag to install programs). Heck, can run many programs from the installer.
 
Code:
drwxr-xr-x  3 root  wheel  96 May  9 16:30 /System/Applications/Utilities/Terminal.app

uid=501(titan) gid=20(staff) groups=20(staff),501(access_bpf),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator),704(com.apple.sharepoint.group.3),705(com.apple.sharepoint.group.4)
Thanks.

Since I don't see a group listed like 'wheel' or 'admin', I'll next need to compare your groups with those of your child. The command for that is:
Code:
id CHILD
where CHILD is the short username of the child's account. Please post the output of the command.

If you aren't sure what the short username is, it should be the same as their home dir. You can list all the home dirs with this:
Code:
ls -l /Users
You should see one for 'titan', and presumably one for every user with an account.


Of the other replies posted so far, I sorta like the suggestion to use Santa. All I know about it is what I just read on github, but it seems like it could be useful. It's not immediately clear whether it will work on Monterey or not.

I don't think the suggestion of modifying ~/.zprofile (or any other shell's profile file) is a strong solution. For one thing, even if the file's owner is changed, that won't prevent it from being renamed. That's because renaming under POSIX permissions only needs write permission on the enclosing directory, not on the renamed file itself. Once it's renamed, the shell won't see it, so won't interpret it.


Finally, could you clarify this:
Without getting into specific commands, there are Terminal commands that can change/reset settings in Chrome. And they seem to work whether you're an admin or not.
Are you saying that Terminal commands issued by a non-admin user will change global settings for Chrome when it's used by all other users? Or does it only affect that user's Chrome settings?

If it's the former, then that seems like a serious security flaw. Even if all the Mac accounts are sharing a Chrome profile, that just seems like a design flaw that's asking for trouble.

If it's the latter, i.e. only affecting the user who used the Terminal commands, then at least the problem is limited in scope. It's one thing to alter one's own sandbox, but quite another to alter the sandboxes of everyone else in the world.
 
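The two posts above are working out which accounts a permissions change on Terminal.app would lock out, using the `ls -ld` and `id` output. The POSIX shell script below is an added example, not from the thread, that emulates the permission check the kernel applies: exactly one class (owner, group, or other) is selected for a given user, and only that class's execute/search bit counts, so a user who owns the file but whose owner bits lack `x` is blocked even when the group bits would allow it. The users, groups and modes in it are constructed to mirror the `id` output posted above; note that on Monterey the real Terminal.app lives on the read-only Signed System Volume under /System, so a `chmod` or `chgrp` there fails even as root, and this reasoning applies to a copy placed elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the POSIX permission check to see
# which users a chmod/chgrp on an app bundle would lock out.
# Inputs are assumed: a three-digit octal mode, the file's owner and group, and
# each candidate user's name plus their groups as printed by `id -Gn`.

# exec_allowed MODE OWNER GROUP USER "GROUP GROUP ..." -> prints yes or no
# Only ONE class applies: owner if USER owns the file, else group if any of
# USER's groups matches the file group, else other.
exec_allowed() {
  mode=$1 f_owner=$2 f_group=$3 user=$4 user_groups=$5
  u_digit=${mode%??}          # first octal digit: owner
  rest=${mode#?}
  g_digit=${rest%?}           # second octal digit: group
  o_digit=${mode#??}          # third octal digit: other
  if [ "$user" = "$f_owner" ]; then
    digit=$u_digit
  else
    digit=$o_digit
    for g in $user_groups; do
      if [ "$g" = "$f_group" ]; then
        digit=$g_digit
        break
      fi
    done
  fi
  # execute (search, for an .app directory) is the low bit of the octal digit
  if [ $((digit & 1)) -eq 1 ]; then echo yes; else echo no; fi
}

# blocked_users MODE OWNER GROUP "user:group,group,..." ... -> prints the users
# who would lose the ability to enter the bundle, space-separated.
blocked_users() {
  mode=$1 f_owner=$2 f_group=$3
  shift 3
  out=""
  for entry in "$@"; do
    name=${entry%%:*}
    grps=$(printf '%s' "${entry#*:}" | tr ',' ' ')
    if [ "$(exec_allowed "$mode" "$f_owner" "$f_group" "$name" "$grps")" = no ]; then
      out="$out$name "
    fi
  done
  printf '%s\n' "${out% }"
}

# Demonstration with constructed accounts: "titan" has the groups from the id
# output in the thread (no admin), "parent" is an assumed admin account.
TITAN='titan:staff,access_bpf,everyone,localaccounts,_lpoperator'
PARENT='parent:staff,admin,everyone,localaccounts'

echo "current 755 root:wheel blocks:  $(blocked_users 755 root wheel "$TITAN" "$PARENT")"
echo "750 root:admin blocks:          $(blocked_users 750 root admin "$TITAN" "$PARENT")"
echo "750 root:staff blocks:          $(blocked_users 750 root staff "$TITAN" "$PARENT")"
# Owner class wins even when group would allow: alice owns a 075 file.
echo "alice on her own 075 file:      $(exec_allowed 075 alice staff alice staff)"
```

The third line is the trap: `chgrp staff` with mode 750 blocks nobody, because every local account is in `staff` (gid 20), including the child. `root:admin` with 750 is the combination that keeps admin accounts working and locks out a standard user, and it only blocks whoever is not in `admin`, which is why comparing the two `id` outputs matters.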
Finally, could you clarify this:

Are you saying that Terminal commands issued by a non-admin user will change global settings for Chrome when it's used by all other users? Or does it only affect that user's Chrome settings?

If it's the former, then that seems like a serious security flaw. Even if all the Mac accounts are sharing a Chrome profile, that just seems like a design flaw that's asking for trouble.

If it's the latter, i.e. only affecting the user who used the Terminal commands, then at least the problem is limited in scope. It's one thing to alter one's own sandbox, but quite another to alter the sandboxes of everyone else in the world.
If it's the latter, they might be able to lock the user's Chrome config files?
 
If it's the latter, they might be able to lock the user's Chrome config files?
It depends on what the Terminal commands are. For example, if Chrome uses the defaults system in addition to its own files, then things get hairier.

Also, it might be necessary to lock directories, not just files, for reasons outlined above. But that then leads to a regress of locking, all the way up to the home dir, and locking that dir seems unlikely to work out.
 
You'd think. But surprisingly, you can do all sorts of things via Terminal to Chrome that don't require admin privileges, even if you're a standard user.
No, you can't if Chrome is put into the system Applications folder. You can't change anything there without an admin account.
As I said, bad security policy…
 
Can't you just move Terminal out of the Utilities folder & rename to effectively "disable" it? It's in /System/Applications/Utilities - you could move it to ~/Applications/Utilities so it's only available for you? Would that work?
 