
user12345678

macrumors newbie
Original poster
Jan 25, 2011
I always assumed that, by default, standard users would not be allowed to download and install software in Mac OS X. But I just realized yesterday that they can. I'm baffled - isn't this a HUGE security vulnerability?

For example, as a standard user, I am able to download and install Opera as long as I drag the app file to the user's desktop (instead of the Applications folder). How can I prevent this? I tried restricting permissions on Installer.app, but that didn't work.
 
As most Mac OS X applications are just installed via drag and drop (read and write), you can't prevent that for a standard user. And as most applications don't need to access critical system files, it is not a security risk anyway, as accessing system folders requires a password. Therefore applications like Photoshop can't be installed as a standard user.
 
If the OP has locked down browsers with parental or other controls, being able to load an unrestricted browser seems like a security risk.

B

How so? What could a browser access belonging to the system and changing it or adding something?

edited to add:

I just tried a Standard User with Parental Controls and limited application access and could not open a download browser like Opera. I even had to enter a password to open Firefox, even though it was allowed. Hmm.
 
As far as I know there are only really two good solutions...

1) setting up another user account, which you can separate from yours, and delete later on.

2) using a program like Deep Freeze for OS X, which creates an image with all your settings the way you want it then locks it. Then, people can freely use the computer any way they choose depending upon your settings, and can install anything they are able to. Whenever the computer is restarted it will automatically go back to the original state [your settings].

 
We do use Deep Freeze already, but thanks for the suggestion.

Using parental controls and limited application access seems like it would prevent too many authorized programs from running. I want users to be able to run anything that's already installed, but not be able to install/run anything else.

The scenario I'm trying to prevent (I'm not sure if this would technically be considered a "security vulnerability" but it's important to my business) is users installing software that allows them to capture streaming media. I have streaming media that can only be viewed on these machines, and if someone can install a program that allows them to capture it and take it with them, it defeats so many of our other security measures.
 
How so? What could a browser access belonging to the system and changing it or adding something?
Different kind of security risk, I was thinking more along the same lines as the OP. If I can run an unauthorized browser I can upload information I have access to locally to the cloud.

The system isn't compromised, but the information is.

B
 
I always assumed that, by default, standard users would not be allowed to download and install software in Mac OS X.

Standard users are not allowed to make system-wide changes, which includes installing software in /Applications. However, the default is that they are able to start apps within their home folder. If you want to lock down the system, use Parental Controls and only allow running a limited set of applications. In that case, a user could download the executable but the system would not let it run. For finer-grained computer management, use MCX either standalone or connected to an Open Directory system. It is possible to do just about anything you imagine.

Boris Herman, ACSA
 
...
The scenario I'm trying to prevent (I'm not sure if this would technically be considered a "security vulnerability" but it's important to my business) is users installing software that allows them to capture streaming media. I have streaming media that can only be viewed on these machines, and if someone can install a program that allows them to capture it and take it with them, it defeats so many of our other security measures.

Do the machines need to be attached to the internet? If there's no internet access, then users can't access any software to install. Obviously, you'll also need to disable USB ports and the optical drive so people can't bring software in that way.
 
The machines are connected to the Internet, so disabling USB and other ports won't do the trick.

I didn't know about MCX, but it seems that would involve a broader restructuring of the systems. But I'll keep it in mind as a backup plan.

I'm going to play around with the Parental Controls and see if that will suffice. I'm worried that they'll prevent authorized things like plugins and java apps, but perhaps they'll work for me.

Thanks everyone for the quick responses and great ideas.
 
I just wanted to check back in with my progress. So far, so good, with the Parental Controls. I really expected them to be overly restrictive, but I think they may just do the trick.

Thanks again.
 
I think that you can set up a guest account. Anything you do while logged on that account will be deleted upon restart/logoff. What I don't know is if you can set Parental Control on that account...
 
Okay... it *almost* works. Except, now that Parental Controls are turned on, Firefox gets "Bad Request (Invalid Verb)" errors on some pages. Google didn't turn up much that was helpful. Any ideas about this?
 
So far this is the solution I am using.

- in the user's home dir verify the 'Applications' directory exists, if not create it.
- assign it the user 'root' and group 'admin' "chown root:admin Applications".
- assign permissions of 000 to it "chmod 000 Applications"

They are then always prompted when installing an application. This is not thoroughly tested on my machine but so far it throws up the authentication prompt for that user to install something. It will not prevent them running a standalone app if they have something that can do that without being installed.
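
An audit for the lockdown described in the post above, as an added example that is not part of the original thread: it checks that a home folder's `Applications` directory is root-owned with mode 000, and lists `.app` bundles sitting anywhere else in that home (the Desktop case from the first post, which the lockdown does not cover). The function names are illustrative, and the owner UID is a parameter (default 0) so the check can be tried without root.

```shell
#!/bin/sh
# Added example: audit one home directory against the ~/Applications lockdown.
# Function names are hypothetical, not from any Apple tool.

# Print every .app bundle (a directory containing Contents/MacOS) under $1.
find_user_apps() {
    find "$1" -type d -name '*.app' -prune 2>/dev/null |
    while IFS= read -r bundle; do
        if [ -d "$bundle/Contents/MacOS" ]; then
            printf '%s\n' "$bundle"
        fi
    done
}

# Succeed only if $1/Applications exists, has mode 000, and is owned by UID $2.
applications_locked() {
    al_dir="$1/Applications"
    al_uid="${2:-0}"
    [ -d "$al_dir" ] || return 1
    # ls -ldn fields: 1 = mode string, 3 = numeric owner UID
    set -- $(ls -ldn "$al_dir")
    case "$1" in
        d---------*) ;;          # trailing * tolerates the macOS '@' / '+' suffix
        *) return 1 ;;
    esac
    [ "$3" = "$al_uid" ]
}

# Report for one home directory: lock state, then each bundle found.
audit_home() {
    if applications_locked "$1" "${2:-0}"; then
        echo "LOCKED $1/Applications"
    else
        echo "OPEN $1/Applications"
    fi
    find_user_apps "$1" | sed 's/^/APP /'
}

# Usage: sh audit.sh /Users/someuser
if [ "$#" -gt 0 ]; then
    audit_home "$1"
fi
```

Any `APP` line in the output is a bundle the user can launch without ever touching the locked `Applications` folder.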
 