How can I prevent standard users from installing software?

Discussion in 'macOS' started by user12345678, Jan 25, 2011.

  1. user12345678 macrumors newbie

    Joined:
    Jan 25, 2011
    #1
    I always assumed that, by default, standard users would not be allowed to download and install software in Mac OS X. But I just realized yesterday that they can. I'm baffled - isn't this a HUGE security vulnerability?

    For example, as a standard user, I am able to download and install Opera as long as I drag the app file to the user's desktop (instead of the Applications folder). How can I prevent this? I tried restricting permissions on Installer.app, but that didn't work.
     
  2. simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #2
    As most Mac OS X applications are just installed via drag and drop (read and write), you can't prevent that for a standard user. And as most applications don't need to access critical system files, it is not a security risk anyway, as accessing system folders requires a password. Therefore applications like Photoshop can't be installed as standard user.
     
  3. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #3
    If the OP has locked down browsers with parental or other controls, being able to load an unrestricted browser seems like a security risk.

    B
     
  4. simsaladimbamba, Jan 25, 2011
    Last edited: Jan 25, 2011

    simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #4
    How so? What could a browser access belonging to the system and changing it or adding something?

    edited to add:

    I just tried a Standard User with Parental Controls and limited application access and could not open a download browser like Opera. I even had to enter a password to open Firefox, even though it was allowed. Hmm.
     
  5. Sweetfeld28 macrumors 65816

    Sweetfeld28

    Joined:
    Feb 10, 2003
    Location:
    Buckeye Country, O-H
    #5
    As far as I know there are only really two good solutions...

    1) setting up another user account, which you can separate from yours, and delete later on.

    2) using a program like Deep Freeze for OS X, which creates an image with all your settings the way you want it then locks it. Then, people can freely use the computer anyway they choose depending upon your settings, and can install anything they are able to. Whenever the computer is restarted it will automatically go back to the original state [your settings].

    Link
     
  6. user12345678 thread starter macrumors newbie

    Joined:
    Jan 25, 2011
    #6
    We do use Deep Freeze already, but thanks for the suggestion.

    Using parental controls and limited application access seems like it would prevent too many authorized programs from running. I want users to be able to run anything that's already installed, but not be able to install/run anything else.

    The scenario I'm trying to prevent (I'm not sure if this would technically be considered a "security vulnerability" but it's important to my business) is users installing software that allows them to capture streaming media. I have streaming media that can only be viewed on these machines, and if someone can install a program that allows them to capture it and take it with them, it defeats so many of our other security measures.
     
  7. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #7
    Different kind of security risk, I was thinking more along the same lines as the OP. If I can run an unauthorized browser I can upload information I have access to locally to the cloud.

    The system isn't compromised, but the information is.

    B
     
  8. boris42 macrumors newbie

    Joined:
    Oct 17, 2007
    #8
    Standard users are not allowed to make system-wide changes which includes installing software in /Applications. However, the default is that they are able to start apps within their home folder. If you want to lock down the system, use Parental controls and only allow running a limited set of applications. In that case, a user could download the executable but the system would not let it run. For finer grain computer management use MCX either standalone or connected to an Open Directory system. It is possible to do just about anything you imagine.

    Boris Herman, ACSA
     
  9. snberk103, Jan 25, 2011
    Last edited: Jan 25, 2011

    snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #9
    Do the machines need to be attached to the internet? If there's no internet access, then user's can't access any software to install. Obviously, you'll also need to disable USB ports and the optical drive so people can't bring software in that way.
     
  10. user12345678 thread starter macrumors newbie

    Joined:
    Jan 25, 2011
    #10
    The machines are connected to the Internet, so disabling USB and other ports won't do the trick.

    I didn't know about MCX, but it seems that would involve a broader restructuring of the systems. But I'll keep it in mind as a backup plan.

    I'm going to play around with the Parental Controls and see if that will suffice. I'm worried that they'll prevent authorized things like plugins and java apps, but perhaps they'll work for me.

    Thanks everyone for the quick responses and great ideas.
     
  11. user12345678 thread starter macrumors newbie

    Joined:
    Jan 25, 2011
    #11
    I just wanted to check back in with my progress. So far, so good, with the Parental Controls. I really expected them to be overly-restrictive, but I think they may just do the trick.

    Thanks again.
     
  12. dhd macrumors member

    dhd

    Joined:
    Dec 12, 2007
    Location:
    Hamster-Dam
    #12
    I think that you can set up a guest account. Anything you do while logged on that account will be deleted upon restart/logoff. What I don't know is if you can set Parental Control on that account...
     
  13. user12345678 thread starter macrumors newbie

    Joined:
    Jan 25, 2011
    #13
    Okay... it *almost* works. Except, now that Parental Controls are turned on, Firefox gets "Bad Request (Invalid Verb)" errors on some pages. Google didn't turn up much that was helpful. Any ideas about this?
     
  14. openjaf, Apr 19, 2014
    Last edited: Apr 19, 2014

    openjaf macrumors newbie

    Joined:
    Apr 19, 2014
    #14
    So far this is the solution I am using.

    - in the users home dir verify the 'Applications' directory exists, if not create it.
    - assign it the user 'root' and group 'admin' "chmod root:admin Applications".
    - assign permissions of 000 to it "chmod 000 Applications"

    They are then always prompted when installing an application. This is not thoroughly tested on my machine but so far it throws up the authentication prompt for that user to install something. It will not prevent them running a standalone app if they have something that can do that without being installed.
     

Share This Page