Change permissions so users can't open the folder

tegus232
Contributor

Hi,

 

Does anyone know a command that will lock the folder to the point where an end user, including an admin, can't open it, but that still lets Jamf make the changes in the background?

 

Thank you

2 REPLIES

damienbarrett
Valued Contributor

Almost everything performed by the Jamf binary is done as the root user. You could write a script that changes ownership of a folder (and its contents) to be owned by root, but not the admin group or everyone group. So only the root user (system) could access it. Take a look at the Downloads folder in /Library/Application Support/JAMF/Downloads as an example.

chown -R root:admin [directory/file path]

chmod -R 700 [directory/file path]

AJPinto
Honored Contributor II

Unfortunately, giving admin access is kinda giving away the keys to the castle. Any terminal commands you use to change permissions to stop a user from accessing a folder, the user can use to undo the changes. Admin access comes with sudo (or root) level access.

 

  • You could adjust the sudoers file to change who has sudo access, but be extremely careful with sudoers.
  • You could try to set permissions, and then flag the folder as immutable. This will only be useful for very specific cases, as immutable files are just that, immutable, and this includes for you.
  • You could try to simply hide the folder. It does not prevent a user from opening the folder, but a user does need to go out of their way to find the folder.

I suppose why you are wanting to do this would help narrow down possible options on what should be done.
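
The two replies combined, as an added example that is not part of either post: a script that applies the chown/chmod lock from the first reply and then checks for drift, since the second reply notes an admin with sudo can undo it. The function names and the LOCK_OWNER / LOCK_GROUP variables are hypothetical; the check covers the owner and mode bits only, not ACLs or flags.

```shell
#!/bin/sh
# Added example: lock a folder to one owner, then verify the lock is in place.
# LOCK_OWNER / LOCK_GROUP are hypothetical variables defaulting to root:admin,
# as in the reply. Changing ownership to root requires running as root,
# which is how Jamf policy scripts run.
LOCK_OWNER="${LOCK_OWNER:-root}"
LOCK_GROUP="${LOCK_GROUP:-admin}"

# Print "<mode> <uid>" for a path; ls -ldn output is the same on macOS and Linux.
mode_and_uid() {
    # Keep only the 10 type/permission characters (drops a trailing + or @).
    ls -ldn -- "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# Return 0 if the folder is owned by the expected uid and closed to group/other.
is_locked() {
    dir=$1
    case $LOCK_OWNER in
        ''|*[!0-9]*) want_uid=$(id -u "$LOCK_OWNER") || return 2 ;;
        *)           want_uid=$LOCK_OWNER ;;   # already a numeric uid
    esac
    set -- $(mode_and_uid "$dir")
    [ "$1" = "drwx------" ] && [ "$2" = "$want_uid" ]
}

# Apply the ownership and mode from the reply, then confirm they took effect.
lock_folder() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chown -R "$LOCK_OWNER:$LOCK_GROUP" "$dir" || return 1
    chmod -R 700 "$dir" || return 1
    is_locked "$dir"
}

# Report whether the lock still holds, e.g. from a recurring policy.
check_drift() {
    if is_locked "$1"; then echo "OK"; else echo "DRIFT"; fi
}
```

Running check_drift on a schedule and re-applying lock_folder on DRIFT turns the one-off commands into an enforced state.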