Posted on 04-26-2016 09:12 PM
Much to our surprise we have just recently found that non-admin users can run a Bash shell out of Terminal (standard users have access to Terminal). So effectively, anyone with the right knowledge can run SUDO commands.
Is this normal? If so, what is the best way to remove permissions from the Terminal application using Casper?
Solved! Go to Solution.
Posted on 04-28-2016 10:49 PM
I'd say SIP is probably getting in the way.
You'll firstly want to make sure non-admins don't have sudo rights. You can do this by running "visudo" as root, and making sure the "User privilege" section only lists:
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
If you want to go the extra mile, you can also set up a "Restricted Software" policy in Casper which targets "/Applications/Utilities/Terminal.app"
Posted on 04-26-2016 11:18 PM
Unless they are an admin user they will not be able to run sudo.
Posted on 04-27-2016 01:53 AM
Being able to run commands in Terminal is normal for all users. However, restrictions are in place to deny the running of many commands without admin permissions. 'sudo' is a way to elevate your permissions to be allowed to run commands you can't run directly as the current active terminal user. If you aren't allowed to run sudo you will be denied that too.
This is all configured in the /etc/sudoers file (which you don't edit directly, but use visudo). You can edit it directly, but don't. If you mess the file up, you could end up not being able to fix the file and possibly banjax the machine.
For example, if root runs:
$ ls -al /System/Library/User Template/
It will list everything in that directory, whilst if a non-admin runs that:
$ ls -al /System/Library/User Template/
ls: : Permission denied
They could try sudo, but if they haven't been allowed to run that command within the sudoers file:
$ sudo ls -al /System/Library/User Template/
WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.
To proceed, enter your password, or type Ctrl-C to abort.
Password:
stduser is not in the sudoers file. This incident will be reported.
If you do have standard users that can use sudo, check your sudoers file to see what they have been allowed to run.
Posted on 04-27-2016 04:15 AM
Posted on 04-28-2016 07:54 PM
Thanks...we found that for some strange reason our image at some time had permissions set for ALL in the sudoers file.
Posted on 04-28-2016 08:52 PM
Thanks @sean but I'm still trying to lock down Terminal though, and even logged on as root, if I try to change the 'everyone' permissions I get the error 'The operation cant be completed because you don't have the necessary permission'. I've made sure the padlock is open.
Posted on 04-28-2016 10:49 PM
I'd say SIP is probably getting in the way.
You'll firstly want to make sure non-admins don't have sudo rights. You can do this by running "visudo" as root, and making sure the "User privilege" section only lists:
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
If you want to go the extra mile, you can also set up a "Restricted Software" policy in Casper which targets "/Applications/Utilities/Terminal.app"
Posted on 04-29-2016 06:34 AM
As @Aaron suggested, if you are running 10.11, SIP locks this down, notice it is 'restricted'
$ ls -lO /Applications/Utilities/ | grep "Terminal"
drwxr-xr-x@ 3 root wheel restricted 102 9 Dec 15:44 Terminal.app
So no, you won't be able to mess with it. There is nothing wrong with users being able to use Terminal, just ensure the sudoers file is as suggested.
Posted on 04-29-2016 06:50 AM
Yep, if on 10.11, SIP is preventing you from messing with the permissions on the application, and in all honesty, you should not be doing that anyway, even if SIP wasn't blocking you. If you really want to prevent any Terminal access to users, however unnecessary that may be, look at using Restricted Software instead as @Aaron suggested.
Posted on 05-03-2016 08:26 AM
By default, only individuals in the admins group can use sudo. Are your users local admins?
Posted on 05-03-2016 03:43 PM
Posted on 05-03-2016 03:52 PM
You can restrict use, just not by doing anything directly to the Terminal application itself (since it's protected). You will need to make a Restricted Software Policy to detect and terminate it, with the added bonus of a warning message to the user. You can also apply this to a group of users, so you can have select power users that can still use it (you don't want to kill it entirely from a support point of view, it's too valuable a utility)
Posted on 05-03-2016 04:06 PM
As per my post, you can see that Terminal is 'restricted'. This is SIP control. The only way to mess with this would be to either turn SIP off or access the OS in one of the other defined methods, e.g. from recovery mode and mess with the sip control.
First, don't turn off SIP. Second, messing with SIP can be futile, since Apple can revert anything you change from an OS update.
Really, there is no harm users being able to use Terminal, but as mentioned, you could use Casper to add Terminal to the list of Restricted Software if your manager has that level of paranoia. If users aren't admin or have some other level of privileges added via the sudoers file there really isn't anything they can do with Terminal, so denying it is a useful as a chocolate teapot.
Blocking it, however, would mean if you were at a users desk and wanted to use Terminal to look at anything, you wouldn't be able to.
Posted on 05-03-2016 05:17 PM
Also probably worth mentioning, that if the users are determined, it's going to be a game of whack-a-mole, because there's terminal application alternatives that they can download and run.
The ideal solution in your case is to remove sudo rights from non-admins.
Posted on 05-04-2016 12:33 AM
Kinda. More of a case of don't add them to sudoers in the first place. Default is root and admins only.
As for other Apps, we block the use of apps running from user space or external drives, so only Applications in the system space can run and users can't put things there.