Non-admins can use Terminal as Root using Bash

HelpDeskWarrior
New Contributor II

Much to our surprise we have just recently found that non-admin users can run a Bash shell out of Terminal (standard users have access to Terminal). So effectively, anyone with the right knowledge can run SUDO commands.

Is this normal? If so, what is the best way to remove permissions from the Terminal application using Casper?

1 ACCEPTED SOLUTION

Aaron
Contributor II

I'd say SIP is probably getting in the way.

You'll firstly want to make sure non-admins don't have sudo rights. You can do this by running "visudo" as root, and making sure the "User privilege" section only lists:

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

If you want to go the extra mile, you can also set up a "Restricted Software" policy in Casper which targets "/Applications/Utilities/Terminal.app"

View solution in original post

14 REPLIES 14

jason_bracy
Contributor III

Unless they are an admin user they will not be able to run sudo.

sean
Valued Contributor

Being able to run commands in Terminal is normal for all users. However, restrictions are in place to deny the running of many commands without admin permissions. 'sudo' is a way to elevate your permissions to be allowed to run commands you can't run directly as the current active terminal user. If you aren't allowed to run sudo you will be denied that too.

This is all configured in the /etc/sudoers file (which you don't edit directly, but use visudo). You can edit it directly, but don't. If you mess the file up, you could end up not being able to fix the file and possibly banjax the machine.

For example, if root runs:

$ ls -al /System/Library/User Template/

It will list everything in that directory, whilst if a non-admin runs that:

$ ls -al /System/Library/User Template/
ls: : Permission denied

They could try sudo, but if they haven't been allowed to run that command within the sudoers file:

$ sudo ls -al /System/Library/User Template/

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
stduser is not in the sudoers file.  This incident will be reported.

If you do have standard users that can use sudo, check your sudoers file to see what they have been allowed to run.

bollman
Contributor II

optional image ALT text

HelpDeskWarrior
New Contributor II

Thanks...we found that for some strange reason our image at some time had permissions set for ALL in the sudoers file.

HelpDeskWarrior
New Contributor II

Thanks @sean but I'm still trying to lock down Terminal though, and even logged on as root, if I try to change the 'everyone' permissions I get the error 'The operation cant be completed because you don't have the necessary permission'. I've made sure the padlock is open.

Aaron
Contributor II

I'd say SIP is probably getting in the way.

You'll firstly want to make sure non-admins don't have sudo rights. You can do this by running "visudo" as root, and making sure the "User privilege" section only lists:

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

If you want to go the extra mile, you can also set up a "Restricted Software" policy in Casper which targets "/Applications/Utilities/Terminal.app"

sean
Valued Contributor

As @Aaron suggested, if you are running 10.11, SIP locks this down, notice it is 'restricted'

$ ls -lO /Applications/Utilities/ | grep "Terminal"
drwxr-xr-x@ 3 root  wheel  restricted 102  9 Dec 15:44 Terminal.app

So no, you won't be able to mess with it. There is nothing wrong with users being able to use Terminal, just ensure the sudoers file is as suggested.

mm2270
Legendary Contributor III

Yep, if on 10.11, SIP is preventing you from messing with the permissions on the application, and in all honesty, you should not be doing that anyway, even if SIP wasn't blocking you. If you really want to prevent any Terminal access to users, however unnecessary that may be, look at using Restricted Software instead as @Aaron suggested.

Kedgar
Contributor

By default, only individuals in the admins group can use sudo. Are your users local admins?

HelpDeskWarrior
New Contributor II

@sean @Aaron So are you saying that in OSX 10.11 you can't actually restrict Terminal use? My manager really wants this done. If not thats fine, its a limitation of 10.11.

Aaron
Contributor II

You can restrict use, just not by doing anything directly to the Terminal application itself (since it's protected). You will need to make a Restricted Software Policy to detect and terminate it, with the added bonus of a warning message to the user. You can also apply this to a group of users, so you can have select power users that can still use it (you don't want to kill it entirely from a support point of view, it's too valuable a utility)

sean
Valued Contributor

As per my post, you can see that Terminal is 'restricted'. This is SIP control. The only way to mess with this would be to either turn SIP off or access the OS in one of the other defined methods, e.g. from recovery mode and mess with the sip control.

First, don't turn off SIP. Second, messing with SIP can be futile, since Apple can revert anything you change from an OS update.

Really, there is no harm users being able to use Terminal, but as mentioned, you could use Casper to add Terminal to the list of Restricted Software if your manager has that level of paranoia. If users aren't admin or have some other level of privileges added via the sudoers file there really isn't anything they can do with Terminal, so denying it is a useful as a chocolate teapot.

Blocking it, however, would mean if you were at a users desk and wanted to use Terminal to look at anything, you wouldn't be able to.

Aaron
Contributor II

Also probably worth mentioning, that if the users are determined, it's going to be a game of whack-a-mole, because there's terminal application alternatives that they can download and run.

The ideal solution in your case is to remove sudo rights from non-admins.

sean
Valued Contributor

Kinda. More of a case of don't add them to sudoers in the first place. Default is root and admins only.

As for other Apps, we block the use of apps running from user space or external drives, so only Applications in the system space can run and users can't put things there.