Jamf Nation Community

Being able to run commands in Terminal is normal for all users. However, restrictions are in place to deny the running of many commands without admin permissions. 'sudo' is a way to elevate your permissions to be allowed to run commands you can't run directly as the current active terminal user. If you aren't allowed to run sudo you will be denied that too.

This is all configured in the /etc/sudoers file (which you don't edit directly, but use visudo). You can edit it directly, but don't. If you mess the file up, you could end up not being able to fix the file and possibly banjax the machine.

For example, if root runs:

$ ls -al /System/Library/User Template/

It will list everything in that directory, whilst if a non-admin runs that:

$ ls -al /System/Library/User Template/
ls: : Permission denied

They could try sudo, but if they haven't been allowed to run that command within the sudoers file:

$ sudo ls -al /System/Library/User Template/

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
stduser is not in the sudoers file.  This incident will be reported.

If you do have standard users that can use sudo, check your sudoers file to see what they have been allowed to run.

Thanks...we found that for some strange reason our image at some time had permissions set for ALL in the sudoers file.

Thanks @sean but I'm still trying to lock down Terminal though, and even logged on as root, if I try to change the 'everyone' permissions I get the error 'The operation cant be completed because you don't have the necessary permission'. I've made sure the padlock is open.

As @Aaron suggested, if you are running 10.11, SIP locks this down, notice it is 'restricted'

$ ls -lO /Applications/Utilities/ | grep "Terminal"
drwxr-xr-x@ 3 root  wheel  restricted 102  9 Dec 15:44 Terminal.app

So no, you won't be able to mess with it. There is nothing wrong with users being able to use Terminal, just ensure the sudoers file is as suggested.

Yep, if on 10.11, SIP is preventing you from messing with the permissions on the application, and in all honesty, you should not be doing that anyway, even if SIP wasn't blocking you. If you really want to prevent any Terminal access to users, however unnecessary that may be, look at using Restricted Software instead as @Aaron suggested.

By default, only individuals in the admins group can use sudo. Are your users local admins?

@sean @Aaron So are you saying that in OSX 10.11 you can't actually restrict Terminal use? My manager really wants this done. If not thats fine, its a limitation of 10.11.

You can restrict use, just not by doing anything directly to the Terminal application itself (since it's protected). You will need to make a Restricted Software Policy to detect and terminate it, with the added bonus of a warning message to the user. You can also apply this to a group of users, so you can have select power users that can still use it (you don't want to kill it entirely from a support point of view, it's too valuable a utility)

As per my post, you can see that Terminal is 'restricted'. This is SIP control. The only way to mess with this would be to either turn SIP off or access the OS in one of the other defined methods, e.g. from recovery mode and mess with the sip control.

First, don't turn off SIP. Second, messing with SIP can be futile, since Apple can revert anything you change from an OS update.

Really, there is no harm users being able to use Terminal, but as mentioned, you could use Casper to add Terminal to the list of Restricted Software if your manager has that level of paranoia. If users aren't admin or have some other level of privileges added via the sudoers file there really isn't anything they can do with Terminal, so denying it is a useful as a chocolate teapot.

Blocking it, however, would mean if you were at a users desk and wanted to use Terminal to look at anything, you wouldn't be able to.

Also probably worth mentioning, that if the users are determined, it's going to be a game of whack-a-mole, because there's terminal application alternatives that they can download and run.

The ideal solution in your case is to remove sudo rights from non-admins.

Kinda. More of a case of don't add them to sudoers in the first place. Default is root and admins only.

As for other Apps, we block the use of apps running from user space or external drives, so only Applications in the system space can run and users can't put things there.