Stop file deletion by a local admin

HelpDeskWarrior
New Contributor II

We have a .app file on the desktop that students are deleting. They log in using an account that we create that needs to be local admin.

Is there any way to stop the file from being deleted by running a script using chmod or chown commands? I have experimented with this and got to the point of being able to lock it down, but when trying to delete the file, I get asked for the user's password, which I can enter and then successfully delete because the account is admin.

5 REPLIES

donmontalvo
Esteemed Contributor III

Admin rights <-- all bets are off. :)

Why not enforce the app? By that I mean, EA to confirm the app is there. If it goes away, policy puts it back. They'll eventually give up.

--
https://donmontalvo.com

Aaron
Contributor II

You can lock the app using "chflags", which will prevent deletion unless you unlock it again. But if the students are able to get local admin rights, and they know what they're doing, it won't stop them. This would be more of a deterrent for those that don't know better.

sudo chflags uchg /Path/to/Application.app

tlarkin
Honored Contributor

You can try making the app immutable using chflags, but really, just disabling that account when not in use or not giving them the admin password is probably the best answer.

This does not stop an admin account from removing the immutable flag; it simply makes them learn how to use Unix, which I am guessing a teenager who has a ton of free time and access to Google will probably figure out.

HelpDeskWarrior
New Contributor II

The user account in question was not an admin after all. I used the following command to lock the .app; when they try to delete it, they get a request for admin privileges.

sudo chmod +a "<user> deny delete,delete_child,file_inherit,directory_inherit,chown,writesecurity" /Users/<user>/Desktop/ApplicationLauncher.app

donmontalvo
Esteemed Contributor III

ACLs FTW. :)

--
https://donmontalvo.com
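
The enforcement idea from the first reply (an EA confirms the app is there, a policy puts it back), combined with the `chflags uchg` and deny-delete ACL locks posted in the thread, as an added example that is not part of the thread or anyone's own script: a Jamf extension attribute that reports the bundle's state. The path in `APP` and the result strings are assumptions; `ls -ldeO` is the macOS `ls` with ACLs (`-e`) and file flags (`-O`).

```shell
#!/bin/sh
# Added example, not from the thread: Jamf extension attribute (EA) reporting
# whether the launcher app is still present and which protections it carries.
# APP is an assumed path; point it at the real bundle.
APP="${APP:-/Users/Shared/ApplicationLauncher.app}"

# Classify the output of `ls -ldeO <bundle>` read from stdin.
# Line 1 is the long listing (field 5 = file flags because of -O);
# following lines are ACL entries such as " 0: user:x deny delete,...".
classify_listing() {
    awk '
        NR == 1 {
            n = split($5, flags, ",")
            for (i = 1; i <= n; i++) if (flags[i] == "uchg") locked = 1
            next
        }
        / deny / {
            # Permission list is the last field; look for the delete right.
            n = split($NF, perms, ",")
            for (i = 1; i <= n; i++) if (perms[i] == "delete") acl = 1
        }
        END {
            if (locked && acl) print "Present: uchg + deny-delete ACL"
            else if (acl)      print "Present: deny-delete ACL"
            else if (locked)   print "Present: uchg"
            else               print "Present: unprotected"
        }'
}

# Value Jamf records for this Mac; a smart group on "Missing" or
# "unprotected" can scope the policy that reinstalls and relocks the app.
ea_value() {
    if [ ! -d "$1" ]; then
        echo "Missing"
    else
        ls -ldeO "$1" | classify_listing
    fi
}

echo "<result>$(ea_value "$APP")</result>"
```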