Why can my non-admins can Partition the OS disk?!

CCNapier
Contributor

El Capitan 10.11.6
A non admin network user launches Disk Utility.
- The main Hitachi disk is selected.
- The Partition button is pressed.
- He dials the wheel round from 1TB to 750MB
- Partitioning happens, and a new 250MB partition is successfully added.

Surely this shouldn't be possible, but it is! Is there a way to prevent non-admins from doing this? They may still require access to disk utility to format their USB drive etc.

Thanks

3 REPLIES 3

roiegat
Contributor III

So did a quick test and indeed I was able to partition the main hard drive while logged in as a user. Odd. So my suggestion is to put the disk utility app as a restricted application and have it close if launched. Then put functions like repair permissions in self service so they have no real excuse to use Disk Utility.

mm2270
Legendary Contributor III

Formatting or partitioning drives, I don't think, has ever been an admin level function. At least it hasn't been in a while now. So this is normal behavior insofar as its how Apple designed it. I agree though, it comes across as a little strange. You can lock down things as innocuous as adding a printer to only admins, but can't lock down reformatting or partitioning drives. Go figure.

You could, like @roiegat mentions, set up Disk Utility.app as a Restricted Software process and instead could create a script that would pop up a list of attached drives for formatting (but not partitioning) The script could automatically exclude the boot volume from the list so there's no way it could be used to do any damage to the internal boot volume. They could select the drive to format from the list and the script could use diskutil to do the formatting for them, which would mean they don't need to use the full Disk Utility.app to format their USB or thumb drives. Set this up either as an app they can run, or have it as something they can "launch" from Self Service.

"Disk Utility.app" and "diskutil" are two different processes to the system, even though they are closely related, so the Restricted Software process wouldn't block the latter, only the former.

CCNapier
Contributor

Well then.
At least I'm sort of happy that it's not some mis-configuration on my part.

Thanks for information. I'll see what we want to do to move forward. I'm not sure how big of a problem this actually is, but has been highlighted from site teams.