Mac OS Security Stuff

Project tangentially related to a class, maybe it will be useful for others.

Was bored in class, messing around on my mac, ended up finding the restricted user account settings on my macbook & messing about with them. They’re actually very competent; they make Fortres look like a wimp. So, I got thinking, it’d be nice to have my laptop automatically switch into this passwordless, highly-restricted account and then give me the option to log back in to my main account. They can dismiss the dialog, but all they can do is internet, ms office, music, and chess. No control over system settings aside from wifi network.

The account is set to auto-login and to hide my account if it isn’t logged in, this combined with an EFI password renders my macbook into a kiosk for anyone who isn’t me. They can do basic stuff, but nothing that will harm the system or compromise my data.

See the entire readme after the break.

Not responsible if you maim yourself or your system.

This set up is meant to replace the mac os mechanism to lock 
the computer after x amount of time in standby and require a password.

Instead, it switches to a highly restricted user account and
then prompts you to enter your password if you wish to switch
back to your user account (that was open when the machine went into standby).

The switch back dialog can be dismissed, and whoever is at the computer
can only use the restricted account.

===== Creating a restricted account =====

Make a new account, without admin privleges.

Enable parental controls for that account.

Web: Enable web filtering.
Apps: Tick "Limit Applications"
Apps: Enable Simple Finder
Other: Tick "Disable changing the password"

Restrict applications as you see fit. I allowed:

Word, Excel, and Powerpoint
DVD Player

Do not give them access to system preferences.

Log into your restricted account. If you are given access denied 
messages, set them to always allow if justified. I know MS office
requires a database daemon to be given said privleges for some features.

Try launching apps, deal with restricted messages as you see fit. 
Log out and back in a few times to make sure new restricted messages 
do not show up.

===== Installation =====


Modify standbylock-daemon.cpp to have the UID of the idiot user account and your desired timeout
Run ./

Copy standbylock-daemon and loginprompt-daemon to /usr/bin. You will need to use sudo.

Copy com.zzj.standbylock.agent.plist to your main account's ~/Library/LaunchAgents. Verify that your user owns the file.
Run launchctl load ~/Library/LaunchAgents/com.zzj.standbylock.agent.plist. Should be no errors.
Run launchctl start com.zzj.standbylock

-- The standbylock daemon should now be running for you. Check using ps aux | grep standbylock
-- If you kill standbylock, launchd should restart it automatically, immediately.

Now, you need to do some things as the idiot user. 

First: run sudo su 
This will get you a shell under the restricted account.

Type: cd [enter] to get back to the idiot's home directory

Copy com.zzj.loginprompt.agent.plist to ~/Library/LaunchAgents. Verify that the idiot's account owns the file
Run launchctl load ~/Library/LaunchAgents/com.zzj.loginprompt.agent.plist - Should be no errors.
Run launchctl start com.zzj.loginprompt

-- loginprompt daemon should now be running. Check using ps aux | grep loginprompt

The daemons will be started automatically at system boot.

To test the login prompt, use ""
Expected behavior: Swap to other account, and a login prompt is shown for the previous user.

To test the standby timeout, put the machine into standby and wait for the timeout duration.
Expected behavior: Swap to other account, login prompt for previous user

===== Other stuff =====

I enabled auto-login as the idiot user, and added my user account to the hidden list. Unless
my account is logged in, it will not show up in the login dialog or fast user switching.
The restricted user should not be able to gain access via SSH - check this.

Oh, and install prey, it's free.

Enable filevault on your home directory, too.

You'd be well advised to set an EFI password - do this via a utility on the mac
os install CD. It requires a password for everything that is not booting the
computer into the default OS. Can't boot a cd, or into windows, etc.

Net result: Anyone who isn't you can only use the very restricted set of programs
and connect to wifi networks. They can not affect the system in any meaningful way.

Leave a Reply

Your email address will not be published. Required fields are marked *