Forbid APPS in home directory

macvillage.net

I want to prevent users from downloading Applications from the web and running them.... Most installers in OS X require an admin password (which is good) but many still don't use installers and are just .sit files.


Can I CHMOD a user's home directory so that the user can't run applications from within the directory?

I want the apps to be run from only the Applications Folder.

I don't like the idea of a user just keeping applications on their desktop.
 
If you go ahead and chmod -x, you will find some applications failing in
interesting ways. That's because the filesystem sees the eXecute bit
on a directory as permission to search it.

You can probably, however, set the sticky bit on the directory which, as
I recall, prevents new files from being added, but all files that are there
are OK.
 
No, there's no way to do that one.

But you could search for anything ending in .app

(find /user_dir -name "*.app" in the terminal - better than Sherlock!)

And, as root, you can summarily delete them. Ah, the powers of root. ;)

'Course, that doesn't stop them from downloading them again, but if you keep doing it they might get the idea.

You could also write a little shell script that searches for any file ending in .app in a user's directory, and automatically deletes it. If you set the shell script up as a cron job (the system cron, not a user cron), then the script would be executed as root, which means it would have the privileges needed to search users' directories and delete files out of them. Also, you wouldn't have to worry about searching on your own - the cron job would take care of it.

This little example would work for all users, including your own user:

#!/bin/sh
# Remove anything under /Users whose name ends in .app
cd /Users && find . -name "*.app" -exec rm -f {} \;

A very simple shell script, but devastating! It will delete EVERY file it finds that ends in .app, no matter what kind of file it is - a directory, a text file, an actual app, an alias, whatever.

I wouldn't recommend actually using that, but it's there if you wish to...
 
Of course, theoretically at least, users can't do any harm to anyone but themselves running applications they downloaded, even if they do download a virus, or something along the lines of Bomb.app. The point of the Unix permissions you are trying to use to protect your computer, is that you shouldn't have to - the worst any unprivileged user should be able to do is shoot him/herself in the foot.

Of course Classic goes and mucks all that up, since any user, privileged or not, can install anything on a Classic drive they feel like. To protect your computer, possibly the best thing you can do is just not install Classic.

Oh, yeah - even if you did stop them installing apps, they could just keep around .dmg files with the apps in them, and mount them whenever they want to run a program. They would be mounted in a dynamically created directory somewhere in /Volumes anyway, so you couldn't do much to stop them.

Incidentally, Darkshadow - your script would not delete directories (which is what .app applications are) unless you made that "rm -rf".
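For the cron-driven cleanup script and the rm -rf point raised above, here is an added example (not the poster's script) that treats .app bundles as the directories they are, uses -prune so find does not descend into a bundle, and leaves plain files that merely end in .app alone. It assumes a POSIX find/sh and builds a constructed sample tree instead of touching /Users.

```shell
#!/bin/sh
# Added example: report or remove .app bundles under a directory tree.
# "-type d" skips plain files that happen to be named *.app, and "-prune"
# stops find from descending into a bundle (bundles can contain helper
# .app bundles of their own, which are removed along with their parent).
#
# Usage: find_app_bundles ROOT     -> prints bundle paths, one per line
#        remove_app_bundles ROOT   -> removes them and prints each path

find_app_bundles() {
    find "$1" -type d -name '*.app' -prune -print
}

remove_app_bundles() {
    find_app_bundles "$1" | while IFS= read -r bundle; do
        rm -rf -- "$bundle"          # bundles are directories: -r is needed
        printf '%s\n' "$bundle"
    done
}

count_app_bundles() {
    find_app_bundles "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for /Users: two real bundles, one
# nested helper bundle, and a text file whose name merely ends in .app.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/alice/Desktop/Foo.app/Contents/MacOS"
    mkdir -p "$dir/alice/Desktop/Foo.app/Contents/Helper.app"
    mkdir -p "$dir/bob/Downloads/Bar.app/Contents"
    : > "$dir/bob/notes.app"
    printf '%s\n' "$dir"
}
```

Run from the system crontab as root it would replace the "rm -f" script; run with find_app_bundles only, it is a report rather than a deletion.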
 
I am really just looking to disable the obvious.

I just don't want garbage being downloaded and run.

Apple should have created an option or something like CHMOD to disable Applications in a directory.



Don't forget. Apps that do anything networking related could also be trouble.
 
I agree that using chmod would not be possible. I think, at the moment anyhow, that your best bet would be as was previously mentioned not to install Classic as this definitely is a huge security risk. Other things you could do would be to make your user permissions more strict. With 10.1 there is perhaps, I'm not sure yet, the ability to attach AppleScripts to directories. I'm not sure how these directory actions could be triggered i.e. made to be activated if say anything new is added to the directory. If that is possible you could write a script to delete any apps within the users' home directory.

However I am pretty sure that there will be ways around that as well, sadly.
 
I'm curious, what, *exactly* would you not want people to run? Not only could they not delete/mess with system files or the files of other users, but I think that Mac OS X will not even let them use certain ports over tcp/ip (whereas most Win NT distros will let any user corrupt the winsockets dll and screw up the system until it's rebooted).

At my old HS, they put these restrictions on the computers so you could only run certain applications (eg, windows.exe, pbrush.exe, etc). Everything not on the list was disallowed. Prob was, all you had to do was rename an application to one of the allowed apps' names, and it would run. Besides, you could always put the application on a disk or server, and it would never be detected. Not to mention that creating a stupid macro in Word would let you bypass almost every restriction.

I guess I'm just saying that Mac OS X isn't Windows, and you shouldn't have to worry about much. What could they do, anyway?
 
I am curious why your users must be restricted so... what kind of environment do you administer? I mean, even if it is a school I don't see a reason to restrict people. I have always found it annoying that high schools and colleges tend to cripple their computer labs. Before I could sort of understand, because programs people download could mess up the system, but using OS X with separate users, nothing can really happen to the system... so why restrict users' freedom?
 
Well, this is more for my own knowledge than anything else....


But if you admin a building, do you want people downloading hacking programs? or anything else that would allow them to do something illegal?
 
Ah yes, I see what you mean. Now you've got me interested... it is always good to know what options are available.
 
I am going to put a little article on MacVillage.net News to see what I can learn. I will post any ideas that I get here if you want.
 
Depending on whether your users should be able to create executables (i.e. have access to a compiler) you may have some options.

If they are not supposed to create their own executables (i.e. must use only software supplied by admin), you can mount their home directories noexec. You should do the same with /tmp and /var/tmp, and every other area which is world writable. At least, you can do this on most unices; whether this is possible under OS X, I do not know as yet; I would have to investigate that on another system which does have more than one partition :)
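An added example (not from the thread) of checking the noexec suggestion above: it parses an fstab-style mount table and reports which of the named writable areas (home directories, /tmp, /var/tmp) are mounted without noexec. The table is a constructed sample; whether an OS X of this era honours such entries is, as the post says, an open question, so treat the format as generic Unix fstab.

```shell
#!/bin/sh
# Added example: audit an fstab-style table for writable areas lacking
# "noexec". Fields: device, mount point, type, options, dump, pass.

# Constructed sample table (device names and options are made up).
SAMPLE_FSTAB='/dev/disk0s3 / hfs rw 1 1
/dev/disk0s4 /Users hfs rw,nosuid 1 2
/dev/disk0s5 /tmp hfs rw,noexec,nosuid 1 2
/dev/disk0s6 /var/tmp hfs rw 1 2'

# Mount points that should carry noexec when users cannot build binaries.
WATCHED="/Users /tmp /var/tmp"

# missing_noexec TABLE_TEXT -> prints each watched mount point whose
# option list does not contain "noexec", one per line.
missing_noexec() {
    printf '%s\n' "$1" | awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        NF >= 4 && ($2 in want) {
            m = split($4, opts, ",")
            found = 0
            for (j = 1; j <= m; j++) if (opts[j] == "noexec") found = 1
            if (!found) print $2
        }'
}

# audit_file PATH -> same report for a real fstab on disk.
audit_file() {
    missing_noexec "$(cat "$1")"
}
```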
 