I am trying to set up iMacs, OS X 10.11, with Xcode software for standard users to use in a lab. The software uses administrative privileges to run the Developer Tools in the software. What is the best way to setup the standard user accounts to do this without granting admin privileges to these accounts?
Asked
Active
Viewed 266 times
2
-
Granting them sudo access should be enough. You can't Ignore require simultaneously access, and not give them some way, to escalate their user's permission. This is true on any OS. – Ramhound Sep 07 '16 at 23:31
-
@Ramhound don't do that. Giving someone sudo access is tantamount to giving them full admin access. You can use sudo to give granular access but you need to be very careful about it, and there's a better way to solve this problem anyway. – Benny Mackney Sep 08 '16 at 01:02
-
@BennyMackney - On Linux you can give specific sudo permissions. Are you saying on OS X that isn't possible? – Ramhound Sep 08 '16 at 01:08
-
As I said, you can use it to give granular permissions, but you need to be careful. You would need to know exactly what sort of things Xcode does, and ensure that none of them can be used to get higher abilities. Even just allowing sudo xcode would let you use xcode to edit the sudo file and take full control. It's a dangerous game. Hence, you use the existing group that Apple configured. – Benny Mackney Sep 08 '16 at 01:10
1 Answers
2
There's a group called "_developer" that solves this cleanly.
sudo dscl . append /Groups/_developer GroupMembership <username>
Run that from an admin account, obviously.
Benny Mackney
- 121
- 2