Is there a way to password protect one app from running on OS X?
October 5, 2008 12:04 AM

Is there a way to password protect one application from running on Mac OS X? Ideally, I would like to keep Adium from ever running without an admin authentication being provided immediately prior to it running.

Specifically, I would like to prevent either Firefox or Adium from running, even when I am logged in, assuming I have quit both applications before walking away from the computer. Please do not tell me to set up separate user accounts, I know how to do that. I am asking how to lock Firefox and Adium out from running without admin privileges.
posted by anonymous to Computers & Internet (19 answers total)
It sounds like there's a higher-level goal you aren't explaining. What's the motivation behind this?

Please do not tell me to set up separate user accounts, I know how to do that. I am asking how to lock Firefox and Adium out from running without admin privileges.

Also, I would strongly recommend against telling us how not to answer your question, especially when the answer may involve what you don't want to hear.
posted by Mikey-San at 12:20 AM on October 5, 2008 [2 favorites]

Install the adium and firefox applications in an encrypted volume that you only mount before running them and unmount when finished. Weave some applescript around it to make it more transparent.
posted by iamabot at 12:42 AM on October 5, 2008

Why not use `chown` and `chmod`? They are UNIX tools that allow you to set permissions on files.

These pages explain how it all works:

Specific to OS X:

What you would want to do is make sure that the program's executable file is owned by the administrative user (root):
`chown root:root execfile` # change the file execfile's owner, group to root, root
Then you want to make sure that only the administrative user (root) has the ability to execute (run) that executable file:
`chmod go-x execfile` # group, other: take away eXecutable permission

Then, as long as you have root permissions (are logged in as the root user or have some sort of `sudo` functionality,) you can run those files. Otherwise, you will get a permission error.

If this were Linux, you could then change the shortcuts on the application launcher from
`sudo execfile` # works from the console
`gksudo execfile` # works on Gnome
`kdesudo execfile` # works on KDE
(the latter popping up a graphical window asking for permission to run the programme.)

I don't remember if `sudo execfile` on Mac OS X pops up the authentication dialogue or not - you'll have to check this yourself.

This said, Mikey-San is right: you should explain your problem in greater depth, because there is almost certainly a better way to do it than the above (which is probably the simplest way to do it as you have asked.)
posted by Sangermaine at 12:51 AM on October 5, 2008
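
An added example, not part of the answer above: a POSIX shell check of what the `chown`/`chmod` steps leave in place on an application's executable, run here against a constructed bundle. The names `audit_app_exec`, `make_sample_bundle` and `Sample.app` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit who may execute the binaries
# inside an .app bundle. audit_app_exec returns a bitmask:
#   1 = group or other still has execute permission on some binary
#   2 = the invoking user owns some binary (can run it, or chmod it back)
#   0 = neither: only a different owner, such as root, may execute it
audit_app_exec() {
    bundle=$1
    result=0
    me=$(id -u)
    for f in "$bundle"/Contents/MacOS/*; do
        [ -f "$f" ] || continue
        # ls -ln: field 1 is the mode string, field 3 the numeric owner id
        mode=$(ls -ln "$f" | awk '{print $1}')
        owner=$(ls -ln "$f" | awk '{print $3}')
        # 7th character = group execute, 10th character = other execute
        case $mode in
            ??????[xs]*|?????????[xt]*)
                echo "$f: group/other can execute ($mode)"
                result=$((result | 1)) ;;
        esac
        if [ "$owner" = "$me" ]; then
            echo "$f: owned by invoking uid $me ($mode)"
            result=$((result | 2))
        fi
    done
    return "$result"
}

# Constructed sample bundle; "Sample.app" is a hypothetical name.
make_sample_bundle() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Sample.app/Contents/MacOS"
    printf '#!/bin/sh\nexit 0\n' > "$dir/Sample.app/Contents/MacOS/Sample"
    chmod 755 "$dir/Sample.app/Contents/MacOS/Sample"
    echo "$dir/Sample.app"
}

app=$(make_sample_bundle)
rc=0; audit_app_exec "$app" || rc=$?
echo "before chmod go-x: result $rc"
chmod go-x "$app/Contents/MacOS/Sample"
rc=0; audit_app_exec "$app" || rc=$?
echo "after chmod go-x: result $rc"
rm -rf "${app%/Sample.app}"
```

A result of 2 means the ownership step has not taken effect: the logged-in user still owns the binary and can run it or restore the permission bits. On OS X the group with gid 0 is named `wheel`, so the ownership change there is typed as `chown root:wheel`.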

Sangermaine: for various security reasons, in both Linux and OS X, running your browser as root is a very unwise idea. You've just given the most susceptible piece of software in the system permission to do as it pleases. Might as well be running Windows!

I think the encrypted volume is probably the best idea. However, if the goal is to protect browser caches, preference files, chat logs, etc then this doesn't help. Those files aren't stored with the app, but in the ~/Library folder. Any user could simply download a copy of Firefox or Adium to the desktop and be back in business.
posted by sbutler at 1:00 AM on October 5, 2008

Also, for Adium, passwords are stored in the Keychain. Any person with the login password can read those whether Adium is on the system or not. Just launch the Keychain app and start browsing away. OS X allows you to create private keychains, but I don't know of a way to get Adium to use anything other than the login one.
posted by sbutler at 1:02 AM on October 5, 2008

One more comment and I'm done :)

On 10.5 there is a system preference panel for Parental Controls. One of the things you can do is restrict which applications are allowed to run. This might work for you, depending on your goal.
posted by sbutler at 1:08 AM on October 5, 2008


This is a very good point and is exactly why the poster should clarify their question, because there is almost certainly a better way to accomplish this than encrypted drives and system permissions.

I think a lot of this also hinges on exactly what the poster meant by
Ideally, I would like to keep Adium from ever running without an admin authentication being provided immediately prior to it running.
As an addendum to my suggestion above, it is not strictly necessary for `sudo` to actually use the root user. You can just as easily replace root in the above with any user you please - as per sbutler's comment, ideally a less privileged user. This will work, because `sudo` has a `-u` option that allows you to specify which user to run the programme as.

Also, your comment about protecting the user's privacy is spot-on. These solutions will only prevent other users from running these programmes but will not appreciably stop even the least determined user. If privacy is the aim, then the solution is much simpler: just run Adium and Firefox off of a portable USB drive and uninstall the software from the computer itself.

You can find portable versions of both at:

Using this method, anyone not in possession of the USB drive or the administrative rights to install new software cannot run either programme on the computer and the user's privacy is more nearly secure (or, at least, the level of dedication required for someone to violate the user's privacy is significantly increased.)
posted by Sangermaine at 1:13 AM on October 5, 2008


I didn't know about the parental controls feature - that is probably closest to what the poster was asking for - good thought.

It's my understanding, though, that we're probably not going to get any karma for this. :(
posted by Sangermaine at 1:26 AM on October 5, 2008

As an addendum to my suggestion above, it is not strictly necessary for `sudo` to actually use the root user.

Actually, it is in OS X if you want to run a graphical app (pretty much anything that links to AppKit or one of the other daemon unsafe frameworks). Only root and the console user have permission to connect to the Window Server.
posted by sbutler at 1:26 AM on October 5, 2008

Other than (possibly) the Parental Controls setup, none of these approaches will keep someone from just downloading a new copy of Adium (or plugging in a usb drive, etc) and running that copy, or running another app with similar functionality. The OP really, really needs to be clearer about what they actually want here; I'm guessing the solution will need them to take another step back and think about what problem they're trying to solve by restricting adium and firefox.
posted by hattifattener at 1:47 AM on October 5, 2008

Parental Controls are very weak. Without giving too much away, it only really puts restrictions on the Finder, and then some quite weak ones.

I would not rely on it to prevent anyone older than 5 from doing what you don't want them to.

It's fine as a limited extra bit of control on top of something like supervised computer use, but that's about it.
posted by edd at 3:14 AM on October 5, 2008

Do you want to stop all use of Adium without a password, or do you just not want people to sign in as you when you're away from the computer? Because the really simple answer to the latter is to just sign out of Adium whenever you're not using it, and make sure it doesn't remember your password.

(Pathetic and obvious solution, but I thought I'd throw it out there...)
posted by badmoonrising at 3:37 AM on October 5, 2008

In Mac OS X Server, there is a function for limiting which Applications can be launched. It's very useful for computer lab setups. In fact, there are many other preferences that can be set for a user, but the one we will focus on here is limiting Application launching. Typically, these preferences are grouped together and distributed by a server running Mac OS X Server. They are collectively called MCX. They are managed using a tool called Workgroup Manager. Fortunately, someone has figured out a way to manage MCX settings on a local machine without the need for a Mac OS X Server. Here's how:

1) Download the Mac OS X Server Admin tools and install on your computer. This will include the Workgroup Manager program mentioned previously. They will be in a "Server" folder in /Applications.

2) Launch Workgroup Manager and enter "" in the Server address field. This tells WGM to point to your local computer's loopback address. Put in your Administrator's username and password. You'll get a message about working in a local directory and it not being visible. Ignore this message (remember, these tools are typically used to administer a server's directory store, not a local workstation's.)

3) You should see a list of the accounts on your computer. "admin" is the root account. Select the user you want to manage and then click on "Preferences" in the toolbar at the top. This will take you to another section where you can administer which preferences are allowed for that user. One of the preferences is "Applications" which will allow you to limit which applications can be launched.

4) Click on Applications. Click on the Always button at the top right. Click on the plus sign and it'll show you a list of applications installed on your computer. Select everything *except* Adium and then click Apply.

5) Quit WGM, log out and then back in again. Try to launch Adium. It should be blocked now.

These MCX settings are stored in /Library/Managed Preferences.

While these directions are for Mac OS X 10.5.5, the same thing works for Mac OS X 10.4.11. You'd just have to download and install the Mac OS X Server Admin tools for 10.4.11.
posted by at 6:13 AM on October 5, 2008 [1 favorite]

Could you run OSX inside of VMware with only these 2 applications installed, and then password-protect the virtual machine?
posted by jozxyqk at 6:48 AM on October 5, 2008

's answer is spot on, although you would probably have to block all applications except for the ones allowed, instead of just blocking adium and firefox, given the ability to download applications, as mentioned by hattifattener.

Also, you'll have to set up a bios password so they can't boot from a cd/into single user mode and run the programs that way.

Doing the above will stop children, and computer neophytes. But frankly, you have a hopeless task. The first rule of computer security: CONTROL PHYSICAL ACCESS. Without physical control of the box, you have no security. A determined individual will remove the hard drive from your computer, and edit permissions/settings on another computer. A determined individual will install a hardware key logger on your keyboard and get your password. A determined individual will look over your shoulder and read the password off your typing.

If you are letting a person use your computer whom you do not trust enough to use while not there, then bar access to the computer when you are not there. A cabinet with a lock will provide more security than hours of twiddling with security settings.
posted by zabuni at 8:09 AM on October 5, 2008

Seems like you're better off password locking the machine. Couldn't someone just fire up Safari (and if they're really determined to browse or chat on your machine?
posted by O9scar at 8:53 AM on October 5, 2008

At this point the best solution I can think of is the encryption solution, mainly because your problem is not defined very well. The biggest omission is that you don't specify whether the user account you are logged into is an administrator account or a standard account.

(BTW, I'm sure Mikey-San had good intentions with his initial response. He does know a thing or two about this stuff, mmmkay?)
posted by joshrholloway at 1:05 PM on October 5, 2008

[took the derail out, please take that issue to MeTa and/or email and answer the question being asked or feel free to ask the OP further questions, thanks]
posted by jessamyn (staff) at 2:53 PM on October 5, 2008

While iamabot's suggestion is clean and easy to implement, it is very easy to circumvent. If you're logged in and have not locked your screen, anybody can run Firefox and Adium from a USB key, and those apps will (by default) look into your user library for their settings.

If you're concerned about people using those apps with your own user's settings, lock the screen when you're not at the computer -- set the screen saver to lock it after a short idle time, too -- and make sure your computer is not set to automatically log you in.
posted by pmbuko at 7:38 AM on October 7, 2008
