MacOS - restricting use of an app to certain users
February 4, 2024 7:32 AM Subscribe
Can I reliably restrict the use of an application to certain users on a Macintosh, and prevent other, non-admin users, from using the app? And will this work for Minecraft launcher? Details below the fold.
I am trying to figure out whether I can configure a new Macintosh laptop with Minecraft relegated to a separate account. I am considering this because Apple Screen Time controls don't work for Minecraft and Microsoft's Xbox Live controls don't work on the Macintosh. sigh.
The idea is that I would set up the laptop with two non-admin accounts. There would be an Everyday account that could be used for homework, web browsing, youtube, etc, but would have Screen Time controls to limit leisure time activities.
The second account -- call it Sandbox -- would have Minecraft installed on it. The Minecraft Launcher app would be put into Sandbox/Applications/ rather than into the /HD/ Applications folder. I would change the permissions on the application file so it is only visible to Sandbox and Admin, with no visibility for other users.
Java would be installed system-wide, but the Minecraft Launcher would only be accessible to the Sandbox user.
I would use Screen Time controls to prevent the installation of new applications, and set up security controls to prevent running apps downloaded from the internet (rather than from the App Store).
The user would have the password for logging into the Everyday, but they would not have the password for logging into the Sandbox account. They'd need to ask a parent to log them into that account.
The goal is to have one computer, with Everyday use that doesn't allow Minecraft, but special permission use that does allow it.
Will this work? Is there some backdoor or workaround I'm not thinking of?
I realize that self-control and maturity are the best forms of Screen Time control, and that these will need to be developed eventually. But at the current time, we need some way to impose physical limits.
This would be a new Macintosh with the latest OS.
I am trying to figure out whether I can configure a new Macintosh laptop with Minecraft relegated to a separate account. I am considering this because Apple Screen Time controls don't work for Minecraft and Microsoft's Xbox Live controls don't work on the Macintosh. sigh.
The idea is that I would set up the laptop with two non-admin accounts. There would be an Everyday account that could be used for homework, web browsing, youtube, etc, but would have Screen Time controls to limit leisure time activities.
The second account -- call it Sandbox -- would have Minecraft installed on it. The Minecraft Launcher app would be put into Sandbox/Applications/ rather than into the /HD/ Applications folder. I would change the permissions on the application file so it is only visible to Sandbox and Admin, with no visibility for other users.
Java would be installed system-wide, but the Minecraft Launcher would only be accessible to the Sandbox user.
I would use Screen Time controls to prevent the installation of new applications, and set up security controls to prevent running apps downloaded from the internet (rather than from the App Store).
The user would have the password for logging into the Everyday, but they would not have the password for logging into the Sandbox account. They'd need to ask a parent to log them into that account.
The goal is to have one computer, with Everyday use that doesn't allow Minecraft, but special permission use that does allow it.
Will this work? Is there some backdoor or workaround I'm not thinking of?
I realize that self-control and maturity are the best forms of Screen Time control, and that these will need to be developed eventually. But at the current time, we need some way to impose physical limits.
This would be a new Macintosh with the latest OS.
Response by poster: Duh, well that's a simplification, jonathanhughes. So that increases my confidence that it would work, at least that part.
I'm still interested in any possible security holes in this arrangement, especially given that Minecraft runs in the JVM, and the launcher just sort of gets it going.
posted by Winnie the Proust at 8:39 AM on February 4
I'm still interested in any possible security holes in this arrangement, especially given that Minecraft runs in the JVM, and the launcher just sort of gets it going.
posted by Winnie the Proust at 8:39 AM on February 4
I *think* there's a hole in your proposal. I don't really remember how MacOS handles application files, but at the shell level I think somebody could do something like
[Sandbox] mkdir /tmp/Minecraft; chmod 666 /tmp/Minecraft
[Sandbox] cp -R ~/Applications/Minecraft /tmp/Minecraft
[Everyday] cp -R /tmp/Minecraft ~/Applications
There might have to a similar step with ~/Library or other related files, but the basic idea is that the Sandbox user can make a copy of Minecraft and put it someplace where Everyday can get access to it.
I think the better approach is to put Sandbox in a user group and make Minecraft executable only by that group. Which is probably what "Install for just this user" does, but I don't know.
posted by bac at 7:16 PM on February 4
[Sandbox] mkdir /tmp/Minecraft; chmod 666 /tmp/Minecraft
[Sandbox] cp -R ~/Applications/Minecraft /tmp/Minecraft
[Everyday] cp -R /tmp/Minecraft ~/Applications
There might have to a similar step with ~/Library or other related files, but the basic idea is that the Sandbox user can make a copy of Minecraft and put it someplace where Everyday can get access to it.
I think the better approach is to put Sandbox in a user group and make Minecraft executable only by that group. Which is probably what "Install for just this user" does, but I don't know.
posted by bac at 7:16 PM on February 4
Which is probably what "Install for just this user" does, but I don't know.
To help you know: Installing an application for "just this user" puts it in that user's home directory. By default, it would not be readable or traversable by other users, since $HOME/Applications is 0700.
What that means is: not only is the application, which is the launcher, going to be inaccessible to other users, but the jar of the actual game (which, if I recall, is put into ~/Library/ somewhere) will also be inaccessible for direct launch with java -jar minecraft-something-something.jar
TL;DR: no, that's not totally applicable, and installing an application in a user's home directory isolates it from other users. Copying it out could be a thing, but that's literally always going to be a thing if a user has access to both accounts. For that matter, the user could just install the application to the other account — which is what they'd be doing in this case anyway.
posted by majick at 6:38 AM on February 5
To help you know: Installing an application for "just this user" puts it in that user's home directory. By default, it would not be readable or traversable by other users, since $HOME/Applications is 0700.
What that means is: not only is the application, which is the launcher, going to be inaccessible to other users, but the jar of the actual game (which, if I recall, is put into ~/Library/ somewhere) will also be inaccessible for direct launch with java -jar minecraft-something-something.jar
TL;DR: no, that's not totally applicable, and installing an application in a user's home directory isolates it from other users. Copying it out could be a thing, but that's literally always going to be a thing if a user has access to both accounts. For that matter, the user could just install the application to the other account — which is what they'd be doing in this case anyway.
posted by majick at 6:38 AM on February 5
« Older What are the best new music playlists on Spotify? | Sexual response to nonsexual stimuli Newer »
You are not logged in, either login or create an account to post comments
posted by jonathanhughes at 8:28 AM on February 4 [1 favorite]