So at work there is a "shared" server that people can run things on that take a long time. I make quite a bit of use of this machine to the point where I made my own login to separate my user files.
- The account I am using is an administrator.
- The other account that everyone else uses is also an administrator.
In my user files is some private SSH keys for things like Github and Amazon Web Services that the other users could do mean things with if they were so inclined. I don't think they would, but it would be nice to not have to think about it.
-
Is there any way I can add some protection to these files without changing the permission level of the other login?
-
Is it possible for other administrators to access the saved keychain credentials of another administrator?
-
If you were to "do it right", how would you recommend setting up this machine such that it could be reasonably shared by people who need to perform administrative tasks, but not be a security nightmare.
Best Answer
Simple answer - no. Administrative access is too powerful for multiple users on a single machine. Even if you trust every one of these users implicitly, there will always be a chance of accidental misuse and potential data loss.
The only exception is SIP - where even root can't modify some files Apple has marked as restricted.
Standard operating procedure dictates standard user accounts for all users on a multi-user Mac, with an administrator's account for maintenance, etc.
You can make an encrypted DMG to store things that you can't allow another user of the computer to see. They could copy the files and try to brute force the password - but Finder does a good job of asking for and mounting such filesystems when you reference an alias to the file.
The keychain is a specialized version of an encrypted store. You might be able to store your keys there and they would be safe from other users in a similar manner.