I'd like to prevent the use of the osascript terminal command by anyone without administrator access. I used to accomplish this by changing the permissions on the executable using sudo chmod 744 /usr/bin/osascript.
The problem now (from what I understand) is that Big Sur does not allow changes to be made to the read-only system volume. I'd therefore like to find a workaround that retains this functionality ie. I don't want it to be possible to run this binary without the use of sudo.
This has been a huge thorn in my side, and I don't want to have to resort to disabling SSV authentication in order to edit the system volume. If there's any way to just elevate the permissions needed then that would be perfect.
Best Answer
Changing the permissions on the binary is not going to be an effective way of blocking such commands. The user can simply download or copy the
osascriptbinary from a web site or another computer onto your Mac and run it - withoutsudo.There's probably some resource that you do not want your users to access - and they have been doing that through the
osascriptcommand. But instead of blockingosascript, look at changing the permissions for that resource. That would in turn make it so thatosascriptcannot access it withoutsudo.