Allowing sudo privileges, but not access to sites
Is it possible to make it so a user can use the sudo command in terminal, but not have access to sites other than those allowed through parental controls, without a third party system?
Solution 1:
By adjusting the sudoers file (/etc/sudoers) with sudo visudo it should be possible to accomplish this. It is a hell of a job and you need a profound knowledge of all commands to fine-tune this while avoiding errors and loopholes though.
You have to add the user to the User privilege specification section
...
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
...
Then use a whitelist (or a blacklist) of allowed (or disallowed) commands:
Examples:
whitelist
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
user ALL=/usr/bin/nano,/usr/bin/opensnoop
blacklist
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# ALL comes first: a list made up only of negated commands grants nothing
user ALL=ALL,!/usr/libexec/PlistBuddy,!/usr/bin/passwd,!/usr/sbin/*
You may mix whitelist and blacklist.
Please check man sudoers for how to simplify things or narrow things down by configuring User, Runas, Host and Cmnd alias specifications.
Check the accepted answer to the question How to prevent sudo users from running specific commands? for the pitfalls of configuring a simple command like rnano in the sudoers file.
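A small linter for whitelist and blacklist entries of the kind shown above, as an added example that is not part of either answer. It classifies each one-line user specification so risky patterns stand out before the file is installed. The sample text is constructed, the user `kid` is hypothetical, and the parser assumes no aliases, tags, includes or line continuations.

```python
import re

# Constructed sample in the style of the entries above; "kid" is a hypothetical user.
SAMPLE = """\
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
user ALL=/usr/bin/nano,/usr/bin/opensnoop
user ALL=!/usr/libexec/PlistBuddy,!/usr/bin/passwd,!/usr/sbin/*
kid ALL=ALL,!/usr/bin/passwd
"""

# who host = (runas) command-list ; the (runas) part is optional
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def lint_sudoers(text):
    """Return (who, finding) tuples for simple one-line user specifications.

    Assumption: no aliases, tags such as NOPASSWD:, includes, line
    continuations or command arguments. Syntax itself is checked by visudo -c.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = SPEC.match(line)
        if not m or line.startswith(SKIP):
            continue
        who, _host, _runas, cmds = m.groups()
        items = [c.strip() for c in cmds.split(",") if c.strip()]
        allowed = [c for c in items if not c.startswith("!")]
        denied = [c[1:].strip() for c in items if c.startswith("!")]
        if not allowed:
            findings.append((who, "negations only: grants nothing"))
        elif "ALL" in allowed and denied:
            findings.append((who, "deny-list on ALL: not a reliable restriction"))
        elif "ALL" in allowed:
            findings.append((who, "unrestricted: full root"))
        else:
            findings.append((who, "allow-list: review each command for shell or file access"))
        if any("*" in c for c in allowed + denied):
            findings.append((who, "wildcard in command path"))
    return findings

if __name__ == "__main__":
    for who, note in lint_sudoers(SAMPLE):
        print(f"{who}: {note}")
```

The "deny-list on ALL" finding reflects the caution in man sudoers that subtracting commands from ALL with `!` is generally not effective.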
Solution 2:
The two concepts are mutually exclusive.
Adding someone to the sudoers list effectively gives them the power to bypass any restriction you wish to impose on them.