Safe to allow students to access Terminal.app in a shared environment?

Background: We have a lab of Macintosh computers, all running 10.10.3 currently, that are for classroom instruction. Students typically use their own login/password via Active Directory to log in to these machines, however guest(anonymous) access is also available. Traditionally we have never previously allowed students to open/use Terminal.app as the room was used primarily for art, but recently the machines are being used for science and instructors have requested CLI access. Students are not admins and would not be able to use sudo.

Is it safe to remove the restriction preventing students from opening Terminal.app and allow students full access to the bash shell? Are we being over cautious? If not, what types of risks would we be exposed to/need to address prior to allowing such access?

Solution 1:

It's important to realize that students already have other avenues of access to the bash (and other) shells. Students can download alternate terminal programs—such as iTerm—to their home directories to gain shell/CLI access. Additionally, shell scripts can be run via Automator.app.

So, especially for enterprising students, blocking the default Terminal.app hasn't bought you much from a security standpoint.

Really, whether CLI access is appropriate comes down to the intact permissions across the filesystem combined with appropriate user account settings. If the students are running as standard or managed (non-admin) accounts and filesystem permissions are intact, then that's what limits student access. Non-admin accounts shouldn't be able to run root-level tools and modify root-level configuration files.