Is it possible to create a user with all admin rights *except* the ability to interrupt a particular process and access a particular folder?
Solution 1:
I can’t see any way you could accomplish this without rewriting the OS and security models.
- The accessing a specific folder will be trivially handled when you encrypt the contents of a folder or file and don’t share the key to unlock the data on APFS. Since you can’t keep the root user from reading a file or folder, and admin user can become root (that’s the definition of Admin user on macOS) therefore anything one admin user can set, another can undo.
- The prevention of the ability of any admin user to send SIGKILL (or any other interesting IPC commands) to any running process will be problematic technically without modifying the OS itself.
The best you can do is try to rely on Gatekeeper and preventing sudo
from your admin user per this very excellent question:
- Block Specific Apps on macOS
I can’t see a case where you wouldn’t just make the user not an admin and carve out a way they can do whatever admin things you want them to do by granting additional access and just not granting admin status to the users you don’t trust.