Is it possible to create a user with all admin rights *except* the ability to interrupt a particular process and access a particular folder?

root sudo permission

Solution 1:

I can’t see any way you could accomplish this without rewriting the OS and security models.

  • The accessing a specific folder will be trivially handled when you encrypt the contents of a folder or file and don’t share the key to unlock the data on APFS. Since you can’t keep the root user from reading a file or folder, and admin user can become root (that’s the definition of Admin user on macOS) therefore anything one admin user can set, another can undo.
  • The prevention of the ability of any admin user to send SIGKILL (or any other interesting IPC commands) to any running process will be problematic technically without modifying the OS itself.

The best you can do is try to rely on Gatekeeper and preventing sudo from your admin user per this very excellent question:

  • Block Specific Apps on macOS

I can’t see a case where you wouldn’t just make the user not an admin and carve out a way they can do whatever admin things you want them to do by granting additional access and just not granting admin status to the users you don’t trust.

Related

Apple Script: Can’t get date of "2018-12-12 10:00 AM"
iTunes Match - No More Backups Needed?
Can Late 2012 Mac Mini support two QHD Monitors?
Why can't I see subscript "s" (Unicode Character “ₛ” (U+209B)) even though I can see lots of other unicode characters?
Where does Chrome store login credentials in macOS?
Controlling iOS apps via command line
Moving photos from one Photos library into another
Finder preview: See file size and date in column view
CPU cores have a temperature near 80 °C and then the fan starts to work. Is it too late?
Batch download URLs from a .txt file
Use all F1, F2, etc. keys as standard function keys not working
Imessage security