Allow non-admin user to sudo without access to admin account data

The Answer:

Yes, it's definitely possible. sudo is designed to implement fine-grained security policies. As an example of fine-grained, sudo can be configured to allow a user to run a particular command, but exclude certain options for the command. Don't get sudo confused with su.

And so, when you say, "sudo access would mean the highest access on the machine so everything will be accessible", that's simply not true. IMHO, sudo was made to order for the exact problem you are faced with: "How do I give a user access to resources he needs to do his job, without giving him the run of the castle?" You may also appreciate the fact that sudo performs extensive logging of all sudo usage. This provides accountability for all sudo users because, unlike su, users execute sudo from their account, not the root account.

Here are two examples to illustrate this point. These are two entries that would go in the sudoers file - the file that defines a user's privileges under sudo. In the first example, the user friend will be given "access to everything"; i.e. unlimited root privileges:

Example: sudo for Full root Privileges

friend   ALL = (ALL) ALL  

In the next example, the user friend will only be given privileges to run the software update option (-U) on the utility youtube-dl. This specification will confer root privileges to run only this one command with this one option (although in this case most of the other options do not require root privileges):

Example: sudo for Limited root Privileges

friend   ALL = (ALL) /usr/local/bin/youtube-dl -U

A Brief Overview of sudo:

I can't explain sudo in the space of this answer. As you'll see, that simply is not possible. Instead, I'll try to provide a "walking tour" with some references that will give you a better understanding of what sudo can (and can't) do, and how to configure sudo to implement the security policy you want.

  • Todd Miller currently maintains sudo as he has since 1994. That probably makes him the godfather of sudo.

  • There is a prodigious amount of documentation on sudo, including many older versions - including ver. 1.8.17p1 used in the current version of macOS (Mojave, 10.14.5).

  • Perhaps a good place to begin learning about sudo is in a nutshell

  • Having read this nutshell overview, you now know that sudo is typically configured using the sudoers file. This is where you will create the specifications that implement your security policy; the specifications that define what resources your friend can access while using your machine.

  • Again, there's a lot of documentation. You'll want to read man sudo (ver 1.8.17 online), and man sudoers (ver 1.8.17 online). OK, skim through it at least, and study the EXAMPLES :) And BTW, your friend will need to read man sudo also, as he'll be using it!

  • Once you've decided what resources your friend needs, you can prepare to tackle actually editing/creating your own sudoers file. But there are some things you should know first:

    1. The sudoers file should only be edited with visudo. To access it, you'll need to be logged in as (or su to) the "admin" user on your Mac. Upon entering the command shown below, the Sample sudoers file will be opened in your admin user's default editor (I've set mine to nano).

    2. Know that editing the sudoers file carries risks. Minimize those risks by NEVER editing sudoers except through the visudo app. visudo is designed to validate the syntax of the sudoers file when it is saved. That won't save you from errors that have the correct syntax of course, but it's far less likely that you'll leave your machine in an unusable state!

Making changes to the sudoers file:

And so: To edit the sudoers file, login as (or su to) the admin user, open a terminal window, and enter:

bash-3.2$ sudo visudo
Password:                # you'll need to enter your admin user's password here

The editor specified in your environment will open, and the sudoers file will be listed. The User specifications section is near the end of the file; you can insert one of the example lines from above, taking care not to edit either of the existing lines:

root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
# insert your additions below here; e.g.:
friend ALL = (ALL) /usr/local/bin/youtube-dl -U

When you finish your edits, write the modified file, then exit the editor. visudo will automatically check the syntax of your sudoers file, and alert you if it finds a problem. You should never override these alerts; find and fix the issue, or simply comment out your changes until you do.

Using sudoedit to limit access to files

One final example: You wanted to grant sudo access, but not allow access to any data stored for your user. For purposes of this example I'll assume that you want to give your friend the ability to edit the file /etc/fstab.hd (a do-nothing file), and all files in the directory /etc/ssh.

You can use the sudoedit specification in the sudoers file to grant your friend access to files or entire directories that you specify. Here's how to accomplish that:

  1. Run sudo visudo to open the sudoers file for editing.

  2. As previously, enter the following sudoedit lines just below those you added previously; i.e.

root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
# insert your additions below here; e.g.:
friend ALL = (ALL) /usr/local/bin/youtube-dl -U
# insert sudoedit specs below here:
friend ALL = (root) sudoedit /etc/ssh/*
friend ALL = (root) sudoedit /etc/fstab.hd

To edit these files, your friend will enter the following command(s) in a terminal window:

MyMacBook:~ friend$ sudo -e /etc/fstab.hd  

# or...

MyMacBook:~ friend$ sudo -e /etc/ssh/ssh_config

# which will open the specified file in friend's specified editor

Limits of sudo

You should also keep in mind that sudo has its limits.

First and foremost, sudo is used to get root privileges for a user from the command line (Terminal). It has no role in determining privileges anywhere else in the system; e.g. to add a new user in System Preferences. Outside the shell then, the authorization database controls access privileges, and sudo has no relevance. You may need a tool like this to manipulate the authorization database. {02/29/20 Edit: authbuddy is no longer maintained; its author suggests Apple's security tool instead. See man security from the CLI, or this HTML version.}

Secondly, sudo should NOT be considered as a tool to harden the system against malicious users. Rather, it's simply a tool for reducing risk and increasing accountability for authorized users. That's not to say it "rolls over", it's only to say that its purpose is not system hardening.

This seems like a good point to stop, and catch our breath :) Your question did not include any specific security goals or policies, so it doesn't seem to make sense to prattle on with more examples (and there are plenty of those available for the cost of a Google search). However, if you do want help with specific configurations, you can either edit your question here, or post a new question. And don't forget that as sudo is available on virtually all *nix platforms, there are other SE sites that may prove useful: SuperUser SE and Unix&Linux SE are two examples.


Other potentially useful resources related to sudo:

  1. AppleGazette on editing the sudoers file
  2. AP Lawrence on Using sudo
  3. Using sudoedit to limit file editing to a specific directory/ies
  4. More on sudoedit (aka sudo -e, aka sudo --edit)
  5. What's So Great About sudoedit?
  6. Good general (not Mac-specific) help from Digital Ocean
  7. The sudo command, Part 2 of a 4-part series on "Demystifying root"
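Added example (not part of the answer above, and not sudo's own code): a small Python model of the sudoers matching rules the answer relies on, so you can check for yourself why `youtube-dl -U` is permitted while `youtube-dl -U --verbose` or a bare `youtube-dl` is not, why the `sudoedit /etc/ssh/*` line covers `/etc/ssh/ssh_config` but not `/etc/passwd`, and why a `(root)` runas list refuses `sudo -u alice`. The sudoers text, the host name MyMacBook, the users alice and friend, and the admin group membership are all constructed for the example; the matcher deliberately ignores aliases, negation (`!`), Defaults, and the inode/digest checks that real sudoers(5) matching performs.

```python
"""
Toy evaluator for sudoers "user specifications" (constructed teaching example,
not sudo's real parser).  It models the matching behaviour documented in
sudoers(5): a command listed WITH arguments only matches when the user supplies
exactly those arguments (or matches a wildcard); a command listed WITHOUT
arguments matches any arguments; the literal "" means no arguments at all;
ALL matches everything; and the (runas) list limits which target user may be
requested with -u.  Not modelled: aliases, negation (!), Defaults, digests.
"""
import fnmatch
import shlex
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed group membership, standing in for /etc/group on the example Mac.
GROUPS = {"admin": {"alice"}}

# Constructed sudoers content, mirroring the lines used in the answer.
SUDOERS = """
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
# insert your additions below here; e.g.:
friend ALL = (ALL) /usr/local/bin/youtube-dl -U
# insert sudoedit specs below here:
friend ALL = (root) sudoedit /etc/ssh/*
friend ALL = (root) sudoedit /etc/fstab.hd
"""


@dataclass(frozen=True)
class Rule:
    who: str              # user name, %group, or ALL
    host: str             # host name or ALL
    runas: str            # target user or ALL (sudoers defaults to root if omitted)
    command: str          # absolute path, "sudoedit", or ALL
    args: Optional[str]   # None: any args; "": no args allowed; else pattern


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'user host = (runas) command args' line; None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    lhs, _, rhs = line.partition("=")
    who, host = lhs.split()
    rhs = rhs.strip()
    runas = "root"                       # sudoers default when no (runas) list is given
    if rhs.startswith("("):
        close = rhs.index(")")
        runas = rhs[1:close].strip() or "root"
        rhs = rhs[close + 1:].strip()
    tokens = shlex.split(rhs)            # the literal "" becomes a single empty token
    command, rest = tokens[0], tokens[1:]
    args = None if not rest else " ".join(rest)   # "" token -> "" -> no args allowed
    return Rule(who, host, runas, command, args)


def load_sudoers(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def _who_matches(rule: Rule, user: str) -> bool:
    if rule.who == "ALL":
        return True
    if rule.who.startswith("%"):
        return user in GROUPS.get(rule.who[1:], set())
    return rule.who == user


def _args_match(pattern: Optional[str], argv: Sequence[str]) -> bool:
    """sudo compares the space-joined argument string: exact, or fnmatch if wildcards."""
    if pattern is None:
        return True
    joined = " ".join(argv)
    if pattern == "":
        return joined == ""
    if any(c in pattern for c in "*?["):
        return fnmatch.fnmatchcase(joined, pattern)
    return joined == pattern


def is_permitted(rules: Sequence[Rule], user: str, host: str, runas: str,
                 command: str, argv: Sequence[str] = ()) -> bool:
    """True if some rule lets `user` on `host` run `command argv` as `runas`.
    `sudo -e FILE` is evaluated as command "sudoedit" with argv [FILE]."""
    for r in rules:
        if not _who_matches(r, user):
            continue
        if r.host not in ("ALL", host):
            continue
        if r.runas not in ("ALL", runas):
            continue
        if r.command != "ALL":
            if r.command != command:     # real sudo also checks inode/digest here
                continue
            if not _args_match(r.args, argv):
                continue
        return True
    return False


if __name__ == "__main__":
    rules = load_sudoers(SUDOERS)
    checks = [
        ("friend", "root", "/usr/local/bin/youtube-dl", ["-U"]),
        ("friend", "root", "/usr/local/bin/youtube-dl", ["-U", "--verbose"]),
        ("friend", "root", "/usr/local/bin/youtube-dl", []),
        ("friend", "root", "sudoedit", ["/etc/ssh/ssh_config"]),
        ("friend", "root", "sudoedit", ["/etc/passwd"]),
        ("friend", "alice", "sudoedit", ["/etc/fstab.hd"]),
        ("alice", "root", "/bin/bash", []),
    ]
    for user, runas, cmd, argv in checks:
        verdict = "ALLOW" if is_permitted(rules, user, "MyMacBook", runas, cmd, argv) else "DENY "
        print(f"{verdict} {user} -u {runas} {cmd} {' '.join(argv)}")
```

Running the block prints one ALLOW/DENY line per check; the only permitted requests for friend are the exact `youtube-dl -U` invocation and sudoedit of the two granted paths as root. Treat the deny-on-extra-arguments behaviour as the reason the answer stresses listing the command with its option: without the `-U`, the rule would permit every option youtube-dl accepts.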