Question

Is it possible to make it so a user can use the sudo command in Terminal, but not have access to sites other than those allowed through parental controls, without a third-party system?


Solution

By adjusting the sudoers file (/etc/sudoers) with sudo visudo it should be possible to accomplish this. It is a hell of a job and you need a profound knowledge of all commands to fine-tune this while avoiding errors and loopholes though.

You have to add the user to the User privilege specification section

...
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
...

Then use a whitelist (or a blacklist) of allowed (or disallowed) commands:

Examples:

whitelist

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
user    ALL=/usr/bin/nano,/usr/bin/opensnoop

blacklist

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# ALL must come first: a list made up only of negated commands grants nothing
user    ALL=ALL,!/usr/libexec/PlistBuddy,!/usr/bin/passwd,!/usr/sbin/*

You may mix whitelist and blacklist.

Please check man sudoers for how to simplify things or narrow things down by configuring User, Runas, Host and Cmnd alias specifications.


Check the accepted answer to the question How to prevent sudo users from running specific commands? for the pitfalls of configuring a simple command like rnano in the sudoers file.
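As an added example (not part of the original answer), the following script audits simple user specification lines for the shapes discussed above: blacklists subtracted from ALL, negation-only rules, and whitelisted programs that can edit files or launch other programs as root. The sample rules are constructed, the users "kid" and "guest" are made up, and the ESCAPE_CAPABLE list is an illustrative assumption; aliases, tags and line continuations are not handled.

```python
import re

# Constructed sample modelled on the answer's rules; "kid" and "guest" are made-up users.
SAMPLE = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
user    ALL=/usr/bin/nano,/usr/bin/opensnoop
kid     ALL=ALL,!/usr/libexec/PlistBuddy,!/usr/bin/passwd,!/usr/sbin/*
guest   ALL=!/usr/bin/passwd
"""

# Assumption: illustrative list of programs that can edit arbitrary files or
# launch other programs once they run as root. Extend it for your own systems.
ESCAPE_CAPABLE = {"nano", "rnano", "vi", "vim", "less", "more", "man"}

# who  host = [(runas)] command-list   (no aliases, tags or line continuations)
SPEC = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def audit(text):
    """Return sorted (principal, finding) pairs for simple user specifications."""
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m or m.group(1).endswith("_Alias"):
            continue
        who = m.group(1)
        cmds = [c.strip() for c in m.group(2).split(",") if c.strip()]
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c for c in cmds if c.startswith("!")]
        if not allowed:
            findings.add((who, "negation-only: rule grants nothing"))
        elif "ALL" in allowed and denied:
            # sudoers(5): subtracting commands from ALL is generally not effective
            findings.add((who, "blacklist: ALL minus denied paths"))
        elif "ALL" in allowed:
            findings.add((who, "unrestricted: full root"))
        for c in allowed:
            if c.split()[0].rsplit("/", 1)[-1] in ESCAPE_CAPABLE:
                findings.add((who, "escape-capable: " + c))
    return sorted(findings)

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who:8} {finding}")
```

Run it against a copy of the sudoers file rather than the live one, and treat every finding as a rule to review by hand.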

Other suggestions

The two concepts are mutually exclusive.

Adding someone to the sudoers list effectively gives them the power to bypass any restriction you wish to impose on them.

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange