User with nearly all admin permissions but not allowed stop a single app or to delete its relevant files

Question

How can I create a user on macos who has nearly all permissions of admin user, but is not able to stop a binary whitelisting/blacklisting system (https://github.com/google/santa) from execution nor is able to delete its relevant files? So on the bottom line it's an admin who can't stop the application controll app itself.

Should this user be able to user permissions? Yes

Should this user be able to edit their own permissions? No

Should this user be able to create new users? No

Should this user be able to create new, unrestricted admin users? No

Should this user be able to create setuid 0 binaries? No

Should this user be able to edit the whitelist? No

Should this user be able to user permissions? Should this user be able to edit their own permissions? Should this user be able to create new users? Should this user be able to create new, unrestricted admin users? Should this user be able to create setuid 0 binaries? Should this user be able to edit the whitelist? TL;DR: you need to think about your requirements a lot more. — Philip Kendall, Apr 27 '19 at 14:34
Thank you for your detailed comment! I edited my question according to it. — Madamadam, Apr 27 '19 at 14:56
Unfortunately, they are just the most obvious ways I could think of to subvert this scheme. There are many, many more. — Philip Kendall, Apr 27 '19 at 15:35
unfortunately I am not savvy enough to oversee the possibilities of subversion — Madamadam, Apr 27 '19 at 15:43
Related: Can I create a *super* super-user so that I can actually have a user that can deny permission to root? — G-Man Says 'Reinstate Monica', Apr 28 '19 at 04:32

User with nearly all admin permissions but not allowed stop a single app or to delete its relevant files

0 Answers0