Managed User can Launch Restricted Apps!
Grizzled Veteran (Join Date: May 1999; Location: Seattle; Status: Offline)
I've got a managed user on my home system for whom I've turned off all internet apps except for Watson and Sherlock.
When she is using either of the two though, and clicks on a link, Safari just launches away without a problem and takes her to the link.
From that point she can access any web site as if she had authorization to use Safari.
If she tries to launch Safari manually it gives her the permission denied message.
This is a major flaw...
edit: AppleScripts will launch Safari as well.
(Last edited by Boondoggle; Nov 23, 2003 at 12:35 PM.)
1.25GHz PowerBook

i vostri seni sono spettacolari
Senior User (Join Date: May 2001; Location: Massachusetts, USA; Status: Offline)
Eek! That is a pretty big flaw... well, in the meantime, you could just set her Internet helper application to be an AppleScript that displays a dialog and then quits... or just TextEdit. 
Grizzled Veteran (Join Date: May 1999; Location: Seattle; Status: Offline)
In the meantime, you could just set her Internet helper application to be an AppleScript that displays a dialog and then quits... or just TextEdit
I followed your advice and it worked. Ironically I had to turn Safari privileges back on in order to make the change because the prefs for the default browser are in Safari now...
Thanks,
bd
Addicted to MacNN (Join Date: Feb 2001; Location: zurich, switzerland; Status: Offline)
I'm not sure how you changed the permission for that user. I presume you did it using the Get Info panel. The actual executable itself is /Applications/Safari.app/Contents/MacOS/Safari which belongs to root and is executable by anybody. If you change those permissions instead, you might have more luck. In the terminal do the following:
sudo chmod 774 /Applications/Safari.app/Contents/MacOS/Safari
It will prompt you for your admin password.
Try that and see if your user (I presume you want to protect a child from the internet) can still start Safari.
Edit to add: Make sure your user is not an admin user, obviously!
(Last edited by theolein; Nov 23, 2003 at 03:41 PM.)
weird wabbit
Posting Junkie (Join Date: Dec 2000; Status: Offline)
Originally posted by theolein:
I'm not sure how you changed the permission for that user. I presume you did it using the Get Info panel.
I'm guessing that he probably actually used the "Limitations" tab in the Accounts preference pane.
Grizzled Veteran (Join Date: May 1999; Location: Seattle; Status: Offline)
I'm guessing that he probably actually used the "Limitations" tab in the Accounts preference pane.
that is correct. Changing permissions is a royal pain and I don't want to do it. I would have to put this user in a different group, and that just gets complicated.
I assume
sudo chmod 774 /Applications/Safari.app/Contents/MacOS/Safari
makes the group for Safari admin or something and no access for other users.
but that isn't practical, as I've got several regular users on this system that need full access to apps but not admin access. Their current group is "Staff". If I change the group of this user, then I've got to go in and mess with the groups on all the apps that she CAN use... which is just a royal pain, and besides, it would break permissions for the Staff users.
Using the System preferences/Accounts/Limitations pane is how I want to manage this, but it isn't working properly.
Someday somebody besides me is going to realize that the one-group/user paradigm is a gaping limitation to Unix. We should be able to assign users to multiple groups, and assign file permissions to multiple groups as well. Then we'd really have something powerful and flexible. With a system like that I could easily designate multiple groups of apps and accesses to multiple classes of users, including overlapping ones.
Clinically Insane (Join Date: Oct 2001; Location: San Diego, CA, USA; Status: Offline)
Originally posted by Boondoggle:
Someday somebody besides me is going to realize that the one-group/user paradigm is a gaping limitation to Unix. We should be able to assign users to multiple groups, and assign file permissions to multiple groups as well.
Last I checked, you can assign a user to more than one group.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
Senior User (Join Date: Aug 2003; Location: united states empire; Status: Offline)
Originally posted by Boondoggle:
Someday somebody besides me is going to realize that the one-group/user paradigm is a gaping limitation to Unix.
The limitation you speak of simply does not exist.
Addicted to MacNN (Join Date: Feb 2001; Location: zurich, switzerland; Status: Offline)
Originally posted by Boondoggle:
that is correct. Changing permissions is a royal pain and I don't want to do it. I would have to put this user in a different group, and that just gets complicated.
I assume
sudo chmod 774 /Applications/Safari.app/Contents/MacOS/Safari
makes the group for Safari admin or something and no access for other users.
but that isn't practical, as I've got several regular users on this system that need full access to apps but not admin access. Their current group is "Staff". If I change the group of this user, then I've got to go in and mess with the groups on all the apps that she CAN use... which is just a royal pain, and besides, it would break permissions for the Staff users.
Using the System preferences/Accounts/Limitations pane is how I want to manage this, but it isn't working properly.
Someday somebody besides me is going to realize that the one-group/user paradigm is a gaping limitation to Unix. We should be able to assign users to multiple groups, and assign file permissions to multiple groups as well. Then we'd really have something powerful and flexible. With a system like that I could easily designate multiple groups of apps and accesses to multiple classes of users, including overlapping ones.
Hmmmm....
I normally use only one user on my system and, to be honest, didn't even know that the limitations tab existed (or just forgot about it).
So, I tried it myself. I setup a user with the following limitations:
User can NOT administer computer.
User can NOT remove items from the Dock
User can NOT change password
User can NOT open all System Preferences
User can burn CD's and DVD's
User can ONLY use the following applications:
Applications:
All but Safari
Utilities:
None
Applications (Mac OS9):
None
Other:
None
I then logged out and back in as that user. I started Sherlock and did a search for MacNN. I tried clicking on the URL: Failure dialog comes up that no internet application can be found. So far so good. I tried dragging a URL from Sherlock onto the desktop and then double clicking the URL: Same failure dialog as before. I don't have Watson, so I can't test that.
So it seems that it might be a problem with your system or that you've given permissions to non admin users either via their accounts checkbox or via an application that bypasses the mechanism that OSX uses to grant access to specific applications. I don't know how this is done, as there is nothing in netinfo, nor is there a group change, nor is there an application change. I presume the Finder has a desktop db file somewhere, as in classic Mac OS that it uses to open related files with applications.
Try checking on those applications that the users have access to, and try setting up a user with the permissions that I describe above.
For what it's worth: In Unix you can assign users and files to different groups, just that you'd have to do it via the commandline or via netinfo in OSX. Your default admin user is actually a member of both admin and staff groups. You could make use of netinfo to make different groups, but I'm not sure
I actually wonder why OSX, via the accounts preferences tab, actually assigns all users to the staff group (GID 20) instead of making differentiated groups for non admin users.
Grizzled Veteran (Join Date: May 1999; Location: Seattle; Status: Offline)
Are you sure that Safari is the default browser for that user in Safari prefs?
enable safari, make safari the default browser, disable safari and then try to open a link from Sherlock.
For me, on 2 systems this causes Safari to launch. I tested it out at work and got the same result.
lenox: "The limitation you speak of simply does not exist."
How do you allow more than one group to access a file? I've never even seen that mentioned in a book.
Professional Poster (Join Date: Nov 2000; Location: Tasmania, Australia; Status: Offline)
Originally posted by Boondoggle:
How do you allow more than one group to access a file? I've never even seen that mentioned in a book.
The limitation of one group per user does not exist. The limitation of one group per file does exist.
However, you should not need more than one group per file. If the existing groups don't match the set of users who should have access to that file, then the correct solution is to create a new group with the correct set of users. This makes much more logical sense.
In classic Mac OS, you could create groups which contained groups, which was a very easy way to do this, but I don't know of any way of doing this in Mac OS X.
BTW, most unix systems these days do provide extensions to the default one-group-per-file paradigm, called Access Control Lists (ACLs). Using ACLs allows a far more complex pattern of administration for file ownership and access rights.
I don't think Mac OS X uses this scheme, however.
Grizzled Veteran (Join Date: May 1999; Location: Seattle; Status: Offline)
I see your point. My error was assuming that users could only belong to one group. (somebody here actually told me that, but I should have checked it.)
However I can envision a case where you might have some mutually exclusive groups that you would want to access a few common files. So apparently you'd have to add all those users to a new group and assign just those files to that group. I guess that feels less flexible than just assigning the files to the respective groups, even if the end result is the same.
BTW, most unix systems these days do provide extensions to the default one-group-per-file paradigm, called Access Control Lists (ACLs). Using ACLs allows a far more complex pattern of administration for file ownership and access rights.
Maybe this is what Apple should be implementing for the Limitations Pane in the Accounts system prefs...
(Last edited by Boondoggle; Nov 24, 2003 at 06:45 PM.)
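A worked model of the permission check that theolein's "chmod 774" relies on, and of the point argued afterwards in the thread: a user may belong to many groups, but a file has exactly one owning group, so the clean fix is a new group holding just the users who may run the binary, while ACLs lift that limit a different way. This is an added illustration, not code from any poster in the thread; the user and group names, and the assumption that the Safari binary is owned by root with group admin, are constructed for the example, and the ACL evaluator is a generic first-match model, not any particular OS's rules.

```python
"""Model of the Unix mode-bit check (one owner, one group, three access
classes) plus a simplified ACL overlay.  Added illustration only; the
user/group names and the 'admin' owning group are constructed."""
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]   # primary group plus supplementary groups


@dataclass(frozen=True)
class FileMeta:
    owner: str
    group: str               # exactly one owning group per file
    mode: int                # permission bits only, e.g. 0o774


# Which bit answers "may this class do r/w/x?", per access class.
_CLASS_BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def access_class(user: User, f: FileMeta) -> str:
    """Exactly one class applies and there is no fall-through: the owner
    of a 0o074 file gets no execute even though group/other would."""
    if user.name == f.owner:
        return "owner"
    if f.group in user.groups:      # any of the user's groups counts
        return "group"
    return "other"


def unix_allows(user: User, f: FileMeta, want: str) -> bool:
    """Classic DAC check for want in {'r', 'w', 'x'}; superuser override ignored."""
    return bool(f.mode & _CLASS_BITS[access_class(user, f)][want])


# Simplified ACL overlay: ordered (kind, principal, allow, perms) entries.
# The first entry matching the user and the requested permission decides;
# otherwise the mode bits apply.  A generic model, not any one OS's rules.
AclEntry = Tuple[str, str, bool, str]


def acl_allows(user: User, f: FileMeta, want: str, acl: List[AclEntry]) -> bool:
    for kind, principal, allow, perms in acl:
        hit = (kind == "user" and principal == user.name) or \
              (kind == "group" and principal in user.groups)
        if hit and want in perms:
            return allow
    return unix_allows(user, f, want)


# Constructed accounts: every non-admin user sits in staff, as the thread notes.
PARENT = User("parent", frozenset({"staff", "admin"}))   # the admin account
BOB    = User("bob",    frozenset({"staff"}))            # regular user who needs Safari
KID    = User("kid",    frozenset({"staff"}))            # the managed user

SAFARI_STOCK = FileMeta("root", "admin", 0o775)   # assumed stock ownership and mode
SAFARI_774   = FileMeta("root", "admin", 0o774)   # after theolein's chmod 774

# Fix proposed later in the thread: a new group holding exactly the users who
# may run Safari, with the binary re-owned to that group (constructed names).
BOB_B          = User("bob", frozenset({"staff", "browsers"}))
SAFARI_BROWSER = FileMeta("root", "browsers", 0o774)

# ACL alternative: keep the stock mode and add one deny entry for the kid.
DENY_KID: List[AclEntry] = [("user", "kid", False, "x")]


def summary() -> Dict[str, bool]:
    """Execute permission on the Safari binary under each arrangement."""
    return {
        "stock/kid":    unix_allows(KID, SAFARI_STOCK, "x"),
        "774/kid":      unix_allows(KID, SAFARI_774, "x"),
        "774/parent":   unix_allows(PARENT, SAFARI_774, "x"),
        "774/bob":      unix_allows(BOB, SAFARI_774, "x"),    # Boondoggle's objection
        "browsers/bob": unix_allows(BOB_B, SAFARI_BROWSER, "x"),
        "browsers/kid": unix_allows(KID, SAFARI_BROWSER, "x"),
        "acl/kid":      acl_allows(KID, SAFARI_STOCK, "x", DENY_KID),
        "acl/bob":      acl_allows(BOB, SAFARI_STOCK, "x", DENY_KID),
    }


if __name__ == "__main__":
    for case, ok in summary().items():
        print(f"{case:13} execute={'yes' if ok else 'no'}")
```

The "774/bob" case is the collateral damage Boondoggle describes: clearing the other-execute bit blocks every staff user, not just the managed one, because the kernel picks a single access class and never falls through to another. The "browsers" group and the ACL entry both restore access for bob while still denying the kid; the ACL version does it without touching anyone's group membership.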
Dedicated MacNNer (Join Date: Feb 2001; Location: Huddersfield, UK; Status: Offline)
Originally posted by theolein:
...I don't know how this is done, as there is nothing in netinfo....
I thought that this was exactly how the whole Limitations/Capabilities system was managed, or at least it was in Jaguar. I posted about this back in February this year... http://forums.macnn.com/showthread.p...es#post1255674
I would be interested to know if they are using the same system in Panther and also to know just how similar this system is to the ACLs found on other Unices.
PM G4 DP 500 MHz, 768 Mb, DVD-ROM, 85 Gb, Mac OS X 10.3.9
PB G4 1.25 GHz, 512 Mb, DVD-R, 80 Gb, Mac OS X 10.4
Mac Elite (Join Date: Sep 2001; Location: Santa Monica, CA; Status: Offline)
Originally posted by Boondoggle:
Ironically I had to turn Safari privileges back on in order to make the change because the prefs for the default browser are in Safari now...
Well, most of this thread is outside of my experience, although I'm making an effort to remember it towards when/if I set up other users.
The above point I can address, though! Panther can apparently still use the Jaguar Internet preferences panel, so you don't have to take the Bill Gates road through Safari to make your changes.
You can pull the Internet.prefpane file out of the Jag CD using Pacifist, and then just pop it in ~/Library/PreferencePanes or /Library/PreferencePanes, as you like (probably the latter for your purposes here.)