[The Wolf]

Am I missing something? I tried the parental control feature, but it doesn't seem to block internet access completely for a single user. Can anyone help? Thanks.

[rickey939]

How did you attempt to block the internet access?

[The Wolf]

I've attempted to deny access to certain apps by using the simple finder (browsers, mail, chat, etc.). Is there a way to turn off the port (is it 80?) for only a single user? - Or is there something else that's better?

[rickey939]

Originally Posted by The Wolf

I've attempted to deny access to certain apps by using the simple finder (browsers, mail, chat, etc.). Is there a way to turn off the port (is it 80?) for only a single user? - Or is there something else that's better?

And by doing that, how is the user able to get to the Internet with such applications blocked?

[The Wolf]

Launch an allowed App > About App > [some apps have links to their website] despite me NOT allowing the user to access Safari, it still launches and provides unrestricted internet access.

[fisherKing]

are you trying (for example), to keep your kid from web surfing?
what about creating a network setting (pref pane) that, say, uses bluetooth only (ie it wont work with your cablemodem or whatever), and locking that pref so only the admin (you) can change it?

just an idea off the top of my head (hey, it's sunday)...

[rickey939]

Originally Posted by The Wolf

Launch an allowed App > About App > [some apps have links to their website] despite me NOT allowing the user to access Safari, it still launches and provides unrestricted internet access.

Which "About" application has this link to the site so I can test this a little bit further? If this can be replicated by others as well, a bug report needs to be sent off to Apple immediately.

[The Wolf]

Many Apps have this. I just happened to click on one called CD Spin Doctor.

fwiw, I just found that I actually have to:
(1) Turn Family Controls on in Safari;
(2) Log into the limited user's account;
(3) Activate the 'bug' (because otherwise I can't get access to Safari)
(4) Remove ALL the pre-programmed sites from the Bookmark Bar.

Cool, I think I found a bug in OS X and (1) I'm not a techie and (2) I don't have any kids of my own (yet). I'm actually trying to help a troglodyte friend protect his!

[chabig]

Originally Posted by fisherKing

are you trying (for example), to keep your kid from web surfing?
what about creating a network setting (pref pane) that, say, uses bluetooth only (ie it wont work with your cablemodem or whatever), and locking that pref so only the admin (you) can change it?

just an idea off the top of my head (hey, it's sunday)...

That's probably the best idea. Just create a network location that has no internet access at all and switch to it when you leave the machine. Of course, this does put the onus on you to remember to switch it.

Chris

[rickey939]

Originally Posted by The Wolf

I've attempted to deny access to certain apps by using the simple finder (browsers, mail, chat, etc.). Is there a way to turn off the port (is it 80?) for only a single user? - Or is there something else that's better?

Okay, sure enough, I can duplicate this bug when I choose to manage the user by activating the "Simple Finder"; however, when I choose "Some Items" and allow access only to certain applications (obviously not any browsers in this case) it works as advertised. I tested this with CD Spin Doctor as well.

The Wolf, can you see if choosing "Some Items" instead of the "Simple Finder" does what you want? If so, I'll report the "Simple Finder" issue to Apple right away.

Thanks!

[The Wolf]

Sorry, I had to run and get some dinner. Anyway, it does appear that when selecting "Some Items" I CANNOT access the web like I could with "Simple Finder." I'm so completely stoked! You guys have been such a huge help to me over the years, glad I could finally give back.

[rickey939]

Originally Posted by The Wolf

Sorry, I had to run and get some dinner. Anyway, it does appear that when selecting "Some Items" I CANNOT access the web like I could with "Simple Finder." I'm so completely stoked! You guys have been such a huge help to me over the years, glad I could finally give back.

Excellent, thanks for checking. I'll get a bug report filed with Apple right away.

[rickey939]

Bug #4312615 filed successfully...

23-Oct-2005 08:09 PM rickey939:

Summary:
When applying the "Simple Finder" to a user from the Accounts > Parental Control preference pane (in v10.4.2), and you specifically specify that the user cannot open Safari (or any browser), the user can indeed get Safari open when accessing any applications "About" menu, where the developer has included a link to their site. Safari will immediately open and then the user has complete control to reach any site they want. This was tested with "CD Spin Doctor" from the Roxio Toast Titanum 7 software.

Steps to Reproduce:
1.) Launch System Preferences from an admin account
2.) Navigate to Accounts > Select a User > Parental Control
3.) Within "Parental Control", select the "Simple Finder" option
4.) Enable an application that has a link to the developers site through the "About" menu of the application. In my case, I used "CD Spin Doctor" from the Roxio Toast Titanium 7 software. DO NOT ENABLE ANYTHING ELSE.
5.) Login as the user you just managed
6.) Launch the application you enabled up in Step #4 above
7.) Open the "About" menu on the application and click on the link provided

Expected Results:
I expect nothing to happen at this point, because no browsers are enabled to open up.

Actual Results:
Safari opens immediately and navigates to the developers page and/or company site of the product.

Regression:
This is reproducible on any hardware and for sure on v10.4.2 Client OS X. Ironically, when choosing to be managed by "Some Items" (not "Simple Finder"), this exploit is not possible and behaves as expected.

Notes:
The only workaround is not to choose "Simple Finder" as the way to be managed, and instead choose the "Some Items" option if you don't want any browsers to be launched and accessible.

[chabig]

So if you're using Simple Finder, make sure the Terminal is unavailable to the user too, because if you can launch terminal you can launch anything.

Chris

[The Wolf]

That's excellent thank you. The only thing I'm not 100% sure about is the following:

Safari will immediately open and then the user has complete control to reach any site they want.

IIRC you can only (initially) access the handful of default sites in Safari's Bookmark Bar. (i.e., you can't just type an address like http://www.pRon.com in the Address Bar). However, since yahoo is one of the handful of sites, you can ultimately get there with a few clicks.

[nuggetman]

the reason for this bug lies in the way simple finder is set up

it's not nessecarily DISABLING the app, but it isn't creating a shortcut to the app in the "allowed applications" folder

i guess they figured since you can't get outside of that folder and those shortcuts, theres no problem

not defending them, just saying this may take a larger fix than it seems because of how SF works

[The Wolf]

From the description, it sounds to me like it is a disabling app and in IMHO would most likely be the option a less computer savy parent would chose to accomplish what I was trying to accomplish based on:

(1) the umm... "simplicity" of setting it up and in using it; and
(2) the following specific statement found in the setup:

Simple Finder:
Simple Finder is easier to use and limits access to applications.
Users can't change the Dock and can open only the applications in the My Applications folder.

(emphasis added)

[plastiqueusa]

Something like Little Snitch may also help; you should be able to set up a rule blocking all traffic on Port 80, but I'm not sure if it can be set with different rules for various accounts...

Edit--Here's more information from the documentation:

Here is an example rule set for denying any internet connection for a particular application:

* TheApplication Deny any network connection.
(deny general any network communication expect connections which are local on your machine)
* TheApplication Allow any connection to local network.
This additional rule is necessary if TheApplication needs to reach another machine within your local network. (allows connections within your local networks)

There's also a setting for 'all applications' to follow any rule you want to set, such as the ones above; the trial version is fully functional but has a trial limit for 3 hours. It may be worth trying out rather than going through all the trouble with the OS.

[Randman]

Create a controlled user, disable the ability to install software and block all Internet browsers. Of course, for that much trouble, just turn the Internet access off.

[JKT]

If you are using Tiger, I thought that the Parental Controls allowed you to whitelist sites that people can access. Why not just set up a whitelist with no sites in it, or doesn't that work?

[nuggetman]

Originally Posted by The Wolf

From the description, it sounds to me like it is a disabling app and in IMHO would most likely be the option a less computer savy parent would chose to accomplish what I was trying to accomplish based on:

(1) the umm... "simplicity" of setting it up and in using it; and
(2) the following specific statement found in the setup:


(emphasis added)

Exactly, it limits it

Double click an icon in the My Applications folder. Notice how when the icon does the zoom out to show it's launching, there's a shortcut arrow? Launch the full finder and open My Applications and the shortcut arrow is also there.

I say go with the empty whitelist option in Safari.

[rickey939]

Originally Posted by The Wolf

That's excellent thank you. The only thing I'm not 100% sure about is the following:



IIRC you can only (initially) access the handful of default sites in Safari's Bookmark Bar. (i.e., you can't just type an address like http://www.pRon.com in the Address Bar). However, since yahoo is one of the handful of sites, you can ultimately get there with a few clicks.

Okay, I'll change the wording on the bug report. Thanks for the explanation.