[Tennberg]

Hi everyone,

Sorry for the first blank response. Here's the full text:

Using a reference from a web post, I created a set of instructions for our IT people that would allow regular users under OS X to be able to edit certain system preferences such as Date & Time, Network (to create new locations when they travel), and so on. Below are the instructions:

1. Log into the computer as root.

2. Using pico, open the file called authorization in the directory /etc:

pico /etc/authorization

3. Change the following portion of the file (and ONLY this portion of the file):

Old

<key>system.preferences</key>
<dict>
<key>group</key>
<string>admin</string>
<key>shared</key>
<true/>
<key>allow-root</key>
<true/>
</dict>

New

<key>system.preferences</key>
<dict>
<key>group</key>
<string>staff</string>
<key>shared</key>
<true/>
<key>allow-root</key>
<true/>
</dict>

4. Save the file by using a write out (Control-O), hit enter to save the file to /etc/authorization, and exit pico.

5. Open a terminal window.

6. Type in the following for each preference pane you DON'T want users to access (The ones I don't want them to access are the following):

chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/Accounts.prefPane
chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/Sharing.prefPane
chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/StartupDisk.prefPane

7. Close the terminal window, log out as root, and log back in as the normal user.

8. You should now be able to modify date, time, and energy settings. However, if you try to click on Accounts, a window will pop up saying you cannot access it.

How do I do the same action under 10.3.x? I looked at the same file in 10.3.4, and it is VERY different. According to the old file in 10.2.x, this would be replaced by a system tool in the future. Has that been done in Panther? If not, how do I achieve the same results?

Thanks!

[piracy]

First of all, why in the hell are you telling people to *log in* as root to edit a text file?

Have them use sudo:

sudo pico /etc/authorization

Any admin user can do it. No enabling and logging in as root. Simple.

Second, /etc/authorization in 10.3.4 most certainly still has that same stanza:

<key>system.preferences</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is checked by the Admin framework when making changes to the system preferences.
Credentials remain valid forever.
An acquired credential is shared amongst all clients.
If the proccess that created the AuthorizationRef has uid = 0 this right will automatically be granted.</string>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>builtin:authenticate</string>
</array>
<key>shared</key>
<true/>
</dict>

What's the problem?

[Tennberg]

Hello piracy,

Although I appreciate the response, the manner in which you wrote it comes off as somewhat rude. As you can see in my previous post, these were a set of instructions I created for IT employees, *not* regular users. I don't see a problem with IT people logging in as root to make a change like this. Sure, you could use sudo as admin, but this is just the way I prefer to do it. I don't log in as root to do many things, but I do occassionally do it for a thing or two.

I also was expecting the context of the file in 10.3.4 to look *exactly* like it did in 10.2.x, so I apologize if I came to this forum to ask for advice before proceeding with this.

I'll be sure my next post doesn't make me seem like an idiot.