Editing /etc/authorization in 10.3 to allow non-admin users to modify prefs - How?
Tennberg
Junior Member
Join Date: Apr 2001
Jun 27, 2004, 03:18 AM
 
When I migrated our company's Mac users from 9 to 10.2, I was able to find a hack online that allowed standard users to modify things like date, time, and network locations. This was handy if they were traveling to a new office and needed to create a new location for that office's particular settings. Here is what I did:

I modified the following section of the file /etc/authorization using pico:

<key>system.preferences</key>
<dict>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <true/>
    <key>allow-root</key>
    <true/>
</dict>

I changed "admin" to "staff" and saved the file. I then performed the following terminal commands:

chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/Accounts.prefPane
chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/Sharing.prefPane
chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/StartupDisk.prefPane

This allowed standard users to modify date/time and network settings, but to be locked out of modifying accounts, sharing, or the startup disk.

*THANKS TO THE ORIGINAL POSTER ON MACOSXHINTS.COM*
------------------

Now, in 10.3, the file /etc/authorization has changed. I found a similar section below:

<key>system.preferences</key>
<dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>This right is checked by the Admin framework when making changes to the system preferences.
Credentials remain valid forever.
An acquired credential is shared amongst all clients.
If the proccess that created the AuthorizationRef has uid = 0 this right will automatically be granted.</string>
    <key>group</key>
    <string>admin</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:authenticate</string>
    </array>
    <key>shared</key>
    <true/>
</dict>

I changed "admin" to "staff", and saved the file. I then logged in as a regular user I created and tried to unlock date/time (in 10.2, after the hack, it was already unlocked). When it asked me to authenticate for a user in group "staff", I entered the standard user's name and password, but was denied access.

Do you know what I might have done wrong? Is there an easier way to do this? The control panels I want regular users to access are mainly date/time and network, and want them to be locked out of things like accounts, startup disk, sharing, etc.

Thanks for any suggestions.
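
An added example (not part of the original post and not Apple's tooling): a small Python audit that parses an authorization database in the plist layout quoted above and reports every right whose `group` is no longer `admin`, which is the change the post describes. The top-level `rights` key, the sample data and the right name `example.admin.only` are assumptions constructed for illustration.

```python
import plistlib

# Constructed sample modelled on the 10.3 entry quoted in the post, with the
# group already changed to "staff". This is not a copy of a real system file.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key>
<dict>
  <key>system.preferences</key>
  <dict>
    <key>allow-root</key><true/>
    <key>class</key><string>user</string>
    <key>group</key><string>staff</string>
    <key>mechanisms</key><array><string>builtin:authenticate</string></array>
    <key>shared</key><true/>
  </dict>
  <key>example.admin.only</key>
  <dict>
    <key>class</key><string>user</string>
    <key>group</key><string>admin</string>
    <key>shared</key><false/>
  </dict>
</dict>
</dict></plist>"""


def audit_rights(plist_bytes, expected_group="admin"):
    """Return one finding per right whose group differs from expected_group."""
    # Assumption: rights live under a top-level "rights" dictionary.
    rights = plistlib.loads(plist_bytes).get("rights", {})
    findings = []
    for name, rule in sorted(rights.items()):
        # Only entries that gate on group membership are relevant here;
        # this covers both the 10.2 and 10.3 layouts shown in the post.
        if not isinstance(rule, dict) or "group" not in rule:
            continue
        if rule["group"] != expected_group:
            findings.append({
                "right": name,
                "group": rule["group"],
                # A shared credential is reused by every client once acquired.
                "shared": bool(rule.get("shared", False)),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_rights(SAMPLE):
        print(finding)
```
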
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Jun 27, 2004, 05:56 AM
 
Every user can change the network location. If you want to enable some prefs to the user, then you can do so in the Users-Prefs when you are logged in as an admin user.

Other than this, you don't want people to change the time and stuff like this as it is a security risk.

So your hack is pretty useless as far as I see it. The time is automatically set periodically if you choose so in the prefs, every user (unless specifically switched off) can change the network location, so what do you need the hack for?

You can even determine which Pref Panes a specific user may touch. If you want a user to do more than this, activate the admin privileges.
I don't suffer from insanity, I enjoy every minute of it.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Jun 27, 2004, 06:02 AM
 
One last remark: such hacks are extremely dangerous, because if you don't know what you are doing, you could damage your MacOS X installation. In particular, Unix doesn't like it, if you alter the rights of a file (such as ownership, etc.).
I don't suffer from insanity, I enjoy every minute of it.
     
rkt
Mac Enthusiast
Join Date: Oct 2000
Jun 28, 2004, 07:07 AM
 
Originally posted by OreoCookie:
The time is automatically set periodically if you choose so in the prefs, every user (unless specifically switched off) can change the network location, so what do you need the hack for?
i'm guessing that he might mean changing the *timezone* rather than the time, per se.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Jun 28, 2004, 08:31 AM
 
Originally posted by rkt:
i'm guessing that he might mean changing the *timezone* rather than the time, per se.
Why would I want to change my timezone frequently?
I don't suffer from insanity, I enjoy every minute of it.
     
rkt
Mac Enthusiast
Join Date: Oct 2000
Jun 28, 2004, 10:49 AM
 
Originally posted by OreoCookie:
Why would I want to change my timezone frequently?
well, i'm pretty sure i'm not the only person who works for a multi-national company or, for some other reason, travels frequently; for me, "travelling to a new office" almost certainly means shifting to a different timezone. sadly the automagic ntpd only keeps the clock correct to utc - it won't adjust the clock to the correct timezone.
     
Tennberg  (op)
Junior Member
Join Date: Apr 2001
Jun 28, 2004, 10:49 AM
 
Thanks for the replies everyone.

For the date/time modifications, a lot of our users travel to Europe and Asia quite frequently, so it would be awesome for them to change their time zone. In addition, there have been a couple instances where someone's computer crashed and the time/date were reset to some day in 1970. With our e-mail program, Lotus Notes, it will not let the user authenticate if their date/time differ significantly from that of the server's date/time. So, changing date/time would be great.

As for network locations, I know that standard users can *change* network locations. What I would like for them to be able to do is *add* new network locations. A lot of times, our users will find themselves in places that require specific network settings and with the way the network prefs are set up, a standard user cannot create a new location with specific settings. He/she can only use what I put in there in the first place.

Thanks for any further suggestions you all may have.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Jun 29, 2004, 03:58 AM
 
As I live in Japan (one month to go), I understand.

Still, meddling with permissions (and those files) is a very tricky game.
I don't suffer from insanity, I enjoy every minute of it.
     
ism
Grizzled Veteran
Join Date: Sep 2001
Jun 29, 2004, 08:04 AM
 
Isn't this best done via the mcx_settings file in netinfo?

See here for some relevant info:
http://docs.info.apple.com/article.html?artnum=107672
and here:
http://docs.info.apple.com/article.html?artnum=107659

For instance, I edited this to allow my daughter's account access to the display settings in simple finder.

Apologies if I've overlooked something
     
Tennberg  (op)
Junior Member
Join Date: Apr 2001
Status: Offline
Reply With Quote
Jun 29, 2004, 03:49 PM
 
Hi everyone,

Thanks for the suggestions and effort you all gave.

I had a talk with our company's global IT director about this, and we decided that we're going to do the following:

1. Leave users as standard users (just as in 10.2) with no modifications to any Unix files.

2. Create a network location for around 20 of our offices and several default locations for things like a location with DHCP/ethernet and no proxy, a location with DHCP and Airport, etc.

3. Leave date/time as it is, and let the IT people in each location change it if the person arrives in their office and wants it changed.

It was nice to have this in 10.2, but there were instances where users would delete network locations, create their own with incorrect settings, etc.

Nevertheless, thanks for all the help.
     
   
 
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.