[Warhaven]

Hey All,

I've run into a slight problem with my lab computers. I have an account's ability to change password disabled, and the account is restricted to the applications in just the Applications folder. Unfortunately, Leopard doesn't seem to care if you run the application off your Desktop either. Or for that matter, if you copy an application from the Utilities folder to the user Desktop and run it there.

So, I have a potential problem that a clever student pointed out. Despite being unable to change password from the preference pane, a student could still change the password by copying the Terminal app from the Utilities folder to the Desktop, then running it, then using the passwd command. Apparently, Leopard doesn't prevent the passwd command, even on a managed account.

Any thoughts? Can I disable access to the passwd command, and for that matter, dscl?

Thanks,
-Rob

[turtle777]

Originally Posted by Warhaven 

Apparently, Leopard doesn't prevent the passwd command, even on a managed account.

One question: is the password for that managed account known to the user / students ?

-t

[besson3c]

You could try modifying the permissions of /usr/bin/passwd to remove the executable permissions for everyone, leaving it executable for root and those in the wheel group (i.e. admins).

[Warhaven]

Originally Posted by besson3c 

You could try modifying the permissions of /usr/bin/passwd to remove the executable permissions for everyone, leaving it executable for root and those in the wheel group (i.e. admins).

That's what my Apple support just suggested. Thanks for the replies.