Security not very secure
Donp213
Fresh-Faced Recruit
Join Date: Apr 2004
May 10, 2004, 11:36 AM
 
I have created a "Simple Finder" user. I have only enabled programs I wish for this user to run; "System Preferences" is not one of them. Well, you can get into "System Preferences" and adjust many things that I do not wish to be adjusted. When logged in as this restricted user all you have to do is either control click, (right click), the dock and adjust away. Another way is to press Option+F14 or Option+F15. Not only will this way get you in but it takes you straight to Display properties. Display properties is one area of "System Preferences" that is supposed to be locked down. In fact if you hover your mouse pointer over "Displays" it states as such. If you click "Show All", Displays is grayed out indicating its lock down.

Please correct me if I am wrong, but.....Please
These flaws in security are atrocious. Because of these flaws, this product is not a viable solution for insertion into a REAL production environment. I am absolutely floored by this. I can't believe they would release a product with these flaws in the security.

Panther OSX
     
Moose
Senior User
Join Date: May 2001
May 10, 2004, 12:44 PM
 
man chmod
man chflags
     
CatOne
Mac Elite
Join Date: Nov 2001
May 10, 2004, 12:49 PM
 
Originally posted by Donp213:
I have created a "Simple Finder" user. I have only enabled programs I wish for this user to run; "System Preferences" is not one of them. Well, you can get into "System Preferences" and adjust many things that I do not wish to be adjusted. When logged in as this restricted user all you have to do is either control click, (right click), the dock and adjust away. Another way is to press Option+F14 or Option+F15. Not only will this way get you in but it takes you straight to Display properties. Display properties is one area of "System Preferences" that is supposed to be locked down. In fact if you hover your mouse pointer over "Displays" it states as such. If you click "Show All", Displays is grayed out indicating its lock down.

Please correct me if I am wrong, but.....Please
These flaws in security are atrocious. Because of these flaws, this product is not a viable solution for insertion into a REAL production environment. I am absolutely floored by this. I can't believe they would release a product with these flaws in the security.

Panther OSX
You've set these preferences from the workstation itself? Hmmm. Is the user a regular user or an administrative user? If the latter, all bets are off.

Really, this stuff would be managed in a REAL product environment by Open Directory, which can lock this stuff down.
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
May 10, 2004, 01:55 PM
 
I just tried this scenario and you are correct in saying you can access the system preferences in a limited account, where the system preferences is deselected from allowable apps. Using the option-F14 keys, system preferences opens right up and you can then access several preference panes, of which, displays is one of them.
     
Donp213  (op)
Fresh-Faced Recruit
Join Date: Apr 2004
May 10, 2004, 02:14 PM
 
I am curious. Can someone out there who is using Open Directory try this for me? I would greatly appreciate it.
     
someone_else
Dedicated MacNNer
Join Date: Dec 2001
Location: Promised Land
May 10, 2004, 03:00 PM
 
This sounds like a bug to me. Did you report this to Apple? [email protected]
G5 2.5 DP/2GB RAM/NVidia 6800 Ultra
PowerBook Al 1Ghz/768MB RAM
6gb Blue iPod Mini
     
jwblase
Senior User
Join Date: Nov 1999
Location: The workshop of the TARDIS...
May 10, 2004, 03:58 PM
 
I would think that certain things that are user specific would still be adjustable for that user, and that user only. For instance, the Dock is not a system preference. It is more of a user preference. Does that particular user want it shown, or hidden? There are some things in the System Preferences panes that are user specific.

JB
---------------------------
"Time will tell. It always does."
-The Doctor
     
Phranken9
Junior Member
Join Date: Apr 2002
Location: San Diego
May 10, 2004, 06:00 PM
 
I was able to reproduce this, and while I don't think the specific preferences you can change are a security threat, I was able to totally cut off the Simple Finder user's System Preferences.app access entirely by changing the permissions on System Preferences.app.


Here's what I did, someone correct me if it opens up any other problems or if there's an easier way.

1. "Get Info" on System Preferences.app inside of /Applications

2. Uncollapse the Ownership & Permissions section, and then the Details section. Click the little lock, enter your administrator password.

3. Change the "Others" Property to "No Access" and set "Group" to "admin," so you can still use and change. "Owner" should remain "system".

This will prevent any non-admins from opening System Preferences, and I think that anytime you run "Fix Permissions" from Disk Utility, it will reset it to the original state.
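The Get Info steps in the post above, as a shell sketch built on the `chmod` that Moose pointed to (an added example, not part of the original thread or Phranken9's own commands). The function names `others_access` and `restrict_bundle` are hypothetical; the bundle path and group are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): command-line form of the Get Info
# steps, plus an audit to re-run after Disk Utility repairs permissions,
# which the post says resets the change.

# Print every non-symlink entry in the bundle that "others" can still
# read, write or execute. Empty output means "No Access" for others.
others_access() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Set the group, remove all access for others, leave the owner untouched.
# Returns 0 only if the audit afterwards finds nothing.
restrict_bundle() {
    app=$1
    group=$2
    [ -d "$app" ] || { echo "not a directory: $app" >&2; return 2; }
    chgrp -R "$group" "$app" || return 1
    # "Others" -> "No Access"
    chmod -R o-rwx "$app" || return 1
    # Group keeps read/write; X grants traverse/execute only where an
    # execute bit already exists, so data files do not become executable.
    chmod -R g+rwX "$app" || return 1
    [ -z "$(others_access "$app")" ]
}

# As an administrator on the machine in question (path and group as
# named in the post):
#   sudo sh thisfile.sh "/Applications/System Preferences.app" admin
if [ $# -eq 2 ]; then
    restrict_bundle "$1" "$2"
fi
```

Running `others_access` on the bundle after a permissions repair or OS update shows whether the restriction has been reverted.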
     
Daniel_R
Junior Member
Join Date: Mar 2002
Location: Canberra, Australia
May 10, 2004, 08:32 PM
 
Open Directory - I've just tested the problems you were having against a 10.3 system authenticating off Open Directory that gets its system preferences restrictions passed down at login. I could not access any of the pref panes that I had set to be restricted (with the option+ keys etc).

If you're looking to lock down machines in a production environment, and doing so by setting access privileges to common items such as pref panes within System Preferences, it'd be worthwhile to take a look at the lock-down options you can use in OS X Server 10.3 + authenticating via Open Directory. It can manage these options on a group/user basis.

If you're not authenticating off an OS X server via Open Directory, instead using say Solaris and OpenLDAP, you can always add the restriction attributes into your LDAP server (and then you will have to map these attributes within Directory Access on your OS X client Macs). The relevant information on how to do this is in the OS X Server 10.3 manuals (the Open Directory one IIRC).

Setting up restrictions on each individual machine sounds labour intensive.
How viable it is to set up some directory authentication system is another story depending on how many clients you are supporting... I'm assuming a number since you've mentioned "REAL production environment". If you're only talking one or two clients here, the chmod fix above will do just fine.
-- iBook Dual USB 600MHz/384MB/20G/DVD-CDRW
-- PowerBook G4 15" 1.25GHz/1GB/80GB/DVD-R
-- PowerMac 9600/300 300MHz/96MB/2+3+4GB/CD/ OS X 10.1.5, 9.2.1
-- iPod 15GB, 3rd Generation
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
May 10, 2004, 09:37 PM
 
Originally posted by Phranken9:
I was able to reproduce this, and while I don't think the specific preferences you can change are a security threat, I was able to totally cut off the Simple Finder user's System Preferences.app access entirely by changing the permissions on System Preferences.app.
Yes, you can do that, but when an admin lists System Preferences as an application that should not be accessible to a user, it should be just that. Obviously someone overlooked the opt-F14 that could access it. It's a bug. Changing a display setting could totally screw up an intended application's function.
     
Moose
Senior User
Join Date: May 2001
May 10, 2004, 11:20 PM
 
Originally posted by SMacTech:
Changing a display setting could totally screw up an intended application's function.
That's third-party developer retardation.
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
May 11, 2004, 01:07 AM
 
Originally posted by Moose:
That's third-party developer retardation.
Yes/No

I've been around teenage kids... they should be beta testers because if there is a way to screw it up, they will find it.

Say you have a kiosk... and a flash piece set to 800 x 600...

and they set the res to 100000000000 x 100000000000000...

it messes everything (over exaggeration, yes, but would it happen, probably)
     
Graymalkin
Mac Elite
Join Date: May 2001
Location: ~/
May 11, 2004, 03:40 AM
 
I just gave this a try. While I could open System Preferences, only the user-specific settings were actionable. All of the system-level settings were greyed out and nothing I could do would enable them. I even used Universal Access to set the screen to reverse colors and it switched back to the default when I switched back to my normal account. While the ability to open SP isn't the safest of options, the fact a restricted user can't do anything system-wide with this is much less dangerous than it could be. Simple Finder isn't necessarily meant to be used in a production environment as a means to lock down a computer; if it was, it wouldn't have the option to run the full Finder in the Finder menu. You could change the keymap for that user to one with the F14 and F15 keys disabled.
     
Moose
Senior User
Join Date: May 2001
May 11, 2004, 08:21 AM
 
Originally posted by mitchell_pgh:
Yes/No

I've been around teenage kids... they should be beta testers because if there is a way to screw it up, they will find it.

Say you have a kiosk... and a flash piece set to 800 x 600...

and they set the res to 100000000000 x 100000000000000...

it messes everything (over exaggeration, yes, but would it happen, probably)
Once again, that's a third-party defect, not an OS defect.
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
May 11, 2004, 08:34 AM
 
Originally posted by Moose:
That's third-party developer retardation.
I guess that would be me then. I have an application I develop that must run in 1024x768, simply because it needs the screen real estate, and developing for 800x600 in this day and age is, well, silly, given the size of screens today. So if a user can switch to 640x480, it breaks the layout of the program and hence its usability. Exactly how is it retarded to have a minimum spec for a program such as display resolution? So I should have my app realign its user interface to the smaller screen and still retain all the functionality? That's like saying Final Cut Pro should be perfectly functional at 640x480.
     
Moose
Senior User
Join Date: May 2001
May 11, 2004, 09:46 AM
 
Originally posted by SMacTech:
I guess that would be me then. I have an application I develop that must run in 1024x768, simply because it needs the screen real estate, and developing for 800x600 in this day and age is, well, silly, given the size of screens today. So if a user can switch to 640x480, it breaks the layout of the program and hence its usability. Exactly how is it retarded to have a minimum spec for a program such as display resolution? So I should have my app realign its user interface to the smaller screen and still retain all the functionality? That's like saying Final Cut Pro should be perfectly functional at 640x480.
It's not retarded to have a minimum. It's retarded not to handle unexpected situations gracefully.

(Hint: If a user can change screen resolution, so can you.)
     
arekkusu
Mac Enthusiast
Join Date: Jul 2002
May 11, 2004, 01:18 PM
 
What Moose means is that there are notifications 3rd party apps receive from the OS when the display changes. They could pop up an alert if the new display is too small, or force it back to something appropriate. If they choose to ignore them, too bad.
     
   
 