[BostonMACOSX]

i posted this on the OSX General forums to no avail.

i'm wondering how does apple control the ability of the admin users to set Capabilities on what applications a non admin user can run and not run. i'm looking for this info to work out a small bug in launching an OSX application.

Thanks
BostonMACOSX

[Detrius]

You can set up users so that they never see the finder--all they see is a list of applications that they can run. I believe this requires OS X Server. not sure. brain fart. sorry.

[int69h]

If one of those apps is Terminal.app, can one just run "open NotAuthorizedApp.app"?

[BostonMACOSX]

Originally posted by int69h:
If one of those apps is Terminal.app, can one just run "open NotAuthorizedApp.app"?

Maybe I should be more specific.... In system Preferences there are accounts. in Accounts there is a button for non admin users where you can set what programs you want that person to run and not run. What my question is as follows. Does apple change the permissions on the applications themselves? Keep a list somewhere of what users can run what applications? etc etc etc

[Detrius]

You can always do the users and groups thing:

Each item has priveleges set for the owner, a group, and everyone else. Organize your groups such that they include the people that CAN launch a specific app. Set the last permission settings to not allow execution.

[BostonMACOSX]

Originally posted by Detrius:
You can always do the users and groups thing:

Each item has priveleges set for the owner, a group, and everyone else. Organize your groups such that they include the people that CAN launch a specific app. Set the last permission settings to not allow execution.

i know that......

but how does apple do this? I have iTunes set to be able to be launched and iMovie not but the permissions, owner and group are the same.

Ideas?

[Scarpa]

Originally posted by BostonMACOSX:
Does apple change the permissions on the applications themselves? Keep a list somewhere of what users can run what applications? etc etc etc

This sounds to me like information you'd find in NetInfo Manager.

[Evan]

Not many users know about this feature's existence, let alone how to fix it when it flakes out.
The only info I find at Apple's site is
KB-doc#107180.

At the end is a paragraph under "Troubleshooting" which says:

For advanced troubleshooting purposes, you may wish to know that the Capabilities settings are stored in the "mcx_settings" attribute of each user's record. This is visible via NetInfo Manager or NetInfo command line tools, such as nicl and niutil.

Not exactly helpful, but anyway... good luck.

[Richyfp]

As Scarpa speculated and Evan pointed you towards, the Capabilities settings are indeed stored in the NetInfo database. They are stored in the mcx_settings property of each user (note that this key is only present for users whose Capabilities have changed from the default and is NEVER present for Administrators under normal circumstances)

The mcx_settings property contains an XML file that defaines the users various capabilities. The contents of the XMl file for each user can be opened for viewing in Property List Editor using the following command:

Code:
niutil -readprop / /users/username mcx_settings > Cap.xml; open -a "Property List Editor.app" Cap.xml

Where username should be replaced with the name of the user whose capabilities you wish to view. Since this command pipes the XML into a file, make sure that you are in a directory that you have write access to when you run the command and that you don't have any other files called Cap.xml in the same directory.

I don't really know that much about NetInfo, but I think that you could change the dersired values in the mcx_settings file using Property List Editor and then assign it to a user either using the nicl command or by using NetInfo Manager to remove the old key and add a new one.

I'd be interested to know exactly what problem you're having...

Hope this helps!

[Evan]

Originally posted by Richyfp:
I'd be interested to know exactly what problem you're having...

One frequent complaint which I've read and also personally encountered is the inability of some apps to be checkmarked in (or added to) the list of "Use only these applications". In my case, the one offender I've got is Sigma Chess 6.0.3

Wait... hang on a sec. It just worked!!! (I think). Maybe this was fixed in 10.2.4 (?)

I'll be back..........



False alarm. I had less trouble than before when it came to checkmarking Sigma Chess 6.0.3 in the app list (though for some reason it insists on being displayed as "Sigma Chess 6.0").

But when I log in as the user who was supposedly permitted to use that app, it won't launch. So why doesn't it work? What to do?

Most other "app won't launch" Capabilities complaints occur in Classic. Sigma Chess is Carbon, and launches fine (in OSX) for the same user once their Capabilities are removed!



Oh well...

[Richyfp]

Originally posted by Evan:
But when I log in as the user who was supposedly permitted to use that app, it won't launch. So why doesn't it work? What to do?

I have to say that the format of the XML file is a little odd... it seems that there is an allow list that contains not only programs but also creator codes!! Fair enough I suppose, but it strikes me as a bit odd that there is this mixed method of determinignn whether an application can run (and yes, I know that each app should have its own creator code).

I don't use this feature myself so I can't really comment on its problems - send feedback is all I can suggest.

Even though the XML file exists in the NI database, I still don't fully understand how the whole system works. When a user launches an app is it checked against the XML file then or are apps added to a disabled list on Login? Which app or daemon controls this process and at what level is it implemented? (Loginwindow,Finder, Kernel... ?)

So many questions...