
Screensaver/Sleep password allows ANY admin user
ATPTourFan
Fresh-Faced Recruit
Join Date: Apr 2003
Aug 15, 2005, 10:03 PM

I've seen this behavior on two systems both running 10.4.2...

Basically, if you require a password to break through the screensaver or to wake from sleep (or to unlock the screen), my system allows ANY admin user to provide their own correct login/password to get in. Standard or Managed accounts cannot do this.

This feature is useless if there are two or more admin users on the same system. I cannot protect my account nor can any other admin user.

Please tell me this is not correct behavior on the part of the system. I thought a clean install of Tiger from 10.3.9 would have corrected this annoyance, but it did not.

Any ideas? Thanks!!

Detrius
Professional Poster
Join Date: Apr 2001
Location: Asheville, NC
Aug 15, 2005, 11:07 PM

This is the correct behavior. You can't stop someone with root privileges. As long as it's a process separate from the WindowServer and loginwindow, this will be how it works. You can't stop an admin from logging in remotely and killing the process. If you are worried about an admin seeing something they shouldn't, then you need to select "Login Window" from the fast user switching menu. That's your solution.
ACSA 10.4/10.3, ACTC 10.3, ACHDS 10.3

SecureMac
Fresh-Faced Recruit
Join Date: Aug 2005
Aug 16, 2005, 02:59 AM

Originally Posted by ATPTourFan
I've seen this behavior on two systems both running 10.4.2...

Basically, if you require a password to break through the screensaver or to wake from sleep (or to unlock the screen), my system allows ANY admin user to provide their own correct login/password to get in. Standard or Managed accounts cannot do this.

This feature is useless if there are two or more admin users on the same system. I cannot protect my account nor can any other admin user.

Please tell me this is not correct behavior on the part of the system. I thought a clean install of Tiger from 10.3.9 would have corrected this annoyance, but it did not.

Any ideas? Thanks!!
This feature also existed in Mac OS X 10.3.9 (actually most GUI systems permit an admin to unlock a screen so that it can be cleanly exited by saving any open "documents". The history behind this is for lab environments where an admin can free up a "terminal" that was locked by a user that has been away for too long and there is a queue to use the system).

With Fast User Switching this is less of a problem. Another user can just log in over the top of an existing user.

Anyway, to disable the ability of an admin to unlock a screen you will need to do the following. As an admin look in (actually edit) /etc/authorizations....

Find the section that contains....

    <key>system.login.screensaver</key>
    <dict>
        <key>class</key>
        <string>rule</string>
        <key>comment</key>
        <string>the owner as well as any admin can unlock the screensaver;modify the group key to change this.</string>
        <key>rule</key>
        <string>authenticate-session-owner-or-admin</string>
    </dict>

Change the "group key" aka, the rule string to be....

<string>authenticate-session-owner</string>

Save and reboot. Admins will no longer have the ability to unlock a screen.
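An added audit script, not part of this thread and not Apple's tooling, that reports which rule is bound to the system.login.screensaver right and whether it admits any administrator. It parses the plist fragment quoted above, embedded here as a constructed sample wrapped in a Tiger-era 'rights' dict, and when run on a Mac where the `security` tool is present it reads the live right with `security authorizationdb read` instead. Support for the array-form `rule` key on newer macOS and the `security authorizationdb write` remediation command are assumptions about current releases, not something the post states.

```python
import plistlib
import shutil
import subprocess

RIGHT = "system.login.screensaver"
OWNER_ONLY = "authenticate-session-owner"              # the rule the post recommends
OWNER_OR_ADMIN = "authenticate-session-owner-or-admin"  # the Tiger default

# Constructed sample: the fragment quoted in the thread, wrapped in the
# 'rights' dict of a Tiger-era /etc/authorization so plistlib can parse it.
# Not a dump from a real machine.
SAMPLE_AUTHORIZATION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>the owner as well as any admin can unlock the screensaver;modify the group key to change this.</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def right_entry(plist_bytes, right=RIGHT):
    """Locate the dict describing `right`.

    Accepts either a whole /etc/authorization file (rights nested under a
    'rights' key) or the single-right plist that `security authorizationdb
    read` prints on newer macOS, where the entry itself is the top level
    (assumption about the newer layout; the thread only shows the Tiger file).
    """
    data = plistlib.loads(plist_bytes)
    if "rights" in data:
        return data["rights"].get(right, {})
    return data if "class" in data else {}


def rules_for_right(plist_bytes, right=RIGHT):
    """Rule names bound to the right; 'rule' may be a string (Tiger) or an array (newer)."""
    rule = right_entry(plist_bytes, right).get("rule", [])
    return [rule] if isinstance(rule, str) else list(rule)


def admins_can_unlock(rules):
    """True when any bound rule admits an administrator rather than only the session owner."""
    return any("admin" in r for r in rules)


def with_rule(plist_bytes, rule, right=RIGHT):
    """Return a copy of the plist with the right bound to a single rule (the post's edit)."""
    data = plistlib.loads(plist_bytes)
    if "rights" in data:
        entry = data["rights"].setdefault(right, {"class": "rule"})
    else:
        entry = data
    entry["rule"] = rule
    return plistlib.dumps(data)


def audit(plist_bytes, right=RIGHT):
    """Summarise the right: bound rules and whether an admin (not just the owner) can unlock."""
    rules = rules_for_right(plist_bytes, right)
    return {"right": right, "rules": rules, "admins_can_unlock": admins_can_unlock(rules)}


def read_live_right(right=RIGHT):
    """On a Mac, read the right from the authorization database; None elsewhere."""
    if shutil.which("security") is None:
        return None
    proc = subprocess.run(["security", "authorizationdb", "read", right],
                          capture_output=True, check=False)
    return proc.stdout if proc.returncode == 0 and proc.stdout else None


if __name__ == "__main__":
    live = read_live_right()
    result = audit(live if live else SAMPLE_AUTHORIZATION_PLIST)
    source = "live authorization database" if live else "constructed sample"
    print(f"{result['right']} ({source}): rules={result['rules']}")
    if result["admins_can_unlock"]:
        print("any admin can unlock the screen; to restrict it to the session owner:")
        print(f"  sudo security authorizationdb write {RIGHT} {OWNER_ONLY}")
    else:
        print("only the session owner can unlock the screen")
```

Run off a Mac it audits the embedded sample and reports the Tiger default; on a Mac it audits the real right. The check keys on the word "admin" in the rule name so that "authenticate-admin" style rules are flagged as well as the "-or-admin" variant.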

ShotgunEd
Mac Elite
Join Date: Nov 2001
Aug 16, 2005, 05:34 AM

Will changing that plist not make it impossible for an admin to unlock the screen, even if they locked it?

Or is the 'owner' the person that is currently logged in?

chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Aug 16, 2005, 08:37 AM

Originally Posted by ATPTourFan
This feature is useless if there are two or more admin users on the same system. I cannot protect my account nor can any other admin user.
Why would anyone interested in security have more than one admin user?

ATPTourFan  (op)
Fresh-Faced Recruit
Join Date: Apr 2003
Aug 16, 2005, 09:25 AM

Thanks for pointing out that behavior reasoning and the easy fix. It works now as I'd like.

Very cool.

bborofka
Forum Regular
Join Date: Sep 2000
Location: Chico, California
Aug 16, 2005, 11:59 AM

Originally Posted by chabig
Why would anyone interested in security have more than one admin user?
If multiple people share a Mac and they all need to install software or make System changes.

Also,

In lab or large-scale enterprise networks like ours, we bind our Macs to Active Directory, then allow certain AD groups to be admins on all the Macs. This means there are dozens of qualified people that can be admins, and thus can unlock a password-protected screensaver. Even though anyone that's an admin could become root and get access to anyone's files (and if a smart hacker has physical access to your machine, you're screwed anyways), it's one additional hurdle. If anything, it prohibits admins from unknowingly getting direct access to someone else's stuff.

Anubis IV
Dedicated MacNNer
Join Date: Nov 2003
Location: Huh?
Aug 17, 2005, 01:08 AM

I don't see why this matters much. If you allow multiple admins on a system they can easily access each other's files anyway...all they need to do is enter their password, change the permissions, and they can go into each other's home directories. I'd think that the ideal solution would be to figure out why you think you need multiple admin accounts and then to do away with all but one of them and make the rest Standard or Managed or something.

Anyway, a solution was found, so I suppose it doesn't matter at this point, but that solution kinda breaks the security model...
"The captured hunter hunts your mind."
Profanity is the tool of the illiterate.

leperkuhn
Senior User
Join Date: Feb 2000
Location: Burlington, VT, USA
Aug 17, 2005, 01:34 AM

agreed with anubis. sort of like giving 2 people keys to a car, and asking "how can i prevent person 2 from driving the car?"

All contents of these forums © 1995-2017 MacNN. All rights reserved.