Security/Preference panes and /etc/authorization
Phillip Burk
philburk at mac.com
Sat Apr 5 19:17:54 PDT 2008
On Apr 4, 2008, at 11:12 AM, LuKreme wrote:
> On 31-Mar-2008, at 11:38, Phillip Burk wrote:
>
>> I am just beginning my 10.5 rollout where I work and I have found
>> an oddity that I did not expect. In the Security pane of System
>> Preferences the "Require password to unlock each System Preferences
>> pane" is unchecked yet all regular users (not admin) have all of
>> the preference panes locked that have a lock.
>
> Er.. yes. Non-admin users ALWAYS have certain prefs locked. That's
> part of being non-admin. The preference you are looking at is for
> ADMIN users.
Not under 10.4 they didn't. Certainly not all of them. The Network
pane wasn't, neither was the Sharing pane.
>> I believe I can kludge my way through this by altering the
>> /etc/authorization file.
>
> Why would you want to allow non-admin users to, for example, access
> the account pane?
Set up printers. As it is right now, in 10.5 for non-admin users the
Print & Fax pane is locked. In fact, ALL of the panes with a lock are
locked. The complete list: Security, Energy Saver, Print & Fax,
Network, Sharing, Accounts, Date & Time, Parental Controls, Software
Update, Startup Disk, and Time Machine. They all are affected by
/etc/authorization and from what I've seen it's an all-or-nothing affair.
I changed the system.preferences key from:
<key>group</key>
<string>admin</string>
to one of our Active Directory groups. Of course by doing so I have
completely disabled the local administrator account from being able to
authenticate System Preferences using the local account username &
password. A network user/pass is required... it's only a stopgap
solution.
Anyhow, I verified this behavior on four separate machines: my
personal MacBook Pro which is a stock 10.5.2 install and not bound to
our corporate AD, my boss' personal MacBook Pro (same as mine) and
two corporate clients both built from my 10.5 image - one is
Radminded, the other wasn't. They all behave like this.
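
An added example, not part of the original post: a small audit that reads a plist in the rights/rules layout of /etc/authorization and lists every right whose required group is no longer admin, the state in which local administrators can no longer authenticate for that right. The sample plist, the group name ad-mac-prefs and the right example.right.via.rule are constructed for illustration.

```python
import plistlib

# Constructed sample in the rights/rules layout of /etc/authorization.
# "ad-mac-prefs" and "example.right.via.rule" are hypothetical names.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key>
  <dict>
    <key>system.preferences</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>ad-mac-prefs</string>
    </dict>
    <key>example.right.via.rule</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>authenticate-admin</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate-admin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
  </dict>
</dict></plist>"""


def effective_group(db, right):
    """Group a right requires, following a single named rule if present."""
    entry = db.get("rights", {}).get(right)
    if entry is None:
        return None
    if entry.get("class") == "rule":
        rule = entry.get("rule")
        if not isinstance(rule, str):  # lists of rules are out of scope here
            return None
        entry = db.get("rules", {}).get(rule, {})
    return entry.get("group")


def audit(data, expected="admin"):
    """Map each right whose required group differs from `expected`."""
    db = plistlib.loads(data)
    groups = {r: effective_group(db, r) for r in sorted(db.get("rights", {}))}
    return {r: g for r, g in groups.items() if g not in (None, expected)}
```

Running audit() over a copy of the file before and after an edit shows exactly which rights stopped accepting the local admin group.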
More information about the MacOSX-admin mailing list