
Allow non-Admin users to modify system preferences
As the resident "OS X guy" in my company, I was recently asked by the IT department to help with a little problem. The IT department is upgrading its users to OS X. They don't want the users to have admin privileges, and yet the users should be allowed to change the date and time. This is especially necessary for those with laptops that do a bit of travelling.

OS X doesn't keep track of different time settings for different users; there is only one clock and OS X treats it as a privileged system resource. Now there are times when you would want a regular user to be able to change this preference, as when a user is travelling with a laptop, and times when you don't, as when you have some critical scheduling app running or what have you.

Unfortunately, OS X doesn't really allow you to control this. Sure, you can lock and unlock preferences, but that does not persist beyond your "session"; once you log out or reboot, the preferences revert to their privileged state. I have made some progress in finding a solution; perhaps others can take it further...

In the /etc directory is a file called authorization. Apple eventually plans to add a GUI for this file, but in the meantime you must edit it manually. If you examine the file, you will find a section that looks like this:

<key>system.preferences</key>
<dict>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>allow-root</key>
      <true/>
</dict>

By removing the default parameters (robg adds: everything below the "key" line, I believe) and replacing them with just allow, you will allow all users to be able to change all system preferences regardless of group. You will have to log out and log in for changes to take effect.

Unfortunately, I have not been able to figure out how to directly reference a particular preference, for example, the date and time. I have examined the date and time's plist and have tried things like...

system.preferences.dateandtime

but nothing seems to work. Perhaps someone else can take it from here.

[robg adds: There are obviously some security issues here, but in certain situations, this may be of use to some people...]
[13,886 views]  
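
An added example, not part of the original hint or of Apple's tooling: a small audit that compares a known-good copy of the authorization plist with the current one and reports every right whose gate changed, so the system.preferences edit described in the hint shows up as open to all users. The wrapping plist root, the right name example.unchanged.right, and the bare string allow as the edited value are assumptions.

```python
import plistlib

# Constructed sample: the stock entry quoted in the hint, wrapped in a plist
# root, plus one made-up right so the audit has an unchanged entry to skip.
BASELINE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>system.preferences</key>
  <dict>
    <key>group</key><string>admin</string>
    <key>shared</key><true/>
    <key>allow-root</key><true/>
  </dict>
  <key>example.unchanged.right</key>
  <dict>
    <key>group</key><string>admin</string>
  </dict>
</dict></plist>"""


def gate(entry):
    """Summarise what an entry demands before the right is granted."""
    if isinstance(entry, str):          # bare rule such as "allow" or "deny"
        return entry
    if isinstance(entry, dict) and "group" in entry:
        return "group:" + entry["group"]
    return "missing" if entry is None else "unrecognised"


def changed_rights(baseline_xml, current_xml):
    """Return (right, before, after) for every right whose gate differs."""
    base, cur = plistlib.loads(baseline_xml), plistlib.loads(current_xml)
    rights = sorted(set(base) | set(cur))
    return [(r, gate(base.get(r)), gate(cur.get(r)))
            for r in rights if gate(base.get(r)) != gate(cur.get(r))]


def edited_copy(baseline_xml, right, new_entry):
    """Build a constructed 'after' file: same plist with one entry replaced."""
    data = plistlib.loads(baseline_xml)
    data[right] = new_entry
    return plistlib.dumps(data)


if __name__ == "__main__":
    # Assumption: the hint's edit leaves the bare string "allow" as the value.
    after = edited_copy(BASELINE, "system.preferences", "allow")
    for right, before, now in changed_rights(BASELINE, after):
        flag = "OPEN TO ALL USERS" if now == "allow" else "changed"
        print(f"{right}: {before} -> {now} [{flag}]")
```

Run against a saved copy of the file taken before any edits, this gives a quick way to spot a machine where the admin-group requirement has been dropped.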

Allow non-Admin users to modify system preferences
Authored by: mc717990 on Aug 01, '03 10:22:30AM

Couldn't you use an AppleScript to execute a setuid root command line app to set the date and time?

sudo chmod +s /bin/date

The command:

date 8506131627

sets the date to "June 13, 1985, 4:27 PM".

So, just create an AppleScript which generates the information, and sends it to the date command.



Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 06, '03 08:11:02AM

Ideally, you would SUID root the actual DateAndTime preference pane bundle. Unfortunately, this has no effect, which sort of makes sense given that these are "extensions" and not really applications.



Allow non-Admin users to modify system preferences
Authored by: JohnnyMnemonic on Aug 01, '03 11:28:18AM

We faced a similar issue where I work; however, we wanted to raise users to Admins, and give them control over all System Preferences--except Software Update (so they don't go installing a "Hard Drive Update" and lose their data, for example; this way, we get a chance to read the boards and do our own testing first.)

We created two users on the box: the lan admin user, and the user's account (as admin). Then, we moved the bundle from /System/Library/PreferencePanes/SoftwareUpdate.prefPane to the lan-admin user's /Library/PreferencePanes. (That folder may need to be created first.)

We haven't extensively tested this yet, but the control panel is in fact removed from the System Preferences, and replaced when logged in as the lanadmin user. The local user can't see the item, because even admin users can't see into others' Library directories. Presumably, this would work for other panels as well; relevant to the original post, I would suppose you could remove all the panes except for date and time, and place them in the lan-admin /Library.

For completeness, we also chmodded /usr/sbin/softwareupdate to 0500 so it requires a sudo to run. (Which we disabled for all but lan-admin through the sudoers file.)

I'm interested in feedback on this strategy, as well as to see what others have done. I looked at /etc/auth also, but couldn't figure it out, esp. to the individual Systempreference.Pane. Anyone have better instructions on this file?

Better solution (in theory)
Authored by: JohnnyMnemonic on Aug 01, '03 12:55:01PM
...but it only lives in Google's cache. Thanks again, Google!

macfora.com: [editing user capabilities]

(why it's cached and not in the original place I dunno.)

Essentially, NetInfo Manager will reveal a setting called "mcx_settings." In that description live strings for what the user can and can't change; modify those strings to deny/allow access. For example, subtract "<string>com.apple.preference.screensaver</string>" from the user's mcx record, and they will no longer have the authority to change it. I would post the whole solution here, but it's a long 'un--plus I haven't tested it.

email if you want more help or the text of the original file.

[robg adds: I edited this to turn the long, wide URL into a hyperlink, for narrower article/comment display. No other content was changed.]

Better solution (in theory)
Authored by: gatorparrots on Aug 01, '03 04:41:55PM

Macfora recently converted their boards from vBulletin to Invision Powerboard, hence all links to the old board database no longer work.

Here is the new, working link:
http://www.macfora.com/forums/index.php?showtopic=10271



Allow non-Admin users to modify system preferences
Authored by: Gigacorpse on Aug 01, '03 02:07:28PM

Couldn't you also modify the sudoers list to allow changes to the date command? This would allow for time changes.



Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 06, '03 08:32:50AM

Typically, you don't want regular users to use the command line; you don't want them to even know about the command line.

And the system doesn't just check /bin/date to determine who can use the date and time preference pane.



Allow non-Admin users to modify system preferences
Authored by: dcoyle on Aug 01, '03 09:39:11PM

This doesn't address the title problem of allowing non-Admin users to modify system settings, but it does address the specific problem of users travelling to different time zones.

I may have this wrong and hopefully someone will correct me, but I believe the system time should be the same for a Mac anywhere you are in the world. The representation of the system time will vary, however, based on your timezone setting. I would strongly recommend changing the timezone rather than the time.

In any event, you can leave the date/time preference pane unlocked in the user's account. Unless he inadvertently clicks on the padlock icon and locks the preference, he can change the date, time, or timezone at will.



Allow non-Admin users to modify system preferences
Authored by: stevenjj on Aug 03, '03 10:13:18PM

Once a user has been disallowed to change System Prefs, System Prefs is removed from the Apple Menu. Restoring a non-admin's user account to change System Prefs won't bring back the entry in the Apple menu. Neither will making them admin. Control-clicking the desktop will let you bring up Change Desktop Background, and then on to the rest, but that isn't easy for many users.

Any suggestions to bring SysPrefs back to the Apple Menu?



Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 03, '03 10:34:56PM

what I did was simply to change the permissions on the individual Pref Panes that live in

/System/Library/PreferencePanes

so that only root could read write and execute particular Pref Panes. So now when a non-admin user is logged in and clicks on a non-allowed Pref Pane in System Preferences, they get a message saying they don't have privs to view that Pane or some such, forget the exact message right now. Obviously you have to be logged in as root when you change the privs. It seems to work well. Just leave the Date/Time preference pane alone and non-admin users will be able to configure it; change the permissions for all other pref panes, as appropriate.



Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 06, '03 08:19:38AM

This will not work; I tried it. Files of type "prefPane" are not treated like files of type "app". And, actually, they're not files at all, but rather folders (bundles). The system does not consider file-level permissions when dealing with preferences; there is some higher level security abstraction going on.



Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 07, '03 03:26:06AM

it worked fine for us--we've implemented the method and it's what we're doing for our cluster of 30+ OS X Macs.

bundles are not a problem--just do a chmod -R, and you're right, they're just like directories.



Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 07, '03 03:28:12AM

P.S. you gotta use the command line to do this.



Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 07, '03 08:59:48AM

I tried this and it does not work. I'm not sure why it's working for you; are you sure all your users are not privileged? For those who want to perform their own tests, it's easy enough to do.

1. Create a new unprivileged user from System Preferences.

2. Back up the original file...

sudo cp -r /System/Library/PreferencePanes/DateAndTime.prefPane /System/Library/PreferencePanes/DateAndTime.orig

3. Set the new permissions...

sudo chmod -R +s /System/Library/PreferencePanes/DateAndTime.prefPane

4. Log out and log in as the new unprivileged user. Try to modify the date and time from System Preferences. Notice it still requires an admin password.

5. Log out and log in as admin. Restore your original file...

sudo rm -r /System/Library/PreferencePanes/DateAndTime.prefPane

sudo mv /System/Library/PreferencePanes/DateAndTime.orig /System/Library/PreferencePanes/DateAndTime.prefPane

I have tried this on several machines with the same results. Once again: When it comes to System Preferences, the OS does not look at the individual file and folder permissions to determine who gets to run what; there is a higher level security abstraction going on.


Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 07, '03 10:38:05AM

Well, I guess I got lucky when I tried this, because I didn't have much trouble. I will recheck things when I get to work today, but I'm sure it's working!

Now, in your step below, you cite:

>3. Set the new permissions...

>sudo chmod -R +s /System/Library/PreferencePanes/DateAndTime.prefPane

What I did differently is leave the Date and Time pref pane alone, because I wanted everyone, admin or non-admin alike, to be able to access and change it. I only changed the permissions on pref panes I DIDN'T want non-privileged users to access, which was most of them. So for instance I'd log in as root and:

chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/EnergySaver.prefPane

'cause I didn't want people messing with the Energy Saver.

then you get something like this:

ls -l /System/Library/PreferencePanes/EnergySaver.prefPane

and you get:

-rwxr--r-- 1 root wheel 749 Dec 4 2002 EnergySaver.prefPane

So everyone and wheel can still read it, but only root can change it.

Honestly, I ain't lying, it works like a charm! When a non-privileged user logs in and calls up System Preferences, they can see all the pref panes, but when they go to click on one for which the privs have been altered it gives them an error message.

I guess the "+s" you specified above is a perm option, and I don't know how that works.






Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 07, '03 11:14:40AM

I believe this technique works for you, but only because the System Preferences you are dealing with are accessible to unprivileged users by default. If you try this trick with DateAndTime, it will not work.

chmod -R +s recursively sets the user id (SUID) on execution.

So far, modifying the /etc/authorization file seems to be the best solution. Perhaps the trick is to combine that with file permissions as well. In other words: modify the authorization file to allow everyone to modify the system prefs, then lock the users out of certain system prefs by changing the individual file and folder permissions. -S

[ Reply to This | # ]
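
An added example, not from any poster in this thread: what a recursive +s leaves behind on a bundle, and how to find and clear those bits in place when auditing a machine where this was tried. Demo.prefPane and its layout are constructed stand-ins built in a temporary directory; only the setuid bit is set because an unprivileged chmod can silently drop setgid.

```python
import os
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID


def walk_entries(root):
    """Yield root itself and every file and directory beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def setid_entries(root):
    """Relative paths under root that carry the setuid or setgid bit."""
    return sorted(os.path.relpath(p, root) for p in walk_entries(root)
                  if not os.path.islink(p) and os.lstat(p).st_mode & SETID)


def clear_setid(root):
    """Drop setuid/setgid everywhere under root; return how many changed."""
    changed = 0
    for p in walk_entries(root):
        mode = os.lstat(p).st_mode
        if not os.path.islink(p) and mode & SETID:
            os.chmod(p, stat.S_IMODE(mode) & ~SETID)
            changed += 1
    return changed


def build_demo_bundle(parent):
    """Constructed stand-in for a .prefPane bundle (hypothetical layout)."""
    bundle = os.path.join(parent, "Demo.prefPane")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    for rel in ("Contents/Info.plist", "Contents/MacOS/Demo"):
        with open(os.path.join(bundle, rel), "w") as fh:
            fh.write("placeholder\n")
    for p in walk_entries(bundle):      # mimic `chmod -R +s` (setuid only)
        os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) | stat.S_ISUID)
    return bundle


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_demo_bundle(tmp)
        print("flagged:", setid_entries(bundle))
        print("cleared:", clear_setid(bundle))
```

Every entry in the bundle is flagged, including directories and the Info.plist, which is why a recursive +s is worth checking for and undoing even when it had no visible effect.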

Allow non-Admin users to modify system preferences
Authored by: jail on Aug 04, '03 07:18:30PM

giving everyone an admin account means everyone can do *anything* on the mac. this means that if you change privileges on a pref pane, or move the pref pane into ~/Library/PreferencePanes, the user can just change the privileges back, or go into the admin's user folder and copy the pref pane out. anyone with admin access also has root access, all they need to do is type in their password.

perhaps unix has a way of changing the date without privs, i don't know.
you could however ask some hacker to write an app for changing the date. the app would have admin privileges, but not the user. perhaps the app could be a daemon that's in Startup Items, and always running in the background, with admin privs, it would then be easy to provide a system preferences GUI that just asks the daemon to change the date, without needing privs itself.



Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 04, '03 11:40:11PM

jail, read the original post again. the guy wants non-admin users to be able to change the date. he doesn't want all users to be admins; just the opposite. the user won't be logged in as admin, so he/she can't change the privs on the Prefs Panels once they're changed by root.



Bad solution
Authored by: nyarlathotep on Sep 07, '03 09:12:22PM

This is not what non-admin users are all about. Non-admin users are for PEOPLE YOU DO NOT TRUST. It's only designed for machines which you physically have control over, i.e. those sitting in the office or in the university cluster/lab. If you gave the guy a laptop to cart about, you trust him and should give him admin status, period.

If you need to give the laptop to another person later fine, but you're going to need to reimage the laptop anyway, so you have no reason not to give the current guy admin status. If you have specialized software fine, but any specialized software which interacts with off-site machines must be built to use an untrusted client anyway.

Jeff



Allow non-Admin users to modify system preferences
Authored by: inprat on Aug 25, '08 06:28:23PM

I'm not sure if you have solved this problem, but I figured out a way of doing what you're looking for, but in Leopard.

I was in the same situation as yours, but the only difference is that I'm managing a school's network. There are older G4 Macs around here, and it looks like the motherboard's battery is out of power and therefore most of them are losing the time and date settings every time, which caused a lot of problems for students.

I'm intending to create an environment where students can log in and are able to change the date and time settings themselves without an admin password.

In the end, I created the student account as admin, but I took some crucial system preferences from its folder and left some that are safe for the students to change/play around with (i.e. display, time and date, network, appearance), and installed the rest on another admin account but only for that admin user, so no other users can see those on their syspref panel. For safety reasons I make sure the system replaces the student's home folder with a fresh one every time they log in.

I hope that helps. please let me know if you have any questions.

Ciao


