Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Restrict Simple Finder users to only certain applications System
[robg notes: The following hint was submitted by an anonymous tipster, who was somewhat uncertain if I should run it or not, as it does "reveal" a "security exploit" in OS X 10.3 However, I think it's fine to run, for a couple reasons. First, the "exploit" is not really an exploit, and I believe Apple is well aware of it already (see the Note below). Also, the hint includes two easy workarounds that solve the problem. So with that explanation, here's the "exploit" and fix. The language below is mine, but the fix in the second part is thanks to the anonymous tipster...]

OS X 10.3 includes a security restriction known as "Simple Finder" (on the Limitations tab of the Accounts system preferences panel). In theory, this allows you to quickly restrict which apps a 'simplified user' can use. However, there's a very simple method through which these simplified users can open any application, including ones that aren't "allowed" under the Simplified Finder tab.

In Simple Finder mode, the user sees a dock with a few folders in it, including a "My Applications" folder, which includes the applications selected in the Simple Finder tab for the user. But running any application is amazingly simple. Just click the My Applications folder in the dock, and (as expected), the folder opens in the Finder. Now use the Finder's built-in Command-Up Arrow shortcut (Go -> Enclosing Folder), and you'll start to move up through the folders. Do this enough times, and you'll be able to open /Applications, from where you can run everything -- you still won't be able to do things that an admin could do, of course, but you can launch every application and/or utility on the system. So it's not an exploit that grants a higher user-level to a restricted user, but it does let them do things that you may think they cannot.

Note: Exploit is in quotes above because Apple's language on the "Simple Finder" tab is ambiguous. They state that 'The Simple Finder has a simplified Dock and allows the user to directly use only those applications showing in the "My Applications" folder in the Dock.' I added the emphasis, as the phrase 'directly use' implies, to me anyway, that Apple is aware there are fairly easy workarounds that allow all applications to be run. On the other hand, a KnowledgeBase article describes the feature this way: "Simple Finder makes your computer more secure because it restricts the access people have to your disks and applications." So it's ambiguous :).

If you want to truly restrict the simplified users on your machine(s), read the rest of the hint for two (relatively easy) solutions...

The wording noted above on the Simple Finder tab may lead one to believe that the chosen user will be prevented from using applications that aren't selected in the panel. However, the setting only specifies which applications appear in the "My Applications" folder, and does not place any limitations on which applications may actually be launched by a "Simplified" user. In contrast, the description under "Some Limits" explicitly states that the "user can only use (the selected) applications," and in fact, any attempt to launch a disallowed application in a "Limited" account results in an error message.

So the simplest fix is to just switch the user to Some Limits mode, and specify which programs they can use. However, when you do this, you lose the "simple finder" interface, as the Some Limits accounts get a normal OS X Finder. So what if you want the Simple Finder interface with hard restrictions on which applications the user can run?

To restrict a "Simplified" user to just a few selected applications, follow the general procedure for modifying mcx_settings (explanations can be found in this hint and in this KnowledgeBase article) and rename the key called ItemList to AccessList. It appears under com.apple.applicationaccess and Forced. I think this is easier than adding the key to a "Limited Account." As usual, be aware that making an error in NetInfo Manager can have serious consequences.

As long as you are editing the mcx_settings, there are some other interesting keys that are available for modification to ease some of the restrictions on Simple Finder users. Some of the keys can even be used without involving NetInfo at all, by changing the com.apple.xxx.plist file of the respective applications that they govern. For example, the size-immutable, contents-immutable and static-only keys can be applied to the Docks of non-Simple Finder users. In particular, the contents-immutable key can prevent accidental removal of dock items as well as the 'moving target' issue when dragging files to the trash, and can even be applied to an admin account. These keys take a boolean true or false as in:
defaults write com.apple.dock contents-immutable -bool true
If you actually like the no-desktop one-click Launcher style interface of Simple Finder, you can use:
defaults write com.apple.finder InterfaceLevel "simple"
Change the location where screen shots are saved:
defaults write com.apple.screencapture location 'Users/you/Path/to/Folder'
To see the changes, log out and back in. To reverse the changes, just use defaults delete with the appropriate key, and without a value.
    •    
  • Currently 3.60 / 5
  You rated: 3 / 5 (5 votes cast)
 
[17,283 views]  

Restrict Simple Finder users to only certain applications | 3 comments | Create New Account
Click here to return to the 'Restrict Simple Finder users to only certain applications' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Restrict Simple Finder users to only certain applications
Authored by: jbelkin on Aug 26, '04 03:21:04PM

There is a much simpler way.

Let's say you have it set up this way:
MAIN/ADMIN
RESTRICTED USER #1
RESTRICTED USER #2

To prevent user #1 & #2 from accessing apps, just move it from 'Applications' to another folder. I created a folder on the desktop calls Applications. Other than the fact Apple's idiotic updater can't find any apps not in the applications folder, it will work fine.

The other hole not mentioned is that in something like WORD, you can type www.microsoft.com, click on it and launch SAFARI/EXPLORER.

Don't forget Netscape & Outlook are in the Os9 folder.

BTW, I spent about 20 hours getting a setup working and frankly, the LIMITED/RESTRICTED Finder setup is almost pointless.

Because if you have log in set-up, you have virtually the same security and in many ways, it's actually MORE complicated for the user because SHARED is SHARED but PUBLIC is not really ... so the limited FINDER thing works if your communications is pretty much one way. If you want to leave notes for user #1 & User #2 and they will ocassionally communicate back with you - then it might work but the limited finder unlike the old mini-finder is not really set up for newbie users - a) because you can't move things around - if you click on it, the file/app opens. No double-clicks required. I've yet to figure out how users can actaully trash something and if you want everyone to see a note, you put it in SHARED - makes sense and they can save to SHARED. Now, if they wish to send a file to you, they have to naviagte in the LIST VIEW finder to PUBLIC and save it in there - one way only - once they drop it in, no one else can see it including themselves. And so on and so forth.

Basically the problem is that instead of making it easier, they made it more restrictive but not easier. Limited Finder makes sense if you have like 10 files for clients or customers to read on screen and they can't wander away elsewhere but if you have regular actual users, there are just too many weird quirks.



[ Reply to This | # ]
Restrict Simple Finder users to only certain applications
Authored by: kikjou on Aug 26, '04 04:44:48PM

I think Apple's intention with the Simple Finder was to provide an interface that makes it hard for people to accidentally mess up their account or the computer. If you want a really secure and tightly controlled user space, you will probably have to wait for Tiger (10.4) because the current Unix permissions only allow for two instances of "users" other than yourself to access a file (group and world), which is clearly not enough.
I have used the Simple Finder in a Music account where iTunes and Safari launch automatically. This account makes it easy for my guests - who often don't know Macs or are computer illiterate - to listen to music and to read their web mail.



[ Reply to This | # ]
Restrict Simple Finder users to only certain applications
Authored by: stcanard on Aug 26, '04 07:29:20PM

Actually, the group permissions gives you a suprising amount of flexibility in creating different classes of users. You should be able to get just about any level of granularity you want, you just have to spend a lot of time creating groups and setting the group ownership / files appropriately.



[ Reply to This | # ]