Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Disable Front Row to prevent limited account app access System 10.4
While setting up a master iMac image to deploy across a computer lab, I forgot to disable Front Row. After playing around with Front Row in a restricted, managed account, I found that I could launch iTunes, and from there Safari, even though the account did not have permissions to use these applications! You can read about how I did this in this entry in my blog.

Anyway, if you are in a situation where you do not want people launching Front Row, either delete the Keyboard Shortcut in System Preferences, or (even better) remove the application /System -> Library -> CoreServices -> Front Row.app.

[robg adds: To me, the most interesting part of this hint isn't how to disable Front Row, but rather how it was used to work around application launch restrictions for iTunes and Safari.]
    •    
  • Currently 2.00 / 5
  You rated: 1 / 5 (6 votes cast)
 
[31,098 views]  

Disable Front Row to prevent limited account app access | 5 comments | Create New Account
Click here to return to the 'Disable Front Row to prevent limited account app access' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Disable Front Row to prevent limited account app access
Authored by: critcol on Jan 30, '07 10:19:50AM

That's an amazing hack! And a couple of security flaws too. I wonder if one could use Front Row to launch terminal and take root....



[ Reply to This | # ]
Disable Front Row to prevent limited account app access
Authored by: mantrid on Jan 30, '07 10:23:28AM

Yes; and Not that I know of though I wouldn't rule it out.



[ Reply to This | # ]
Disable Front Row to prevent limited account app access
Authored by: sapridyne on Jan 30, '07 01:44:02PM

Wouldn't it be better to use Workgroup Manager to restrict FrontRow.app from launching? Don't like deleting things that could be affected by future system updates...



[ Reply to This | # ]
Disable Front Row to prevent limited account app access
Authored by: HairyPotter on Jan 31, '07 08:32:07AM

Is there any way to run FrontRow as a normal application? I mean, FrontRow is a program always running in the background, waiting for one to invoke it. But this, consumes processor resources.

Is there any way to have FrontRow there, not running, and just being able to run it when I want? (as any other application like Quicktime, Photoshop, etc.)



[ Reply to This | # ]
Disable Front Row to prevent limited account app access
Authored by: jaaronp on Jan 31, '07 09:49:42AM

This illustrates a major shortcoming of the managed account application restrictions; the restrictions are not actually "User X may not launch application Y" but rather "User X may not launch application Y using the Finder".

My favorite example was using a web browser to launch terminal by attempting to load a telnet:// url. Once in a terminal, the open command could then be used to launch any application.

Currently, I think ACLs could be used to restrict execute permissions for specific users, but there's no nice interface for it.

The MAC framework that's advertised for Leopard (which is based on SEDarwin which is based on SEBSD which is base on SELinux) should provide stronger guarantees and will hopefully be integrated with the System Preferences UI.



[ Reply to This | # ]