If the Security System Preference panel's Require Password to Wake box is checked, the askForPassword key is written with the integer value 1 in the com.apple.screensaver.[ID].plist preferences file, which is stored in ~/Library/Preferences/ByHost. As with other ByHost items, the [ID] is the Ethernet (MAC) address of the primary Ethernet port (en0); it is used only as an identifier for this machine.
With this preference set, the loginwindow process requires that the system.login.screensaver authorization right be satisfied before it will unlock the screen. By default that right is governed by the rule authenticate-session-owner-or-admin, which is satisfied by the password of either the user who owns the login session or any member of the admin group. These rights and rules are part of the authorization system employed by Mac OS X. The system keeps its list of rights and rules in the /etc/authorization file, a property list that defines which users or groups are authorized to perform specific tasks.
You can change the wake/exit screen saver authorization right by following these steps.
You'll need Property List Editor (part of the Developer Tools or Server Admin Tools) or a third-party plist editor, and some familiarity with the command line.
- First make a copy of the authorization file in /etc. Place the copy on your desktop (for example), and make your changes to that copy, never to /etc/authorization in place.
- Change the behavior as desired:
  - If you prefer that only the current user (called the session owner) be able to unlock his/her screen, make this change. Expand the rights dictionary, and look for the system.login.screensaver right. Expand that dictionary, and change the value of the rule string from authenticate-session-owner-or-admin to authenticate-session-owner. (That rule already exists in the rules dictionary, so nothing else needs to change.)
  - If you want the current user and members of a particular group other than admin to be able to wake/unlock the screen, make these changes:
    - You need to make a new group. We'll use screengroup for the short name. You can do this via dscl or the Accounts System Preferences pane. This is the group that will be the screen admins -- any member can unlock any user's screen, so treat membership in it the way you treat membership in admin.
    - You need to make a new rule. Pick a name for your new rule; we'll use authenticate-session-owner-or-screengroup. Expand and select the rules dictionary, and click New Child. Name the child authenticate-session-owner-or-screengroup, and change its type to Dictionary. Then expand the authenticate-session-owner-or-screengroup dictionary, highlight it, and add six new children (via the New Child button). The new children should be:
      - allow-root of type boolean (choose Yes or No). No disables root's ability to unlock the screen.
      - class of type string, with a value of user.
      - comment of type string -- this can be your notes.
      - group of type string, the short name of the group whose members can unlock the screen. This example uses screengroup for the group name.
      - session-owner of type boolean, set to Yes.
      - shared of type boolean, set to No.
    - Modify the system.login.screensaver right to use the new rule. As above, expand the rights and system.login.screensaver dictionaries. Change the value of the rule string to authenticate-session-owner-or-screengroup. The name must match the rule you just created exactly; a right that names a rule which does not exist cannot be satisfied.
- Save changes to the desktop copy of authorization. Before installing it, run plutil -lint on the copy to confirm it is still a well-formed property list: a syntax error in /etc/authorization breaks every authorization check on the system, not just the screen saver.
- Then use Terminal to move the existing authorization file aside:
sudo mv /etc/authorization /etc/authorization.apple
- Copy the edited (desktop) copy of authorization to /etc. You can do this with Terminal or the Finder -- use Go to Folder to navigate to /etc, which is hidden.
- Ensure that the POSIX owner and group for /etc/authorization are correct. Since you made a copy of the original /etc/authorization, the permission bits are preserved (0644), but the copy is owned by your own account, and the file that decides who may authorize for what must not be writable by an ordinary user:
sudo chown root:admin /etc/authorization
Then compare ls -l /etc/authorization with ls -l /etc/authorization.apple and make sure owner, group and mode match the original.
- Reboot. Afterwards, security authorizationdb read system.login.screensaver prints the right as the system now sees it, and should show your rule name.
To revert to Apple's original file:
$ sudo mv /etc/authorization /etc/authorization.mychanges
$ sudo mv /etc/authorization.apple /etc/authorization
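The same edit can be scripted instead of clicked through in Property List Editor, which also makes the result easy to check before it goes near /etc. The following is an added example written for this hint, not code from the original page or from Apple; it uses only the standard-library plistlib module, works on a copy of the file, and embeds a small constructed plist in the layout of /etc/authorization (just the rights and rules this hint touches) so it can run offline. The group name screengroup and the rule name authenticate-session-owner-or-screengroup are the hint's own; the function and helper names are assumptions.

```python
"""Rewrite the system.login.screensaver right in a copy of /etc/authorization.

Added example for this hint (not the page's or Apple's code). Never points at
/etc/authorization itself: read a copy, write a new copy, install by hand.
"""
import plistlib
import sys

SCREENSAVER_RIGHT = "system.login.screensaver"

# Constructed sample in the layout of /etc/authorization: a "rights" dict and a
# "rules" dict, containing only the entries this hint refers to.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>comment</key>
      <string>The owner or any administrator can unlock the screensaver.</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate-session-owner</key>
    <dict>
      <key>class</key> <string>user</string>
      <key>comment</key> <string>Authenticate as the session owner.</string>
      <key>session-owner</key> <true/>
    </dict>
    <key>authenticate-session-owner-or-admin</key>
    <dict>
      <key>allow-root</key> <false/>
      <key>class</key> <string>user</string>
      <key>comment</key> <string>Authenticate either as the owner or as an administrator.</string>
      <key>group</key> <string>admin</string>
      <key>session-owner</key> <true/>
      <key>shared</key> <false/>
    </dict>
  </dict>
</dict>
</plist>
"""


def make_session_owner_or_group_rule(group, allow_root=False, comment=None):
    """The six-key rule dictionary described in the hint."""
    return {
        "allow-root": bool(allow_root),
        "class": "user",
        "comment": comment or "Authenticate as the session owner or a member of %s." % group,
        "group": group,
        "session-owner": True,
        "shared": False,
    }


def rewrite_screensaver_right(plist_bytes, rule_name, group=None, allow_root=False):
    """Return new plist bytes in which system.login.screensaver uses rule_name.

    With `group` set, a new rule called rule_name is added for that group (the
    screengroup variant). With `group` None, rule_name must already exist in the
    rules dictionary (e.g. authenticate-session-owner), so a typo can never leave
    the right pointing at a rule that does not exist.
    """
    db = plistlib.loads(plist_bytes)
    rights, rules = db["rights"], db["rules"]
    if SCREENSAVER_RIGHT not in rights:
        raise KeyError("right %s not present" % SCREENSAVER_RIGHT)
    if group is not None:
        if rule_name in rules:
            raise ValueError("rule %s already exists; pick another name" % rule_name)
        rules[rule_name] = make_session_owner_or_group_rule(group, allow_root)
    elif rule_name not in rules:
        raise ValueError("rule %s is not defined in the rules dictionary" % rule_name)
    rights[SCREENSAVER_RIGHT]["rule"] = rule_name  # keep the right's other keys (comment)
    return plistlib.dumps(db, fmt=plistlib.FMT_XML)


def screensaver_rule_name(plist_bytes):
    """Which rule currently governs the screen saver right in this plist?"""
    return plistlib.loads(plist_bytes)["rights"][SCREENSAVER_RIGHT]["rule"]


def lookup_rule(plist_bytes, rule_name):
    """Return one rule dictionary, so an edited file can be inspected."""
    return plistlib.loads(plist_bytes)["rules"][rule_name]


if __name__ == "__main__":
    # Usage (hypothetical paths): python3 editauth.py ~/Desktop/authorization ~/Desktop/authorization.new screengroup
    if len(sys.argv) != 4:
        sys.exit("usage: editauth.py SOURCE_COPY DEST_COPY GROUP")
    src, dst, grp = sys.argv[1:4]
    with open(src, "rb") as f:
        out = rewrite_screensaver_right(f.read(), "authenticate-session-owner-or-" + grp, group=grp)
    with open(dst, "wb") as f:
        f.write(out)
    print("%s: %s now uses rule %s" % (dst, SCREENSAVER_RIGHT, screensaver_rule_name(out)))
```

The output file still has to be linted, moved into /etc, chowned to root and checked with ls -l exactly as in the steps above; the script only produces the edited copy. Refusing to point the right at an undefined rule is the one safety check worth keeping even when editing by hand, since a dangling rule name leaves nobody able to satisfy the right.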
[robg adds: I haven't tested this one -- and it does involve modifying a system file, so take care...]

