Change the default screen unlock behavior

Jan 02, '08 07:30:06AM

Contributed by: gerritdewitt

As noted in this earlier hint, when Mac OS X requires authentication to unlock the computer from the screen saver or to wake it from sleep, it accepts the password of the currently logged-in user or of any member of the local admin group (any local administrator). This behavior can be changed to suit your needs. First, here is how Mac OS X decides whether to ask for authentication when waking or exiting the screen saver, and which users it authorizes to do so.

If the Require Password to Wake box in the Security System Preference pane is checked, the askForPassword key is written with the numeric value 1 in the com.apple.screensaver.[ID].plist preferences file in ~/Library/Preferences/ByHost. As with other ByHost items, [ID] is the Ethernet (MAC) address of the primary Ethernet port (en0); it serves only as an identifier for this machine. You can read the setting without opening the file:
    defaults -currentHost read com.apple.screensaver askForPassword

With this preference set, the loginwindow process requires that the system.login.screensaver authorization right be satisfied before it unlocks the screen. By default, that right delegates to the rule authenticate-session-owner-or-admin, which is satisfied by the password of the session owner or of any member of the admin group. Rights and rules are part of the authorization system Mac OS X uses; the list is kept in the /etc/authorization property list file, which defines which users or groups are authorized to perform specific tasks. On Leopard and later you can print a right's current definition without editing anything: security authorizationdb read system.login.screensaver

You can change the wake/exit screen saver authorization right by following these steps.

You'll need Property List Editor (part of the Developer Tools or Server Admin Tools) or a third-party plist editor, and some familiarity with the command line.

  1. First make a copy of the authorization file in /etc. Place the copy on your Desktop (for example), and make your changes to that copy, never to the live file.
  2. Change the behavior as desired by editing the rule that the system.login.screensaver right (under the rights dictionary) delegates to. For example, to let only the logged-in user unlock the screen, change its rule from authenticate-session-owner-or-admin to authenticate-session-owner, a rule the default file already defines. Only reference rules that exist in the file's rules dictionary.
  3. Save changes to the Desktop copy of authorization. Then use Terminal to move the existing authorization file aside:
    sudo mv /etc/authorization /etc/authorization.apple
  4. Copy the edited (Desktop) copy of authorization to /etc. You can do this with Terminal or the Finder -- use Go to Folder to navigate to /etc, which is hidden.
  5. Ensure that the POSIX owner and group for /etc/authorization are correct:
    sudo chown root:admin /etc/authorization
    Since you made a copy of the original /etc/authorization, the POSIX permission bits are preserved: they are 0644, so only root can write the file. Verify with ls -l /etc/authorization, and check that the edited file is still a valid property list (plutil -lint /etc/authorization) before you reboot; a malformed authorization file can lock you out rather than merely change who can unlock the screen.
  6. Reboot.
To undo your changes, simply switch the authorization files back and reboot:
    sudo mv /etc/authorization /etc/authorization.mychanges
    sudo mv /etc/authorization.apple /etc/authorization
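The following is an added example, not code from the original hint or from Apple: a small Python 3 script that performs step 2 on the Desktop copy of the file rather than by hand. It assumes the XML plist layout described above (a top-level rights dictionary whose entries carry class and rule keys, and a top-level rules dictionary defining those rules); the embedded sample is constructed here and holds only the entries the example touches, not Apple's full file. The script reports which rule the system.login.screensaver right currently delegates to, refuses to point it at a rule the file does not define, and writes a new XML copy for you to install with steps 3 to 5. The script name edit_screensaver_right.py is hypothetical.

```python
"""Audit and rewrite the system.login.screensaver right in an /etc/authorization-style plist.

Added example; not code from the original hint or from Apple. Assumes the
Leopard-era XML layout: a top-level "rights" dict whose entries carry "class"
and "rule" keys, and a top-level "rules" dict defining the rules.
"""
import plistlib
import sys

SCREENSAVER_RIGHT = "system.login.screensaver"

# Constructed sample standing in for a copy of /etc/authorization. It contains
# only the entries this example touches; the real file holds many more.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>comment</key><string>Unlock the screen from screen saver or sleep.</string>
      <key>rule</key><string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate-session-owner-or-admin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>session-owner</key><true/>
      <key>shared</key><false/>
    </dict>
    <key>authenticate-session-owner</key>
    <dict>
      <key>class</key><string>user</string>
      <key>session-owner</key><true/>
      <key>shared</key><false/>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_authorization(data):
    """Parse the XML plist and check for the two top-level dicts we rely on."""
    db = plistlib.loads(data)
    if not isinstance(db.get("rights"), dict) or not isinstance(db.get("rules"), dict):
        raise ValueError("not an authorization database: missing 'rights' or 'rules'")
    return db


def rule_is_defined(data, rule_name):
    """True if the file's rules dict defines rule_name."""
    return rule_name in load_authorization(data)["rules"]


def rules_for_right(data, right=SCREENSAVER_RIGHT):
    """Return the rule names the right delegates to, as a list.

    The 'rule' value is a string for most rights but an array for some,
    so both forms are normalised to a list.
    """
    entry = load_authorization(data)["rights"].get(right)
    if entry is None:
        raise KeyError("right %r is not defined" % right)
    if entry.get("class") != "rule":
        raise ValueError("right %r has class %r, not 'rule'" % (right, entry.get("class")))
    rule = entry["rule"]
    return [rule] if isinstance(rule, str) else list(rule)


def set_rule_for_right(data, new_rule, right=SCREENSAVER_RIGHT):
    """Return a new XML plist in which `right` delegates to `new_rule`.

    Refuses to reference a rule the file does not define: a dangling rule
    name would leave the right unsatisfiable instead of merely narrowing it.
    """
    if not rule_is_defined(data, new_rule):
        raise KeyError("rule %r is not defined in the 'rules' dict" % new_rule)
    rules_for_right(data, right)  # validates the right exists and has class 'rule'
    db = load_authorization(data)
    db["rights"][right]["rule"] = new_rule
    return plistlib.dumps(db, fmt=plistlib.FMT_XML)


def main(argv):
    """Usage: edit_screensaver_right.py <copy-of-authorization> <new-rule> <output>"""
    if len(argv) != 4:
        print(main.__doc__)
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    print("current rule(s):", rules_for_right(data))
    out = set_rule_for_right(data, argv[2])
    with open(argv[3], "wb") as f:
        f.write(out)
    print("wrote", argv[3], "with rule(s):", rules_for_right(out))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the Desktop copy only, for example python3 edit_screensaver_right.py ~/Desktop/authorization authenticate-session-owner ~/Desktop/authorization.new, then diff the two copies before installing the result with steps 3 to 5; the script never touches /etc itself.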
[robg adds: I haven't tested this one -- and it does involve modifying a system file, so take care...]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20071227091850995