10.5: Prevent users from ejecting CDs with dscl

Jan 16, '08 07:30:00AM

Contributed by: deeproy

Sometimes in may become necessary to restrict access to local resources to certain users on a given workstation. In the past, NetInfo was the easiest way of accomplishing that finite control. Now with 10.5, that tool is no longer available, but has been replaced with the ever-popular dscl.

Recently I acquired a 10.5 machine for my two kids, and it became necessary to lock their access to the CD-ROM (since they broke the one on the 10.3 machine). Using some of the information I've gathered in the past from this site, I managed to put together the necessary command line arguments to lock that access. Read on for my solution.

Here's what I did:

  1. Output the mcx_settings to a text file saved to the root directory:
    dscl . -read /Users/kids mcx_settings > /mcx_settings.txt
  2. Opened this text file and found the entry for com.apple.finder. Then, I entered the following info in the file under the mcx_preference_settings node:
         <key>ProhibitEject</key>
         <true/>
    Save and close the text file.
  3. Create a new text file and entered the following:
    <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
            <dict>
                <key>has_mcx_settings</key>
                <true/>
                <key>simultaneous_login_enabled</key>
                <true/>
            </dict>
        </plist>
    Save the second file as /mcx_flags.txt.
  4. Run the following commands:
    $ mcx_set=`cat"$basepath"/mcx_settings.txt`
    $ mcx_flags=`cat"$basepath"/mcx_flags.txt`
    $ sudo dscl . -create /Users/kids "mcx_flags" "${mcx_flags}"
    $ sudo dscl . -create /Users/kids "mcx_settings" "${mcx_set}"
    Note: The top two commands use back quotes and not single quotes, which can trip you up depending on the font you're reading this in.
  5. Reboot.
Now the user "kids" cannot open the CD-ROM from the keyboard (or anywhere else, as far as I can tell). This combination of commands can also be used to automate user creation or control, and can be extended to limit access to a number of resources (more of which, such as ProhibitBurn, can be found in this older hint). All this trouble because NetInfo was removed from 10.5.

[robg adds: I haven't tested this one...]

Comments (11)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20080111162422869