10.6: Unlock screens using any admin password
Authored by: bryan_g on Jan 07, '11 08:44:31AM
I may have done something wrong, but I just implemented this and it looks like non-admin users are now able to unlock each other's accounts as well. I am in a setting where this is definitely undesired behavior (as I imagine it would be in most cases). I played with it a little bit and ended up using this in /etc/pam.d/screensaver:

# screensaver: auth account
auth       optional       pam_krb5.so
auth       required       pam_opendirectory.so nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    sufficient     pam_group.so no_warn deny group=admin,wheel ruser fail_safe

As far as I can tell, it lets admins unlock any screen and only allows non-admins to unlock their own.