Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'Allow non-Admin users to modify system preferences' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 06, '03 08:19:38AM

This will not work; I tried it. Files of type "prefPane" are not treated like files of type "app". And, actually, they're not files at all, but rather folders (bundles). The system does not consider file-level permissions when dealing with preferences; there is some higher level security abstraction going on.



[ Reply to This | # ]
Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 07, '03 03:26:06AM

it worked fine for us--we've implemented the method and it's what we're doing for our cluster of 30+ OS X mac's.

bundles are not a problem--just do a chmod -R, and you're right, they're just like directories.



[ Reply to This | # ]
Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 07, '03 03:28:12AM

P.S. you gotta use the command line to do this.



[ Reply to This | # ]
Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 07, '03 08:59:48AM

I tried this and it does not work. I'm not sure why it's working for you; are you sure all your users are not privileged? For those who want to perform their own tests, it's easy enough to do.

1. Create a new unprivileged user from System Preferences.

2. Backup the original file...

sudo cp -r /System/Library/PreferencePanes/DateAndTime.prefPane /System/Library/PreferencePanes/DateAndTime.orig

3. Set the new permissions...

sudo chmod -R +s /System/Library/PreferencePanes/DateAndTime.prefPane

4. Log out and log in as the new unprivileged user. Try to modify the date and time from System Preferences. Notice it still requires an admin password.

5. Log out and log in as admin. Restore your original file...

sudo cp -r /System/Library/PreferencePanes/DateAndTime.orig /System/Library/PreferencePanes/DateAndTime.prefPane

sudo rm -r /System/Library/PreferencePanes/DateAndTime.orig

I have tried this on several machines with the same results. Once again: When it comes to System Preferences, the OS does not look at the individual file and folder permissions to determine who gets to run what; there is a higher level security abstraction going on.

[ Reply to This | # ]

Allow non-Admin users to modify system preferences
Authored by: sgrey on Aug 07, '03 10:38:05AM

Well, I guess I got lucky when I tried this, because I didn't have much trouble. I will recheck things when I get to work today, but I'm sure it's working!

Now, in your step below, you cite:

>3. Set the new permissions...

>sudo chmod -R +s /System/Library/PreferencePanesDateAndTime.prefPane

What I did differently is leave the Date and Time pref pane alone, because I wanted everyone, admin or non-admin alike, to be able to access and change it. I only changed the permissions on pref panes I DIDN'T want non-privileged users to access, which was most of them. So for instance I'd log in as root and:

chmod -R u=rwx,g=r,o=r /System/Library/EnergySaver.prefPane

'cause I didn't want people messing with the Energy Saver.

then you get something like this:

ls -l /System/Library/EnergySaver.prefPane

and you get:

-rwxr--r-- 1 root wheel 749 Dec 4 2002 EnergySaver.prefPane

So everyone and wheel can still read it, but only root can change it.

Honestly, I ain't lying, it works like a charm! When a non-privileged user logs in and calls up System Preferences, they can see all the pref panes, but when they go to click on one for which the privs have been altered it gives them an error message.

I guess the "+s" you specified above is a perm option, and I don't know how that works.






[ Reply to This | # ]
Allow non-Admin users to modify system preferences
Authored by: masskinner on Aug 07, '03 11:14:40AM

I believe this technique works for you, but only because the System Preferences you are dealing with are accessible to unprivileged users by default. If you try this trick with DateAndTime, it will not work.

chmod -R +s recursively sets the user id (SUID) on execution.

So far, modifying the /etc/authorization file seems to be the best solution. Perhaps the trick is to combine that with file permissions as well. In other words: modify the authorization file to allow everyone to modify the system prefs, then lock the users out of certain system prefs by changing the individual file and folder permissions. -S

[ Reply to This | # ]