Create 'managed' admin users
Authored by: Anonymous on Mar 26, '04 02:34:29PM

/etc/authorization allows you to give non-admin users the ability to do things, like install things into the "admin" areas like /Applications and /Network, in addition to much much more.

That is a much better way of doing this. Elevate a non-admin as opposed to demoting an admin. As other posters have mentioned, since they can still do sudo and other CLI commands it would be trivial to remove the MCX info from their account. This is security through obscurity at best.

More info on my site.

Joel

www.afp548.com
mactroll@afp548.com



More on /etc/authorization?
Authored by: klktrk on Mar 26, '04 02:45:32PM

This is really interesting, and I was totally unaware of the /etc/authorization file. Looking at the file, it's in a .plist format, though it doesn't have the extension.

Does anyone have a good resource, FAQ, or tutorial on how to configure this file?



More on /etc/authorization?
Authored by: peterneillewis on Mar 26, '04 10:08:49PM

I don't know if I would call it a good resource, but you can find out more information at:

http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/index.html

It is more of a programmer's resource for adding support to your application (for example, we used it in Interarchy to allow administrators to limit access to the network traffic watching facility), but I haven't seen much else around, so perhaps this is as good as it gets.



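An added example, not part of any comment in this thread and not Apple's code: since the file is a property list, a short Python 3 script can list every right that someone outside the admin group can obtain, which is the thing to re-check after editing it. It assumes the file has top-level `rights` and `rules` dictionaries whose entries use `class`, `group` and `rule` keys; the sample data and the `example.*` and `allow-all` names are constructed.

```python
import plistlib

# Constructed sample in the assumed layout of /etc/authorization (not a real system's file).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key><dict>
    <key>system.preferences</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
    </dict>
    <key>example.install</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>staff</string>
    </dict>
    <key>example.open</key><dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>allow-all</string>
    </dict>
  </dict>
  <key>rules</key><dict>
    <key>allow-all</key><dict><key>class</key><string>allow</string></dict>
  </dict>
</dict></plist>"""

def resolve(entry, rules, depth=0):
    """Follow class=rule references to the entry that actually decides."""
    ref = entry.get("rule")
    if entry.get("class") == "rule" and isinstance(ref, str) and depth < 8:
        target = rules.get(ref)
        if isinstance(target, dict):
            return resolve(target, rules, depth + 1)
    return entry  # unresolved references are returned as-is and not flagged

def non_admin_rights(plist_bytes, admin_group="admin"):
    """Return {right: reason} for rights granted without admin-group membership."""
    db = plistlib.loads(plist_bytes)
    rules = db.get("rules", {})
    findings = {}
    for name, entry in sorted(db.get("rights", {}).items()):
        final = resolve(entry, rules)
        cls = final.get("class")
        if cls == "allow":
            findings[name] = "granted to everyone"
        elif cls == "user" and final.get("group") != admin_group:
            findings[name] = "granted to group %r" % final.get("group")
    return findings

if __name__ == "__main__":
    for right, why in non_admin_rights(SAMPLE).items():
        print(right, "->", why)
```

To check a real machine, pass the bytes of `/etc/authorization` instead of `SAMPLE` and compare the output before and after each change.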
Create 'managed' admin users
Authored by: andyinindy on Mar 26, '04 09:13:37PM

Thanks, Joel, for pointing this out. I had no idea that this existed either. I agree that it makes more sense to add privileges to a normal user than to demote an admin. Glad to see that there is an alternative. This is exactly what I was angling for with this hint... some expert advice!

afp548 rocks, BTW! Tons of great articles.


