Create 'managed' admin users
Authored by: klktrk on Mar 26, '04 02:41:15PM

As per Vondrix's suggestion, the more secure way to solve a problem is to only grant the privileges necessary. In this case, you basically want to give certain users the right to install software in the Main /Applications folder on the computer. So, keeping security in mind, you don't look for a way to up the user's privileges across the board and then limit them in some little ways, you look for a way to enable them to JUST do that added thing you want to let them.

Vondrix's suggestion would work. You could follow it up with the following bash code added to /etc/daily.local which would ensure that the Applications folder would continue to have the appropriate permissions.

chmod 775 /Applications; chown root:caninstall /Applications

where "caninstall" would be the group name you've given installation privileges to.



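An added example, not part of the original comment: a version of the /etc/daily.local re-apply step that acts only when the folder has drifted from the intended mode and ownership, and writes what it found to stderr so the drift is visible wherever the periodic script's output goes. The function name enforce_dir_perms, its argument order and its return codes are assumptions of this example; "caninstall" is the group name from the comment above.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
#
# enforce_dir_perms DIR MODE OWNER GROUP
#   returns 0 if DIR already had the wanted mode, owner and group
#   returns 1 if drift was found and corrected
#   returns 2 if DIR is unsafe to touch or could not be corrected
enforce_dir_perms() {
    dir=$1 mode=$2 owner=$3 group=$4

    # Refuse symlinks and non-directories so chmod/chown are never
    # redirected to some other path.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "enforce_dir_perms: $dir is not a real directory, skipping" >&2
        return 2
    fi

    # POSIX find: -prune limits the test to DIR itself, and -perm with a
    # bare octal value matches the permission bits exactly.
    if [ -n "$(find "$dir" -prune -perm "$mode" \
                 -user "$owner" -group "$group" -print)" ]; then
        return 0
    fi

    # Record the state before fixing it, so the report shows what changed.
    echo "enforce_dir_perms: drift on $dir: $(ls -ld "$dir")" >&2
    chmod "$mode" "$dir" && chown "$owner:$group" "$dir" || return 2
    return 1
}

# Usage in /etc/daily.local, with the values from the comment above:
#   enforce_dir_perms /Applications 775 root caninstall
```

A run that returns 1 every day means something is resetting the folder between runs, which is worth tracking down rather than silently overwriting.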
Create 'managed' admin users
Authored by: Anonymous on Mar 26, '04 04:24:43PM

We had this same discussion with our Apple Eng a couple of weeks ago. My users need admin rights, but I didn't want them playing with their pref panes (i.e. remote desktop). So what we determined was removing the actual pane from System:Library:PreferencePanes (ARDPref.prefPane) after making the settings in Remote Desktop. This allows Remote Desktop to work, but the pref pane is gone in System Preferences. Even with Admin Rights, without the actual pane, no changes can be made. I keep a copy of the pane on the server that only I have access to. It seems to be working really nice so far.



Create 'managed' admin users
Authored by: TvE on Mar 26, '04 04:44:34PM

Can't the user use "defaults" to set different settings for the prefpane - or even provide their own copy of the prefpane?



Create 'managed' admin users
Authored by: JohnnyMnemonic on Mar 27, '04 01:10:06AM

The problem with this is illustrated by an example: we moved the System Preference for "Software Update"; we didn't want our users installing an update that we haven't had the chance to test first. Problem is, they could just use the terminal to "softwareupdate". Removing sudo permissions in /etc/sudoers only changed sudo on the command line; users could still unclick locks in the GUI (for example, to change permissions on directories, and reaccess the hidden preference pane).

Finally, we found that changed permissions on System-installed items were "fixed" the next time "Fix Permissions" was run by Disk Utility, which, IIRC, doesn't even require admin rights to do.

The best solution is to modify /etc/authorization, as Joel says, but I've found the documentation for it cryptic at best.

The real solution is to set up Network Authentication + WorkGroup Manager, but that requires the care and feeding of a server.


