Normal Behavior
Authored by: gerritdewitt on Dec 26, '07 08:03:46PM

As others have noted, this is normal behavior. If the Security system preference's "require password to wake" box is checked, this causes the loginwindow process to require that the system.login.screensaver authorization right be satisfied.

By default, satisfying that right requires that the rule "authenticate-session-owner-or-admin" be true.

The system's list of rights and rules is defined in the /etc/authorization file, which defines which users or groups are authorized to perform specific tasks (which may or may not be filesystem operations).

You can change this behavior with Property List Editor (part of the Developer Tools or Server Admin Tools).

1. First make a copy of the authorization file in /etc. Place the copy on your desktop (for example), and make changes to that file.

2. Then change the behavior as desired:

a. If you prefer that only the current user (called the session owner) be able to unlock his/her screen, make this change:

Expand the rights dictionary, and look for the system.login.screensaver right. Expand that dictionary, and change the value of the rule string from authenticate-session-owner-or-admin to authenticate-session-owner.

b. If you want the current user and members of a particular group other than admin to be able to wake/unlock the screen, make these changes:

i. You need to make a new group. We'll use "screengroup" for the short name. You can do this via dscl or the Accounts preference pane. This is the group that will be the "screen admins" - any member can unlock any user's screen.

ii. You need to make a new rule. Pick a name for your new rule; we'll use "authenticate-session-owner-or-screengroup". Open /etc/authorization, expand and select the rules dictionary, and click New Child. Name the child "authenticate-session-owner-or-screengroup," and change its type to Dictionary. Then expand the "authenticate-session-owner-or-screengroup" dictionary, highlight it, and add six new children (via New Child button).

The new children should be:

"allow-root" of type boolean (choose yes or no). No disables root's ability to unlock the screen.

"class" of type string should be "user"

"comment" of type string can be your notes

"group" of type string is the short name of the group whose members can unlock the screen. This example uses "screengroup" for the group name.

"session-owner" of type boolean should be Yes

"shared" of type boolean should be No

iii. Modify the system.login.screensaver right to use the new rule. As with (a), expand the rights and system.login.screensaver dictionaries. Change the value of the rule string to "authenticate-session-owner-or-screengroup"

3. Save changes to the desktop copy of authorization. Then use Terminal to move the existing authorization file:

sudo mv /etc/authorization /etc/authorization.apple

4. Copy the edited (desktop) copy of authorization to /etc. You can do this with Terminal or the Finder - use Go to Folder to navigate to /etc, which is hidden.

5. Ensure that the POSIX owner and group for /etc/authorization are correct:

sudo chown root:admin /etc/authorization

(Since you made a copy of the original /etc/authorization, the POSIX permission bits are preserved - they are 0644.)

6. Reboot.

7. To undo your changes, simply switch out the authorization files and reboot:

sudo mv /etc/authorization /etc/authorization.mychanges
sudo mv /etc/authorization.apple /etc/authorization

--Gerrit



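The edit described in step 2(b) of the comment above, done with Python's plistlib instead of Property List Editor. This is an added example, not part of the original comment. The embedded plist is a constructed, cut-down stand-in for a copy of /etc/authorization, and the function names are hypothetical; the check that the right points at a rule that is actually defined is an addition meant to be run on the edited copy before it is put in place.

```python
import plistlib

RIGHT = "system.login.screensaver"

# Constructed sample: a minimal stand-in for a copy of /etc/authorization.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
  <key>system.login.screensaver</key><dict>
    <key>class</key><string>rule</string>
    <key>rule</key><string>authenticate-session-owner-or-admin</string>
  </dict>
</dict>
<key>rules</key><dict>
  <key>authenticate-session-owner-or-admin</key><dict>
    <key>class</key><string>user</string>
    <key>group</key><string>admin</string>
  </dict>
</dict>
</dict></plist>"""

def add_group_rule(data, group, allow_root=False):
    """Add the six-key rule from step 2(b)(ii) and point the right at it (step iii)."""
    auth = plistlib.loads(data)
    name = "authenticate-session-owner-or-" + group
    auth["rules"][name] = {
        "allow-root": allow_root,   # False: root cannot unlock the screen
        "class": "user",
        "comment": "Session owner or a member of %s may unlock the screen." % group,
        "group": group,             # short name of the group
        "session-owner": True,
        "shared": False,
    }
    auth["rights"][RIGHT]["rule"] = name
    return plistlib.dumps(auth)     # XML plist bytes, ready to save as the edited copy

def effective_rule(data):
    """Return (name, rule) for the screensaver right; fail if the rule is undefined."""
    auth = plistlib.loads(data)
    name = auth["rights"][RIGHT]["rule"]
    if name not in auth["rules"]:
        raise ValueError("right %s refers to undefined rule %r" % (RIGHT, name))
    return name, auth["rules"][name]

if __name__ == "__main__":
    print("before:", effective_rule(SAMPLE)[0])
    print("after: ", effective_rule(add_group_rule(SAMPLE, "screengroup")))
```
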
Normal Behavior
Authored by: coolsoldier on Dec 26, '07 11:59:11PM

*This* is the hint that needs to be on the front page.


