Authorization File Change Log (of sorts) & Archive

I’ve been playing with VMWare Fusion Snapshots and OS builds and have compiled a repository of original etc/authorization files incase you mess yours up.  Authorization File Archive.

And the correct permissions are: permissions

A few have asked if these posts are still valid for 10.8.x & I’d like to confirm Yes they are.  I decided to go back and look at each & compare them to find the changes throughout the OS builds in the etc/authorization files.

10.7.2 to 10.7.3  Just some new strings added in to support multiple new languages.

.

10.7.3 to 10.7.4 – A couple of new Keys were added, brief description below:

<key>com.apple.Safari.show-passwords</key> (Probably allows you to set who can see passwords in Safari)

<string>This right is used by Safari to show passwords </string>

<key>com.apple.library-repair</key>  (Probably allows you to set who can repair libraries)

<string>__APPNAME__ is trying to repair your photo library.</string>

<key>com.apple.security.assessment.update</key> (Not too sure)

<string>Modify Settings</string>

 

10.7.4 to 10.7.5 – No Changes

 

10.7.5 to 10.8 – Lots of Changes, Notes below.

<key>com.apple.AOSNotification.FindMyMac.modify</key> (To investigate) 

<key>com.apple.DiskManagement.internal.</key>

<string>Used by diskmanagementd to allow access to its privileged functions</string> (To investigate) 

<key>com.apple.SoftwareUpdate.modify-settings</key>  appears to be exactly the same as <key>system.preferences.softwareupdate</key>  but new rule of   <string>root-or-entitled-admin-or-app-specific-admin</string>  (app-specific-admin seems to be new as well)

<key>com.apple.lldb.LaunchUsingXPC</key> (This replaced a Podcast Producer key, to investigate)

<key>com.apple.opendirectoryd.linkidentity</key> (To investigate) 

<key>system.install.apple-config-data</key> (To investigate) 

<key>system.preferences.nvram</key> (To investigate) 

<key>system.services.directory.configure</key> (Is now a USER rule)

—-

New Keys (abbreviated)

<key>system.services.systemconfiguration.network</key> (Appears the same, To investigate) 

<string>For making change to network configuration via System Configuration.</string>

<key>system.volume.</key> (Not sure about this lot of volume related keys) 

<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>

<key>system.volume.external.</key>

<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>

<key>system.volume.external.adopt</key>

<key>system.volume.removable.</key>

<key>system.volume.removable.adopt</key>

<key>app-specific-admin</key> (New Rule type, To investigate) 

<dict>

<key>class</key>

<string>user</string>

<key>group</key>

<string>admin</string>

</dict>

 

10.8 to 10.8.1 – No Changes

 

10.8.1 to 10.8.2 - Some Changes.

<key>system.login.console</key>

<dict>

<key>class</key>

<string>evaluate-mechanisms</string>

<key>comment</key>

<string>Login mechanism based rule.  Not for general use, yet.</string>

<key>mechanisms</key>

<array>

<string>builtin:policy-banner</string>

<string>loginwindow:login</string>

<string>builtin:login-begin</string> (NEW, not sure of use)

 &

<string>builtin:login-success</string> (NEW, not sure of use)

 

———  Updated : 22 July 2013  ———-

 

10.8.2 to 10.8.4 - A few new entries

 

<key>com.apple.container-repair</key>  (Described as: __APPNAME__ needs to repair your Library to run applications)

<dict>
<key>class</key>
<string>user</string>

 

A couple of New Wifi Strings that look very useful

<key>com.apple.wifi</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For restricting WiFi control</string>
<key>k-of-n</key>
<integer>1</integer>
<key>rule</key>
<array>
<string>is-admin</string>
<string>is-root</string>
<string>default</string>
</array>
</dict>
<key>com.apple.wireless-diagnostics</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by the WirelessDiagnosticsSupport framework to restrict XPC services provided by the wdhelper daemon</string>
<key>group</key>
<string>admin</string>
<key>shared</key>
<false/>
</dict>

Adobe Flash 11.3 Enable or Disable Silent Update Package

Flash Logo

Adobe Flash Player 11.3 for Mac has a new “Silent Update” feature, detailed here: http://blogs.adobe.com/asset/2012/06/flash-player-11-3-delivers-additional-security-capabilities-for-mac-and-firefox-users.html

“The background updater being delivered for Mac OS X uses the same design as the Flash Player updater on Windows. If the user chooses to accept background updates, then the Mac Launch Daemon will launch the background updater every hour to check for updates until it receives a response from the Adobe server. If the server responds that no update is available, the system will begin checking again 24 hours later. If a background update is available, the background updater can download and install the update without interrupting the end-user’s session with a prompt.”

Supposedly it will allow Flash to update itself with no user interaction but I can’t confirm this until another Flash Update comes out.  Anyway I’ve put together a really basic Package the turns the feature On for anyone who wants to give it a try.

It  simply puts a new mms.cfg files into /Library/Application Support/Macromedia/ with the following 2 lines of text:

AutoUpdateDisable=0
SilentAutoUpdateEnable=1

This package can be deployed via the normal methods. (ARD, Munki, Casper)

Pic of Package IconPKG - https://docs.google.com/open?id=0ByZBlcehUDfOZFNyOU1wR1ZWN3c  (use the File Menu > Download)

 

& here’s a PKG todo the opposite – AutoUpdateDisable = 1 & SilentAutoUpdateEnable = 0

Pic of Package Icon PKG - https://docs.google.com/open?id=0ByZBlcehUDfORFQ1eWdpMnp4Rzg (use the File Menu > Download)

 

Checkout Greg’s package here for a Package that disables updates - http://managingosx.wordpress.com/2011/05/13/disabling-auto-update-notifications-for-flash-player-10-3/

 

Using Network Accounts with the Authorization file – 10.7.3

I’ve had a couple of comments about using Network based accounts / groups instead of local groups.  I’ve done some tests on 10.7.3 and here’s a couple of ways to go about it. (Thanks goes to Shane for some of the info)

My testing and examples below assume a similar setup to mine which is.  Staff are allocated one machine each.  Windows Server 2008 Active Directory setup, Domain Users and Mac’s bound to AD via the native apple plug-in.  A local admin account on every mac for installing software, ARD use, backup for when directory services falls over.  Try and adjust my examples below to fit your needs.

A. Create a new local group and add users to it. (Small scale scenarios)

1. Login as an admin account, goto System Preferences > User & Groups, unlock the pane and click the + button.

2. Scroll down and choose the Group option at the bottom and give it a name.  i.e. testgroup.

3. Simply tick the users you want in that group and close the pane.  In the picture below I’ve added an account called Mickey Mouse.  The machine was bound to Active Directory via the built in Apple plugin then I logged in as the network user (mimouse) and forced a local home, creating a “Managed, Mobile” account.  I’ve also ticked my local admin account called The Boss.

4. You now have a group with your network non-admin account and your local admin account. As pictured below.

Now you can do as per my previous post simply replacing lpadmin with testgroup / whatever you called your new group for whichever Preference Panes you want to unlock.

B. Create a new local group and add existing groups to it, nested groups. (Larger scale scenario)

The example above works for a machine that has one or two known users but not multiple unknown users logging in. We’re going to add existing groups where the members are calculated, to a new local group so it covers all potential users.  Where going to effectively add Domain Users and local admins to this new group.

1. Create a new local group for the purpose.  As per above via Users & Groups or via the command line. (have a look at dscl . -create)

2. Active Directory users get added to the netaccounts local group when you login on your Mac.  Both Mobile and Network accounts. (See my note at the bottom about directly using Domain Groups)  To verify, login as a non-admin AD based user and check the account is in that group via Terminal:  dsmemberutil checkmembership -U mimouse -G netaccounts  (subbing mimouse for your network accounts shortname) you can also use dseditgroup -o checkmember netaccounts (it will check if the current terminal sessions user is in the group or not)

you’ll get a one line reply like this:  “yes mimouse is a member of netaccounts”

3. Add the netaccounts group to your new group, in my example  it’s called testgroup.  In Terminal paste the following: sudo dseditgroup -o edit -a netaccounts -t group testgroup

4. Verify your AD user is now also now part of test group. dsmemberutil checkmembership -U mimouse -G testgroup

 Note: Any other non-admin domain users that login to this machine will also get put into the netaccounts group and therefore be part of your new ‘testgroup’ automatically.

5. Add the local administrator group to this group as well.   You want to be able to edit all the System Preferences as well.  In Terminal paste the following: sudo dseditgroup -o edit -a admin -t group testgroup

6. Verify it’s worked as per step 4, subbing in a local admin’s username.  In my example ‘theboss’.

7. You now have a local group called testgroup, which contains nested groups Administrators and Network Accounts.  Open System Preferences > Users & Groups and you should see a result as pictured below.  Noting that you can’t achieve this result from the GUI.

Accounts Pane

Now you can do as per my previous post simply replacing lpadmin with testgroup / whatever you called your new group for whichever Preference Panes you want to unlock.

NOTE: You can also directly add Domain Groups into this new local group: i.e. below I’ve added Domain Admins and Domain Users from Active Directory to my group.

sudo dseditgroup -o edit -a “Domain Users” -t group testgroup
sudo dseditgroup -o edit -a “Domain Admins” -t group testgroup

BUT this membership is calculated or searched for at the time of credential checking.  A simple check of Shutting down, booting up with no network cable plugged in, logging in as my mobile AD account yields no mimouse is NOT a member of testgroup.  If I connect the Ethernet cable and wait 60 seconds it returns yes they are.  This gets cached for some time period.  I wouldn’t recommending doing it this way, as a network connection is basically required at all times.

Making use of the /etc/authorization file in Lion / 10.7.x

This post will look at putting the authorization file to use in a partially managed Mac environment.  Yes some of this can be done via OD & MCX but as we’re a small environment we don’t use it nor really need it.  All testing was done with 10.7.2 and I’ve been using it with all our Mac’s up to 10.8.2 at the moment.

Q:  What’s the problem we want to solve?
A
: I want my users to be somewhere in between what Apple defines as a “Standard User” and a “Admin User”.  Stealing from Windows terminology,  I want them to be a “Power User”.

I want the System Preference panes marked below with red X’s to no longer require an Admin password to unlock them.  Your environment will be different to mine, so pick, choose & extend these ideas to what fits your environment.

Desired Sys Prefs

Energy Saver:  I want users to be able to set their own Sleep schedules.  I don’t want support requests from users about changing their sleep from 10 to 15minutes. Cons:   The potential downside of this is that I really don’t want them to be able to turn off  “Wake for Ethernet network access” (ARD use) but I’m hoping most won’t mess with this setting.

Print & Scan: I want laptop users to be able to add a home inkjet / laser printer. Cons:  I don’t really want them deleting or adding other printers at work so I’m not actually going to unlock this preference pane in this example.  But you may want to in your environment.  I will do it by adding the user to the lpadmin group instead.  Adding a user to the lpadmin group allows them to install or remove printers it doesn’t however unlock the Print & Scan System Preference pane but it does allow them to use the less obvious + and – buttons in that pane to make changes.  They can also use the File > Print > Printer > Add New Printer… option to add a home printer.

Network: I want laptop users to be able to adjust network settings as they travel.  Often at conferences, home or other sites, custom network settings or proxy settings are required.  Opening this up lets them adjust them as needed. Cons: Users can break their network settings which may yield a support request.

Date & Time: I want laptop users to be able to change the time zone if the ‘automatic’ feature fails.  Also if the PRAM battery fails I want users to be able to set the correct date and time. Cons:  Users can be on the wrong time zone / time which will effect things like AD based login’s.

Time Machine: I want laptop users to be able to setup a USB drive or Time Capsule at home as they’re backup device.

Not mentioned above: Software Update:  I plan to enable Software Update once I get my own Software Update Server running using Reposado.  This way I can enable standard users to update their own Mac’s via the built-in Apple system but control what updates are available via reposado.  You can also do this via Munki or this app at http://www.littleboyblue.co.nz/ instead.

In my environment I’ve decided for now that I only want to open the above extra Preference Panes up for laptop users.  Desktop users I can help over the phone easily, change things remotely via ARD or go visit them.  Laptop users who are overseas or not on-site are the main concern as I can’t help them easily nor allowed to give them admin credentials.

In my environment for 10.7.x we are currently using the Apple Active Directory plug-in and Mobile User Accounts with local homes.  We add laptop users to the lpadmin group so they can install printers at home.  I do this via Apple Remote Desktop (ARD) using the Send Unix Command option:  dseditgroup -o edit -a USERNAME -t user _lpadmin if doing it locally via the command line as an admin use sudo dseditgroup -o edit -a USERNAME -t user _lpadmin  To verify the user has been added use dscl . -read /Groups/lpadmin at the command line.  Looking at the “Group Membership” field.

I am going to leverage this as it distinguishes between desktop and laptop users in our environment to achieve the outcome above. You could also create a new group and use that or use another built-in group.  Be aware that creating your own group means that you’d also need to add admin accounts to that group or the admin group itself.  By default all local admin accounts are members of the lpadmin group.  You could also use the staff or everyone group to open it wider.

So from the info in my earlier post we’re going to change the following keys in the /etc/authorization file from group admin to lpadmin using TextWrangler:

<key>system.preferences</key>
<key>system.preferences.energysaver</key>
<key>system.preferences.network</key>
<key>system.preferences.datetime</key>
<key>system.preferences.timemachine</key>

changing the bottom part of each entry above from
<key>group</key>
<string>admin</string>

to

<key>group</key>
<string>lpadmin</string>

Note: TextWrangler will change the files owner and group, you can easily set it back via chown & chmod or just run Disk Utility – Repair Permissions which will set it back to root and wheel.

To make this even easier and ARD compatible I’ve adjusted a script from here which can be sent out via ARD to a Machine to change it immediately.  If a future apple update changes the file back to it’s original state it’s easily changed back.

#!/bin/bash
#Copy the authorization file to a temporary location & make it a plist
/bin/cp -pr /etc/authorization /private/tmp/authorization.plist
# Unlock System Preferences for lpadmin group members.
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Network Settings preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.network:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Time Machine preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.timemachine:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Energy saver preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.energysaver:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Date and Time preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.datetime:group lpadmin’ /private/tmp/authorization.plist
# Move file back to original location
/bin/mv /private/tmp/authorization.plist /etc/authorization

You can just copy and paste the text above into the “Send Unix Command” text area in ARD and send it as a local admin or root.  Alternatively copy the text into TextWrangler, do a save as i.e. auth-changescript.sh then go to the command line and make it executable via chmod +x auth-changescript.sh then run it with sudo ./auth-changescript.sh or sudo sh auth-changescript.sh

This is what you’ll see when trying to unlock a pane as a standard user that you haven’t added to the lpadmin group.
Print Admin Prompt

And this is what you’ll see once you’ve added a standard user to the lpadmin group (or when logged in as an admin)

There’s other ways to achieve the same result.  You can change the key’s above from class “user” to “rule” keys and make your own rule at the bottom of the authorization file or use a built-in one but it’s much more complex & not well documented by Apple.

Mac OS X 10.7 / Lion – First look at /etc/authorization usage

The /etc/authorization file in Mac OS X / 10.x can be used to control access to the various panes of the System Preferences amongst other things. It’s used by some of us Mac Sys Admin’s to give Standard Users access to System Prefs panes that only admins could otherwise unlock.  It can also be used in the reverse to lock down panes you don’t want users messing with. An example by Apple was Allowing non-admin users to change the time zone settinghttp://support.apple.com/kb/TA23576 (Note this still works under Lion, tested on 10.7.4). Often the panes can’t be controlled to the exact level you may want via MCX (Local or Managed) or defaults write / plists.  Nor do you want to give users admin rights in a large business / university.

With 10.6 and now 10.7 the following Preference Panes are locked by default.  Meaning you need an admin username and password to unlock them: Security & Privacy, Energy Saver, Print & Scan, Network, Sharing, Users & Groups, Parental Controls, Date & Time, Software Update, Time Machine and Startup Disk.  As a ‘Standard User’ you can’t unlock these panes.

SysPrefs-Locked

In 10.6 we could do the following to the /etc/authorization file, to give a standard user semi-admin access to the Preference Panes.

<key>system.preferences</key>
 <dict>
 <key>allow-root</key>
 <true/>
 <key>class</key>
 <string>user</string>
 <key>comment</key>
 <string>Checked by the Admin framework when making changes to certain System Preferences.</string>
 <key>group</key>
   <string>everyone</string>  * Changing this from 'admin', to another local group. i.e. staff, everyone, or a custom group you created yourself.
 <key>shared</key>
 <true/>
 </dict>

This unlocks the majority of the preference panes above, the downside being you probably don’t want them all unlocked. (i.e Startup Disk) For some this was acceptable and used.  Some of us however just wanted a few unlocked, i.e. Date & Time for laptop users who travel a lot. Time Machine, so staff could connect to a Time Capsule or USB Hard Drive at home.  Energy Saver so they could adjust the settings to their liking. etc…

With 10.7 / Lion the /etc/authorization has undergone some changes and has much more granular control available in it. Making locking or unlocking individual Preference Panes possible!  (Yes TimeMachine)

Before you start make a copy of the authorization file.  If you make a wrong edit your machine will get stuck and the spinning cog on boot.  You can restore from your backup by booting into Single User mode (Command + S on boot) & trashing the messed file and renaming your backup. You can also edit the file from this mode, use ‘sudo mount -auw’ then, cd etc, ‘sudo pico authorization’ at the command line.  Find the bit you messed up fix it and save and reboot.

So open up the /etc/authorization file (Finder, Go to Folder, /etc), I’d recommend using TextWrangler to edit it.  In general you are going to be searching for a <key> key-name </key> and then editing the very end section of the key / dict entry. From this, to this:

	<string>__APPNAME__ 正在嘗試解鎖“安全性與隱私”偏好設定。</string>
</dict>
<key>group</key>
<string>admin</string>  ** Change admin to another local group that your user is in.
i.e. staff, everyone etc...
<key>shared</key>
<false/>

* Standard Users when created are automatically put into the “staff” group. “Admin” users are in the “staff” and “admin” groups

Save the file.   Update: You don’t actually need to reboot your Mac.  Sys Prefs re-reads from the file at the time of credential checking.

*

To unlock the Systems Preferences in General so all changes below will actually work you first need to edit this top level key.  <key>system.preferences</key>   adjust it as above changing it to a local group, i.e. staff or everyone.  Save & Close.

*

I certainly don’t recommend unlocking all the Prefs panes, as it may give users more access than you want or have unintended side effects.  But I will document them all incase needed.

To Unlock the Security & Privacy Pane – search for the following key  <key>system.preferences.security</key> & adjust it as above,  save & reboot.  This alone will unlock the pane, but you still won’t be able to get into it. Try logging in as a Standard user & unlocking it, it will work the first time but you’ll be prompted again at which point it won’t accept your password.  This is because it’s actually trying to unlock the FileVault tab, if you cancel out of the 2nd credential prompt and go back in you’ll get this slightly different prompt 2nd time round.

First time round it was ‘is trying to unlock Sharing preferences’, 2nd time its ‘modify an encrypted disk’.  So go back to the etc/authorization file and search for this <key>com.apple.DiskManagement.reserveKEK</key> 

	<dict>
		<key>en</key>
		<string>__APPNAME__ is trying to modify an encrypted disk.</string>
	</dict>
	<key>group</key>
	<string>admin</string> *Change this to another local group: staff, everyone
	<key>shared</key>

save and reboot.  Login as your standard user, you can now get into the Security & Privacy pane.

Energy Saver – Unlockable by editing - <key>system.preferences.energysaver</key> (as above)
Print & Scan – Unlockable by editing - <key>system.preferences.printing</key> note this unlocks the pane but you need to be in the lpadmin group to add a printer.
Network - Unlockable by editing - <key>system.preferences.network</key>
Sharing – Unlockable by editing - <key>system.preferences.sharing</key> this alone won’t unlock sharing as the “File Sharing” component is still blocking your access You need to adjust <key>system.sharepoints.</key> as well.

Users & Groups – Unlockable by editing -> <key>system.preferences.accounts</key> again this alone won’t unlock the Pane, you will be prompted for credentials twice, it will fail on attempt two. you need to adjust <key>system.services.directory.configure</key> as well.  This key is slightly different and uses a rule key, rather than a group key. edit it as follows to allow the current ‘session user’ access.

  </dict>
	<key>rule</key>
	<string>root-or-admin-or-authenticate-admin</string>
        *Change it to authenticate-session-owner-or-admin
</dict>

Parental Controls - Unlockable by editing <key>system.preferences.parental-controls</key>
Date & Time – Unlockable by editing <key>system.preferences.datetime</key> &  you can manually add in <key>system.preferences.dateandtime.changetimezone</key>  as per this old article – http://support.apple.com/kb/TA23576 (Tested it under 10.7.4)
Software Update – Unlockable by editing <key>system.preferences.softwareupdate</key>
Time Machine – Unlockable by editing <key>system.preferences.timemachine</key>
Startup Disk – Unlockable by editing <key>system.preferences.startupdisk</key> 

and then there’s some new Keys of interest in Lion

<key>system.install.app-store-software</key>
<key>com.apple.SoftwareUpdate.scan</key>

That’s my wrap up of the authorization file in Lion.  Happy to try and answer any queries.

Mac OS X Related Notes of a Mac Sys Admin

Hi All

Often I investigate things, try to solve a problem and never remember the finer details.  From now on I’m going to post them here for myself and everyone else.  Hopefully some of the info will be useful to others.

Follow

Get every new post delivered to your Inbox.