Mac OS X 10.7 / Lion – First look at /etc/authorization usage

The /etc/authorization file in Mac OS X / 10.x can be used to control access to the various panes of the System Preferences amongst other things. It’s used by some of us Mac Sys Admin’s to give Standard Users access to System Prefs panes that only admins could otherwise unlock.  It can also be used in the reverse to lock down panes you don’t want users messing with. An example by Apple was Allowing non-admin users to change the time zone setting – http://support.apple.com/kb/TA23576 (Note this still works under Lion, tested on 10.7.4). Often the panes can’t be controlled to the exact level you may want via MCX (Local or Managed) or defaults write / plists.  Nor do you want to give users admin rights in a large business / university.

With 10.6 and now 10.7 the following Preference Panes are locked by default.  Meaning you need an admin username and password to unlock them: Security & Privacy, Energy Saver, Print & Scan, Network, Sharing, Users & Groups, Parental Controls, Date & Time, Software Update, Time Machine and Startup Disk.  As a ‘Standard User’ you can’t unlock these panes.

SysPrefs-Locked

In 10.6 we could do the following to the /etc/authorization file, to give a standard user semi-admin access to the Preference Panes.

<key>system.preferences</key>
 <dict>
 <key>allow-root</key>
 <true/>
 <key>class</key>
 <string>user</string>
 <key>comment</key>
 <string>Checked by the Admin framework when making changes to certain System Preferences.</string>
 <key>group</key>
   <string>everyone</string>  * Changing this from 'admin', to another local group. i.e. staff, everyone, or a custom group you created yourself.
 <key>shared</key>
 <true/>
 </dict>

This unlocks the majority of the preference panes above, the downside being you probably don’t want them all unlocked. (i.e Startup Disk) For some this was acceptable and used.  Some of us however just wanted a few unlocked, i.e. Date & Time for laptop users who travel a lot. Time Machine, so staff could connect to a Time Capsule or USB Hard Drive at home.  Energy Saver so they could adjust the settings to their liking. etc…

With 10.7 / Lion the /etc/authorization has undergone some changes and has much more granular control available in it. Making locking or unlocking individual Preference Panes possible!  (Yes TimeMachine)

Before you start make a copy of the authorization file.  If you make a wrong edit your machine will get stuck and the spinning cog on boot.  You can restore from your backup by booting into Single User mode (Command + S on boot) & trashing the messed file and renaming your backup. You can also edit the file from this mode, use ‘sudo mount -auw’ then, cd etc, ‘sudo pico authorization’ at the command line.  Find the bit you messed up fix it and save and reboot.

So open up the /etc/authorization file (Finder, Go to Folder, /etc), I’d recommend using TextWrangler to edit it.  In general you are going to be searching for a <key> key-name </key> and then editing the very end section of the key / dict entry. From this, to this:

	<string>__APPNAME__ 正在嘗試解鎖“安全性與隱私”偏好設定。</string>
</dict>
<key>group</key>
<string>admin</string>  ** Change admin to another local group that your user is in.
i.e. staff, everyone etc...
<key>shared</key>
<false/>

* Standard Users when created are automatically put into the “staff” group. “Admin” users are in the “staff” and “admin” groups

Save the file.   Update: You don’t actually need to reboot your Mac.  Sys Prefs re-reads from the file at the time of credential checking.

*

To unlock the Systems Preferences in General so all changes below will actually work you first need to edit this top level key.  <key>system.preferences</key>   adjust it as above changing it to a local group, i.e. staff or everyone.  Save & Close.

*

I certainly don’t recommend unlocking all the Prefs panes, as it may give users more access than you want or have unintended side effects.  But I will document them all incase needed.

To Unlock the Security & Privacy Pane – search for the following key  <key>system.preferences.security</key> & adjust it as above,  save & reboot.  This alone will unlock the pane, but you still won’t be able to get into it. Try logging in as a Standard user & unlocking it, it will work the first time but you’ll be prompted again at which point it won’t accept your password.  This is because it’s actually trying to unlock the FileVault tab, if you cancel out of the 2nd credential prompt and go back in you’ll get this slightly different prompt 2nd time round.

First time round it was ‘is trying to unlock Sharing preferences’, 2nd time its ‘modify an encrypted disk’.  So go back to the etc/authorization file and search for this <key>com.apple.DiskManagement.reserveKEK</key> 

	<dict>
		<key>en</key>
		<string>__APPNAME__ is trying to modify an encrypted disk.</string>
	</dict>
	<key>group</key>
	<string>admin</string> *Change this to another local group: staff, everyone
	<key>shared</key>

save and reboot.  Login as your standard user, you can now get into the Security & Privacy pane.

Energy Saver – Unlockable by editing – <key>system.preferences.energysaver</key> (as above)
Print & Scan – Unlockable by editing – <key>system.preferences.printing</key> note this unlocks the pane but you need to be in the lpadmin group to add a printer.
Network – Unlockable by editing – <key>system.preferences.network</key>
Sharing – Unlockable by editing – <key>system.preferences.sharing</key> this alone won’t unlock sharing as the “File Sharing” component is still blocking your access You need to adjust <key>system.sharepoints.</key> as well.

Users & Groups – Unlockable by editing -> <key>system.preferences.accounts</key> again this alone won’t unlock the Pane, you will be prompted for credentials twice, it will fail on attempt two. you need to adjust <key>system.services.directory.configure</key> as well.  This key is slightly different and uses a rule key, rather than a group key. edit it as follows to allow the current ‘session user’ access.

  </dict>
	<key>rule</key>
	<string>root-or-admin-or-authenticate-admin</string>
        *Change it to authenticate-session-owner-or-admin
</dict>

Parental Controls – Unlockable by editing <key>system.preferences.parental-controls</key>
Date & Time – Unlockable by editing <key>system.preferences.datetime</key> &  you can manually add in <key>system.preferences.dateandtime.changetimezone</key>  as per this old article – http://support.apple.com/kb/TA23576 (Tested it under 10.7.4)
Software Update – Unlockable by editing <key>system.preferences.softwareupdate</key>
Time Machine – Unlockable by editing <key>system.preferences.timemachine</key>
Startup Disk – Unlockable by editing <key>system.preferences.startupdisk</key> 

and then there’s some new Keys of interest in Lion

<key>system.install.app-store-software</key>
<key>com.apple.SoftwareUpdate.scan</key>

That’s my wrap up of the authorization file in Lion.  Happy to try and answer any queries.

About these ads

About mattsmacblog

Mac Systems Administrator

Posted on July 30, 2011, in Mac, OS X 10.7 - Lion and tagged , , , , , , , , , , , . Bookmark the permalink. 36 Comments.

  1. Has anyone had any luck with actually changing any of these? It doesn’t seem to be working as anticipated.
    I am specifically trying to change the system.preferences.datetime, and system.device.dvd.setregion.initial

    I changed both items last five lines to read:
    group
    everyone
    shared

    I log in ith a local, non-admin user that is definitely a part of the everyone group and yet the prefs panes for date and time is still locked.
    It will also not accept any non-admin username/password. It should have no bearing but I tried creating the non-admin local account both before and after editing the /etc/authorization file (rebooted after edit). On a side note, does it seem silly to anyone else that they got rid of the “Details” drop down option so one could see which key is being used? See Pic (http://www.iclarified.com/images/tutorials/166/646/646.png)

  2. Thanks for this post,
    I’m trying to allow staff to modify system.preferences.network but without success, I’m probably doing something wrong/stupid but I was wondering if you could help.

    system.preferences.network

    allow-root

    class
    user
    comment
    Checked by the Admin framework when making changes to the Network preference pane.
    default-button

    ar
    ?~Aتح ا?~D?~B?~A?~D
    cs
    Odemknout
    ….
    Kilidi Aç
    zh-Hans
    解?~T~A
    zh-Hant
    解?~N~V

    default-prompt

    ar
    ?~Jحا?~H?~D __APPNAME__ ?~A?~C ?~B?~A?~D ت?~Aض?~J?~Dات ا?~Dشب?~Cة.
    cs
    …..
    ?~@~\__APPNAME__?~@~]正?~\??~X~W試解?~N~V?~@~\網路?~@~]?~A~O好設?~Z?~@~B

    group
    staff
    shared

    but it still prompts me for the admin password (after reboot)
    any idea ?

  3. So would we change this remotely via PListBuddy?
    Would you be so kind as to post an example PListBuddy command?

  4. I am unable to get the ‘everyone’ group to work for any key in the system.preferences section (or the actual system.preferences key).
    Did this work for you?

  5. Have you managed to allow standard users to do Apple Software Updates? Would the system.install.apple-software be the area I need to edit to allow this to happen?

    • Yes, you can allow standard users to install Apple Software Updates by changing the following two keys:

      com.apple.SoftwareUpdate.scan
      … changing
      rule
      root-or-entitled-admin-or-authenticate-admin
      to
      allow

      &

      system.install.apple-software

      changing…
      rule
      root-or-entitled-admin-or-authenticate-admin
      to
      allow

      • While I suspect this would allow the user to initiate or complete a Software Update, would making this change be enough for a non-admin to be NOTIFIED of pending Software Updates?

      • I presume it would work, haven’t tested it. I know changing the softwareupdatescan key to “authenticate-session-owner-or-admin” allows you to use a non-admin account & password to run SoftwareUpdate, check for updates & install them (just tested it with Safari 5.1.5). If it doesn’t popup on schedule you could always setup a LaunchDaemon to open /System/Library/Core Services/Software Update.app at specific intervals.

      • While regular users can now manually check and install updates, unfortunately, I can’t get the SoftwareUpdateCheck to notify them that there are updates available.

      • Hi, haven’t looked into this much yet but SoftwareUpdate is just an app that lives in Mac HD/System/Library/CoreServices/Software Update.app. You could easily create a cron job or LaunchAgent that just opens it up once a week / fortnight / month. Have a look here for a more thorough solution to allowing Standard Users to install updates (different method) http://www.littleboyblue.co.nz/?p=5

  6. This has been a very useful post. I have been looking for a way to take away admin privileges from a majority of my users. Is there a modification I can make to allow standard users to download and install software? There are some users that I would trust this with but NOT allow them to change permissions on files. A helpful tip – Use the free app TextWrangler when modifying this and other system files. It does an amazing job at formatting what might otherwise look like a mess of text.

    • Thanks Jimmy

      In reply to your question, it depends. If you’re talking about Apple Updates then yes you can do it as per the article. If you’re talking about “any” software then no. The /Applications folder isn’t writeable by standard users. You could manually change this but I don’t recommend this. The alternative for drag and drop apps is to make a per user /Applications folder. We add a /username/Applications/ folder to User Template and advise users to drag & drop apps they download into it. i.e. CyberDuck, Skype, FireFox, any drag & drop app type installer. Installers that prompt for admin access are making changes to system folders so also not really possible / recommended.

      I’d also recommend taking a look at Munki – http://code.google.com/p/munki/ (good video & pdf here -> http://documentation.macsysadmin.se/2011/2011doc.html “Pushing Packages with Munki”) It can do everything above, you can make a set of ‘optional installers’ that you allow your staff to install, it can do Apple System Update, other apps, updates etc… all from the one system & your users don’t need to be admin’s for any of it to work.

      If you have $$ to spare have a look at JAMF’s Casper Suite as well. http://www.jamfsoftware.com/

  7. I found your article a while back and finally got around to testing some of these settings. I found one thing you might want to add. In an environment where your Macs are bound to Active Directory, anyone that logs into the Mac with their Active Directory username will not get added to the staff group by default. They are calculated members of the netaccounts group though.

    However, since netaccounts does not contain the admin group like staff does you would lose rights for admins. You could just use the everyone group, but if one is not willing to do that can you put in multiple groups like admin and netaccounts, or will you have to create a new group containing both of those and grant rights to that?

  8. Hey Matt,

    Another question, do you know if the Authorization file is the same in Lion OS across all models (Macbook, Macbook Pro, Mac Pro, and so on)?

    Thanks for any help.

    • Hi Jesse

      Yes the file is a core system file, unrelated to machine models. It maybe updated by Apple in a security update or point release of 10.7. e.g. 10.7.4. 3rd party developers can also add to it for their own use. e.g TextWrangler creates some entries.

      Matt

  9. I’d like standard users to be able to change the timezone and modify the menu-bar clock settings, but not to set date & time. Are there separate rights for those, and do you know what they are. Using system.preferences.datetime controls the entire Date & Time pane.

    • Hi Jeff

      Standard users can modify Clock settings via the Date & Time preference pane, no requirement to unlock it first.

      The TimeZone can be allowed as per this old article – http://support.apple.com/kb/TA23576 Just tested it under 10.7.4. Basically copy and paste the existing datetime key in the authorization file and rename it to system.preferences.dateandtime.changetimezone & then update the key from admin to everyone or a group of your choosing.

      • Thanks Matt. The presence of the padlock implies you need to authenticate to make changes to the clock display settings, so I assumed non-admins couldn’t do it.

  10. is there a way to prevent users from changing the hostname but still allow them to change sharing preferences?

  11. Thanks for all the help and info. I do have one question. I was able to modify the authorization file to allow standard users to apply updates. They can run and install without issues. The problem is when they run the update from 10.7.3-10.7.4. After the update, they are no longer able to run updates. I checked the authorization file and see that it has been changed back to default. Is there anyway I can prevent the system from modifying the file? I know its a major update/patch, but I have a lot of mac users and don’t want to go back to every since system and change the options again. Thanks

    • Hi, It’s a core system file and Apple don’t expect you to be messing with their default settings so no would be your answer. I’ll check that out as I’m surprised an update would just replace the whole file as 3rd party apps put entries in it as well. You could get round it by creating a LoginHook / LaunchAgent that runs on login that runs a script that contains the PListBuddy commands in my earlier post. I’ve been sending that out via Apple Remote Desktop’s Send Unix command to achieve the same result.

  12. Hey, great article! I’m able to get everything to work except system.preferences.parental-controls. I’m able to unlock the Parental Controls preference pane using any group I choose but the changes I make to parental controls are not saved when I close System Preferences. Any ideas?

  13. Hey, great article! I’m able to unlock any preference pane with a standard user but the changes I make to Parental Controls are not saved when I close System Preferences. Any ideas?

  14. I’m trying to sorta do the opposite, I would like to enable certain sharing services under the sharing pane in system prefs, and then hide them. I saw someone do it by editing what I might have been the authorization file but I can’t be certain.

  15. Awesome! Thanks for taking a look. Did you you discover anything?

    • I’m guessing it’s because the newly created user doesn’t have permissions to the /Library/Managed Preferences folder. Can I give that user permission to that folder?

      • Or it has to do with the “opendirectoryd” process. I think that’s the process that makes changes to the Managed Preferences folder. The standard user probably can’t tell “opendirectoryd” what to do. Does that make sense? Is there any way to make this happen?

  1. Pingback: unlocking preference panes in Lion

  2. Pingback: MacSysAdmin 2012 links « Managing OS X

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: