Making use of the /etc/authorization file in Lion / 10.7.x

This post will look at putting the authorization file to use in a partially managed Mac environment.  Yes some of this can be done via OD & MCX but as we’re a small environment we don’t use it nor really need it.  All testing was done with 10.7.2 and I’ve been using it with all our Mac’s up to 10.8.2 at the moment.

Q: What’s the problem we want to solve?

A: I want my users to be somewhere in between what Apple defines as a “Standard User” and an “Admin User”. Stealing from Windows terminology, I want them to be a “Power User”.

I want the System Preference panes marked below with red X’s to no longer require an Admin password to unlock them.  Your environment will be different to mine, so pick, choose & extend these ideas to what fits your environment.

Desired Sys Prefs

Energy Saver: I want users to be able to set their own sleep schedules. I don’t want support requests from users about changing their sleep from 10 to 15 minutes. Cons: The potential downside is that I really don’t want them to be able to turn off “Wake for Ethernet network access” (used by ARD), but I’m hoping most won’t mess with this setting.

Print & Scan: I want laptop users to be able to add a home inkjet / laser printer. Cons: I don’t really want them deleting or adding other printers at work, so I’m not actually going to unlock this preference pane in this example. But you may want to in your environment. I will do it by adding the user to the lpadmin group instead. Adding a user to the lpadmin group allows them to install or remove printers. It doesn’t unlock the Print & Scan System Preference pane, but it does allow them to use the less obvious + and – buttons in that pane to make changes. They can also use the File > Print > Printer > Add New Printer… option to add a home printer.

Network: I want laptop users to be able to adjust network settings as they travel.  Often at conferences, home or other sites, custom network settings or proxy settings are required.  Opening this up lets them adjust them as needed. Cons: Users can break their network settings which may yield a support request.

Date & Time: I want laptop users to be able to change the time zone if the ‘automatic’ feature fails. Also, if the PRAM battery fails I want users to be able to set the correct date and time. Cons: Users can be on the wrong time zone / time, which will affect things like AD based logins.

Time Machine: I want laptop users to be able to set up a USB drive or Time Capsule at home as their backup device.

Not mentioned above: Software Update: I plan to enable Software Update once I get my own Software Update Server running using Reposado. This way I can enable standard users to update their own Macs via the built-in Apple system but control what updates are available via Reposado. You can also do this via Munki or this app at http://www.littleboyblue.co.nz/ instead.

In my environment I’ve decided for now that I only want to open the above extra Preference Panes up for laptop users. Desktop users I can help over the phone easily, change things remotely via ARD or go visit them. Laptop users who are overseas or not on-site are the main concern, as I can’t help them easily nor am I allowed to give them admin credentials.

In my environment for 10.7.x we are currently using the Apple Active Directory plug-in and Mobile User Accounts with local homes. We add laptop users to the lpadmin group so they can install printers at home. I do this via Apple Remote Desktop (ARD) using the Send Unix Command option: dseditgroup -o edit -a USERNAME -t user _lpadmin. If doing it locally via the command line as an admin, use sudo dseditgroup -o edit -a USERNAME -t user _lpadmin. To verify the user has been added, run dscl . -read /Groups/lpadmin at the command line and look at the “GroupMembership” field.

I am going to leverage this as it distinguishes between desktop and laptop users in our environment to achieve the outcome above. You could also create a new group and use that or use another built-in group.  Be aware that creating your own group means that you’d also need to add admin accounts to that group or the admin group itself.  By default all local admin accounts are members of the lpadmin group.  You could also use the staff or everyone group to open it wider.

So from the info in my earlier post we’re going to change the following keys in the /etc/authorization file from group admin to lpadmin using TextWrangler:

<key>system.preferences</key>
<key>system.preferences.energysaver</key>
<key>system.preferences.network</key>
<key>system.preferences.datetime</key>
<key>system.preferences.timemachine</key>

changing the bottom part of each entry above from
<key>group</key>
<string>admin</string>

to

<key>group</key>
<string>lpadmin</string>

Note: TextWrangler will change the file’s owner and group. You can easily set it back via chown & chmod, or just run Disk Utility – Repair Permissions, which will set it back to root and wheel.

To make this even easier and ARD compatible I’ve adjusted a script from here which can be sent out via ARD to a machine to change it immediately. If a future Apple update changes the file back to its original state, it’s easily changed back.

#!/bin/bash
# Copy the authorization file to a temporary location & make it a plist.
# -p keeps the original owner/group/mode (root:wheel when run as root).
/bin/cp -pr /etc/authorization /private/tmp/authorization.plist
# Unlock System Preferences for lpadmin group members.
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences:group lpadmin' /private/tmp/authorization.plist
# Unlock the Network Settings preference pane
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group lpadmin' /private/tmp/authorization.plist
# Unlock the Time Machine preference pane
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.timemachine:group lpadmin' /private/tmp/authorization.plist
# Unlock the Energy Saver preference pane
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.energysaver:group lpadmin' /private/tmp/authorization.plist
# Unlock the Date and Time preference pane
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group lpadmin' /private/tmp/authorization.plist
# Move the edited file back to its original location
/bin/mv /private/tmp/authorization.plist /etc/authorization

You can just copy and paste the text above into the “Send Unix Command” text area in ARD and send it as a local admin or root. Alternatively, copy the text into TextWrangler, save it as e.g. auth-changescript.sh, then go to the command line, make it executable via chmod +x auth-changescript.sh and run it with sudo ./auth-changescript.sh or sudo sh auth-changescript.sh
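The same edit done with a check before each change, as an added example that is not the script from the post: it uses Python’s stdlib plistlib rather than PlistBuddy, and it only rewrites a right that exists and is a plain class “user” right currently granted to the admin group, so a mistyped right name or a rule-based right is reported instead of being silently created or clobbered. The sample plist is constructed for the example and is not a copy of a real /etc/authorization.

```python
import plistlib

# Constructed sample of the "rights" section of /etc/authorization (not a copy
# of a real file): two plain user/group rights plus one rule-based right.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.preferences</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
    <key>system.preferences.network</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
    <key>system.services.systemconfiguration.network</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>root-or-admin</string>
    </dict>
  </dict>
</dict>
</plist>
"""

def delegate_rights(plist_bytes, right_names, new_group):
    """Move the listed rights from group admin to new_group.
    Returns (new_plist_bytes, changed, skipped). Only an existing class "user"
    right whose group is currently "admin" is rewritten; anything else (missing
    name, rule-based right, already delegated) lands in `skipped` untouched."""
    doc = plistlib.loads(plist_bytes)
    rights = doc.get("rights", {})
    changed, skipped = [], []
    for name in right_names:
        entry = rights.get(name)
        if entry is None or entry.get("class") != "user" or entry.get("group") != "admin":
            skipped.append(name)
            continue
        entry["group"] = new_group
        changed.append(name)
    return plistlib.dumps(doc), changed, skipped

def group_of(plist_bytes, right_name):
    """Read back the group of a right, to verify the edit actually took effect."""
    return plistlib.loads(plist_bytes)["rights"][right_name].get("group")
```

On a Mac you would feed the contents of /etc/authorization into delegate_rights, keep a copy of the original beside it before writing the result back as root, and confirm the file is still owned by root:wheel afterwards.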

This is what you’ll see when trying to unlock a pane as a standard user that you haven’t added to the lpadmin group.
Print Admin Prompt

And this is what you’ll see once you’ve added a standard user to the lpadmin group (or when logged in as an admin)

There are other ways to achieve the same result. You can change the keys above from class “user” to “rule” keys and make your own rule at the bottom of the authorization file, or use a built-in one, but it’s much more complex & not well documented by Apple.

About mattsmacblog

Mac Systems Administrator

Posted on January 5, 2012, in Mac, OS X 10.7 - Lion, Uncategorized. 16 Comments.

  1. Great! Works perfect.

    Any idea on how to change it to a mobile account created locally (at first login by an active directory) – eg. group is “ADDOMAIN\Domain Users”. Thanks! Michael

  2. Does this still work for Mountain Lion or has the authorization file changed?

  3. BTW- I love you for this. Most helpful. It was such a pain to provide access to things in between User and Admin. The added granularity is great.

  4. I have a few questions regarding this. I am using mountain lion on my mac mini.
    I have to change “system.privilege.taskport” to .
    Last time when I changed it, the mac was bricked.
    Q: Is there any chance this change caused it?
    Q: Does it affect any other part (except developer tools) on mac?
    Q: Is it necessary to run Disk Utility after changing the /etc/authorization file?

    • Yes, quite possibly depending on what you changed it to. You can always boot to single user mode and copy your backup file back over it.

      I am not sure I have not used the .taskport key.

      Yes/No it depends on how you edit the file. If you use a tool like TextWrangler it modifies the permissions setting you as the owner so I’d recommend it. You can tell straight away, make a change save the file, run permission repair if it has repaired the file then the way you are editing the file is changing the permissions.

  5. Hi Matt,

    I’m looking to unlock others preferences panes like Xsan and also one from a third party software maker. Can you help me to find out how I can do it ?

    Great post !

    Eric

    • Hi Eric

      Install TextWrangler and then have a look at the entries it creates for itself, it may help with your 3rd party app problem. Otherwise you may be able to adjust permissions on the actual .prefpane file. There appears to be nothing for Xsan unfortunately.

  6. hi how do we assign permission for a managed user account to install software

    • You can’t easily, some Applications can run out of /Users/username/Applications. You’re best to look at projects like Munki, StarDeploy or the Casper Suite for App Management.

  7. Jason Borchardt

    At least in Mountain Lion, the network preference pane will not unlock without this additional change:
    /usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule root-or-lpadmin' /private/tmp/authorization

  1. Pingback: MacSysAdmin 2012 links « Managing OS X

  2. Pingback: AFP548 – Covering Apple IT – Notes from “Security: Locking Down OS X Without Locking Up Users”
