The macosxhints Forums > OS X Help Requests > System
#1  DougKing (Prospect; joined Jun 2007; Phoenix, AZ; 5 posts)   06-08-2007, 12:17 PM
Windows-type super user accounts in OS X

As a department of Macs in a PC-based company, I have been tasked with finding a way to set up 'Windows-like' super user accounts in OS X. The goal is to allow certain users the rights to install applications but not to be able to access the computer as a full administrator. After over two hours of searching the net for things such as 'role based administration os x', 'super user groups os x' and the like I have come up with nothing. Can anyone make any suggestions?

I am not averse to installing 3rd party software that achieves this goal but would prefer not to do so.

Some pertinent system info:
We are running OS 10.4.9 Server with OD connected to AD.
All desktops are either 10.4.8 or 10.4.9.
The users have home folders setup on the Mac Servers.

I appreciate your time and your help. Thank you.
#2  hayne (Moderator; joined Jan 2002; Montreal; 29,279 posts)   06-08-2007, 01:50 PM
Note that apps can be installed under each user's home folder. There isn't a ~/Applications folder by default but you can create one.
In general, apps don't have to be in any particular location (there are just certain advantages to putting them in one of the 3 Applications folder locations (network, machine, user) e.g. populating the Services menu if I recall correctly)
and most apps are self-contained - they don't need to put anything into the /Library area and hence don't require admin privileges.

So maybe you don't need to do anything?

On the other hand, allowing non-admins to be able to install apps would necessarily open the possibility for them to have full control over the computer since installers running with admin privileges can in principle do anything. I.e. a non-admin user wanting more power could just write their own application and then install it.
hayne.net/macosx.html
#3  JDV (Hall of Famer; joined Sep 2004; Chicago, Illinois; 3,194 posts)   06-08-2007, 02:46 PM
The difficulty, as you no doubt know, is that SOME programs require access to parts of the computer accessible only by the administrator or with equivalent status. Not all do; many can be installed without that authority, for better or worse. But that's the rub. You really can't give a person authority to permit installations of this sort (including Apple updates) without essentially giving them access to the whole administration of the computer. There are a variety of restrictions you can place on managed accounts, but no way that I know of to expand their authority without giving them administrative access. I do not know of any third-party workarounds for this myself, and I'm not sure how such a hack would work without being a dangerous one.

So the question is: what do you have to lose by giving them administrative access? While it is generally discouraged to work normally in an administrative user mode, even for the most trusted users of the system, there may not be that much harm that the user can do to the system with the administrative password for the machine unless you suspect open malice on the part of your users, in which case access can then be shut off. Can you explain your main reservations about that approach to see if they can be addressed in another way?

Joe VanZandt
#4  DougKing (Prospect; joined Jun 2007; Phoenix, AZ; 5 posts)   06-12-2007, 10:48 AM
Thanks for your response guys.

The deal is that corporate audit does not want anyone outside of IT to be able to have full administrative control of a system. There are some users in the department that have been given authority to be able to install applications. The authority to install does not mean complete system administration.

I E-mailed an Apple Certified Trainer at l3training.com that I know. His response is as follows:

You can set the sticky bit on /Applications - but if you ever run Repair Permissions it will be undone.

Do this in the terminal:

sudo chmod +t /Applications

This will make the /Applications directory writable by all - but the sticky bit will make it so they cannot remove anything already in place.

Restrictions on which System Prefs can be run can be set locally through Parental Controls or through the Preferences module of Workgroup Manager if you're using LDAP managed accounts/logins.


My only problem with that is it gives literal access to the specific parts of the computer but a lot of applications require a password to perform the installation.

Doug
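The sticky-bit approach quoted in the post above, as an added example that is not from the thread or from the trainer: a small POSIX shell audit that reports whether a directory actually has the mode that approach needs. One caveat a practitioner should check before relying on it: `chmod +t` sets only the sticky bit. On a default Tiger install /Applications is mode 775 (rwxrwxr-x), owner root, group admin, so after `chmod +t` alone a non-admin user still cannot write there; the directory also needs `o+w`, giving the same 1777 layout as /tmp. The function and scratch-directory names below are my own choices, and the demo runs on a temporary directory rather than on /Applications.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a directory has the mode
# the "sticky /Applications" approach needs: sticky bit set AND writable by
# others (mode 1777, the same layout as /tmp).  Exit status 0 only when both
# hold.  The permission string comes from ls -ld, which is portable across
# macOS and Linux (stat's flags differ between the two).

audit_install_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 2
    fi
    # e.g. "drwxrwxrwt"; cut to 10 chars drops a trailing @ (xattrs) or + (ACL) marker
    mode=$(ls -ld "$dir" | cut -c1-10)
    other_w=$(printf '%s' "$mode" | cut -c9)    # "other" write bit
    other_x=$(printf '%s' "$mode" | cut -c10)   # "other" execute slot, shows t/T when sticky
    rc=0
    case "$other_x" in
        t|T) ;;   # sticky bit present (T = sticky without other-execute)
        *)  echo "$dir ($mode): no sticky bit; users could delete each other's apps"
            rc=1 ;;
    esac
    if [ "$other_w" != w ]; then
        echo "$dir ($mode): not writable by others; non-admin users still cannot install here"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$dir ($mode): sticky and world-writable, as intended"
    fi
    return "$rc"
}

# Walk a scratch directory through three states: the default Tiger
# /Applications mode (775), the trainer's command on its own (+t), and the
# extra step (o+w) that non-admin users actually need.
demo() {
    scratch=$(mktemp -d)
    chmod 775 "$scratch"
    audit_install_dir "$scratch" || :   # expected to fail: neither sticky nor other-writable
    chmod +t "$scratch"
    audit_install_dir "$scratch" || :   # still fails: drwxrwxr-t, others cannot write
    chmod o+w "$scratch"
    audit_install_dir "$scratch"        # passes: drwxrwxrwt
    rm -rf "$scratch"
}

demo
```

Run it as any user; no root is needed because the checks are on a directory you own. Against the real /Applications the same function will report exactly which of the two bits is missing, which is also a cheap way to notice after the fact that Repair Permissions has reset the directory to 775.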
#5  acme.mail.order (Hall of Famer; joined Sep 2003; Tokyo; 4,285 posts)   06-12-2007, 09:54 PM
In your original post you said you are running OSX Server with network home folders living on the server.

With this setup you really don't have much to lose by writing the local machine admin password on the wall. Full access to the local machine doesn't allow access to files on the server. Sure, they could create new (local) users and read anyone's files, but there aren't anyone else's files to be read. A Trojan could probably work its way around things but that would apply to many situations, not just this one.