Add network interface without authenticating as Admin

jaywoodruff
New Contributor

Guys, I'm trying to allow users with managed, mobile accounts to add network interfaces without authenticating as admin.

Specifically, I have Students with MacBook Airs that need to use Thunderbolt to Ethernet Adapters. They can "add" the interface with no problem, but when they click Apply, it requires Admin credentials.

Any ideas?


ckgov
New Contributor II

You can probably edit a key in this file to allow everyone to add a new network interface

/private/etc/authorization

colonelpanic
Contributor

There may be an easier way to do this, but here is how I would do it:

# Work on a copy of the authorization policy file
cp -pr /etc/authorization /private/tmp/authorization

# Make all network users a part of the lpadmin group
# (the group name contains a space, so it must be quoted)
dseditgroup -o edit -n /Local/Default -a "Domain Users" -t group lpadmin

# Unlock the Network Settings preference pane for the lpadmin group
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group lpadmin' /private/tmp/authorization

# Change network settings to allow lpadmin to make network changes
/usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule root-or-lpadmin' /private/tmp/authorization

# Put the edited copy back and restore ownership
/bin/mv /private/tmp/authorization /etc/authorization
chown root /etc/authorization
chown :wheel /etc/authorization

jaywoodruff
New Contributor

Thanks for the help.
I've seen a lot of scripts that use PlistBuddy around here, but I don't think any of our machines have it installed. Is that something that I could install remotely?

...making a long list of things to accomplish at imaging next summer :)

mm2270
Legendary Contributor III

PlistBuddy is/should be installed by default unless your Macs are running a very old version of OS X.
But it has to be specified with the full path because it's in /usr/libexec, so as long as you call it in the script like

/usr/libexec/PlistBuddy

you should be fine.

jaywoodruff
New Contributor

That just changed my life. Now off to testing.

Tarek1400
New Contributor

Hmm, no success with Mavericks 10.9.2 :( Any idea?

hodgesji
Contributor

I was struggling with 10.9 as well - apparently Apple removed the /etc/authorization file and replaced it with a new SQLite3 database located at /var/db/auth.d. I came across these while reading for solutions:

– http://www.afp548.com/2013/10/22/modifying-the-os-x-mavericks-authorization-database/
– https://jamfnation.jamfsoftware.com/discussion.html?id=8900

rtrouton
Release Candidate Programs Tester

I've also got a post on modifying the authorization database in Mavericks. It's available from here:

http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/

globaldominatio
New Contributor II

Hi @rtrouton,
Thanks for the genius post!
I, however, am facing another issue. I have the following commands in my post-install script, but still, after installation of the OS and this script, when I click on Network Preferences I get the prompt 'A new network interface has been detected'. Unfortunately I can't find any post anywhere to fix this.

# First I have the following line:
networksetup -setnetworkserviceenabled "Thunderbolt Bridge" "off"

# and then I have done the following lines as well to give users access to Network Preferences, which seems to be working well.
security authorizationdb write system.preferences.network allow
security authorizationdb write system.services.systemconfiguration.network allow
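
Setting a right to `allow`, as in the commands above, grants it to every user with no credential prompt, so it is worth saving the previous definition and checking what each right resolves to. The script below is an added example, not code from any poster in this thread; the backup directory, the function names and the sample plist shape are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread: record and classify the two rights the
# posts above change, so a loosened policy can be reviewed and restored.
RIGHTS="system.preferences.network system.services.systemconfiguration.network"

# classify_rule: read one right's plist on stdin; print one line per finding:
#   open        rule "allow": granted to every user, no credentials asked
#   rule:NAME   delegated to another named rule (e.g. root-or-lpadmin)
#   group:NAME  members of group NAME can satisfy the right
classify_rule() {
  awk '
    /<key>rule<\/key>/  { want = "rule";  next }
    /<key>group<\/key>/ { want = "group"; next }
    /<key>/             { want = "";      next }
    want != "" && /<string>/ {
      val = $0
      sub(/^.*<string>/, "", val); sub(/<\/string>.*$/, "", val)
      if (want == "rule" && val == "allow") print "open"
      else print want ":" val
    }'
}

# Constructed sample (assumed shape of a right after "write <right> allow").
sample_open() {
  printf '%s\n' '<dict>' '<key>class</key>' '<string>rule</string>' \
    '<key>rule</key>' '<array>' '<string>allow</string>' '</array>' '</dict>'
}

# audit_rights [DIR]: save each right's current definition under DIR, then
# report how open it is. DIR default is a hypothetical backup location.
audit_rights() {
  dir=${1:-/private/var/root/authdb-backup}
  mkdir -p "$dir" || return 1
  for r in $RIGHTS; do
    security authorizationdb read "$r" > "$dir/$r.plist" 2>/dev/null || continue
    printf '%s: %s\n' "$r" "$(classify_rule < "$dir/$r.plist" | tr '\n' ' ')"
  done
}

# Run the audit only when asked to (as root, on a Mac): ./audit.sh --audit [DIR]
if [ "${1:-}" = "--audit" ]; then
  audit_rights "${2:-}"
fi
```

A saved definition can be put back by feeding the file to `security authorizationdb write <right>` on standard input.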