Posted on 07-05-2012 06:17 AM
Good morning! I'm trying to edit the /etc/authorization file to allow standard users to make changes to the Parental Controls preference pane. The instructions I followed are similar to these --> http://mattsmacblog.wordpress.com/2011/07/30/mac-os-x-10-7-lion-first-look-at-etcauthorization-usage/.
I actually followed an article written by Greg Neagle found in MacTech magazine. I made a script that creates a user called "Parent" and a group called "Power Users". The "Parent" user is added to the "Power Users" group. The "admin" group is added to the "Power Users" group.
I'm able to unlock the Parental Controls preference pane with the standard "Parent" user but the changes that are made are not saved when exiting System Preferences. When I test these steps with any other preference pane things work just fine. Parental Controls is the only thing I'm having troubles with.
Do you have any idea how to allow a standard user to make changes to the Parental Controls preference pane in Lion?
Posted on 07-05-2012 06:46 AM
With an unmodified /etc/authorization, run Composer in filesystem monitoring mode while you make the changes with an admin-class user. That may point you in the right direction. It may be down to some sort of file permissions that the user who makes those changes needs (which a non-admin user may not have).
Posted on 07-05-2012 07:07 AM
In some cases, just being able to unlock a System Preference Pane isn't enough. While you may have allowed unlock of Parental Controls in the /etc/authorization file, its possible when a user makes changes to some of the items located in it, they are in fact making changes to other areas of the system that aren;t accounted for in the authorization file. Make sense?
Back in Pre 10.6 OS X, it used to be easier to tell which actual process was requesting permissions in the authentication dialog box by turning down the little arrow for Details, but Apple removed that handy feedback, so its a little tougher now to know what is actually being called under the hood.
I don't use Parental Controls at all so I can't even really test anything here. Etc/authorization is not well documented so it can take some time, experimentation and patience to get it to all work right. At least that's been my experience in playing with it.
Posted on 07-05-2012 08:34 AM
I ran fseventer to see where the changes were being made. I think it might have something to do with writing to the /Library/Managed Preferences folder. I guess I'll need to change the preferences on that folder? I tried that and it seems I can't really change the preferences on that folder. Does it sound like I'm on the right track?
Posted on 07-05-2012 08:49 AM
did fseventer give you an indication as to what account made the change? (thought it listed that info as well)
I don't know if with parental controls if the account directly makes that change or if a system account does it on the admin-class account's behalf.
Posted on 07-05-2012 09:47 AM
Just a quick question for you. Is there a reason managed preferences or configuration profiles will not work for you? They can probably address all your needs and then there is no need for you to edit the /etc/authorization file. Which in my personal opinion has some down sides to it.
Posted on 07-05-2012 10:03 AM
We'd like to allow our student's parents to be able to make changes to parental controls so they can limit their child's computer use while at home. Every parent probably has different websites they'd like to block and different computer usage time limits.
Posted on 07-05-2012 11:02 AM
I don't see where it shows the user but it does show the process that's using a file/folder. Activity Monitor will show me which user is using that process. It looks like the two processes I see are "opendirectoryd" and "parentalcontrolsd". The "root" user is linked to those processes.
Does that help?
Posted on 07-06-2012 05:59 AM
Alright, I just tried monitoring file system changes with Composer and it looks like the only thing that's being changed is the contents of the /Library/Managed Preferences/ folder. The owner of this folder is root. The group of this folder is wheel. Root can read/write/execute. The wheel group can read/execute.
I'm guessing I need to add the "powerusers" group to this folder and give it read/write/execute permissions. I tried doing that but the changes weren't saved, I'm guessing the system doesn't want me to change the permissions on that folder.
Is there any way to make this happen?