Skip to main content
Question

Managing the Authorization Database

  • January 27, 2017
  • 2 replies
  • 20 views
F
Forum|alt.badge.img+4

Hi from France.

I'm unable to achieve the following result :
- set changes to preferences to require authentication by a user with admin privileges
- let standard users to configure the Date & Time System Preference.

After some hours of tries and researches, either :
- the database is broken and has to be deleted
- the standard users can access the Date & Time System Preference but the setting of the time zone is not saved.

These are the lines I would like to insert in my hardening script :

security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist
rm /tmp/system.preferences.plist

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow

Any help would be greatly appreciated !

Best regards.

Franck

    2 replies

    jconte
    Forum|alt.badge.img+12
    • jconte
    • Valued Contributor
    • January 30, 2017

    Here is how I am doing it in our environment, you can remove anything that is not applicable to your environment.

    #!/bin/bash

    Give all end-users permissions full access to "Print & Scan, Network, Time" Preference Pane

    /usr/bin/security authorizationdb write system.preferences allow /usr/bin/security authorizationdb write system.preferences.datetime allow /usr/bin/security authorizationdb write system.preferences.network allow /usr/bin/security authorizationdb write system.services.systemconfiguration.network allow /usr/bin/security authorizationdb write system.preferences.printing allow /usr/bin/security authorizationdb write system.print.operator allow /usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin /usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin /usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin exit 0
    F
    Forum|alt.badge.img+4
    • FranckS
    • Author
    • Contributor
    • January 30, 2017

    Hi.

    The challenge is to set "changes to preferences to require authentication by a user with admin privileges", with the combination of any other modification in the database.

    If there was not this part, I would have no difficulty to execute a combination of different write system.preferences.[...]

    See you.

    Terms & ConditionsCookie settingsAccessibility statement