Posted on 01-27-2017 12:24 PM
Hi from France.
I'm unable to achieve the following result:
- set changes to preferences to require authentication by a user with admin privileges
- let standard users configure the Date & Time System Preference.
After several hours of attempts and research, either:
- the database is broken and has to be deleted, or
- standard users can access the Date & Time System Preference, but the time zone setting is not saved.
These are the lines I would like to insert in my hardening script:
# Export the current definition of the system.preferences right, set its "shared" key to false
# (the "require an administrator password for system-wide preferences" setting) and import it back
security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist
rm /tmp/system.preferences.plist
# Replace the system.preferences right with the built-in "allow" rule
# (this discards the definition imported just above)
security authorizationdb write system.preferences allow
# Let standard users use the Date & Time pane
security authorizationdb write system.preferences.datetime allow
Any help would be greatly appreciated!
Best regards.
Franck
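The following is an added example, not code from the thread or from Franck. It performs the same two changes as the script above (set "shared" to false on system.preferences, then open system.preferences.datetime with the "allow" rule) but keeps them from colliding: `security authorizationdb write <right> allow` replaces that right's whole definition with the built-in allow rule, so it is never run against system.preferences after the shared edit. The plist editing is done with plistlib and written back as XML, the same format `security authorizationdb read` prints, so the pure functions can be tested off-box; the `security` calls assume macOS. The sample right below is constructed for the test, and its key set (class, group, shared, timeout) is an assumption. Whether opening system.preferences.datetime alone is enough for the time zone to be saved is not settled by this thread, so the script verifies only what it wrote.

```python
#!/usr/bin/env python3
"""Added example (not the thread's own code).

Order of operations:
  1. read system.preferences, set shared=false, write the plist back
  2. write the "allow" rule to system.preferences.datetime (a separate right)
  3. read system.preferences back and confirm shared is still false
Never write "allow" to system.preferences itself after step 1: that
replaces the edited definition with the allow rule.
Assumes macOS and /usr/bin/security; run as root.
"""
import plistlib
import subprocess
import sys

# Constructed stand-in for the output of
# `security authorizationdb read system.preferences`; the key set is an assumption.
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key><string>user</string>
    <key>group</key><string>admin</string>
    <key>shared</key><true/>
    <key>timeout</key><integer>300</integer>
</dict>
</plist>
"""


def parse_right(plist_bytes):
    """Return a right's definition as a dict; accepts XML or binary plist."""
    return plistlib.loads(plist_bytes)


def require_admin(plist_bytes):
    """Set shared=false and leave every other key untouched; emit XML plist."""
    right = parse_right(plist_bytes)
    right["shared"] = False
    return plistlib.dumps(right, fmt=plistlib.FMT_XML)


def authdb_read(right_name):
    """`security authorizationdb read <right>` prints the plist on stdout."""
    proc = subprocess.run(
        ["/usr/bin/security", "authorizationdb", "read", right_name],
        capture_output=True, check=True)
    return proc.stdout


def authdb_write(right_name, plist_bytes=None, rule=None):
    """Write either a plist (via stdin) or a named rule such as "allow" to a right."""
    cmd = ["/usr/bin/security", "authorizationdb", "write", right_name]
    if rule is not None:
        cmd.append(rule)
    subprocess.run(cmd, input=plist_bytes, capture_output=True, check=True)


def harden():
    """Apply both changes in the only order that keeps both, then verify."""
    # 1. admin password required for system-wide preferences
    current = authdb_read("system.preferences")
    authdb_write("system.preferences", plist_bytes=require_admin(current))
    # 2. Date & Time pane open to standard users (its own right)
    authdb_write("system.preferences.datetime", rule="allow")
    # 3. confirm step 2 did not undo step 1
    return parse_right(authdb_read("system.preferences")).get("shared") is False


if __name__ == "__main__":
    sys.exit(0 if harden() else 1)
```

If the verification returns false after the script runs, something else on the machine rewrote system.preferences; check for a later `write system.preferences allow` in the same hardening script before suspecting the database.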
Posted on 01-30-2017 06:39 AM
Here is how I am doing it in our environment; you can remove anything that is not applicable to yours.
#!/bin/bash
# Give all end-users full access to the "Print & Scan", "Network" and "Date & Time" preference panes
/usr/bin/security authorizationdb write system.preferences allow
/usr/bin/security authorizationdb write system.preferences.datetime allow
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
# Printer administration: add everyone (and the AD "Domain Users" group) to the lpadmin groups
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin
exit 0
Posted on 01-30-2017 08:00 AM
Hi.
The challenge is to set "changes to preferences to require authentication by a user with admin privileges" in combination with any other modification to the database.
Without that part, I would have no difficulty executing a combination of different write system.preferences.[...] commands.
See you.