Managing the Authorization Database

francksartori
New Contributor III

Hi from France.

I'm unable to achieve the following result:
- set changes to preferences to require authentication by a user with admin privileges
- let standard users configure the Date & Time System Preference.

After some hours of trying and researching, either:
- the database is broken and has to be deleted
- the standard users can access the Date & Time System Preference, but the setting of the time zone is not saved.

These are the lines I would like to insert in my hardening script:

security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist
rm /tmp/system.preferences.plist

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow

Any help would be greatly appreciated!

Best regards.

Franck


jconte
Contributor II

Here is how I am doing it in our environment; you can remove anything that is not applicable to your environment.

#!/bin/bash

# Give all end-users full access to the "Print & Scan", "Network" and "Time" preference panes
/usr/bin/security authorizationdb write system.preferences allow
/usr/bin/security authorizationdb write system.preferences.datetime allow
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow

# Add everyone (and the directory group "Domain Users") to the printer administration groups
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin

exit 0

francksartori
New Contributor III

Hi.

The challenge is to set "changes to preferences to require authentication by a user with admin privileges" in combination with any other modification of the database.

If it were not for this part, I would have no difficulty executing a combination of different write system.preferences.[...]

See you.