Managing the Authorization Database

New Contributor III

Hi from France.

I'm unable to achieve the following result:
- set changes to preferences to require authentication by a user with admin privileges
- let standard users configure the Date & Time System Preference.

After some hours of trying and research, either:
- the database is broken and has to be deleted
- the standard users can access the Date & Time System Preference but the setting of the time zone is not saved.

These are the lines I would like to insert in my hardening script:

security authorizationdb read system.preferences > /tmp/system.preferences.plist
defaults write /tmp/system.preferences.plist shared -bool false
security authorizationdb write system.preferences < /tmp/system.preferences.plist
rm /tmp/system.preferences.plist

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow

Any help would be greatly appreciated!

Best regards.



Contributor II

Here is how I am doing it in our environment; you can remove anything that is not applicable to your environment.


Give all end-users permissions full access to "Print & Scan, Network, Time" Preference Pane

/usr/bin/security authorizationdb write system.preferences allow
/usr/bin/security authorizationdb write system.preferences.datetime allow
/usr/bin/security authorizationdb write allow
/usr/bin/security authorizationdb write allow
/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin
exit 0

New Contributor III


The challenge is to set "changes to preferences to require authentication by a user with admin privileges", in combination with any other modification in the database.

If it were not for this part, I would have no difficulty executing a combination of different write system.preferences.[...]

See you.
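
An added example, not part of any post in this thread: a small shell helper that parses the plist printed by `security authorizationdb read` and reports whether a right is just the `allow` rule or still carries `shared` set to false, so a hardening script can check the state after each write. The function names and the two sample plists are constructed for illustration and assume the usual one-element-per-line XML plist layout.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Parses the XML plist that
# `security authorizationdb read <right>` prints on stdout.

# Print "true", "false" or "absent" for the right's `shared` key.
shared_state() {
  awk '
    sub(/.*<key>shared<\/key>/, "") { want = 1 }
    want && /<true\/>/  { print "true";  hit = 1; exit }
    want && /<false\/>/ { print "false"; hit = 1; exit }
    want && /<key>/     { want = 0 }
    END { if (!hit) print "absent" }'
}

# Print the rule names listed under the right's `rule` array, one per line.
rule_names() {
  awk '
    /<key>rule<\/key>/    { inrule = 1; next }
    inrule && /<\/array>/ { exit }
    inrule && /<string>/  { gsub(/.*<string>|<\/string>.*/, ""); print }'
}

# Classify a right read from stdin:
#   open            - the right is only the "allow" rule
#   not-shared      - the right has shared = false
#   shared-or-unset - anything else
classify_right() {
  plist=$(cat)
  if [ "$(printf '%s\n' "$plist" | rule_names)" = "allow" ]; then
    echo "open"
  elif [ "$(printf '%s\n' "$plist" | shared_state)" = "false" ]; then
    echo "not-shared"
  else
    echo "shared-or-unset"
  fi
}

# Constructed samples (not captured from a real machine).
sample_not_shared() {
  printf '%s\n' '<dict>' ' <key>class</key>' ' <string>user</string>' \
    ' <key>group</key>' ' <string>admin</string>' \
    ' <key>shared</key>' ' <false/>' '</dict>'
}
sample_allow() {
  printf '%s\n' '<dict>' ' <key>class</key>' ' <string>rule</string>' \
    ' <key>rule</key>' ' <array>' '  <string>allow</string>' ' </array>' '</dict>'
}

# On macOS, report the two rights discussed in the thread.
if command -v security >/dev/null 2>&1; then
  for right in system.preferences system.preferences.datetime; do
    printf '%s: %s\n' "$right" \
      "$(security authorizationdb read "$right" 2>/dev/null | classify_right)"
  done
fi
```
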