OS X Power User using the security command

ericbenfer
Contributor III

I have been wanting to update my “Power User” https://jamfnation.jamfsoftware.com/discussion.html?id=5666 script for some time now to leverage the “security” command.

Using the info from Rich Trouton's http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/, I know how to allow access to specific system preferences.

For instance to allow non-admin users to modify the Date & Time prefs:

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow

That works.

I also want to be able to undo this, like I was able to in my previous “Power User” script.

You would think this would work:

security authorizationdb write system.preferences.datetime deny

The command replies NO. :-(

Thoughts?


gregneagle
Valued Contributor
You would think this would work:
security authorizationdb write system.preferences deny
The command replies NO. :-(

Good thing. If it worked, NO-ONE (including admins) would be able to use (or authorize to use) System Preferences.

You should save the original settings with

security authorizationdb read system.preferences > /path/to/saved/system.preferences.right

Then to reverse your changes:

security authorizationdb write system.preferences < /path/to/saved/system.preferences.right

ericbenfer
Contributor III

I meant I would want to undo access to Date and Time.

security authorizationdb write system.preferences.datetime deny

(Original post updated.)

Either way I get your point.

Let's assume the original settings have not been saved.
The power user has been given access to Date and Time. But now you want to revoke those privileges for non-admin users.
What security command mojo is needed for that?

gregneagle
Valued Contributor
Let's assume the original settings have not been saved. The power user has been given access to Date and Time. But now you want to revoke those privileges for non-admin users.

Find a machine (or build one if needed) that still has the original rights definition.

Use `security authorizationdb read system.preferences.datetime` to read the right. Copy it to a file. Use it to restore the right definition on the modified machine.

I don't think I've modified that right on my machine, and it looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allow-root</key>
    <true/>
    <key>authenticate-user</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Checked by the Admin framework when making changes to the Date &amp; Time preference pane.</string>
    <key>created</key>
    <real>404177905.02627999</real>
    <key>group</key>
    <string>admin</string>
    <key>modified</key>
    <real>404177905.02627999</real>
    <key>session-owner</key>
    <false/>
    <key>shared</key>
    <true/>
    <key>timeout</key>
    <integer>2147483647</integer>
    <key>tries</key>
    <integer>10000</integer>
    <key>version</key>
    <integer>0</integer>
</dict>
</plist>

ericbenfer
Contributor III

What I want to be able to do is to give non-admin users access to a System pref, AND I also want to be able to undo that.
So what would be the best use of the "security authorizationdb" command to allow and then later deny access?

ericbenfer
Contributor III

I think I am over the "security authorizationdb" hurdle.
This is what I am successfully testing right now.

Authorize non-admin users (everyone) access to Energy Saver

security authorizationdb read system.preferences.energysaver > /tmp/system.preferences.energysaver.plist

defaults write /tmp/system.preferences.energysaver.plist group everyone
# This grants access to the "everyone" group. This could be any group.

security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist

Revoke non-admin users (everyone) access to Energy Saver

security authorizationdb read system.preferences.energysaver > /tmp/system.preferences.energysaver.plist

defaults write /tmp/system.preferences.energysaver.plist group admin
# This changes access back to admin only - effectively resetting it back to the default.

security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist

Much more testing needed, but this is huge progress.
Thanks Rich!

danhutchings
New Contributor II

I know this thread is a little old, but I'm running into the same issue. I cannot provide access to the Energy Saver preferences without admin permissions. I have tried the commands above and they all seem to work OK. However, when I log in as a "standard" user I see the padlock on the Energy Saver settings.

Please help.

s_gaynor
New Contributor III

Dan, did you push out "security authorizationdb write system.preferences allow" before trying your commands?

Rich Trouton has an excellent write-up of this on his website:

http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/

erikblack
New Contributor II

Sorry to resurrect a long-dead thread, but there's a one-line solution to this instead of writing temp files. Using "admin" instead of "deny" will give the desired effect of requiring administrator access again.

security authorizationdb write system.preferences.datetime admin

Hope that helps someone searching this thread.
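Pulling the thread's two approaches together (ericbenfer's read/modify/write of the group key, and erikblack's one-line reset to "admin"), here is an added example that is not code from any poster. It assumes macOS with /usr/bin/security, root privileges for the write operations, and hypothetical helper and argument names; the sample plist is constructed to mirror the shape of the right gregneagle posted.

```shell
#!/bin/sh
# Added example, not code from the thread. Grants a group a System Preferences
# right, keeps a backup so the change can be undone, and revokes it again.
# Assumes macOS (/usr/bin/security) and root for the write operations.
set -eu

# Constructed sample shaped like the right gregneagle posted, so the plist
# helpers can be exercised without touching the live authorization database.
sample_right() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' \
        '<dict>' '    <key>class</key>' '    <string>user</string>' \
        '    <key>group</key>' '    <string>admin</string>' \
        '    <key>shared</key>' '    <true/>' '</dict>' '</plist>'
}

# Print the <string> that follows <key>group</key> in an authorizationdb plist.
right_group() {   # $1 = plist file
    awk '/<key>group<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

# Replace the group value in a plist file in place; $1 = file, $2 = new group
# (a plain group name such as everyone, staff or admin).
set_right_group() {
    awk -v g="$2" '/<key>group<\/key>/ { print; getline; sub(/<string>[^<]*<\/string>/, "<string>" g "</string>") }
                   { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Grant: back up the right, allow the parent right (without it the pane
# stays locked, as s_gaynor notes), then hand the right to the group.
grant_right() {   # $1 = right, $2 = group, $3 = backup file
    security authorizationdb read "$1" > "$3"
    tmp=$(mktemp); cp "$3" "$tmp"
    set_right_group "$tmp" "$2"
    security authorizationdb write system.preferences allow
    security authorizationdb write "$1" < "$tmp"
    rm -f "$tmp"
}

# Revoke: erikblack's one-liner resets the right to admin only. To restore the
# exact saved definition instead:  security authorizationdb write RIGHT < BACKUP
revoke_right() {   # $1 = right
    security authorizationdb write "$1" admin
}

# Usage: sh rights.sh grant system.preferences.datetime everyone /var/root/datetime.orig
#        sh rights.sh revoke system.preferences.datetime
case "${1:-}" in
    grant)  grant_right "$2" "$3" "$4" ;;
    revoke) revoke_right "$2" ;;
esac
```

After a grant, `security authorizationdb read system.preferences.datetime | grep -A1 '<key>group</key>'` should show the new group; after a revoke it should show admin again.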

stevenjklein
Contributor II

Hooray, @erikblack!

I'm trying to learn my way around authorizationdb, and your post answered a question that's been bugging me for a long time.

Thank you!

tkimpton
Valued Contributor II

Anyone have any luck with allowing Security preference pane access for non-admin users in El Capitan?

Everything I am trying is not working.

Chuey
Contributor III

@erikblack I know this is an old thread but I had to thank you for this. I always like a way to undo what I have done and this works.

@tkimpton I'm using El Capitan and the security authorizationdb write commands work just fine for me.

#!/bin/sh
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow

erikblack
New Contributor II

Happy to provide something useful! I get a lot of good information from these forums!