Screen saver unlocking permissions

jarednichols
Honored Contributor

Hi-

Has anyone used managed prefs or edited /etc/authorization to limit the ability to unlock the screensaver to the person who's logged in? The default state is that anyone who's an admin can unlock it if the currently logged in user is a standard-class user. At least with Windows, if an admin unlocks a standard user's locked screen, it logs the user out and the admin in. OS X seems to just let an admin traipse on in.

Thanks!

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


stevewood
Honored Contributor II

I thought I had seen this on the list last year, and I was right.

Do a search in the December archive for this subject:

Unlock Screensave with Admin to Logout

The gist of the conversation boiled down to this script/msg from Noah:

Sorry, I was testing a few things and ended up pasting the wrong script.

I was manually editing /etc/authorization. Open in Plist Editor> rights> system.login.screensaver> rule> "authenticate-session-owner-or-admin". I backed up the original file, and changed the value of "rule" to "authenticate-session-owner-or-admin".

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Sent from Dallas, TX, United States

noah_swanson
New Contributor

Correct. Edit /etc/authorization in a PLIST editor: under rights> system.login.screensaver> rule> "authenticate-session-owner-or-admin" should just be "authenticate-session-session-owner". So far this has worked well. Good luck!

Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com

Not applicable

> system.login.screensaver> rule> "authenticate-session-owner-or-admin"
> should just be "authenticate-session-session-owner". So far this has
> worked well. Good Luck!

Jim Bala over on the OS X admin list posted this earlier about the
screensaver.

http://discussions.apple.com/thread.jspa?threadID35793&tstart=0

Summary:

In 10.5: Admin can unlock anyone's screen saver.

In 10.6: Admin can unlock a non-admin user's screen saver. Admin can *not* unlock another admin's screen saver, regardless of what /etc/authorization says. The file that controls this access is /etc/pam.d/screensaver. /etc/authorization can override what the pam.d file says, but PAM overrides pretty much everything with respect to authentication and authorization.

Regarding mucking-about with PAM stuff:

I can't stress strongly enough how important it is that you not mess with PAM stuff without knowing precisely what you're doing and what effect(s) your change(s) will have. And, whatever you do, make a backup copy of any file you modify in /etc/pam.d -- before you make the changes, of course. Do not log out of your admin account to test pam.d changes -- use fast user switching or log in remotely via ssh or ARD -- so you can undo your changes if they turn out to break something. Breaking PAM can easily prevent anyone, including root, from logging in and/or can make sudo unusable.

Just an FYI.

- JD
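An added example (not code from any poster) that scripts the /etc/authorization edit Steve and Noah describe, with the two checks JD's caveat calls for: it backs the file up before touching it and refuses a rule name that the file's own "rules" dictionary does not define, which also catches the "session-session" spelling quoted above, since the stock file ships no rule by that name. It assumes the 10.5/10.6-era layout (an XML plist whose "rights" entries reference named entries under "rules") and the rule name authenticate-session-owner, which exists in that file; run_demo works on a constructed sample, not the live file.

```python
# Added example, not from any poster. Assumes a 10.5/10.6-style /etc/authorization:
# an XML plist whose top-level "rights" entries reference named entries under "rules".
import plistlib, shutil, tempfile, time
from pathlib import Path

RIGHT = "system.login.screensaver"
OWNER_ONLY_RULE = "authenticate-session-owner"  # session owner only, no admin override

def retarget_screensaver_rule(path, new_rule=OWNER_ONLY_RULE):
    """Point RIGHT at new_rule after backing the file up; return (old_rule, backup_path)."""
    path = Path(path)
    with path.open("rb") as fh:
        auth = plistlib.load(fh)
    # A right's "rule" must name an entry under "rules"; an undefined name (a typo,
    # say) would leave the screen-saver right unresolvable, so refuse before writing.
    if new_rule not in auth["rules"]:
        raise ValueError(f"rule {new_rule!r} is not defined under 'rules'; refusing")
    right = auth["rights"][RIGHT]
    old_rule = right.get("rule")
    backup = path.with_name(f"{path.name}.bak-{time.strftime('%Y%m%d-%H%M%S')}")
    shutil.copy2(path, backup)  # keep the original, as the thread advises
    right["rule"] = new_rule
    with path.open("wb") as fh:
        plistlib.dump(auth, fh)
    return old_rule, backup

# Constructed sample carrying only the keys this example touches; a real file has many more.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>rights</key><dict>
  <key>system.login.screensaver</key><dict>
   <key>class</key><string>rule</string>
   <key>rule</key><string>authenticate-session-owner-or-admin</string>
  </dict></dict>
 <key>rules</key><dict>
  <key>authenticate-session-owner-or-admin</key><dict><key>class</key><string>user</string></dict>
  <key>authenticate-session-owner</key><dict><key>class</key><string>user</string></dict>
 </dict></dict></plist>
"""

def run_demo():
    """Apply the change to a scratch copy of the sample and report what happened."""
    path = Path(tempfile.mkdtemp()) / "authorization"
    path.write_bytes(SAMPLE_PLIST)
    try:  # an undefined rule name must be refused and leave the file untouched
        retarget_screensaver_rule(path, "authenticate-session-session-owner")
        refused = False
    except ValueError:
        refused = True
    old_rule, backup = retarget_screensaver_rule(path)
    with path.open("rb") as fh:
        now = plistlib.load(fh)["rights"][RIGHT]["rule"]
    return {"refused_typo": refused, "old": old_rule, "now": now, "backup_ok": backup.read_bytes() == SAMPLE_PLIST}
```

Against a live file the call is simply retarget_screensaver_rule("/etc/authorization") as root, after which the backup path it returns is what you restore from if the screen saver stops accepting any password.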