Hi Gary
Thanks for your reply.
>Do you really want a hierarchy of administrators, or do you want to
>divide up administrative responsibilities (and authority, and blame)
>among a group of administrators?
Ya, Actually I want one administrator to restrict the privileges
of other admins.
All admins are part of "admin" group. Is there any way in Mac
to get
hierarchy of administrators?
The actual requirement for me is that I don't want other admins
to kill some process. (Specially root processes) and I also don't
want them to change some of the system preferences. Can you suggest
me some way to come out of this problem? In other words, I want
one admin which can be treated as super admin by me and which has
privileges little more than the other admins.
Also what I have noticed in Mac is that one admin can any time
delete the other admin's account from system preference. Which I think
is not logical. Because if as an Admin I create another admin so this
new admin should not be able to delete at least my admin's account
from system preference. Whats your opinion on this?
>The Authorization subsystem allows an administrator (with full
>superuser privileges) to configure parts of the system according to
>groups (man group(5)). You could, in theory, assign various
>Authorization-gated activities to different administrators if each of
>the administrators was in his/her own group.
How can I do this? When we create new admin account from system
preference, then for each account new group is created . Though every
admin user is part of admin group .
So can I apply your above suggestion to these kind of admins??
>That said, this partitioning would only apply to activities governed
>by the Authorization subsystem. Otherwise you're back to the usual
>possibilities--filesystem permissions and ACLs are all that come to
>mind in my pre-coffee stupor....
Can you pls elaborate above mentioned point . I couldn't get it
clearly.
Hope to get some help from your side .
Thanks and regards,
Nidhi
-----Original Message-----
From: Gary Hoo [mailto:email@hidden]
Sent: Tuesday, January 17, 2006 11:36 PM
To: Nidhi Chadha
Cc: email@hidden
Subject: Re: Admin previleges
On 17 Jan 2006, at 2:25 AM, Nidhi Chadha wrote:
> Is there any way to restrict the administrator privileges? If my
> system has 2 or 3 administrator account. Can I make one admin as
> master admin for other admins. Here I am not talking about root
> password because any admin can "disable the root account"
> In mac , when disabling the root account, it should ask for the root
> password . But it takes any admin password .. Isnt this point worth
> thinking??
What do you mean by "disabling the root account"?
The root user by default has no password (*not* an empty password) in
Mac OS X. It would therefore be a little difficult to require "the
root password" to do anything. :-)
> Actually I want to restrict one of the admin for some operations .
> How can one admin be at greater privilege level than other ??
>
>
Do you really want a hierarchy of administrators, or do you want to
divide up administrative responsibilities (and authority, and blame)
among a group of administrators?
The Authorization subsystem allows an administrator (with full
superuser privileges) to configure parts of the system according to
groups (man group(5)). You could, in theory, assign various
Authorization-gated activities to different administrators if each of
the administrators was in his/her own group.
That said, this partitioning would only apply to activities governed
by the Authorization subsystem. Otherwise you're back to the usual
possibilities--filesystem permissions and ACLs are all that come to
mind in my pre-coffee stupor....
/gh
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
This email sent to email@hidden
