Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Admin previleges

On 17 Jan 2006, at 7:04 PM, Nidhi Chadha wrote:

Do you really want a hierarchy of administrators, or do you want to
divide up administrative responsibilities (and authority, and blame)
among a group of administrators?




	Ya, Actually I want one administrator to restrict the privileges
of 	other admins.

	All admins are part of "admin" group.  Is there any way in Mac
to get
	hierarchy of administrators?

	The actual requirement for me is that I don't want other admins
to 	kill some process. (Specially root processes) and I also don't
want 	them to change some of the system preferences.  Can you suggest
me 	some way to come out of this problem?  In other words, I want
one 	admin which can be treated as super admin by me and which has
privileges little more than the other admins.

Root, ultimately, is the only real administrator. Other "special" users on the system, like "daemon" or "uucp," are only special insofar as they have a set of files and/or processes owned by or running under that UID and/or GID. The only hierarchy that exists, therefore, is THE privileged user vs. everybody else.

Managing privilege by UID and/or GID, of course, will not help you with the requirement that a "restricted" administrator should not be able to kill a root-running process, since you probably would like that restricted admin to be able to kill other processes s/he doesn't own.

IIRC, other systems--VAX/VMS, for instance--have the notion of "partially privileged" users (or as I like to think of them, "demigods"), but AFAIK no equivalent exists in OS X.

Also what I have noticed in Mac is that one admin can any time
delete the other admin's account from system preference. Which I think
is not logical. Because if as an Admin I create another admin so this
new admin should not be able to delete at least my admin's account
from system preference. Whats your opinion on this?

What you're asking for would be consistent with an administrative hierarchy such as you discuss above, but AFAIK it isn't possible in OS X: once you've got privilege, you know no bounds. (More or less: I know that there are, e.g., file access flags that somewhat restrict even what root can do. I'd be happy to know if there are other restricting mechanisms, in or out of the file system.)

Given this "all or nothing" privilege model, it would make sense to go back to first principles: "Why am I giving Joe Schmoe administrative privileges if I can't trust him not to blow away my account?" Privilege and trust to some degree go hand-in-hand. 

The Authorization subsystem allows an administrator (with full
superuser privileges) to configure parts of the system according to
groups (man group(5)).  You could, in theory, assign various
Authorization-gated activities to different administrators if each of
the administrators was in his/her own group.


	How can I do this? When we create new admin account from system
preference, then for each account new group is created . Though every
admin user is part of admin group .
	So can I apply your above suggestion to these kind of admins??

The Authorization subsystem tries to protect privileged operations-- and more to the point, to allow such operations to occur even if the requestor isn't root--by defining criteria that must be met before allowing a specific operation. Usually the criteria are pretty basic: you've got to prove that you're an admin, and to do that you generally need to authenticate with your admin username and password. If the requestor meets the criteria, the Authorization-gated software performs the privileged operation on the requestor's behalf. (Note that the requestor's privileges are never elevated.)

In principle you could tighten down Authorization-protected operations to the point where only a specific user could perform a specific privileged activity. However, command-line operations, like kill(1), usually don't use Authorization. So for your needs, this is likely a dead end.

That said, this partitioning would only apply to activities governed
by the Authorization subsystem.  Otherwise you're back to the usual
possibilities--filesystem permissions and ACLs are all that come to
mind in my pre-coffee stupor....


	Can you pls elaborate above mentioned point . I couldn't get it
clearly.

I think--I hope--I addressed any confusion regarding Authorization. As far as filesystem permissions go, I think that's pretty straightforward. And as for ACLs, I really don't know anything beyond the gloss in acl(3) so I won't say anything lest I mislead you....

/gh



_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden

This email sent to email@hidden
References: 
 >RE: Admin previleges (From: Nidhi Chadha <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.