Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Admin previleges

Let me put it this way: "root" is a guy with the nuclear warhead. If he wants to (and has some rudimentary competency), he can blow everything up. Having three admins means having three maniacs (uh, administrators), each with their own warhead. Any of them can blow up the place. They better sit down in Vienna and have a chat.

The "demigod" model (of, say, VAX/VMS memory) has a perfectly useful equivalent in UNIX (and thus, Mac OS X): it's a set of privileged servers (or setuid-whatever binaries) that provide limited services to ordinary users based on their identity (say, their group membership). For example, the Authorization subsystem allows you to configure various activities to be allowed (only) once the user proves he's a member of some group (by default 'admin', but you can change that for each right). The trick to remember is that in UNIX, the privileges of the user are separate from the privileges of the service operating on his behalf.

But "admin" means "root" in Mac OS X, so "restricted admin" is an oxymoron here. (The difference between admins and root is simply that admins are usually asked whether they're sure before they get to blow the place up.) You want variously empowered users that are *not* administrators but can only do *some* administrative things. Figure out what those are, and configure directory permissions and authorizations based on membership to groups you create for that purpose. That's the UNIX (and thus Mac OS X) way.

(And while you can't technically make one group a member of another group, you can certainly arrange them so one is a subset of another. That gives you your hierarchies, in practice.)

Cheers
 -- perry

--On January 19, 2006 3:15:17 PM -0800 Gary Hoo <email@hidden> wrote:

On 17 Jan 2006, at 7:04 PM, Nidhi Chadha wrote:

>> Do you really want a hierarchy of administrators, or do you want to
>> divide up administrative responsibilities (and authority, and blame)
>> among a group of administrators?
>
>
>
> 	Ya, Actually I want one administrator to restrict the privileges
> of 	other admins.
>
> 	All admins are part of "admin" group.  Is there any way in Mac
> to get
> 	hierarchy of administrators?
>
> 	The actual requirement for me is that I don't want other admins
> to 	kill some process. (Specially root processes) and I also don't
> want 	them to change some of the system preferences.  Can you suggest
> me 	some way to come out of this problem?  In other words, I want
> one 	admin which can be treated as super admin by me and which has
> privileges little more than the other admins.

Root, ultimately, is the only real administrator.  Other "special"  users
on the system, like "daemon" or "uucp," are only special insofar  as they
have a set of files and/or processes owned by or running under  that UID
and/or GID.  The only hierarchy that exists, therefore, is  THE
privileged user vs. everybody else.

Managing privilege by UID and/or GID, of course, will not help you  with
the requirement that a "restricted" administrator should not be  able to
kill a root-running process, since you probably would like  that
restricted admin to be able to kill other processes s/he doesn't  own.

IIRC, other systems--VAX/VMS, for instance--have the notion of
"partially privileged" users (or as I like to think of them,
"demigods"), but AFAIK no equivalent exists in OS X.

> 	Also what I have noticed in Mac is that one admin can any time
> delete 	the other admin's account from system preference. Which I
> think
> is not 	logical. Because if as an Admin I create another admin so this
> new 	admin should not be able to delete at least my admin's account
> from 	system preference. Whats your opinion on this?

What you're asking for would be consistent with an administrative
hierarchy such as you discuss above, but AFAIK it isn't possible in OS
X: once you've got privilege, you know no bounds.  (More or less: I  know
that there are, e.g., file access flags that somewhat restrict  even what
root can do.  I'd be happy to know if there are other  restricting
mechanisms, in or out of the file system.)

Given this "all or nothing" privilege model, it would make sense to go
back to first principles: "Why am I giving Joe Schmoe administrative
privileges if I can't trust him not to blow away my account?"   Privilege
and trust to some degree go hand-in-hand.
>
>> The Authorization subsystem allows an administrator (with full
>> superuser privileges) to configure parts of the system according to
>> groups (man group(5)).  You could, in theory, assign various
>> Authorization-gated activities to different administrators if each of
>> the administrators was in his/her own group.
>
> 	How can I do this? When we create new admin account from system
> preference, then for each account new group is created . Though every
> admin user is part of admin group .
> 	So can I apply your above suggestion to these kind of admins??

The Authorization subsystem tries to protect privileged operations-- and
more to the point, to allow such operations to occur even if the
requestor isn't root--by defining criteria that must be met before
allowing a specific operation.  Usually the criteria are pretty basic:
you've got to prove that you're an admin, and to do that you generally
need to authenticate with your admin username and password.  If the
requestor meets the criteria, the Authorization-gated software  performs
the privileged operation on the requestor's behalf.  (Note  that the
requestor's privileges are never elevated.)

In principle you could tighten down Authorization-protected operations
to the point where only a specific user could perform a specific
privileged activity.  However, command-line operations, like kill(1),
usually don't use Authorization.  So for your needs, this is likely a
dead end.

>> That said, this partitioning would only apply to activities governed
>> by the Authorization subsystem.  Otherwise you're back to the usual
>> possibilities--filesystem permissions and ACLs are all that come to
>> mind in my pre-coffee stupor....
>
> 	Can you pls elaborate above mentioned point . I couldn't get it
> clearly.

I think--I hope--I addressed any confusion regarding Authorization.   As
far as filesystem permissions go, I think that's pretty  straightforward.
And as for ACLs, I really don't know anything beyond  the gloss in acl(3)
so I won't say anything lest I mislead you....

/gh



 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden

This email sent to email@hidden 



---------------------------------------------------------------------------
Perry The Cynic                                             email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden

This email sent to email@hidden
References: 
 >RE: Admin previleges (From: Nidhi Chadha <email@hidden>)
 >Re: Admin previleges (From: Gary Hoo <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.