Re: What's the official way to detect a user has administration privileges?
- Subject: Re: What's the official way to detect a user has administration privileges?
- From: "Finlay Dobbie" <email@hidden>
- Date: Thu, 26 Jun 2008 12:21:20 +0100
On Wed, Jun 25, 2008 at 9:41 PM, Stephen J. Butler
<email@hidden> wrote:
> On Wed, Jun 25, 2008 at 10:31 AM, Stephane Sudre <email@hidden> wrote:
>> Trying to get Extended Rights for "system.privilege.admin" fails for users
>> with "Allow user to administer this computer" turned on. The error states
>> that it fails because it requires interaction. This is probably to request
>> the user to enter his admin password.
>>
>> So unfortunately, this does not look like a solution.
>
> Hmm... I could have sworn there was a way to do this, but now I can't
> find a way. Sorry to send you down the wrong path.

Probably the closest you can do is define your own right and apply
only the kAuthorizationRuleIsAdmin rule. Then you can attempt to gain
the right, which will determine if the user complies with the is-admin
rule as defined in /etc/authorization. This is probably the closest that
you'll get to the concept of an "admin user" within Authentication
Services, but of course that won't work if, for example, you're trying
to determine whether someone will be able to perform the
authenticate-admin rule if they authenticated as themselves in advance
of asking them to do so, AND the local /etc/authorization policy file
has been modified in a weird and nonstandard way. Of course, this may
be an irrelevant degenerate case.

However, the wider point which you seem to have encountered is that
Authentication Services provides far more granularity than just "is
admin" or "is not admin", so it kind of depends what you're trying to
do overall.

If you have further questions about the intricacies of Security on Mac
OS X, you might find them better directed at the apple-cdsa list.

-- Finlay
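
The caveat in the message above (a custom right bound to is-admin stops predicting authenticate-admin once the local policy file has been edited) can be checked by auditing the policy file itself. The following is an added example, not part of the original post: the right name `com.example.myapp.is-admin`, the `helpdesk` group and the sample policy are constructed, and the plist key names and the default `admin` group are assumptions about the /etc/authorization layout.

```python
import plistlib

# Constructed sample in the assumed /etc/authorization layout (not a real file).
# "com.example.myapp.is-admin" is a hypothetical custom right.
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
  <key>com.example.myapp.is-admin</key><dict>
    <key>class</key><string>rule</string>
    <key>rule</key><string>is-admin</string></dict>
</dict>
<key>rules</key><dict>
  <key>is-admin</key><dict>
    <key>class</key><string>user</string>
    <key>group</key><string>admin</string>
    <key>authenticate-user</key><false/></dict>
  <key>authenticate-admin</key><dict>
    <key>class</key><string>user</string>
    <key>group</key><string>helpdesk</string></dict>
</dict>
</dict></plist>"""

def rule_group(policy, name):
    """Group that a 'user'-class rule tests membership of, else None."""
    rule = policy.get("rules", {}).get(name)
    if isinstance(rule, dict) and rule.get("class") == "user":
        return rule.get("group")
    return None

def audit(policy, right, expected_group="admin"):
    """List the reasons the custom right is not a reliable 'admin user' test."""
    findings = []
    entry = policy.get("rights", {}).get(right)
    if not isinstance(entry, dict):
        return ["right %s is not defined" % right]
    rules = entry.get("rule")
    rules = [rules] if isinstance(rules, str) else rules
    if entry.get("class") != "rule" or rules != ["is-admin"]:
        findings.append("right does not apply only the is-admin rule")
    is_admin = rule_group(policy, "is-admin")
    auth_admin = rule_group(policy, "authenticate-admin")
    if is_admin != expected_group:
        findings.append("is-admin checks group %r" % is_admin)
    if auth_admin != is_admin:
        findings.append("authenticate-admin checks group %r, is-admin checks %r"
                        % (auth_admin, is_admin))
    return findings

if __name__ == "__main__":
    for line in audit(plistlib.loads(SAMPLE_POLICY), "com.example.myapp.is-admin"):
        print(line)
```

An empty result means the custom right and authenticate-admin test the same group, so the answer from the is-admin check carries over; any finding means the two can disagree on this machine.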