Re: Administrator password (Getting list of admins)
- Subject: Re: Administrator password (Getting list of admins)
- From: Michael Smith <email@hidden>
- Date: Tue, 14 Nov 2006 08:19:15 -0800
Jerry Krinock wrote:
> on 06/11/14 3:32, Terry Lambert at email@hidden wrote:
>> Be aware that some directory services do not permit enumeration of
>> group members,
>
> The only directory service I care about is whatever is used in "grps.c" by
> Mac OS X, right? And "whatever that is" seems to work.

No. Mac OS X supports many different directory services.

You cannot reliably assume that you can enumerate the membership of a
group, and you should not try.

Your question was "how do I tell if someone is an admin user".

That's already a bad question, because what you really mean is "how can
I tell if someone can perform some set of actions, which I am assuming
can only be performed by an admin user". Without knowing what those
actions are, all I can suggest is that you really should be verifying
their ability to perform them; how you might go about that (if at all)
is an exercise for the reader.

However, if you insist on using membership in the 'admin' group as your
litmus, you should verify it like this:

1) call getgrnam() and obtain the GID for the group
2) call mbr_gid_to_uuid() from <membership.h> to obtain the UUID for the
   group
3) call mbr_uid_to_uuid() to obtain the UUID for the user
4) call mbr_check_membership() to ascertain whether the user is a member
   of the group

This is the only mechanism that will reliably give you the same answer
that the OS will get when it makes a group membership check as part of
an authorisation operation.

= Mike
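
The four steps listed in the message above, written out as a C function. This is an added example, not code from the original post. The helper name user_in_group and its fail-closed return convention are assumptions of this example, and because the mbr_* calls exist only on macOS, other platforms get ENOTSUP.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __APPLE__
#include <membership.h>   /* mbr_* calls and uuid_t; macOS only */
#endif

/* Hypothetical helper. Returns 0 and sets *is_member to 0 or 1, or returns
 * an errno value with *is_member left at 0, so a failed lookup never reads
 * as "is a member". */
int user_in_group(uid_t uid, const char *group_name, int *is_member)
{
    struct group *gr;

    *is_member = 0;
    errno = 0;
    gr = getgrnam(group_name);                       /* step 1: name -> GID */
    if (gr == NULL)
        return errno ? errno : ENOENT;
#ifdef __APPLE__
    uuid_t group_uuid, user_uuid;
    int rc;
    if ((rc = mbr_gid_to_uuid(gr->gr_gid, group_uuid)) != 0)     /* step 2 */
        return rc;
    if ((rc = mbr_uid_to_uuid(uid, user_uuid)) != 0)             /* step 3 */
        return rc;
    rc = mbr_check_membership(user_uuid, group_uuid, is_member); /* step 4 */
    if (rc != 0)
        *is_member = 0;
    return rc;
#else
    (void)uid;
    return ENOTSUP;          /* no membership API outside macOS */
#endif
}

int main(void)
{
    int is_member, rc = user_in_group(getuid(), "admin", &is_member);

    if (rc != 0) {
        fprintf(stderr, "membership check failed (errno %d)\n", rc);
        return 2;
    }
    printf("uid %u %s a member of admin\n", (unsigned)getuid(),
           is_member ? "is" : "is not");
    return is_member ? 0 : 1;
}
```

The query goes through the membership resolver rather than walking gr_mem, so it never relies on enumerating the group's members.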