Re: What's the official way to detect a user has administration privileges?
On Wed, Jun 25, 2008 at 9:41 PM, Stephen J. Butler <stephen.butler@gmail.com> wrote:
On Wed, Jun 25, 2008 at 10:31 AM, Stephane Sudre <ssudre@intego.com> wrote:
Trying to get Extended Rights for "system.privilege.admin" fails for users with "Allow user to administer this computer" turned on. The error states that it fails because it requires interaction. This is probably to request the user to enter his admin password.
So unfortunately, this does not look to be a solution.
Hmm... I could have sworn there was a way to do this, but now I can't find a way. Sorry to send you down the wrong path.
Probably the closest you can do is define your own right and apply only the kAuthorizationRuleIsAdmin rule. Then you can attempt to gain the right, which will determine if the user complies with the is-admin rule as defined in /etc/authorization.

This is probably the closest that you'll get to the concept of an "admin user" within Authentication Services, but of course that won't work if, for example, you're trying to determine whether someone will be able to perform the authenticate-admin rule if they authenticated as themselves in advance of asking them to do so, AND the local /etc/authorization policy file has been modified in a weird and nonstandard way. Of course, this may be an irrelevant degenerate case.

However, the wider point which you seem to have encountered is that Authentication Services provides far more granularity than just "is admin" or "is not admin", so it kind of depends what you're trying to do overall.

If you have further questions about the intricacies of Security on Mac OS X, you might find them better directed at the apple-cdsa list.

--
Finlay
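The approach described in the message above, sketched in Swift against the Authorization Services C API; this is an added example, not code from the original thread. The right name `com.example.myapp.admin-probe` and the helper names are assumptions, and the check is only meaningful while the local `is-admin` rule is unmodified.

```swift
import Foundation
import Security

// Hypothetical right name, an assumption of this example; use your own reverse-DNS name.
let rightName = "com.example.myapp.admin-probe"

enum AdminCheck { case admin, notAdmin, undetermined(OSStatus) }

// One-time setup, e.g. from an installer: define the custom right and bind it
// to the stock "is-admin" rule. Changing the policy database is itself gated
// by policy, so this can fail for an unprivileged caller.
func registerRight(_ auth: AuthorizationRef) -> OSStatus {
    // Leave an existing definition untouched.
    if AuthorizationRightGet(rightName, nil) == errAuthorizationSuccess {
        return errAuthorizationSuccess
    }
    return AuthorizationRightSet(auth, rightName,
                                 kAuthorizationRuleIsAdmin as CFString,
                                 nil, nil, nil)
}

// Runtime check: ask for the right with extendRights but WITHOUT
// interactionAllowed, so the call can never put up a password dialog.
func checkIsAdmin(_ auth: AuthorizationRef) -> AdminCheck {
    let status: OSStatus = rightName.withCString { name -> OSStatus in
        var item = AuthorizationItem(name: name, valueLength: 0, value: nil, flags: 0)
        return withUnsafeMutablePointer(to: &item) { itemPtr -> OSStatus in
            var rights = AuthorizationRights(count: 1, items: itemPtr)
            return AuthorizationCopyRights(auth, &rights, nil, [.extendRights], nil)
        }
    }
    switch status {
    case errAuthorizationSuccess: return .admin
    case errAuthorizationDenied: return .notAdmin
    // e.g. errAuthorizationInteractionNotAllowed when the local policy was
    // changed so that the rule needs a prompt: report it, do not guess.
    default: return .undetermined(status)
    }
}

var authRef: AuthorizationRef?
guard AuthorizationCreate(nil, nil, [], &authRef) == errAuthorizationSuccess,
      let auth = authRef else {
    fatalError("AuthorizationCreate failed")
}
let setup = registerRight(auth)
if setup == errAuthorizationSuccess {
    print("is-admin check:", checkIsAdmin(auth))
} else {
    print("could not define \(rightName): OSStatus \(setup)")
}
AuthorizationFree(auth, [])
```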
participants (1): Finlay Dobbie