Re: Administrator password (Getting list of admins)
Jerry Krinock wrote:

> on 06/11/14 3:32, Terry Lambert at tlambert@apple.com wrote:
>
>> Be aware that some directory services do not permit enumeration of group members,
>
> The only directory service I care about is whatever is used in "grps.c" by Mac OS X, right?

No. Mac OS X supports many different directory services.

> And "whatever that is" seems to work.

You cannot reliably assume that you can enumerate the membership of a group, and you should not try.

Your question was "how do I tell if someone is an admin user". That's already a bad question, because what you really mean is "how can I tell if someone can perform some set of actions, which I am assuming can only be performed by an admin user". Without knowing what those actions are, all I can suggest is that you really should be verifying their ability to perform them; how you might go about that (if at all) is an exercise for the reader.

However, if you insist on using membership in the 'admin' group as your litmus, you should verify it like this:

1) call getgrnam() and obtain the GID for the group
2) call mbr_gid_to_uuid() from <membership.h> to obtain the UUID for the group
3) call mbr_uid_to_uuid() to obtain the UUID for the user
4) call mbr_check_membership() to ascertain whether the user is a member of the group

This is the only mechanism that will reliably give you the same answer that the OS will get when it makes a group membership check as part of an authorisation operation.

= Mike
participants (1)
-
Michael Smith
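
The four calls listed in the message above, combined into one C function. This is an added example, not code from the original post; it assumes Mac OS X's `<membership.h>`, and the function name `user_in_group` and its 1 / 0 / -1 return convention are choices made here. On platforms without `<membership.h>` it reports failure instead of guessing.

```c
/* Added example: group membership check via the membership resolver.
 * Build on Mac OS X: cc -o ismember ismember.c */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __APPLE__
#include <membership.h>
#endif

/* Returns 1 if uid is a member of the named group, 0 if it is not,
 * -1 if the group is unknown or the membership lookup failed. */
int user_in_group(uid_t uid, const char *group_name)
{
    /* 1) getgrnam() to obtain the GID for the group */
    struct group *gr = getgrnam(group_name);
    if (gr == NULL)
        return -1;
#ifdef __APPLE__
    uuid_t group_uuid, user_uuid;
    int is_member = 0;
    /* 2) GID -> group UUID, 3) UID -> user UUID */
    if (mbr_gid_to_uuid(gr->gr_gid, group_uuid) != 0 ||
        mbr_uid_to_uuid(uid, user_uuid) != 0)
        return -1;
    /* 4) ask the resolver; the answer is written to is_member */
    if (mbr_check_membership(user_uuid, group_uuid, &is_member) != 0)
        return -1;
    return is_member ? 1 : 0;
#else
    /* No <membership.h> here: fail closed rather than walk gr->gr_mem,
     * which would be the enumeration the message advises against. */
    (void)uid;
    return -1;
#endif
}

int main(void)
{
    uid_t uid = getuid();
    int r = user_in_group(uid, "admin");
    if (r < 0) {
        fprintf(stderr, "could not determine membership\n");
        return 2;
    }
    printf("uid %u %s a member of admin\n", (unsigned)uid, r ? "is" : "is not");
    return r ? 0 : 1;
}
```

A caller gating a privileged action should treat -1 the same as 0, so that a lookup failure never grants access.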