Re: Detecting if Admin user

  • Subject: Re: Detecting if Admin user
  • From: "bc" <email@hidden>
  • Date: Fri, 4 Aug 2006 14:24:53 -0700
  • Importance: Normal

Quinn,
Regarding the MoreAuthSample... Is anyone going to fix the issue when running
this on a user protected by FileVault?  Basically, the functions in
MoreSecurity to create a temp copy of the helper app fail on a FileVault
protected user (SetUID not allowed).

>
> Message: 6
> Date: Fri, 4 Aug 2006 08:45:32 -0700
> From: Quinn <email@hidden>
> Subject: Re: Detecting if Admin user
> To: Macintosh Network Programming <email@hidden>
> Message-ID: <p06230926c0f91aaa4453@[17.203.24.241]>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
> At 18:35 +0100 3/8/06, Mark Thomas wrote:
> > Does anybody know how you can tell if a user is admin user or a normal
> > user, is there a way to tell or does it make any sense not to allow non
> > admin users to do basic administration tasks if they know what the admin
> > password is?
>
> Admin users are all in group admin.  On 10.4 and later, you can check
> for that using the mbr_check_membership routine from <membership.h>.
> Specifically:
>
> mbr_uid_to_uuid(uid) -> uuid
>
> getgrnam("admin") -> gid
>
> mbr_gid_to_uuid(gid) -> guid
>
> mbr_check_membership(uuid, guid) -> result
>
> Prior to 10.4, you have to check the membership yourself, using
> getgroups to get the list of groups.
>
> getgroups -> groupList
>
> getgrnam("admin") -> gid
>
> groupList contains gid -> result
>
>                   *                   *                   *
>
> Rather than testing for this stuff yourself, however, you should
> really use the Security framework to request authorisation to do a
> particular task.  This allows the system administrator to override
> your default policy decision as to who should be allowed to do what.
> This concept is covered in great detail in Technote 2095
> "Authorization for Everyone", and the accompanying sample code.
>
> <http://developer.apple.com/technotes/tn2002/tn2095.html>
>
> S+E
> --
> Quinn "The Eskimo!"
> <http://www.apple.com/developer/>
> Apple Developer Relations, Developer Technical Support, Core OS/Hardware
>
>
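The pre-10.4 check sketched in the quoted reply (getgroups, getgrnam("admin"), then a search of the list), written out in C as an added example that is not code from this thread or from Apple's samples. The helper names are hypothetical; the code also tests the effective GID, which getgroups is not required to report, and its result is only a hint about the calling process, with the authorisation decision itself left to the Security framework as the reply recommends.

```c
/* Added example; helper names are hypothetical. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if gid appears in list[0..n), else 0. */
int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Return 1 if the calling process holds gid, 0 if not, -1 on error. */
int process_has_gid(gid_t gid)
{
    /* POSIX does not say whether getgroups() reports the effective GID,
       so test that one explicitly. */
    if (getegid() == gid)
        return 1;
    int n = getgroups(0, NULL);              /* size 0: return the count only */
    if (n <= 0)
        return n;                            /* 0: no groups, -1: error */
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int result = (n < 0) ? -1 : gid_in_list(list, n, gid);
    free(list);
    return result;
}

/* Named-group form: -1 if the group cannot be looked up. */
int process_in_group(const char *name)
{
    struct group *gr = getgrnam(name);
    return gr ? process_has_gid(gr->gr_gid) : -1;
}

int main(void)
{
    int r = process_in_group("admin");       /* group name from the quoted reply */
    printf("in admin: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "unknown");
    return r < 0;
}
```

The group list belongs to the running process and was fixed when its credentials were set, so a change to the group's membership made afterwards does not show up here.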
