Re: Detecting if Admin user
  • Subject: Re: Detecting if Admin user
  • From: Mike Cohen <email@hidden>
  • Date: Fri, 4 Aug 2006 17:36:45 -0400

This is how I do it using BSD APIs:

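#include <grp.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if the login name is listed as a member of group "admin". */
int is_administrator(void)
{
    struct group *g = getgrnam("admin");
    char *u = getlogin(), *m;
    int i;
    if (g == NULL || u == NULL) return 0; /* lookup failed: treat as non-admin */
    for (i = 0; (m = g->gr_mem[i]) != NULL; ++i) {
        if (strcmp(u, m) == 0) return 1;
    }
    return 0;
}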


On Aug 4, 2006, at 5:24 PM, bc wrote:

Quinn,
Regarding the MoreAuthSample...Is anyone going to fix the issue when running
this on a user protected by FileVault? Basically, the functions in
MoreSecurity to create a temp copy of the helper app fail on a FileVault
protected user (SetUID not allowed).



Message: 6
Date: Fri, 4 Aug 2006 08:45:32 -0700
From: Quinn <email@hidden>
Subject: Re: Detecting if Admin user
To: Macintosh Network Programming <email@hidden>
Message-ID: <p06230926c0f91aaa4453@[17.203.24.241]>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 18:35 +0100 3/8/06, Mark Thomas wrote:
Does anybody know how you can tell if a user is admin user or a normal
user, is there a way to tell or does it make any sense not to allow non
admin users to do basic administration tasks if they know what the admin
password is?

Admin users are all in group admin. On 10.4 and later, you can check for that using the mbr_check_membership routine from <membership.h>. Specifically:

mbr_uid_to_uuid(uid) -> uuid

getgrnam("admin") -> gid

mbr_gid_to_uuid(gid) -> guid

mbr_check_membership(uuid, guid) -> result

Prior to 10.4, you have to check the membership yourself, using
getgroups to get the list of groups.

getgroups -> groupList

getgrnam("admin") -> gid

groupList contains gid -> result

                  *                   *                   *

Rather than testing for this stuff yourself, however, you should
really use the Security framework to request authorisation to do a
particular task.  This allows the system administrator to override
your default policy decision as to who should be allowed to do what.
This concept is covered in great detail in Technote 2095
"Authorization for Everyone", and the accompanying sample code.

<http://developer.apple.com/technotes/tn2002/tn2095.html>

S+E
--
Quinn "The Eskimo!"
<http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware


