Re: Detecting if Admin user
Re: Detecting if Admin user
- Subject: Re: Detecting if Admin user
- From: Mark Thomas <email@hidden>
- Date: Sun, 06 Aug 2006 16:02:33 -0700
- Organization: Coderus Ltd
Hi Quinn,
Thanks for pointers, I like the idea of using Security framework, as that
would allow for greater controller instead of testing user is admin.
What I'm trying to detect is a user is allow to install software on their
computer. Maybe a bad assumption was if you are admin then your allowed
otherwise you shouldn't be allowed.
Reading the technote it seems to imply that you need to know what the
admin user is going define their security keys for the users. But shouldn't
this be defined by the application not the admin user ? - or have I missed
something here ? Or how do you work out what the security keys you can test
for per application ?, Here I thinking that the Finder controls if the user
can install software and I should find out what the Finder security keys are
?
Thanks
Mark.
> Message: 6
> Date: Fri, 4 Aug 2006 08:45:32 -0700
> From: Quinn <email@hidden>
> Subject: Re: Detecting if Admin user
> To: Macintosh Network Programming <email@hidden>
> Message-ID: <p06230926c0f91aaa4453@[17.203.24.241]>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
> At 18:35 +0100 3/8/06, Mark Thomas wrote:
>> Does anybody know how you can tell if a user is admin user or a normal
>> user, is there a way to tell or does it make any sense not to allow non
>> admin users to do basic administration tasks if they know what the admin
>> password is ?
>
> Admin users are all in group admin. On 10.4 and later, you can check
> for that using the mbr_check_membership routine from <membership.h>.
> Specifically:
>
> mbr_uid_to_uuid(uid) -> uuid
>
> getgrnam("admin") -> gid
>
> mbr_gid_to_uuid(gid) -> guid
>
> mbr_check_membership(uuid, guid) -> result
>
> Prior to 10.4, you have to check the membership yourself, using
> getgroups to get the list of groups.
>
> getgroups -> groupList
>
> getgrnam("admin") -> gid
>
> groupList contains gid -> result
>
> * * *
>
> Rather than testing for this stuff yourself, however, you should
> really use the Security framework to request authorisation to do a
> particular task. This allows the system administrator to override
> your default policy decision as to who should be allowed to do what.
> This concept is covered in great detail in Technot 2095
> "Authorization for Everyone", and the accompanying sample code.
>
> <http://developer.apple.com/technotes/tn2002/tn2095.html>
>
> S+E
> --
> Quinn "The Eskimo!" <http://www.apple.com/developer/>
> Apple Developer Relations, Developer Technical Support, Core OS/Hardware
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden