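#!/bin/sh
#############################################################################
#
#  /etc/authorization modification example
#  Version 1.0, 2013-05-21
#  Samuel Keeley
#
#  Modifies /etc/authorization to allow all users to shut down, restart,
#  and some to change timezone, manage print queues and run softwareupdate.
#
#  Security notes:
#   - Every edit below lowers the credential required for a system right.
#     Review each one against local policy before deploying.
#   - This targets the flat /etc/authorization plist. On OS X 10.9
#     (Mavericks) and later the authorization database is managed with
#     `security authorizationdb` instead, so this script does not apply.
#   - The 'powerusers' group is assumed to exist already; this script does
#     not create it.
#
#############################################################################

#* PLIST BUDDY
PB="/usr/libexec/PlistBuddy"
AUTH_DB="/etc/authorization"
AUTH_BACKUP="/etc/authorization.original"

logger "editing /etc/authorization"

## backup original
# Written without brace expansion so it works under a strict POSIX /bin/sh.
# An existing backup is kept: re-running the script must not replace the
# pristine copy with an already-modified file. If the backup cannot be made,
# stop before touching the live authorization database.
if [ ! -e "$AUTH_BACKUP" ]; then
  if ! sudo /bin/cp -p "$AUTH_DB" "$AUTH_BACKUP"; then
    logger "backup of /etc/authorization failed; no changes made"
    exit 1
  fi
fi

## set the rights
# Pattern used below: "add" creates a key and fails harmlessly when the key
# already exists; the following "set" then forces the wanted value. Errors
# from individual PlistBuddy calls are therefore deliberately not fatal.

## access to System Preferences itself
# NOTE(review): the original comment said "everyone", but the value written
# is the 'powerusers' group.
sudo "$PB" -c "set rights:system.preferences:group powerusers" "$AUTH_DB"

## restart, changing from "evaluate-mechanisms" to "user"
sudo "$PB" -c "add rights:system.restart:class string user" "$AUTH_DB"
sudo "$PB" -c "set rights:system.restart:class user" "$AUTH_DB"

sudo "$PB" -c "add rights:system.restart:allow-root bool true" "$AUTH_DB"
sudo "$PB" -c "set rights:system.restart:allow-root true" "$AUTH_DB"

# group 'everyone': any account on the machine can obtain this right.
sudo "$PB" -c "add rights:system.restart:group string everyone" "$AUTH_DB"
sudo "$PB" -c "set rights:system.restart:group everyone" "$AUTH_DB"

sudo "$PB" -c "add rights:system.restart:shared bool false" "$AUTH_DB"
sudo "$PB" -c "set rights:system.restart:shared false" "$AUTH_DB"

# The mechanisms list belongs to the old "evaluate-mechanisms" class.
sudo "$PB" -c "delete rights:system.restart:mechanisms" "$AUTH_DB"

## shutdown, changing from "evaluate-mechanisms" to "user"
sudo "$PB" -c "add rights:system.shutdown:class string user" "$AUTH_DB"
sudo "$PB" -c "set rights:system.shutdown:class user" "$AUTH_DB"

sudo "$PB" -c "add rights:system.shutdown:allow-root bool true" "$AUTH_DB"
sudo "$PB" -c "set rights:system.shutdown:allow-root true" "$AUTH_DB"

sudo "$PB" -c "add rights:system.shutdown:group string everyone" "$AUTH_DB"
sudo "$PB" -c "set rights:system.shutdown:group everyone" "$AUTH_DB"

sudo "$PB" -c "add rights:system.shutdown:shared bool false" "$AUTH_DB"
sudo "$PB" -c "set rights:system.shutdown:shared false" "$AUTH_DB"

sudo "$PB" -c "delete rights:system.shutdown:mechanisms" "$AUTH_DB"

## timezone, need to add on 10.5 and later, everyone
sudo "$PB" -c "add rights:system.preferences.dateandtime.changetimezone dict" "$AUTH_DB"

# class 'allow' grants the right with no authentication at all.
sudo "$PB" -c "add rights:system.preferences.dateandtime.changetimezone:class string allow" "$AUTH_DB"
sudo "$PB" -c "set rights:system.preferences.dateandtime.changetimezone:class allow" "$AUTH_DB"

sudo "$PB" -c "add rights:system.preferences.dateandtime.changetimezone:comment string Timezones" "$AUTH_DB"
sudo "$PB" -c "set rights:system.preferences.dateandtime.changetimezone:comment Timezones" "$AUTH_DB"

sudo "$PB" -c "add rights:system.preferences.dateandtime.changetimezone:shared bool true" "$AUTH_DB"
sudo "$PB" -c "set rights:system.preferences.dateandtime.changetimezone:shared true" "$AUTH_DB"

## print operator, everyone
sudo "$PB" -c "set rights:system.print.operator:group everyone" "$AUTH_DB"

## printer prefpane, powerusers. requires additional right
sudo "$PB" -c "set rights:system.preferences.printing:group powerusers" "$AUTH_DB"

## add group 'powerusers' to 'lpadmin' group
# This is a directory-group change, not a plist edit: restoring
# /etc/authorization.original does not undo it.
sudo dseditgroup -o edit -a powerusers -t group lpadmin

## software update, everyone, requires additional right
sudo "$PB" -c "set rights:system.preferences.softwareupdate:group everyone" "$AUTH_DB"
# NOTE(review): rule 'allow' removes the admin prompt for these two rights
# for every caller, not only for members of the group set above. Confirm
# this is acceptable before deploying.
sudo "$PB" -c 'Set :rights:system.install.apple-software:rule allow' "$AUTH_DB"
sudo "$PB" -c 'set rights:com.apple.SoftwareUpdate.scan:rule allow' "$AUTH_DB"

## network preferences, powerusers, requires additional right
sudo "$PB" -c "set rights:system.preferences.network:group powerusers" "$AUTH_DB"
# NOTE(review): the pane is limited to 'powerusers', but this underlying
# right is set to 'allow' for all callers. Verify that the pane right is the
# only intended gate.
sudo "$PB" -c 'set rights:system.services.systemconfiguration.network:rule allow' "$AUTH_DB"

## energy saver, powerusers
sudo "$PB" -c "set rights:system.preferences.energysaver:group powerusers" "$AUTH_DB"

## time machine, powerusers
sudo "$PB" -c "set rights:system.preferences.timemachine:group powerusers" "$AUTH_DB"

#+ Validation
# A malformed authorization plist can break authentication prompts, so check
# that the edited file still parses and fall back to the backup if not.
if ! sudo /usr/bin/plutil -lint "$AUTH_DB" >/dev/null; then
  logger "/etc/authorization failed plist validation; restoring backup"
  sudo /bin/cp -f "$AUTH_BACKUP" "$AUTH_DB"
  sudo chown root:wheel "$AUTH_DB"
  sudo chmod 644 "$AUTH_DB"
  exit 1
fi

#+ Permissions
# root-owned and not writable by group/other, so only root can edit the policy.
sudo chown root:wheel "$AUTH_DB"
sudo chmod 644 "$AUTH_DB"

exit 0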
Just wanted to give a heads up. The location of the Authorization DB has changed in Mavericks.
Looks like it’s at `/System/Library/Security/authorization.plist` now.
Also note: I believe I’ve seen OS X updates (specifically, combo updates) overwrite this file. Be careful!
As of Mavericks you should use the `security` command-line tool instead, for example:
`security authorizationdb write system.login.screensaver authenticate-session-owner-or-admin`
(which we use to activate the old-fashioned screen-saver lock, where you can enter an admin user name).
I tried your Single User Mode disabler on a 10.8.5 box, and the result was that it couldn’t find root/.profile. Am I missing something?