PSU MacAdmins May 23, 2013 at 12:44 pm

Notes from “Security: Locking Down OS X Without Locking Up Users”

These are some resources from my Security session at PSU MacAdmins 2013:

Slides – PSU MacAdmins 2013 Security

Web resources:

Managing OS X – Payload Free Package template

Matt’s Mac Blog – Making use of the /etc/authorization file in Lion / 10.7.x

Scripts:

#!/bin/sh
#############################################################################
# Power Users group example
# Version 1.0, 2013-05-21
# Samuel Keeley
#
# Creates the group 'powerusers', adds the admin group to it, and adds
# the sample account 'teacher'
#############################################################################
## create powerusers group (-r sets the group's display name)
sudo dseditgroup -o create -r "Power Users" powerusers
## add admin group to powerusers group (nested group: every admin is also a power user)
sudo dseditgroup -o edit -a admin -t group powerusers
## add user 'teacher' to powerusers group
sudo dseditgroup -o edit -a teacher -t user powerusers
exit 0

powerusers.sh

#!/bin/sh
#############################################################################
# /etc/authorization modification example
# Version 1.0, 2013-05-21
# Samuel Keeley
#
# Modifies /etc/authorization to allow all users to shut down and restart,
# and some to change the timezone, manage print queues and run
# softwareupdate.
#############################################################################
## PlistBuddy
PB="/usr/libexec/PlistBuddy"
logger "editing /etc/authorization"
## backup original
sudo /bin/cp -f /etc/authorization /etc/authorization.original
## set the rights
## Each key is first 'add'ed (fails harmlessly if it already exists) and then
## 'set' (fails harmlessly if it does not), so the script works either way.
## System Preferences itself: the powerusers group may unlock the panes
sudo $PB -c "set rights:system.preferences:group powerusers" "/etc/authorization"
## restart, changing from "evaluate-mechanisms" to "user"
sudo $PB -c "add rights:system.restart:class string user" "/etc/authorization"
sudo $PB -c "set rights:system.restart:class user" "/etc/authorization"
sudo $PB -c "add rights:system.restart:allow-root bool true" "/etc/authorization"
sudo $PB -c "set rights:system.restart:allow-root true" "/etc/authorization"
sudo $PB -c "add rights:system.restart:group string everyone" "/etc/authorization"
sudo $PB -c "set rights:system.restart:group everyone" "/etc/authorization"
sudo $PB -c "add rights:system.restart:shared bool false" "/etc/authorization"
sudo $PB -c "set rights:system.restart:shared false" "/etc/authorization"
sudo $PB -c "delete rights:system.restart:mechanisms" "/etc/authorization"
## shutdown, changing from "evaluate-mechanisms" to "user"
sudo $PB -c "add rights:system.shutdown:class string user" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:class user" "/etc/authorization"
sudo $PB -c "add rights:system.shutdown:allow-root bool true" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:allow-root true" "/etc/authorization"
sudo $PB -c "add rights:system.shutdown:group string everyone" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:group everyone" "/etc/authorization"
sudo $PB -c "add rights:system.shutdown:shared bool false" "/etc/authorization"
sudo $PB -c "set rights:system.shutdown:shared false" "/etc/authorization"
sudo $PB -c "delete rights:system.shutdown:mechanisms" "/etc/authorization"
## timezone, need to add on 10.5 and later, everyone
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone dict" "/etc/authorization"
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone:class string allow" "/etc/authorization"
sudo $PB -c "set rights:system.preferences.dateandtime.changetimezone:class allow" "/etc/authorization"
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone:comment string Timezones" "/etc/authorization"
sudo $PB -c "set rights:system.preferences.dateandtime.changetimezone:comment Timezones" "/etc/authorization"
sudo $PB -c "add rights:system.preferences.dateandtime.changetimezone:shared bool true" "/etc/authorization"
sudo $PB -c "set rights:system.preferences.dateandtime.changetimezone:shared true" "/etc/authorization"
## print operator, everyone
sudo $PB -c "set rights:system.print.operator:group everyone" "/etc/authorization"
## printer prefpane, powerusers. requires additional right
sudo $PB -c "set rights:system.preferences.printing:group powerusers" "/etc/authorization"
## add group 'powerusers' to 'lpadmin' group
sudo dseditgroup -o edit -a powerusers -t group lpadmin
## software update, everyone, requires additional rights
sudo $PB -c "set rights:system.preferences.softwareupdate:group everyone" "/etc/authorization"
sudo $PB -c "set rights:system.install.apple-software:rule allow" "/etc/authorization"
sudo $PB -c "set rights:com.apple.SoftwareUpdate.scan:rule allow" "/etc/authorization"
## network preferences, powerusers, requires additional right
sudo $PB -c "set rights:system.preferences.network:group powerusers" "/etc/authorization"
sudo $PB -c "set rights:system.services.systemconfiguration.network:rule allow" "/etc/authorization"
## energy saver, powerusers
sudo $PB -c "set rights:system.preferences.energysaver:group powerusers" "/etc/authorization"
## time machine, powerusers
sudo $PB -c "set rights:system.preferences.timemachine:group powerusers" "/etc/authorization"
## Permissions: PlistBuddy may leave the file with other ownership or mode
sudo chown root:wheel "/etc/authorization"
sudo chmod 644 "/etc/authorization"
exit 0

authorization.sh
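An added drift check for the rights authorization.sh sets, not code from the original post or its author. It is useful after a combo update, which a commenter below reports can overwrite /etc/authorization. It uses only the standard-library plistlib; EXPECTED, check_drift, wide_open_rights and the embedded sample plist (including its mechanism name) are constructed for this example. Feed check_drift the bytes of the real file to run it against a machine.

```python
import plistlib

# What authorization.sh (this page) sets for a subset of rights; constructed
# here from its PlistBuddy commands.
EXPECTED = {
    "system.preferences": {"group": "powerusers"},
    "system.restart": {"class": "user", "group": "everyone", "shared": False, "allow-root": True},
    "system.shutdown": {"class": "user", "group": "everyone", "shared": False, "allow-root": True},
    "system.preferences.dateandtime.changetimezone": {"class": "allow", "shared": True},
}

# Constructed sample /etc/authorization: an update has put system.preferences
# and system.restart back to defaults; system.shutdown is still as the script set it.
SAMPLE_DB = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>rights</key><dict>
  <key>system.preferences</key>
  <dict><key>class</key><string>user</string><key>group</key><string>admin</string></dict>
  <key>system.restart</key>
  <dict><key>class</key><string>evaluate-mechanisms</string>
        <key>mechanisms</key><array><string>builtin:constructed-example</string></array></dict>
  <key>system.shutdown</key>
  <dict><key>class</key><string>user</string><key>group</key><string>everyone</string>
        <key>shared</key><false/><key>allow-root</key><true/></dict>
</dict></dict></plist>"""


def check_drift(plist_bytes, expected=EXPECTED):
    """Return {right: "missing" | {key: actual}} for every expected right that is absent or differs."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    drift = {}
    for right, want in expected.items():
        have = rights.get(right)
        if have is None:
            drift[right] = "missing"
            continue
        diffs = {k: have.get(k) for k, v in want.items() if have.get(k) != v}
        # The script deletes 'mechanisms' when it switches a right to class
        # 'user'; a leftover array means the right was reverted.
        if want.get("class") == "user" and "mechanisms" in have:
            diffs["mechanisms"] = have["mechanisms"]
        if diffs:
            drift[right] = diffs
    return drift


def wide_open_rights(plist_bytes):
    """Rights that prompt for no credential at all (class 'allow' or group 'everyone')."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    return sorted(r for r, spec in rights.items()
                  if spec.get("class") == "allow" or spec.get("group") == "everyone")
```

The script grants a few wide-open rights on purpose, so the second list is something to compare against intent rather than a finding by itself.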

#!/bin/sh
#############################################################################
# Single user mode disabler
# Version 1.0, 2013-05-21
# Samuel Keeley
#
# Adds a restart to the root profile with console 'vt100' to make the
# machine reboot when booted to single user mode.
#############################################################################
## must run as root: this overwrites /var/root/.profile
## single quotes keep "$TERM" literal so it is evaluated when the profile runs
echo 'nvram boot-args=""' > /var/root/.profile
echo 'if [ "$TERM" = vt100 ]; then /sbin/reboot; fi' >> /var/root/.profile
exit 0

rootprofile.sh

Samuel Keeley

Samuel Keeley can frequently be found in ##osx-server on Freenode, or on Twitter @keeleysam.


4 Comments

  • Just wanted to give a heads up. The location of the Authorization DB has changed in Mavericks.

    Looks like it’s at `/System/Library/Security/authorization.plist` now.

  • Also note: I believe I’ve seen OS X updates (specifically, combo updates) overwrite this file. Be careful!

  • As of Mavericks you should be using the “security” command line instead, like

    security authorizationdb write system.login.screensaver "authenticate-session-owner-or-admin"

    (which we use to activate the old-fashioned screen-saver lock where you can put in an admin user name)

  • I tried your Single User Mode disabler on a 10.8.5 box and the result was that it couldn’t find the root/.profile. Am I missing something?
