The macosxhints Forums

Can I pre-authenticate in the Terminal? (http://hintsforums.macworld.com/showthread.php?t=92311)

ThreeBKK 08-10-2008 11:36 AM

I'll add to the equation that, if you use a strong password containing more than 12 characters, typing your admin password repeatedly eats up a lot of time and patience. It just isn't very practical from a productivity point of view.

NovaScotian 08-10-2008 11:38 AM

Quote:

Originally Posted by ThreeBKK (Post 487537)
I'll add to the equation that, if you use a strong password containing more than 12 characters, typing your admin password repeatedly eats up a lot of time and patience. It just isn't very practical from a productivity point of view.

Exactly -- I want two forms of the same account; not two accounts.

cwtnospam 08-10-2008 11:46 AM

I understand what you want, and to some degree you do have that with su, but not completely. You may be better off working in an admin account. You could hop into the current admin and set yours to admin, do your work, and then switch it back, but that's a hassle. Maybe a script would help?

On the other hand, I think that "most folks" aren't aware of scripting, or even this site. They're using admin accounts and don't even know it. They definitely should be using standard accounts. My wife and her sister are good examples of people who never go into their admin accounts. They have no need.

NovaScotian 08-10-2008 11:52 AM

I've come to the same conclusion, CWT -- I've switched my normal account back to Admin and left the new Admin account I created virgin -- I can use that for checking whether I have a problem peculiar to my normal account.

biovizier 08-10-2008 12:02 PM

Just as a precaution, it might be advisable to create the file "/Library/Preferences/com.apple.SystemLoginItems.plist", make sure it is owned by "root" and lock it. That will at least block this route of passwordless privilege escalation since Apple doesn't seem to be in any hurry to patch it despite the reports of the existence of malware using it.

The funniest thing about all this is that people do come up with complex passwords, get frustrated with having to remember and enter them to make changes to their computer, but if malware were to get running somehow, it wouldn't even need the password to take over their system at all.

NovaScotian 08-10-2008 12:15 PM

Sounds like good advice -- if I knew how to do it or what it did.

cwtnospam 08-10-2008 12:28 PM

I've just noticed that you can upgrade a standard account to an admin account right from the Accounts preference pane if you've got another (and you should!) admin account. It appears that you can temporarily give yourself admin rights when you need them, and then remove them when you're done.

ThreeBKK 08-10-2008 12:47 PM

Quote:

Originally Posted by cwtnospam (Post 487552)
I've just noticed that you can upgrade a standard account to an admin account right from the Accounts preference pane if you've got another (and you should!) admin account. It appears that you can temporarily give yourself admin rights when you need them, and then remove them when you're done.

Yes, but if you analyze the situation, you'll see that it probably won't save the user much time or energy to do it like that. They'd have to authenticate with a password and convert their account to admin just to (for example) change a label in their apps folder to orange. After they are finished doing that, they convert back to a standard account, and at the next admin required task, they'll have to repeat the process. For me, this might happen half a dozen times or more per logged in session. On top of that, if memory serves correctly, you must log out and back in again after converting your account to standard or admin "for this change to take effect".

It seems quicker to keep the account standard, and use something like su in the Terminal, or just authenticate in the pop-up dialogue boxes.

ThreeBKK 08-10-2008 12:50 PM

hayne's advice (from the thread that I linked to earlier):

Quote:

The correct way to handle this (IMHO) is to use fast-user-switching to switch to the admin user, do what is needed, then log out of the admin.
Or if it's just command-line admin access that is needed, then just use 'su - fred' in a Terminal window to switch to the admin user (named "fred" for concreteness above). Do your stuff, and then type 'exit' to return to your usual user's shell.

cwtnospam 08-10-2008 01:46 PM

Either way, it boils down to how often you need access. Hopefully, if you need access frequently, you also know how to protect your system while you're logged in as an admin.

ThreeBKK 08-10-2008 01:53 PM

Come to think of it, security card based authentication would cut down on most of the typing. Does anyone have experience using one of these systems under Mac OS?

trevor 08-11-2008 03:10 PM

Quote:

Originally Posted by ThreeBKK (Post 487509)
Could a moderator or an admin please erase post number 15 along with this post? It seems that I posted a duplicate somewhere along the way. Thanks in advance. :)

The (former) post 15 has been deleted as requested.

Trevor

JadeStar 08-13-2008 02:30 PM

Quote:

I want a MeMyself&I account, and a PowerMeMyself&I account functioning on exactly the same content.

This is what the list of "sudoers" is for (mentioned earlier). When you sudo, you're executing an action as your own user, but with elevated permissions. AFAIK, this is all that is meant by using an "admin" account on a Mac -- it's why you'll have to authenticate for system-changing actions, and it's why you'll have to authenticate again after a while. Admin != root. Apple seems to have implemented the standard sudo behavior on this one, as far as I can tell.

If, on the other hand, you had the root account enabled, and logged in under that one, it would be very similar to logging into any Linux/Unix GUI as root, which is generally unnecessary.

However, if you enable the root account, and use the terminal to su to root (from your standard or admin account), you'll still have the proper permissions to view and change your standard user's files (or any other user on the Mac), without hassle. Be careful, however, to ensure that file permissions don't get set to root-only on any files you edit, and if they do, just change them back with chmod or chown. Also, if you're using X11 and plan to open an X11 window with root permissions, you may need to adjust your X11 authentication to allow it.

ThreeBKK 08-17-2008 10:13 AM

Quote:

Smart Card Unlock of FileVault and Encrypted Storage:
Smart cards enable you to carry your digital certificates with you. With Mac OS X, you can use your smart card whenever an authentication dialog is presented.
Mac OS X v10.5 has the following four token modules to support this robust, two-factor authentication mechanism and Java Card 2.1 standards:
• Belgium National Identification Card (BELPIC)
• Department of Defense Common Access Card (CAC)
• Japanese government PKI (JPKI)
• U.S. Federal Government Personal Identity Verification, also called FIPS-201 (PIV)

This looks like it might be the way to go, but I don't know how much it would cost, or where to get a card reader system. The passage was found in the recently published Leopard Security Configuration Guide 2008.

rccharles 08-22-2008 12:31 AM

Quote:

Originally Posted by baf (Post 487366)
from man sudoers:
Code:

      timestamp_timeout
                  Number of minutes that can elapse before sudo will ask for
                  a passwd again.  The default is 5.  Set this to 0 to always
                  prompt for a password.  If set to a value less than 0 the
                  user's timestamp will never expire.  This can be used to
                  allow users to create or delete their own timestamps via
                  sudo -v and sudo -k respectively.

Important: only edit this file with visudo.

I would like to do this but I cannot figure out the syntax. How about an example?

Robert
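
Added example, not part of any post in this thread: the sudoers syntax for the `timestamp_timeout` option quoted above, with a small audit helper that flags a negative value (timestamp never expires). The user name `robert`, the values 15, 0 and -1, and the helper `audit_timeouts` are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Lines you would add with `sudo visudo`:
#   Defaults timestamp_timeout=15          # everyone: re-prompt after 15 minutes
#   Defaults:robert timestamp_timeout=0    # user "robert" only: always prompt
# With a timeout in effect, `sudo -v` pre-authenticates (refreshes the
# timestamp without running a command) and `sudo -k` invalidates it.

# Constructed sudoers text used as sample input; names and values are made up.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset, timestamp_timeout=15
Defaults:robert timestamp_timeout=-1
%admin ALL=(ALL) ALL'

# audit_timeouts (hypothetical helper): reads sudoers text on stdin and prints
# "<scope> <value> <verdict>" for every timestamp_timeout setting.
# Exit status is 1 if any setting is negative, i.e. the timestamp never expires.
audit_timeouts() {
    awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    $1 ~ /^Defaults/ && /timestamp_timeout[ \t]*=/ {
        v = $0
        sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", v)   # drop text before the value
        sub(/[^0-9.-].*$/, "", v)                        # drop text after the value
        if (v == "") next
        if (v + 0 < 0)       { verdict = "never-expires"; bad = 1 }
        else if (v + 0 == 0) { verdict = "always-prompt" }
        else                 { verdict = "expires-after-" v "-min" }
        print $1, v, verdict
    }
    END { exit bad }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_timeouts || echo "review: a timestamp never expires"
```

To audit a real system, feed it the live file instead of the sample, for example `sudo cat /etc/sudoers | audit_timeouts`.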


All times are GMT -5.