Startup Disk Privileges Problem

ReesArchibald

Hi,

I work at a university and we are attempting to set up an OSX disk image to distribute on our Mac machines. The plan is to have users log in as non-admins. This, however, creates a problem when users need to use an OS9-only app, as they cannot change the startup disk prefs without being an Admin.

How can we allow non-admins to change the Startup Disk prefs in OSX? Or what other solutions are out there?

Thank you,

Rees Archibald
 
I don't think you can. This would allow anyone to change the startup disk and would be a serious security hole. By doing this, "Joe Hacker" would get an account, change the startup disk, reboot, wipe the OSX drive.

Well I'll take that back a little, if you did give them access, you would have to incorporate OS9's logon feature to keep them from having "Admin Level" access in OS9. This is really the only way I can see this working semi-safely.

Why not just use Classic? If it is speed, then invest in RAM and you have a safer machine.

Good Luck.:)
SA
 
Hacker A: "I need this machine boot in OS 9, sir!"

Assistant: "Okay, lemme change the startup volume for you." (He goes to the machine, does it.)

Hacker A: "Thank you." *bigfriendlysmile*

Hacker A reboots in OS 9, erases Mac OS X volume.

Hacker B does very much the same with another machine and the same assistant, but he just starts messing around with the System files of the Mac OS X partition.
 
you could write a small shell script to change the boot volume, and make it suid root.

nvram boot-device=open firmware path to OS9 volume

or if OSX and OS9 are on the same volume, then bless -folder9 /System Folder (Mac OS 9)

presumably if you have OS9 in your labs now, then you have solutions for preventing problems of the sort that fryke and buc99 describe. i know the macs at my school did.
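
A fixed-argument C helper in place of the setuid shell script suggested above, as an added example that is not part of the original thread: it forwards nothing from the caller to the privileged command and starts it with an empty environment. The keywords os9/osx, the /usr/sbin/bless path, the "/System Folder" location and the -folder line for Mac OS X are assumptions; the -folder9 option follows the post.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed command lines: the caller only picks a keyword, never an argument.
   Paths and keywords are assumptions made for this example. */
struct target { const char *name; const char *argv[5]; };

static const struct target TARGETS[] = {
    { "os9", { "/usr/sbin/bless", "-folder9", "/System Folder", NULL } },
    { "osx", { "/usr/sbin/bless", "-folder", "/System/Library/CoreServices", NULL } },
};

/* Map a user-supplied keyword to a fixed argv, or NULL if it is not allowlisted. */
const char *const *select_target(const char *choice)
{
    size_t i;
    if (choice == NULL)
        return NULL;
    for (i = 0; i < sizeof TARGETS / sizeof TARGETS[0]; i++)
        if (strcmp(choice, TARGETS[i].name) == 0)
            return TARGETS[i].argv;
    return NULL;
}

int main(int argc, char **argv)
{
    /* Empty environment: the caller's PATH, IFS, DYLD_* and so on are dropped. */
    char *const clean_env[] = { NULL };
    const char *const *cmd;

    if (argc != 2 || (cmd = select_target(argv[1])) == NULL) {
        fprintf(stderr, "usage: %s os9|osx\n", argc > 0 ? argv[0] : "setboot");
        return 2;
    }
    /* Absolute path plus execve: no shell and no PATH lookup are involved. */
    execve(cmd[0], (char *const *)cmd, clean_env);
    perror("execve");
    return 1;
}
```

Anything other than the two exact keywords is rejected before any privileged command runs, which is the property a shell script taking user input does not give you.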
 
Originally posted by fryke
Hacker A: "I need this machine boot in OS 9, sir!"

Assistant: "Okay, lemme change the startup volume for you." (He goes to the machine, does it.)

Hacker A: "Thank you." *bigfriendlysmile*

Hacker A reboots in OS 9, erases Mac OS X volume.

Hacker B does very much the same with another machine and the same assistant, but he just starts messing around with the System files of the Mac OS X partition.

Are you saying that both Hacker A and B gain root access through the assistant but B just changes the OSX system files?

Or are you saying that Hacker A gains root access through the assistant, while Hacker B just "Cracks" the system files through his OSX user account on his own?

Reason I ask is that the first scenario is the one I was talking about while the second scenario implies a lack of security in the OSX system.

These are two totally different scenarios. And if you are implying a "lack" of security within OSX, I would like to know what to look for myself to help me lock down my machines.

Thanks,
SA:)
 