LuKreme,

Yes, you are right, this did start in 10.6 but was easily remedied by the following. NOTE: This only affects a locked screensaver.

The file that you want to edit is screensaver and is located at "/etc/pam.d/screensaver". When the file is open, it looks like this:

    # screensaver: auth account
    auth       optional       pam_krb5.so
    auth       required       pam_opendirectory.so nullok
    account    required       pam_opendirectory.so
    account    sufficient     pam_self.so
    account    required       pam_group.so no_warn group=admin,wheel fail_safe
    account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

You want to change this line:

    account    required       pam_group.so no_warn group=admin,wheel fail_safe

To this:

    account    sufficient     pam_group.so no_warn group=admin,wheel fail_safe

Save and all should be good. This allowed a tech to enter the tech user name and password to unlock a locked screensaver of a logged-in account to perform maintenance that could not be performed within a different user account, such as the tech account.

The problem with Lion is, as you said, "but when the screensaver lock come up, there doesn’t appear to be anyway to enter the admin login and password".

Switching to a different user does us no good. Do you work with Final Cut Pro workstations? We need to gain access to the actual editor (user) account to perform many tasks that cannot be performed from a different user account. Period. Some maintenance could be done from the tech account I suppose... but not all.

The screensaver is locked to make it harder, albeit not impossible, for an outsider or client to look at an editor's files or a running FCP. This, in addition to many other security measures, is done to help protect our clients' assets. So, while this may be an "Improved Security Model" in Lion, it is not an end-all, be-all security measure that cannot be circumvented by someone who knows enough to circumvent it. It has however become an inconvenience in this situation.

Thanks guys... your comments are truly appreciated.

On Oct 8, 2011, at 3:19 PM, LuKreme wrote:

> On 08 Oct 2011, at 10:52 , Karl Kuehn wrote:
>> I thought that the place to do this was always /etc/authorization,
>> specifically in the system.login.screensaver section. If the entry there
>> indicates you should be able to do this, and you can't, then it is a bug and
>> you should report it as such.
>
> Interesting, the rule for the screensaver is still set to
> authenticate-session-owner-or-admin in /etc/authorization, but when the
> screensaver lock come up, there doesn’t appear to be anyway to enter the
> admin login and password short of clicking “Switch User”
>
> <http://arstechnica.com/civis/viewtopic.php?f=19&t=1149073> has no working
> solution, though it does appear this started in 10.6, not 10.7.
>
> And yes, it is an improved security model, as I suspected.
>
> --
> Space Directive 723: Terraformers are expressly forbidden from
> recreating Swindon.
>
> _______________________________________________
> MacOSX-talk mailing list
> [email protected]
> http://www.omnigroup.com/mailman/listinfo/macosx-talk

Admiral Motti: Any attack made by the Rebels against this station would be a useless gesture, no matter what technical data they have obtained. This station is now the ultimate power in the universe! I suggest we use it!
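
Added example, not part of the original message: a minimal Python model of the standard PAM control-flag rules (required, requisite, sufficient) applied to the account lines quoted in the message, showing that after the edit the later "deny" rule is no longer consulted once the admin-group check succeeds. The per-module outcomes are constructed inputs for a hypothetical unlock attempt; the modules themselves are not simulated.

```python
# Added example: models PAM control-flag evaluation only, not the modules.
STACK_BEFORE = """\
account required   pam_opendirectory.so
account sufficient pam_self.so
account required   pam_group.so no_warn group=admin,wheel fail_safe
account required   pam_group.so no_warn deny group=admin,wheel ruser fail_safe
"""
# The edit described in the message: first pam_group line becomes "sufficient".
STACK_AFTER = STACK_BEFORE.replace(
    "required   pam_group.so no_warn group=",
    "sufficient pam_group.so no_warn group=")

def parse(stack):
    """Split a pam.d file into (facility, control, module, args) tuples."""
    rules = []
    for line in stack.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            facility, control, module, *args = line.split()
            rules.append((facility, control, module, args))
    return rules

def evaluate(stack, outcomes, facility="account"):
    """Walk one facility's chain. outcomes[i] is the (constructed) result of
    the i-th module. Returns (granted, list of modules actually consulted)."""
    rules = [r for r in parse(stack) if r[0] == facility]
    failed, consulted = False, []
    for (_, control, module, args), ok in zip(rules, outcomes):
        consulted.append(" ".join([module] + args))
        if control == "requisite" and not ok:
            return False, consulted            # fail immediately
        if control == "required" and not ok:
            failed = True                      # remember, keep going
        if control == "sufficient" and ok and not failed:
            return True, consulted             # success ends the chain here
    return not failed, consulted

# Constructed scenario: account valid, not the session owner, member of
# admin, and the final deny rule assumed to reject this attempt.
TECH = [True, False, True, False]

if __name__ == "__main__":
    for name, stack in (("before", STACK_BEFORE), ("after", STACK_AFTER)):
        granted, seen = evaluate(stack, TECH)
        print(name, "granted" if granted else "denied", "consulted:", len(seen))
        for m in seen:
            print("   ", m)
```

When reviewing a host with this edit applied, note that any restriction expressed by lines after the `sufficient` pam_group entry no longer applies to members of admin or wheel.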
