Bootcamp initializing every time...

Discussion in 'Windows Virtual Machine' started by mojo1733, Apr 24, 2007.

  1. mcaramb

    mcaramb Bit poster

    Messages:
    3

    Okay. I know exactly what's the deal with the multiple logins we are seeing.

    The first request is for system.privilege.admin. This is Parallels asking the system to let itself be run as root. Any application asking for root privileges will cause the OS to show an admin login which is why we get this first login screen.

    The second request is for system.volume.unmount. This is Parallels trying to unmount the Bootcamp partition, supposedly using the root permissions you just granted it. Why? I really couldn't say. To me, simply hiding the drive would be a better idea. Any mounting or unmounting of drives (even firewire externals) will cause the diskarbitrationd daemon to check credentials first. If the requesting app doesn't meet admin level creds, the diskarbitrationd daemon will kick it back to the OS and ask for admin login. What is strange is that the app should be now running as root, so it shouldn't be asking for unmount privileges at this point, but it does.

    Lastly, on logging Parallels off, the third request is for system.volume.mount. This is Parallels trying to bring the boot camp drive back online when you exit. Again, diskarbitrationd will check credentials for this request.

    So... I have found out how to give my standard users system.privilege.admin rights (somewhat involved process involving workgroup manager and editing the /etc/authorization file), which clears them for the first login window, but I can't find anywhere how to give them the system.volume.unmount and system.volume.mount privileges it still needs without full promotion to administrator group. Without being able to do this, the first solution is useless.

    Does anyone know if this is possible?

    Thanks

    -Mike
     
  2. nvrmore100

    nvrmore100 Member

    Messages:
    21
    Happen to have the steps for this somewhere? I have been wanting to do this for all sorts of various reasons. :cool:
     
  3. mcaramb

    mcaramb Bit poster

    Messages:
    3
    I Have The Solution(s)!!!!

    Okay, I think I've got the answer to our woes... keep in mind, I know enough about this stuff just to be dangerous, so if anyone sees or experiences any problems with the following solutions, please let me know what adjustments need to be made. I realize the following solutions will compromise overall security somewhat, but nowhere near as much as giving our STANDARD USERS total administrative rights.

    SOLUTION 1: This does not prompt for *any* Authorization Windows
    IMPORTANT: This solution will leave your system without the ability to prompt for authorization for any app requesting root access or ability to mount/unmount drives but it will provide a "promptless" entry into Parallels.

    (Workgroup Manager not needed):

    1. Open Terminal. Run as root by typing sudo -s. Make sure to type in your password correctly. The prompt should now read root#

    2. Make a backup of the authorization file by typing: cp /etc/authorization /etc/authorization.bak

    3. Edit the authorization file by typing: pico /etc/authorization

    4. Scroll down to the key marked system.privilege.admin. It should look like this:

    <key>system.privilege.admin</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Used by AuthorizationExecuteWithPrivileges(...)
    AuthorizationExecuteWithPrivileges is used by programs requesting
    to run a tool as root (ie. some installers).
    Credentials remain valid 5 minutes after they've been obtained.
    An acquired credential isn't shared with other clients.
    Clients running as root will be granted this right automatically.
    </string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <false/>
    <key>timeout</key>
    <integer>300</integer>
    </dict>

    5. Replace that entire block of text with the following:

    <key>system.privilege.admin</key>
    <dict>
    <key>class</key>
    <string>allow</string>
    <key>comment</key>
    <string>Ability to run applications as root</string>
    </dict>

    <key>system.volume.mount</key>
    <dict>
    <key>class</key>
    <string>allow</string>
    <key>comment</key>
    <string>Ability to mount a drive</string>
    </dict>

    <key>system.volume.unmount</key>
    <dict>
    <key>class</key>
    <string>allow</string>
    <key>comment</key>
    <string>Ability to unmount a drive</string>
    </dict>

    6. Exit, saving changes. Reboot.


    SOLUTION 2: Prompts for Authorization from any registered user
    IMPORTANT: This is a somewhat more secure solution as authentication prompts are required from any registered user before action is taken. However, you cannot select users which do not have this authority.

    (Workgroup Manager not needed):

    1. Open Terminal. Run as root by typing sudo -s. Make sure to type in your password correctly. The prompt should now read root#

    2. Make a backup of the authorization file by typing: cp /etc/authorization /etc/authorization.bak

    3. Edit the authorization file by typing: pico /etc/authorization

    4. Scroll down to the key marked system.privilege.admin. It should look like this:

    <key>system.privilege.admin</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Used by AuthorizationExecuteWithPrivileges(...)
    AuthorizationExecuteWithPrivileges is used by programs requesting
    to run a tool as root (ie. some installers).
    Credentials remain valid 5 minutes after they've been obtained.
    An acquired credential isn't shared with other clients.
    Clients running as root will be granted this right automatically.
    </string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <false/>
    <key>timeout</key>
    <integer>300</integer>
    </dict>

    5. Replace that entire block of text with the following:

    <key>system.privilege.admin</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>Ability to run applications as root</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
    </dict>

    <key>system.volume.mount</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>Ability to mount a drive</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
    </dict>

    <key>system.volume.unmount</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>Ability to unmount a drive</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
    </dict>

    6. Exit, saving changes. Reboot.


    SOLUTION 3: Prompts for Authorization from specific users in a powerusers group
    IMPORTANT: This is the most secure solution as authentication prompts are only accepted from users you specify in a powerusers group. The Administrators group MUST be in this group.

    (Workgroup Manager REQUIRED)

    1. Install Workgroup Manager

    - Download the latest set of server admin tools to get Workgroup Manager (you don't need a server to use it) at http://www.apple.com/support/downloads/serveradmintools1047.html
    - Install just the ServerAdminTools.pkg located in Administration Tools->Installers->Packages
    - Workgroup manager should now be located in Applications->Server

    2. Setup a powerusers group in Workgroup Manager

    - As you will not be connecting to a server, click Cancel on the first window you see when opening Workgroup Manager, then select View Directories under "Server" in the menu. Ignore any warning messages that may pop up at this point.
    - Click on the lock icon in the upper right of the next screen and authorize to your directory node (for most this is the local NetInfo node, but for some this could be Active Directory) using your Administrative creds.
    - Click on the GROUPS icon (middle button) in the menu on the left
    - Select the "NEW GROUP" button in the menu at the top and create a group called powerusers.
    - Click the "+" sign, a side window will open. Select the GROUPS icon. Drag the "Administrators" group to your powerusers group. Next, select the USERS icon. Drag your standard user account(s) into the powerusers group.
    - When finished click SAVE.
    - Exit out of Workgroup Manager

    3. Open Terminal. Run as root by typing sudo -s. Make sure to type in your password correctly. The prompt should now read root#

    4. Make a backup of the authorization file by typing: cp /etc/authorization /etc/authorization.bak

    5. Edit the authorization file by typing: pico /etc/authorization

    6. Scroll down to the key marked system.privilege.admin. It should look like this:

    <key>system.privilege.admin</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Used by AuthorizationExecuteWithPrivileges(...)
    AuthorizationExecuteWithPrivileges is used by programs requesting
    to run a tool as root (ie. some installers).
    Credentials remain valid 5 minutes after they've been obtained.
    An acquired credential isn't shared with other clients.
    Clients running as root will be granted this right automatically.
    </string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <false/>
    <key>timeout</key>
    <integer>300</integer>
    </dict>

    7. Replace that entire block of text with the following:

    <key>system.privilege.admin</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Ability to run applications as root.</string>
    <key>group</key>
    <string>powerusers</string>
    <key>shared</key>
    <false/>
    <key>timeout</key>
    <integer>300</integer>
    </dict>

    <key>system.volume.mount</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Ability to mount a drive</string>
    <key>group</key>
    <string>powerusers</string>
    <key>shared</key>
    <false/>
    </dict>

    <key>system.volume.unmount</key>
    <dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Ability to unmount a drive</string>
    <key>group</key>
    <string>powerusers</string>
    <key>shared</key>
    <false/>
    </dict>

    8. Exit, saving changes. Reboot.


    FINAL NOTES:
    If somehow you've botched the authorization file to the point where it crashes your computer on reboot, you can always fix it by booting your mac in single user mode by holding down Command-S during bootup.

    Then, type: /sbin/mount -uw /

    Then, cp /etc/authorization.bak /etc/authorization


    Hope this helps!
    -Mike
     
    Last edited: Jun 20, 2007
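
An added example, not part of the post above and not Parallels or Apple code: a Python check that parses a plist in the /etc/authorization layout and reports when the three rights edited in Solutions 1-3 no longer require the admin group. The top-level `rights` dictionary and the embedded sample are assumptions constructed for illustration.

```python
import plistlib

# The three rights the post edits; the stock entry it shows uses group "admin".
WATCHED = ("system.privilege.admin", "system.volume.mount", "system.volume.unmount")

# Constructed sample (assumed layout: rights under a top-level "rights" dict).
# It mixes one entry from each of the three solutions.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>rights</key><dict>
  <key>system.privilege.admin</key>
  <dict><key>class</key><string>user</string>
        <key>group</key><string>powerusers</string></dict>
  <key>system.volume.mount</key>
  <dict><key>class</key><string>allow</string></dict>
  <key>system.volume.unmount</key>
  <dict><key>class</key><string>rule</string>
        <key>rule</key><string>authenticate-session-owner-or-admin</string></dict>
</dict></dict></plist>"""

def classify(entry):
    """Return a finding for a right that is no longer admin-gated, else None."""
    cls = entry.get("class")
    if cls == "allow":
        return "allow: granted to any caller with no prompt"
    if cls == "rule":
        rules = entry.get("rule", [])
        rules = [rules] if isinstance(rules, str) else rules
        weak = [r for r in rules if "session-owner" in r]
        if weak:
            return f"rule {weak[0]}: session owner's own password is accepted"
        return None
    if cls == "user" and entry.get("group") != "admin":
        return f"user: group {entry.get('group')!r} replaces admin"
    return None

def audit(plist_bytes):
    """Map each watched right that was weakened to the reason it was flagged."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    findings = {}
    for name in WATCHED:
        if name in rights:
            reason = classify(rights[name])
            if reason:
                findings[name] = reason
    return findings

if __name__ == "__main__":
    for right, why in audit(SAMPLE).items():
        print(f"{right}: {why}")
```

Running it against a copy of the live file and against authorization.bak side by side shows which of the three rights differ from the backup's admin-only policy.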
  4. SCCHelpdesk

    SCCHelpdesk Bit poster

    Messages:
    2
    I am using 3.0 build 4560
    I spoke with Parallels Support and will try their answer (I will post back if successful or not):
    (search the KB for) "Sharing a VM with Several User Accounts on a Mac" or click HERE

    Desired Result:

    Making the virtual machine accessible for several users (user accounts) on the same computer.

    Required Steps:

    1. Move the VM folder (located in Macintosh HD > "Your User Name" > Documents > Parallels by default) to your Mac shared folder (for example, Macintosh HD > Users > Shared).
    2. In the Finder, right-click (Ctrl-click) the folder with the VM and choose Get Info from the pop-up menu.
    3. In the Get Info window expand the Ownership&Permissions group.
    4. Expand the Details group.
    5. Set the access level for Others to Read&Write.
    6. Click the Apply to the enclosed items button.

    ***In case of Parallels Desktop for Mac version 3.0 please do the following in addition to the steps above:

    Please find the .hdd file in the virtual machine folder, right-click on the .hdd file, choose the "Show package contents" menu option, and set the access level in the "Others" field to "Read&Write" for each of the files in the package.

    Now each user of your Mac is able to access the VMs stored in this folder.
     
  5. SCCHelpdesk

    SCCHelpdesk Bit poster

    Messages:
    2
    well...this recommended procedure did not work. My non-admin accounts are not able to use their usernames & PW to launch Parallels. I will be back on the phone with Tech Support and see what they have to say.
     
  6. aydogdu11

    aydogdu11 Bit poster

    Messages:
    6
    has anyone else tried the procedure above?

    I am curious if anyone else has tried the above method and solved the password problem yet. An easier method would be welcome I guess, at least from my part. This procedure is too complicated for new converts to Mac like myself!
     
  7. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    Mike, on a personal note, however this may sound, I am not out to sink your boat. You did a nice job in documenting the procedure and even included a warning at the beginning. I just want to stress this so all the 'script kiddi3s' calling themselves 'l33t sysadmins' don't go around telling the Mom and Pops to set it up this way to have a 'secure way' of using the BC partition.

    Well, yeah. It sure is dangerous. This can open the door to all sorts of holes for creative users... If you can do w/e the heck you want with mounting/unmounting the filesystem...

    I don't call this an 'answer' to our woes, rather it is a workaround that has been entailed in theory before, but never practically applied because of the security implications.

    If you feel comfortable leaving the gap open on your systems do so, but I for one would not roll this out in an enterprise environment. At home with computer illiterate kids, fine, but what happens if their 'l33t hax0r' friend finds an on-line exploit using the new permissions as a workaround?

    Needless to say, if someone doesn't care about the potential holes, perfect workaround you wrote.

    Maybe I am over-emphasising the risk, as anyone can pop a Boot CD in as the option between start-up volumes is open to the user if you use BC, this can do just as much damage, or more than the potential security hole. ("cd /Volumes/MacDisc" "rm -f -P *" :-/) Even OpenFirmware can be circumvented with physical access.

    Anyways, "forewarned is forearmed".
     
  8. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    I don't know about too complicated for new people to Mac, more intimidating to anyone who doesn't work with the command prompt. Which, in the case of OS X, is Terminal, which uses a shell (tcsh, bash, etc.).
     
