I Have The Solution(s)!!!!
Okay, I think I've got the answer to our woes... keep in mind, I know enough about this stuff just to be dangerous, so if anyone sees or experiences any problems with the following solutions, please let me know what adjustments need to be made. I realize the following solutions will compromise overall security somewhat, but nowhere near as much as giving our STANDARD USERS total administrative rights.
SOLUTION 1: This does not prompt for *any* Authorization Windows
IMPORTANT: This solution will leave your system without the ability to prompt for authorization for any app requesting root access or the ability to mount/unmount drives, but it will provide a "promptless" entry into Parallels.
(Workgroup Manager not needed):
1. Open Terminal. Run as root by typing sudo -s. Make sure to type in your password correctly. The prompt should now read root#
2. Make a backup of the authorization file by typing: cp /etc/authorization /etc/authorization.bak
3. Edit the authorization file by typing: pico /etc/authorization
4. Scroll down to the key marked system.privilege.admin. It should look like this:
<key>system.privilege.admin</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by AuthorizationExecuteWithPrivileges(...)
AuthorizationExecuteWithPrivileges is used by programs requesting
to run a tool as root (ie. some installers).
Credentials remain valid 5 minutes after they've been obtained.
An acquired credential isn't shared with other clients.
Clients running as root will be granted this right automatically.
</string>
<key>group</key>
<string>admin</string>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
</dict>
5. Replace that entire block of text with the following:
<key>system.privilege.admin</key>
<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>Ability to run applications as root</string>
</dict>
<key>system.volume.mount</key>
<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>Ability to mount a drive</string>
</dict>
<key>system.volume.unmount</key>
<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>Ability to unmount a drive</string>
</dict>
6. Exit, saving changes. Reboot.
SOLUTION 2: Prompts for Authorization from any registered user
IMPORTANT: This is a somewhat more secure solution as authentication prompts are required from any registered user before action is taken. However, you cannot select users who do not have this authority.
(Workgroup Manager not needed):
1. Open Terminal. Run as root by typing sudo -s. Make sure to type in your password correctly. The prompt should now read root#
2. Make a backup of the authorization file by typing: cp /etc/authorization /etc/authorization.bak
3. Edit the authorization file by typing: pico /etc/authorization
4. Scroll down to the key marked system.privilege.admin. It should look like this:
<key>system.privilege.admin</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by AuthorizationExecuteWithPrivileges(...)
AuthorizationExecuteWithPrivileges is used by programs requesting
to run a tool as root (ie. some installers).
Credentials remain valid 5 minutes after they've been obtained.
An acquired credential isn't shared with other clients.
Clients running as root will be granted this right automatically.
</string>
<key>group</key>
<string>admin</string>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
</dict>
5. Replace that entire block of text with the following:
<key>system.privilege.admin</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Ability to run applications as root</string>
<key>rule</key>
<string>authenticate-session-owner-or-admin</string>
</dict>
<key>system.volume.mount</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Ability to mount a drive</string>
<key>rule</key>
<string>authenticate-session-owner-or-admin</string>
</dict>
<key>system.volume.unmount</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Ability to unmount a drive</string>
<key>rule</key>
<string>authenticate-session-owner-or-admin</string>
</dict>
6. Exit, saving changes. Reboot.
SOLUTION 3: Prompts for Authorization from specific users in a powerusers group
IMPORTANT: This is the most secure solution as authentication prompts are only accepted from users you specify in a powerusers group. The Administrators group MUST be in this group.
(Workgroup Manager REQUIRED)
1. Install Workgroup Manager
- Download the latest set of server admin tools to get Workgroup Manager (you don't need a server to use it) at http://www.apple.com/support/downloads/serveradmintools1047.html
- Install just the ServerAdminTools.pkg located in Administration Tools->Installers->Packages
- Workgroup manager should now be located in Applications->Server
2. Set up a powerusers group in Workgroup Manager
- As you will not be connecting to a server, click Cancel on the first window you see when opening Workgroup Manager, then select View Directories under "Server" in the menu. Ignore any warning messages that may pop up at this point.
- Click on the lock icon in the upper right of the next screen and authorize to your directory node (for most this is the local NetInfo node, but for some this could be Active Directory) using your Administrative creds.
- Click on the GROUPS icon (middle button) in the menu on the left
- Select the "NEW GROUP" button in the menu at the top and create a group called powerusers.
- Click the "+" sign, a side window will open. Select the GROUPS icon. Drag the "Administrators" group to your powerusers group. Next, select the USERS icon. Drag your standard user account(s) into the powerusers group.
- When finished click SAVE.
- Exit out of Workgroup Manager
3. Open Terminal. Run as root by typing sudo -s. Make sure to type in your password correctly. The prompt should now read root#
4. Make a backup of the authorization file by typing: cp /etc/authorization /etc/authorization.bak
5. Edit the authorization file by typing: pico /etc/authorization
6. Scroll down to the key marked system.privilege.admin. It should look like this:
<key>system.privilege.admin</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by AuthorizationExecuteWithPrivileges(...)
AuthorizationExecuteWithPrivileges is used by programs requesting
to run a tool as root (ie. some installers).
Credentials remain valid 5 minutes after they've been obtained.
An acquired credential isn't shared with other clients.
Clients running as root will be granted this right automatically.
</string>
<key>group</key>
<string>admin</string>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
</dict>
7. Replace that entire block of text with the following:
<key>system.privilege.admin</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Ability to run applications as root.</string>
<key>group</key>
<string>powerusers</string>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
</dict>
<key>system.volume.mount</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Ability to mount a drive</string>
<key>group</key>
<string>powerusers</string>
<key>shared</key>
<false/>
</dict>
<key>system.volume.unmount</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Ability to unmount a drive</string>
<key>group</key>
<string>powerusers</string>
<key>shared</key>
<false/>
</dict>
8. Exit, saving changes. Reboot.
FINAL NOTES:
If somehow you've botched the authorization file to the point where it crashes your computer on reboot, you can always fix it by booting your mac in single user mode by holding down Command-S during bootup.
Then, type: /sbin/mount -uw /
Then, cp /etc/authorization.bak /etc/authorization
Hope this helps!
-Mike
Last edited: Jun 20, 2007
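An added example (not part of Mike's post) that checks what each of the three solutions actually leaves in /etc/authorization: it parses the plist and reports, for the three rights edited above, whether the right is granted to everyone (class allow), delegated to a group (class user), or delegated to a rule. The embedded plist is a constructed sample, and the trusted-group list and severity labels are the example's own assumptions.

```python
import plistlib

# The three rights the thread edits; the audit is an added example, not from the post.
WATCHED_RIGHTS = ("system.privilege.admin", "system.volume.mount", "system.volume.unmount")

# Constructed sample in the layout of /etc/authorization: Solution 1 applied to
# system.privilege.admin, Solution 3 to system.volume.mount, Solution 2 to unmount.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
  <key>system.privilege.admin</key>
  <dict><key>class</key><string>allow</string>
        <key>comment</key><string>Ability to run applications as root</string></dict>
  <key>system.volume.mount</key>
  <dict><key>allow-root</key><true/><key>class</key><string>user</string>
        <key>group</key><string>powerusers</string><key>shared</key><false/></dict>
  <key>system.volume.unmount</key>
  <dict><key>allow-root</key><true/><key>class</key><string>rule</string>
        <key>rule</key><string>authenticate-session-owner-or-admin</string></dict>
</dict></dict></plist>"""


def audit_rights(plist_bytes, watched=WATCHED_RIGHTS, trusted_groups=("admin",)):
    """Return {right: (severity, reason)} for each watched right in the plist."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    findings = {}
    for name in watched:
        spec = rights.get(name)
        if spec is None:
            findings[name] = ("info", "not defined; falls through to the default rule")
            continue
        cls = spec.get("class")
        if cls == "allow":            # Solution 1: no prompt for anyone
            findings[name] = ("high", "granted to every caller with no authentication")
        elif cls == "user":           # Solution 3 (or stock: group admin)
            group = spec.get("group", "")
            if group in trusted_groups:
                findings[name] = ("ok", f"authenticated member of '{group}'")
            else:
                findings[name] = ("medium", f"delegated to non-admin group '{group}'")
        elif cls == "rule":           # Solution 2: any session owner or admin
            findings[name] = ("medium", f"delegated via rule '{spec.get('rule')}'")
        else:
            findings[name] = ("info", f"unrecognised class '{cls}'")
    return findings


if __name__ == "__main__":
    for right, (sev, why) in audit_rights(SAMPLE_AUTHORIZATION).items():
        print(f"{sev:6} {right}: {why}")
```

To run it against a live file, pass `open("/etc/authorization", "rb").read()` instead of the sample.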