Tuesday, November 15, 2011

Using netgroups to control login and admin privileges on OS X

I wanted to use netgroups defined in /etc/netgroup to control:
  • Login access via access_loginwindow
  • OS X admin privs via the admin local group
  • sudo access via /etc/sudoers
Unfortunately I couldn't get it to work (on 10.6), but I'll document it here for my own sake and for the rest of the internet :) I suspect this was because I wanted to use just the flat file, without any NIS server, and OS X was expecting to do lookups to refresh the information in the file.

Run Directory Utility
open /System/Library/CoreServices/Directory\ Utility.app/
and tick 'BSD Flat File and NIS', then inside that tick 'Use User and Group records in BSD Local node'. Interestingly, this is gone on Lion: the option is now just 'NIS' and there is no longer a setting for the BSD local node...

Assuming you have some entries in /etc/netgroup (each member is a (host,user,domain) triple, where '-' means the field has no value and an empty field matches anything):
smalltest (-,auser,)
You should be able to see them with dscl:
$ dscl localhost -read /BSD/local/NetGroups/smalltest
dsAttrTypeNative:triplet: -,auser,
AppleMetaNodeLocation: /BSD/local
RecordName: smalltest
And you should, in theory, be able to use them. I tried this for sudo, and although it passed syntax checking it just didn't work:
+smalltest ALL=(ALL) ALL
And I couldn't get dseditgroup to recognise the netgroup for use in access_loginwindow:
$ sudo dseditgroup -o edit -a smalltest -t group com.apple.access_loginwindow
Group not found.
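Whether or not OS X's lookup plumbing honours the flat file, it helps to be sure of what the file itself says, in particular which users a nested netgroup and a sudoers '+netgroup' line actually resolve to. The script below is an added example, not code from the original post: it parses the (host,user,domain) triple format used in /etc/netgroup, follows nested netgroup references (with cycle protection), and expands the first word of a sudoers user specification such as '+smalltest ALL=(ALL) ALL'. The netgroup file contents and the user names in it are constructed for the example; backslash line continuations are not handled.

```shell
#!/bin/sh
# Constructed sample /etc/netgroup, written to a temp file so this runs offline.
NETGROUP_FILE="${TMPDIR:-/tmp}/netgroup.example.$$"
trap 'rm -f "$NETGROUP_FILE"' EXIT
cat > "$NETGROUP_FILE" <<'EOF'
# name      members: (host,user,domain) triples and/or other netgroup names
smalltest   (-,auser,)
ops         (-,buser,) (-,cuser,)
admins      smalltest ops (-,root,)
loop        loop (-,zuser,)
EOF

# Walk GROUP in FILE and print every user field found, following nested
# netgroups. The third argument is the list of groups already on the stack,
# used to stop infinite recursion on cyclic definitions. Runs in a subshell
# (parenthesised body) so its variables are local.
_netgroup_walk() (
    set -f                          # no pathname expansion while word-splitting
    file=$1; group=$2; seen=" ${3:-} "
    case "$seen" in
        *" $group "*) ;;            # cycle: this group is already being expanded
        *)
            seen="$seen$group "
            # members = everything after the group name on its definition line
            members=$(grep -v '^[[:space:]]*#' "$file" |
                      awk -v g="$group" '$1 == g { $1 = ""; print }')
            for m in $members; do
                case "$m" in
                    \(*\))          # a (host,user,domain) triple: take the user field
                        user=$(printf '%s' "$m" | sed -e 's/^(//' -e 's/)$//' | cut -d, -f2)
                        if [ -z "$user" ]; then user='*'; fi     # empty field = any user
                        if [ "$user" != "-" ]; then printf '%s\n' "$user"; fi
                        ;;
                    *)              # a bare word is another netgroup: recurse
                        _netgroup_walk "$file" "$m" "$seen"
                        ;;
                esac
            done
            ;;
    esac
)

# Print the users of GROUP in FILE, one per line, sorted and deduplicated.
netgroup_users() {
    _netgroup_walk "$1" "$2" "" | sort -u
}

# Exit 0 if USER is granted by GROUP (directly, via nesting, or via a wildcard
# user field), else 1.
netgroup_has_user() {
    netgroup_users "$1" "$2" | grep -qxF -e "$3" -e '*'
}

# Expand the netgroup named by a sudoers user specification such as
# '+smalltest ALL=(ALL) ALL' to the individual users it would grant.
sudoers_netgroup_users() (
    file=$1; spec=$2
    group=${spec%% *}               # first word of the spec
    group=${group#+}                # drop the '+' that marks a netgroup in sudoers
    netgroup_users "$file" "$group"
)

# Usage: show what the admins line would grant.
echo "users granted by '+admins ALL=(ALL) ALL':"
sudoers_netgroup_users "$NETGROUP_FILE" '+admins ALL=(ALL) ALL'
```

The expansion is deliberately literal-minded: it reports only what the file contains, so if a user appears here but sudo or the login window still refuses them, the problem is in how OS X consults the BSD node, not in the netgroup definition.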
