Macbook Pro, Mac OS X (10.6.6)
-PhS- wrote:
I use that on all my systems, it's very neat, when apps are self-contained (as they have to be on the App Store) …
Hi,
I have the following situation:
My girlfriend's dad got a new computer, and we planned not giving him the PW to the administrator user we setup, he only has a normal user account. This way he cannot download stuff from some dubious place on the internet, shouldn't fall in some MACdefender trap etc.
Problem: He also cannot download simple games from the App Store. Only if we give him the admin PW, and that clearly defeats the purpose of the separation of powers. Installing from the App Store should be possible for such situations, I think, if just by an admin specifying that the Mac Store of this login should install to ~Applications, and not /Applications.
Is there really NOBODY with this use-case out there?
regards
simon
There is a way around this. You need to run the App Store application as an administrator. If App Store.app is running and it was started by an administrator then it will not ask for the administrator password when installing or updating apps.
In essence you need to start the App Store application with the sudo command. For example, from a terminal window you would perform these steps:
su [administrator username]
This will ask you for the administrator’s password, enter it.
sudo /Applications/App\ Store.app/Contents/MacOS/App\ Store
Again you will be asked for the administrator’s password, enter it.
Now the App Store app will open and you will be running it as an administrator. The only password that will be needed to install or update apps on the App Store will be the iTunes Store account password of the user.
The above approach is just a proof of concept. You’ll still have a Terminal window open and running the App Store’s process, when you quick the Terminal or press Control+c the App Store will close. This runs a separate, administrator process of the App Store, it will not open again in administrator mode without invoking the sudo command. A more permanent solution would be to create a script that runs the sudo command, the user could then run the script or set it as a login item. Unfortunately, this is potentially disastrous as it would leave the administrator password in a clear text file. A better way would be to use a script encrypted with Platypus into an application the user could run. …I’ll look into this some more for my own purposes. Maybe someone else has a better method?
-Berylium
I very much disagree.
'Regular' users should not install applications in the system's application folder.
A user should create an Application folder within his own userspace.
This way no application (living within the user space) will be able to run with admin privileges.
This approach helps to keep your system safe.
On top of that there are added bonuses:
So the real solution must come from the appstore itself, where you get the choice whether an app is to be installed for the user or for all users on the system.
For instance, installing 'Pages' would be for all users, which warrants installation in the /Applications folder. (And requires the administrator's credentials to be installed)
Installing a game would be for the individual users should land in the /Users/<name>/Applications folder.
Hoot
Hoot,
Yes, installing to ~/Applications would be a better approach. Are you suggesting that the Mac App Store does this by default somehow? If it does then I am unaware of that behavior or how to enable it.
-Berylium
No I'm not suggesting that, appologies if I put you on the wrong foot.
My mentioning of this was intended in the context of what the appstore should provide.
Regards,
Hoot
My opinion on the matter is as follows:
1. Hacking an application to run as an administrator is an egregious security practice.
2. The Mac App Store is home exclusively to "safe" applications that my users know how to install and use. (A statement that I’ll stand behind more fully this winter when sandboxing is a requirement of applications submitted to the App Store)
3. Many of the applications on the Mac App Store are available on the web where they are more difficult and onerous to install and license. Worse, I can’t reasonably put any trust in something one of my users downloads from the web.
Ultimately, I am more afraid of what a user could download off the internet than what they could download off the Mac App Store. So even knowing the potentially dangerous security implications of the plan, I think it is safer to hack something to allow my users to run the Mac App Store as administrator.
Further, I fully agree with you, Hoot, that their should be a preference in the Mac App Store to download to ~/Applications for non-administrator users.
-Berylium
I concur that the MAS should have the ability to install into ~/Applications. The Admin on the box would have the ability to move the app from ~/Applications to /Applications and allow multi user access were that needed.
This is possible with Lion.
There is a _appstore group. All the user that are in this group are allowed to install applications from the Mac App Store.
You can add a user to this group with the workgroup manager (instal server admin tool first).
Or by typing in this command on the terminal.
dseditgroup -o edit -a shortusername -t user _appstore
Unfortunately this group does not exist in 10.6.8. So how to do that I'm still figuring out.
I just discovered in Workgroup Manager that essentially all default system accounts and groups are missing on my iMac. However, I never experienced any flaws on that system. (Except for Mac App Store asking for admin password each installation)
I discovered it because Terminal told me there was no _appstore group. (I recreated it manually, now I'm fine with that...but...)
I compared it to my MacBook Air - where all those users and groups are available...
See:
Also for groups:
HOW CAN I RESTORE ALL THOSE DEFAULT USERS & GROUPS? SOLUTION PLEASE?
Because this can't be good...
And I have no idea what made them all disappear.
Hi,
Have you tried if your show system records is off?
You can find this option in the View menu item.
Yes, it's definitely turned on.
No system users.
Not even a root user (System Administrator), as you can see.
App Store Asking for Admin
