How to get application whitelist working in a managed account

I am having trouble getting the application whitelist for a managed user working on 10.7 in the same manner it worked on 10.6. I am restricting which applications can open by allowing applications in certain folders. These are tightly managed machines, and this has the advantage of being able to update applications without re-authorizing them.


This works great on 10.6 and also works on 10.7. However, it appears that child processes are not being allowed. On logging into the managed account, the system throws up dialogs stating that "pboard" and "distnoted" are not allowed. These appear to be child processes of loginwindow. There are also some scripts run by applications which are allowed. The scripts themselves are allowed, but the system is preventing commands like rsync or shutdown - anything found in /bin or /sbin.


It seems that I need a setting to allow child processes. I use an exported mcx file to import using an installer, so I can edit that directly if I need to. Anyone know what I need to add here?

Mac OS X (10.7.1)

Posted on Oct 8, 2011 5:59 AM


Oct 8, 2011 6:25 AM in response to bryan3000000

I am restricting which applications can open by allowing applications in certain folders.


I'm not sure I understand your problem fully, but Lion expects apps to be in the apps folder (unlike SL, which didn't care where you put them). If you're trying to run them from somewhere else or blocking the managed account access to their own apps folder that could be your trouble.


The best solution is to make sure your managed users have all their apps (and only those apps you want to allow) in the Apps folder. That in effect is (or should be) their 'whitelist' of allowed apps.

Oct 8, 2011 9:23 AM in response to softwater

If what you are saying is true, that would be a tremendous change from 10.6. In fact, whitelisting applications in folders in other locations seems to work just fine. In fact there are many helper apps that continue to be installed in the various Application Support folders and so forth.


The problem seems to be rather that when managing applications in this way (whitelist by folder), 10.7 is not allowing anything that is not explicitly whitelisted to run. It is not even allowing some user-level system services to run. For example - pboard is the system pasteboard, and is started by the loginwindow process for the user. distnoted is the distributed notification service, and is again started by the loginwindow process for the user. It seems quite odd to me that setting an application whitelist (by folder) would disallow these system services.


By the same token, if I allow Terminal, Terminal will run. But the login process (/usr/bin/login) will be blocked, making the Terminal unusable. And if I allow /usr/bin and try to run any command inside the terminal - ls, mv, cp (contained in /bin rather than /usr/bin/) - the system will disallow that process.


Basically, the managed preferences system is disallowing anything not contained in a folder allowed by the "by folder" whitelist. That is, on one hand, the way folder whitelisting is supposed to work. However, in 10.6, child processes were allowed, and that behavior is in fact absolutely necessary to a functioning system. The behavior in 10.7 seems to break this, unless there is a managed prefs setting I am missing.


I have tried recreating managed prefs from scratch for a new user on a freshly installed copy of 10.7, and it still does not work properly. So my question is - is this a bug? Is it a (very broken but nevertheless intentional) change in the way the system works? Or is there a setting for allowing child processes that I am missing?
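A quick way to see which executables in a login session would fall outside a strict folder whitelist, and which directories would have to be added to cover them. This is an added example written for this page, not the poster's MCX file and not an Apple tool; the allowed folders and the process paths are constructed (the /usr/sbin locations for pboard and distnoted are an assumption).

```python
import os

# Constructed folder whitelist in the spirit of the thread: everything under
# these folders may run. /bin, /sbin and /usr/sbin are deliberately absent to
# mirror the symptom (ls, cp, shutdown, pboard, distnoted blocked).
ALLOWED_FOLDERS = ["/Applications", "/Library/Application Support", "/usr/bin"]

# Constructed snapshot of executable paths seen in a managed login session
# (paths are assumptions for illustration, e.g. from `ps -axo comm`).
SESSION_PROCESSES = [
    "/usr/sbin/pboard",          # pasteboard server, child of loginwindow
    "/usr/sbin/distnoted",       # distributed notification daemon
    "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
    "/usr/bin/login",            # spawned by Terminal
    "/bin/ls",                   # shell commands live in /bin, not /usr/bin
    "/bin/cp",
    "/sbin/shutdown",
]


def is_allowed(path, folders):
    """True if path lies under one of the whitelisted folders.

    Matching is done on whole path components, so allowing /usr/bin does not
    accidentally cover /usr/bin2, and never covers /bin.
    """
    norm = os.path.normpath(path)
    for folder in folders:
        base = os.path.normpath(folder)
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return True
    return False


def blocked_processes(procs, folders):
    """Executables that a strict by-folder whitelist would refuse to run."""
    return [p for p in procs if not is_allowed(p, folders)]


def folders_to_add(procs, folders):
    """Parent directories that would need whitelisting to cover the blocked set."""
    return sorted({os.path.dirname(p) for p in blocked_processes(procs, folders)})


if __name__ == "__main__":
    for p in blocked_processes(SESSION_PROCESSES, ALLOWED_FOLDERS):
        print("blocked:", p)
    print("folders to add:", folders_to_add(SESSION_PROCESSES, ALLOWED_FOLDERS))
```

Running it against a real `ps -axo comm` listing from the managed session shows at a glance whether the blocked helpers are the loginwindow children or just the /bin and /sbin commands, which is the distinction the thread turns on.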
