PDA

View Full Version : Accidently deleting apps - how to restrict access



mdmcholet
28th January 2008, 09:42 PM
All

My father in-law who has a brand new (first time) iMac is deleting apps left right and centre and driving us crazy saying its broken blah blah (not that he admits that has done anything wrong)

Can we restrict his access so that cant do that anymore? or turn up the password protect on that sort of thing.

Thanks

mab
28th January 2008, 10:06 PM
Create another account on the machine called admin and set this account to be able to administer the computer. Log on as the admin account and un-check user can administer box on his account.

The first account created when installing OS X is set to be an admin, which I think Apple should change. Even Microsoft doesn't do that anymore.

Currawong
29th January 2008, 01:58 PM
Make sure you also only install apps as the Admin user, then he wont be able to delete them while logged in as himself.

soulman
29th January 2008, 02:47 PM
You will just piss him off by doing this though and it won't really solve the problem. The amount of things he will need an admin password for will bug you both - because you will have to provide it - until you do something about the actual problem: that he shouldn't delete things. Making it so he needs a password will almost certainly end up with you giving it to him because at some point he will need to do something legitimate while you are not there and he will ring you for it.

Tell him the only way to resolve things getting broken because he has "played with" the computer is to reinstall the OS and all updates. Get him to do it himself. He'll stop it soon enough.

detail
29th January 2008, 03:11 PM
Are you sure he is actually deleting the applications and just not pulling them off the dock.

Ie up with that puff of smoke.

They might be still there on disk but not visible in the dock.

mdmcholet
29th January 2008, 04:56 PM
You will just piss him off by doing this though and it won't really solve the problem. The amount of things he will need an admin password for will bug you both - because you will have to provide it - until you do something about the actual problem: that he shouldn't delete things. Making it so he needs a password will almost certainly end up with you giving it to him because at some point he will need to do something legitimate while you are not there and he will ring you for it.

Tell him the only way to resolve things getting broken because he has "played with" the computer is to reinstall the OS and all updates. Get him to do it himself. He'll stop it soon enough.

He denies he deletes anything at all! it is never his fault and that the computer is broken - i wish he had never got the iMac!!! He is the only person who uses it, but never his fault (must be that mystery man again)

With his window machine when he did this sort of thing he called his PC guy (who was ripping him off) and knowing now how much he plays and randomly deletes things no wonder it was costing him a fortune *sigh*

What I want to stop his accidently deleting apps, so its not a case of him not knowing the password if he needs to do something, but if he has to put in a password to confirm a deletion of a app then that makes me happy.

Things are definitely deleted tho, not just gone from the dock, and as he is paranoid about security he empties his trash constantly so can't recover...all very frustrating.

soulman
29th January 2008, 05:18 PM
hat I want to stop his accidently deleting apps, so its not a case of him not knowing the password if he needs to do something, but if he has to put in a password to confirm a deletion of a app then that makes me happy. Fair enough. In that case, creating another user without admin privileges will probably do the job then.

Just be aware that if he keeps using his existing account - as per mab's suggestion - then any apps he has already installed himself will be able to be deleted without a password. It may be easier to just start over and keep the original admin account clean but that will depend on how much he has customised his existing account.

Good luck! I don't envy you providing tech support to such a person. :p

AusMac
29th January 2008, 06:07 PM
^ points go to the detail

Look .. being a dodgy old bloke myself I can suggest talking him into stopping the involunatry click by keeping his bloody finger away from the mouse when he doesn't need to have it there... •then talk him into not clicking again on the "do you really want to delete?"

The main issue is though is that you set an admin account and give him his own .. only an admin can do the stuff he is doing. Change his bloody password, whatever.

Let me tell you that I have deleted my utilities folder and my downloads folder .. and yes.. emptied the trash because I was tired and the computer was behaving sluggishly.

You may have an idea of how much I had to replace to repair these problems.

now don't get me whining about the blue iSkin that seems to stick keys down and completely screw my mind up

Andrew T Chadwick
29th January 2008, 06:32 PM
:)Just a thought,would changing the permisions on the Aplications folder be an idea?

mdmcholet
29th January 2008, 07:31 PM
^ points go to the detail

Look .. being a dodgy old bloke myself I can suggest talking him into stopping the involunatry click by keeping his bloody finger away from the mouse when he doesn't need to have it there... •then talk him into not clicking again on the "do you really want to delete?"

The main issue is though is that you set an admin account and give him his own .. only an admin can do the stuff he is doing. Change his bloody password, whatever.

Let me tell you that I have deleted my utilities folder and my downloads folder .. and yes.. emptied the trash because I was tired and the computer was behaving sluggishly.

You may have an idea of how much I had to replace to repair these problems.

now don't get me whining about the blue iSkin that seems to stick keys down and completely screw my mind up

We have tried to talk to him...but he denies he is the one doing the deleting or anything wrong, which is frustrating - my hubby has seen him do stuff in front of him and my FIL will still deny he did it

But maybe as Andrew suggested will change permissions on the apps folder, hubby going to visit them today (I am at work shame so cant go!)

Thanks everyone for all the suggestions

soulman
29th January 2008, 07:50 PM
...but maybe as Andrew suggested will change permissions on the apps folder...I wouldn't do this. It's a little like swallowing a spider to catch a fly and has a the potential to interfere with any subsequent installations. Apple say not to mess with stuff that's owned by the system - like the Applications folder - which I think is fair enough.

The non-admin user account is neat and should be functional by the sounds of it. I recommend you do that. :)

Another thought, just to hand, would be to create a Folder Action AppleScript and attach it to the Applications folder. A 5 minute job to write it. It would throw a dialogue that could tell him that whatever he tried to delete is going back unless he knows the secret handshake, or whatever. PM me if you are interested and I'll whip one up.

mab
29th January 2008, 08:24 PM
Another thing to note is that if you do create a non admin account for him. The automatic notification of updates to the OS wont work, he will have to periodically do a check (from the apple menu). This is another thing Apple should change. Unless someone knows of a widget or something that will do this.

mdmcholet
29th January 2008, 08:46 PM
Another thing to note is that if you do create a non admin account for him. The automatic notification of updates to the OS wont work, he will have to periodically do a check (from the apple menu). This is another thing Apple should change. Unless someone knows of a widget or something that will do this.

He wont do any installs at all, we will on visits, so that is not a problem.

Cheers

soulman
29th January 2008, 09:51 PM
For mdmcholet and anyone else with an interest, the script below will return any item(s) that is/are deleted from the folder to which it is attached, unless the correct password is given.

Instructions:
• Copy all of the code below and paste it into a new Script Editor document. Script Editor is in /Applications/AppleScript/

• Save the document like this:
File name: Replace removed items (or whatever makes sense to you)
File format: script
Location: /Users/<username>/Library/Scripts/Folder Action Scripts/

• Right click on the icon of folder to be protected and select "Attach a Folder Action..." from the contextual menu. Navigate to the script you just saved.

That should be about it I think.


property secretPassword : "Britannia Rules"

on removing folder items from this_folder after losing these_items
repeat
display dialog "Sorry old chap but taking items out of this folder is just not cricket!

Whatever you have removed will be going back quicksmart unless you give us a jolly good reason to let you continue." default answer "Rule Britannia" buttons {"OK"} default button 1 with icon 1
if text returned of result is secretPassword then
error number -128 -- exits the repeat loop and terminates execution
else
display dialog "Fraid not old chum. Care to have another crack at the password?" buttons {"Yes", "No"} default button 2 with icon 2
if button returned of result is "No" then exit repeat
end if

end repeat
tell application "Finder" to move these_items to this_folder
end removing folder items from


To try it out for yourself before you inflict it on the FIL, just save it to your own computer and attach it to a folder temporarily - you can remove folder actions the same way you attach them - so you can see how it works.

Good luck and let me know if you want the text changed to something a bit more serious.

mab
29th January 2008, 10:14 PM
For mdmcholet and anyone else with an interest, the script below will return any item(s) that is/are deleted from the folder to which it is attached, unless the correct password is given.


Very cool. But shows that after managing UNIX system's for over 15 years I still can't get my head around the extremely wordy apple script.

i.e.

"on removing folder items from this_folder after losing these_items"

How do you find/remember all these reserved words?

Powerful, I know, but give me shell/perl/python or even ruby any day.

Not that I wouldn't like a good resource for Apple Script so if you have any hints:)

AusMac
29th January 2008, 10:30 PM
whatever .. just take admin away from his grasp.

The internet capacity,



especially in Australia works far slower than the human brain .. even in our dotage we are still far faster than the computer/net connection/RAM issues\. even our arthritic fingers are far faster..
this leads to much bullshit and frustration. for senior users.

Something our current government needs to address.

and .. the kids could say to their parents "because you have Parkinsons.. don't put your hand near the mouse unless you are in control"

soulman
29th January 2008, 11:31 PM
...I still can't get my head around the extremely wordy apple script.

i.e. "on removing folder items from this_folder after losing these_items"

How do you find/remember all these reserved words?That line came from one of the boilerplate code snippets that come with Script Editor. All scriptable apps and other helpers, called Scripting Additions, or OSAX, have things called Dictionaries which contain a catalogue of commands and objects. I know some people find its verbosity strange &/or irritating but it was my first language, so I didn't have a reference.



Powerful, I know, but give me shell/perl/python or even ruby any day.It seems that people who have used other languages before AS are more prone to finding it frustrating to learn and use. It does have plenty of limitations but it has unique capacities too - complex inter-application communication and interaction. Many people suggest that AppleScript is one of the reasons Apple remains dominant in publishing because of its ability to automate complex workflows. In OS X it can also execute shell scripts, so it can easily be integrated with other languages now too.


Not that I wouldn't like a good resource for Apple Script so if you have any hints:)Macscripter.net (http://macscripter.net/) is always good. I've got a swag of code & other stuff here (http://www.foodoo.sunreal.com.au/). I haven't updated it for some time but most things still seem to work OK.

mab
29th January 2008, 11:43 PM
Macscripter.net (http://macscripter.net/) is always good. I've got a swag of code & other stuff here (http://www.foodoo.sunreal.com.au/). I haven't updated it for some time but most things still seem to work OK.

Thanks for that info. I will do a crash course on Apple Script this coming weekend.

jonargall
29th January 2008, 11:59 PM
#in the Terminal, type:

sudo chown -R root:admin /Applications
sudo chmod -R go-w /Applications

#If you're not used to the Terminal, please note that when sudo asks you for your password, it won't print **** as you type, in fact the cursor won't move at all.
#From then on, any changes to the /Applications folder (such as trashing an app) will prompt for an admin password, even if it's an admin user tries to trash it. This'll remind everyone to be careful in the /Applications folder!

mab
30th January 2008, 12:10 AM
#in the Terminal, type:

sudo chown -R root:admin /Applications
sudo chmod -R g-w /Applications


Not wanting to argue too much on this at the moment as I'm not at an OS X box, but the second command looks like it will stuff things for a lot of people. The first sets the group ownership to admin and the second removes the admin group's write permissions. The "admin" account (whether the first user created or hopefully a dedicated user) is a member of this group which allows them to administer the machine. This command leaves only root with write permissions on the Application directory which I must admit is a strange directory in UNIX land.

Might be wrong will check when I get home.

Edit: but anyone reading this should defiantly not run the second command until checked.
The first command is OK.

jonargall
30th January 2008, 01:06 AM
You've read correctly, mab.

After you run these 2 commands, if a user tries to write inside the /Applications folder (drag in a new app, delete an app etc.), Finder will ask for your password.
If you're an admin, Finder will give you root privileges for that operation. Users who aren't admins aren't able to change anything.
This setup poses no problem for me, I just have to type my password more often if I'm moving stuff around in the /Applications folder.
In fact, the only time I do any write operations in the /Applications folder is when I'm installing or removing applications, something which I'd prefer to have to type my password for.

PS: I just added 'o' to the 2nd command for extra security
PPS: If you don't like the level of security, type:

sudo chmod -R g+w /Applications

mab
30th January 2008, 01:44 AM
PPS: If you don't like the level of security, type:
sudo chmod -R g+w /Applications

I'm not saying i don't like the level of security, the more the better as far as I'm concerned.
I was mainly unsure of whether the finder after the user/password check was being elevated to root or admin (ie UID/GID) and the ownership of the resulting files.

But from what you have said it seems OK

I'll have a look when I get home. I'm working on a AIX box at the moment :(