hide bootcamp partition from guest user?



snark
8th April 2008, 05:56 PM
Is there any way to prevent the Guest account from having access to the Bootcamp disk partition? I've formatted mine as FAT32, and when I logged into OS X as Guest, I was able to do pretty much anything I wanted on the Windows partition - e.g. edit boot.ini, save files to the root directory.

In the meantime, I'll disable this account, as it looks like a pretty big security hole to me. Maybe I'll go back to setting a specific account for visitors.

vecsty
8th April 2008, 06:10 PM
Use NTFS.

You will be able to read but not write by default.

purana
8th April 2008, 06:24 PM
Not at all sure if it will work, but you could try using the following tool from CLI like so;

SetFile -a V "/Volumes/Windows_Volume_Name"

If you need a copy of SetFile, you can download a copy here (http://static.heimic.net/2008/04/SetFile.zip).

And then to undo it you use;

SetFile -a v "/Volumes/Windows_Volume_Name"

snark
8th April 2008, 06:35 PM
> Use NTFS.
>
> You will be able to read but not write by default.

I deliberately chose FAT32 so that I could easily read and write to the Windows file system while using OS X.
I just didn't realise that the Guest account would get the same access.

scritch
8th April 2008, 07:12 PM
This isn't easy - but you can try the following (at your own risk). My drive is NTFS but it should work the same for FAT32:

1. Open Terminal and type "diskutil list". Mine came up like this:


/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *298.1 Gi   disk0
   1:                        EFI                         200.0 Mi   disk0s1
   2:                  Apple_HFS Shane's Mac             254.9 Gi   disk0s2
   3:       Microsoft Basic Data Bootcamp                42.9 Gi    disk0s3

2. You want to look for your "Microsoft Basic Data" drive - in my case it is disk0s3.
3. Type "diskutil info disk0s3" (replacing disk0s3 with your drive name). Mine comes back with:


Device Identifier: disk0s3
Device Node: /dev/disk0s3
Part Of Whole: disk0
Device / Media Name: Untitled

Volume Name: Bootcamp
Mount Point:
File System: NTFS

Partition Type: Microsoft Basic Data
Bootable: Is bootable
Media Type: Generic
Protocol: SATA
SMART Status: Verified
Volume UUID: 4452F064-768C-4185-B84C-2E982D1AE8DA

Total Size: 42.9 Gi (46059012096 B) (89959008 512-byte blocks)
Free Space: 0.0 B (0 B) (0 512-byte blocks)

Read Only: No
Ejectable: No
Whole: No
Internal: Yes

4. You want the "UUID" string - mine above is "4452F064-768C-4185-B84C-2E982D1AE8DA"
5. Still in Terminal, type "sudo pico /etc/fstab"
6. Copy the following into the terminal window:
UUID=4452F064-768C-4185-B84C-2E982D1AE8DA none ntfs ro,noauto 0 0

* Replacing the info after "UUID=" and before " none" with your drive's UUID.

7. Save the file by hitting CTRL-X, then hit the keys to save and exit (it may ask you to name the file, keep this as "/etc/fstab").

8. Reboot, and it should no longer be mounted.

You may then need to adjust the parent settings for the Guest Account to not allow access to Disk Utility, and possibly enable Simple Finder only.

Regards,
Shane.
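
Steps 3 to 6 above as a script, added here as an example and not part of the original post: it reads `diskutil info` output in the format shown in the post and prints the matching /etc/fstab line without writing anything. The function names, the `msdos` type for FAT volumes and the `LABEL=` fallback when no UUID is reported go beyond the post and are assumptions of this example.

```shell
#!/bin/sh
# Build a read-only, no-automount /etc/fstab entry from `diskutil info` text.
# Assumed usage on a Mac: diskutil info disk0s3 | fstab_line

# Print the trimmed value of one "Key: value" field (empty if absent/blank).
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" | head -n 1
}

fstab_line() {
    info=$(cat)
    uuid=$(printf '%s\n' "$info" | field 'Volume UUID')
    name=$(printf '%s\n' "$info" | field 'Volume Name')
    fs=$(printf '%s\n' "$info" | field 'File System')

    # Map the reported file system to a mount type (msdos for FAT is assumed).
    case "$fs" in
        *NTFS*) vfs=ntfs ;;
        *FAT*)  vfs=msdos ;;
        *) echo "unsupported file system: '$fs'" >&2; return 1 ;;
    esac

    # Prefer the UUID; accept it only if it is well formed.
    if printf '%s' "$uuid" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'; then
        spec="UUID=$uuid"
    # Fallback (assumption): identify by label, refusing names with spaces
    # because an fstab field cannot contain unescaped whitespace.
    elif [ -n "$name" ] && ! printf '%s' "$name" | grep -q '[[:space:]]'; then
        spec="LABEL=$name"
    else
        echo "no usable UUID or volume name" >&2; return 1
    fi
    printf '%s none %s ro,noauto 0 0\n' "$spec" "$vfs"
}

# Sample input: the relevant lines of the diskutil output quoted in the post.
sample_info() {
    cat <<'EOF'
   Device Identifier:        disk0s3
   Volume Name:              Bootcamp
   Mount Point:
   File System:              NTFS
   Volume UUID:              4452F064-768C-4185-B84C-2E982D1AE8DA
EOF
}

sample_info | fstab_line
```

Compare the printed line with what is already in /etc/fstab before adding it, so the same volume is not listed twice.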

snark
8th April 2008, 07:35 PM
> ...You may then need to adjust the parent settings for the Guest Account to not allow access to Disk Utility, and possibly enable Simple Finder only.


Thanks for the detailed post Shane. I'm not sure if I want to go to those lengths, but how do I adjust the parent settings for the Guest account? That way, I could just change the Finder preferences to not show the disks.

scritch
8th April 2008, 08:19 PM
> Thanks for the detailed post Shane. I'm not sure if I want to go to those lengths, but how do I adjust the parent settings for the Guest account? That way, I could just change the Finder preferences to not show the disks.

Whilst the above steps look long, they aren't that hard - someone should make an App to do it.

As for Parental Controls, if you are under Leopard:

1. Go into System Preferences, then Accounts.
2. Click on the padlock (bottom left of window) to authenticate.
3. Click on "Guest Account" and choose "Allow Guests to login to this computer" and "Enable Parental Controls".
4. Click on "Open Parental Controls"
5. Click on "Guest Account"
6. Choose all of the settings you want to restrict - down to the specific apps they can run.

Regards,
Shane.

snark
8th April 2008, 08:26 PM
D'oh - completely misunderstood your post. I was thinking "parent" as in some sort of template account that the Guest account uses to inherit all its settings.

I've been working in IT too long, and I was thinking parent = inheritability

snark
11th April 2008, 01:22 PM
Thanks for your suggestions. I don't want to prevent the Bootcamp partition from mounting at all, because I still need it when I'm logged in.

I tried and rejected Parental Controls (it can only prevent certain apps from being launched).
Simple Finder was better - it removed the volume icons from the desktop, but it also hid the Dock, actually making it harder to launch applications.

What I'd really like to do is to edit the Guest account settings, and then "freeze" them, so that the next time the account was used, it would remember my customisations. Is this possible? Or should I just stick with a normal account for my guests?