New in Xcode 3.2 is an authorization setting that looks like this:
<dict> <key>allow-root</key> <false/> <key>class</key> <string>rule</string> <key>comment</key> <string>For use by Apple. WARNING: administrators are advised not to modify this right.</string> <key>k-of-n</key> <integer>1</integer> <key>rule</key> <array> <string>is-admin</string> <string>is-developer</string> <string>authenticate-developer</string> </array> <key>shared</key> <true/> </dict>
The upshot of this is that if you aren’t in the
_developer group in the local directory, you’ll have to authenticate as an administrator to use
gdb or some of the performance tools. For the vast majority of developers on Mac OS X, who run as an administrator, this is fine, but if you’re running as a regular user, either for security reasons or because you’re in something like a lab setting, this can be a problem. To add a user to the
_developer group, use the
dscl . -append /Groups/_developer GroupMembership UserName
UserName with the short name of your user account (or
$(whoami)) and you should be all set.
If you’re administering Mac OS X in a lab setting, you can either create a LaunchAgent that handles this or a login hook. See the Apple tech note “Running At Login” for more information on login hooks. As an added touch, my login and logout scripts to handle this also remove all users from the group, like so:
dscl . -delete /Groups/_developer GroupMembership
GroupMembership key doesn’t exist,
dscl will create it—and it doesn’t exist by default—so deleting it outright shouldn’t cause any problems.
7 thoughts on “Xcode 3.2: Using GDB as a Non-Admin User”
Could I just hack that authorization in Xcode? I run hundreds of lab machines with arbitrary users loggin in, who are not admins, and who I want to be able to use Xcode. Instead of making some horrible loginhook shell script that adds users to _developer (which I’m failing at anyway so far) I’d like to just make Xcode not require admin auth.
There’s nothing stopping you from modifying the right in
/etc/authorization—other than the warning from Apple—just keep in mind that you’ll need to re-do that when Xcode is updated.
Thanks! So this is in /etc/authorization? I don’t find “developer” in my copy, which I admit I have hacked to allow kerberos login…
c012h036:etc cus$ grep -i developer authorization
Can’t find it! Do I have to run Xcode as an admin once to make it appear there?
Found it in a clean copy. I will try hacking there to allow all users to do what they need. Any pointers welcome!
I would modify the
is-developerrule. By default, it looks at the
_developergroup. Assuming your users’ default group is
staff, I’d change it to that.
You’re a genius! I changed the group to “netaccounts” since everyone who logs in is in that group and it worked!
No problem, I’m glad to help.
Comments are closed.