Xcode 3.2: Using GDB as a Non-Admin User

New in Xcode 3.2 is an authorization setting that looks like this:

<dict>
	<key>allow-root</key>
	<false/>
	<key>class</key>
	<string>rule</string>
	<key>comment</key>
	<string>For use by Apple.  WARNING: administrators are advised not to
	        modify this right.</string>
	<key>k-of-n</key>
	<integer>1</integer>
	<key>rule</key>
	<array>
		<string>is-admin</string>
		<string>is-developer</string>
		<string>authenticate-developer</string>
	</array>
	<key>shared</key>
	<true/>
</dict>

The upshot of this is that if you aren’t in the _developer group in the local directory, you’ll have to authenticate as an administrator to use gdb or some of the performance tools. For the vast majority of developers on Mac OS X, who run as an administrator, this is fine, but if you’re running as a regular user, either for security reasons or because you’re in something like a lab setting, this can be a problem. To add a user to the _developer group, use the dscl command:

dscl . -append /Groups/_developer GroupMembership UserName

Replace UserName with the short name of your user account (or $(whoami)) and you should be all set.

If you’re administering Mac OS X in a lab setting, you can either create a LaunchAgent that handles this or a login hook. See the Apple tech note “Running At Login” for more information on login hooks. As an added touch, my login and logout scripts to handle this also remove all users from the group, like so:

dscl . -delete /Groups/_developer GroupMembership

If the GroupMembership key doesn’t exist, dscl will create it—and it doesn’t exist by default—so deleting it outright shouldn’t cause any problems.

Published by

Jeff Kelley

I make iOS apps for Detroit Labs.

7 thoughts on “Xcode 3.2: Using GDB as a Non-Admin User”

  1. Could I just hack that authorization in Xcode? I run hundreds of lab machines with arbitrary users loggin in, who are not admins, and who I want to be able to use Xcode. Instead of making some horrible loginhook shell script that adds users to _developer (which I’m failing at anyway so far) I’d like to just make Xcode not require admin auth.

    1. Ben,

      There’s nothing stopping you from modifying the right in /etc/authorization—other than the warning from Apple—just keep in mind that you’ll need to re-do that when Xcode is updated.

      1. Thanks! So this is in /etc/authorization? I don’t find “developer” in my copy, which I admit I have hacked to allow kerberos login…

        c012h036:etc cus$ grep -i developer authorization
        c012h036:etc cus$

        Can’t find it! Do I have to run Xcode as an admin once to make it appear there?

        1. Found it in a clean copy. I will try hacking there to allow all users to do what they need. Any pointers welcome!
          is-everyone ?
          Thanks,
          -Ben

          1. I would modify the is-developer rule. By default, it looks at the _developer group. Assuming your users’ default group is staff, I’d change it to that.

  2. You’re a genius! I changed the group to “netaccounts” since everyone who logs in is in that group and it worked!
    Thanks!

Comments are closed.