Leopard Bonjour shares automatically reconnecting

Discussion in 'macOS' started by cottington, Sep 21, 2008.

  1. cottington macrumors member

    Joined:
    Feb 27, 2008
    #1
    Please forgive me if this has been asked elsewhere... I did look.

    I have two iMacs both running Leopard with all the latest updates as of this posting. I have an administrator account "admin" on Mac A. On Mac B, I connect to Mac A using the Bonjour share shortcut from the Finder sidebar. When I connect I do a "Connect As..." and supply the credentials for the "admin" account. This works fine. When I click "Disconnect" it seems to work and it says "Connected as: Guest." Great. That's what I want. But, if I select a different item from the Sidebar then click on Mac A again it says "Connected as: admin" and I have admin access to all files on Mac A.

    This doesn't seem right. If I log out and back in this behavior persists. Only after I restart the computer am I again asked for credentials. I do not have a Keychain entry for this connection. I have tried creating a fresh, standard user account and it has this problem as well.

    Is this a bug? Is OSX designed like this and I'm just failing to see the logic? Something else? Thanks in advance for any help.
     
  2. r0k macrumors 68040

    Joined:
    Mar 3, 2008
    Location:
    Detroit
    #2
    I'm not sure I understand the point. If you log in as admin, why would you want to log out and log back in as guest? Are you worried about somebody walking up and using your machine to make admin changes to the other machine? If this is a concern, lock your screen. I have a 1 minute timeout on my screensaver. I enter my password a lot, but I don't have to worry about the kids sitting down to my keyboard and changing their parental controls settings from my machine.

    As for sloppy networking, staying logged in as admin after you think you've logged out, this sounds like a bug. You should bring this to the attention of Apple. If all your system updates on your machine and the machine you are logging into are up to date, call AppleCare and let them know about this. But the immediate fix is to use a screensaver with a password on your end with a short leash to keep other users from using your machine to do things as admin to the other machines.

    Here is a reasonably secure topology...

    Kids' machines...
    Kid machine 1 - auto login as kid 1 - only 2 accounts exist: kid1 and admin
    Strict parental controls including hours of the day and applications, firewall settings medium
    Kid machine 2 - auto login as kid 2 - only 2 accounts exist: kid2 and admin
    Strict parental controls including hours of the day and applications

    Parents' machines...
    Mom machine - auto login as mom - non admin account - only 2 accounts exist: mom and admin - different admin password than kid machines
    Dad machine - auto login as dad - non admin account - only 2 accounts exist: dad and admin - different admin password than kid machines
    Dad machine another alternative:
    Dad machine - no auto login - only one admin account - 1 minute screenlock


    Office environment...
    In an office environment, no machines would have auto login. All would require login and have short-fuse screenlocking. Nobody would ever log in and use an admin account for routine work. "Power users" would get admin access with routine audits of their machines. New apps would be authorized by an admin over screensharing or ARD. Yes, it's strict but you gotta keep basic stuff working more than you gotta let users download and play games.
     
  3. cottington thread starter macrumors member

    Joined:
    Feb 27, 2008
    #3
    Hey, I'm from Detroit (area) too! Thanks for the reply. I'm not sure if I was clear enough about my situation. Mac A is my every-day machine. Mac B is a machine I have in my kitchen/dining room for guests. By default, guests on Mac B (or any other Mac on the network) only have drop box privileges to only the admin public folder on Mac A. If I'm on Mac B and I need a file on Mac A, I should be able to connect to Mac A supplying Mac A admin credentials, get what I need, then disconnect the network share without worrying that any guest will be able to sit down and reconnect to that share (as admin again, without being asked for credentials).

    I understand that there are probably several other ways I could secure my computer/files, but the problem I described yesterday really seems troubling. Has anyone else had this happen?
     
  4. r0k macrumors 68040

    Joined:
    Mar 3, 2008
    Location:
    Detroit
    #4
    Create an account for yourself on Mac B that has its own keychains, etc. Log out of the "untrusted guest" account (use fast user switching) and become "privileged guest" on Mac B for the duration of your activities that require access to admin stuff on Mac A. Log out or fast user switch back to "untrusted guest" when you are done. Never never look at admin stuff on Mac A while logged in as "untrusted guest" on Mac B. This should mean there is no risk that "untrusted guest" would ever see any admin stuff on Mac A. You should be able to test this. I know it works fine for me. You can even go through the entire scenario from Mac B using screen sharing. One thing I love about Mac is that I very rarely need to climb the stairs to edit settings on the kids' machines or the "shared machine" in the basement. Everything I need to do happens from one machine.

    In the following instructions, "lowlife" is the guest account and "admin" is you. Mac A is your protected machine and Mac B is your public/guest/unprotected machine...

    1 - From Mac A, use screen sharing to view the screen on Mac B. (by the way, this would be a good time to point out that the admin credentials should be different between Mac A and Mac B). The rest of this is done via screen sharing...

    2 - log out lowlife and log in as admin on Mac B

    3 - connect to Mac A (yes we are still sitting at Mac A but using screensharing to do all this on Mac B) and view some admin stuff

    4 - enable fast user switching on Mac B (if it wasn't already enabled)

    5 - enable auto login as lowlife on Mac B (if it wasn't already enabled)

    6 - fast user switch to lowlife

    7 - check to see what you can see on Mac A from Mac B as lowlife. You shouldn't even be connected to Mac A as lowlife on Mac B. You should be able to see drop box on Mac A and that's about it.

    8 - fast user switch back to admin and make sure you can still see the admin stuff on Mac A as admin on Mac B

    9 - assuming all of the above went as expected, log out as admin on Mac B and leave lowlife logged in. Go ahead and close screen sharing; your data on Mac A is safe from the default/guest/lowlife user on Mac B.
     
  5. cottington thread starter macrumors member

    Joined:
    Feb 27, 2008
    #5
    I do appreciate your suggestions, and I will probably have to use these methods for now, but I did open this thread hoping to find some answers (not workarounds) to the issue I described. I hope you understand.
     
