Limiting different users on a single machine to different connectivity

Tags: networks, snow leopard, wifi

I have an iMac running 10.6 where I have been tasked with creating two different users who can use different network profiles (locations).

User 1 will be connecting via Ethernet through a filtered network, all other connections are disabled, which works fine.

User 2 needs to connect to the unfiltered Wi-Fi but no access to any other connections.

I have most of this implemented in Network Locations; the problem is that both of these locations are available to both users.

What I'd like to be able to do is assign the customized Location as a Default for each user.

From a security standpoint it isn't perfect, but if I can get this sort of thing working, I'd like to assign the Wi-Fi connection to the guest user, so they can navigate without the filters. Then the Regular user will have Ethernet, and will not be able to switch Locations, or enable Wi-Fi.

The trick with this is that the User will be a single user. They will know both user passwords, they will just need to switch users to perform different tasks.

Is it possible with plain OSX, or will I need external software/scripts?

Best Answer

Well, I cracked it; it wasn't loginHooks I needed, but launchctl.

Basically, create two scripts (executable of course, you can make em root only too):

User1.sh

#!/bin/bash
# Ethernet only: bring en0 up and take en1 (Wi-Fi) down
ifconfig en0 up
ifconfig en1 down

User2.sh

#!/bin/bash
# Wi-Fi only: bring en1 up and take en0 (Ethernet) down
ifconfig en1 up
ifconfig en0 down

These of course make the assumption you're using an iMac: en0 is the Ethernet, en1 is the WiFi.

Then create a plist file (with root ownership, 644), mine was this:

User1's went in /Users/user1/Library/LaunchAgents/org.user1.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.user1.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/user1/bin/User1.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

User2's in /Users/user2/Library/LaunchAgents/org.user2.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.user2.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/user2/bin/User2.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

After that run

sudo launchctl load -w /Users/user1/Library/LaunchAgents/org.user1.plist

and

sudo launchctl load -w /Users/user2/Library/LaunchAgents/org.user2.plist

as each user.

That's it, it's quick, simple, and if you set the owner of the scripts as someone else (and on another path), it's fairly secure (not bulletproof, but that's not in my scope at the moment).
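Since the answer admits the setup is not bulletproof, a natural follow-up is to audit that the intended interface state actually holds for the logged-in user. The script below is an added example, not code from the answer above: it parses `ifconfig` output and reports a violation when the "other" interface is up. It assumes the same iMac layout (en0 = Ethernet, en1 = Wi-Fi) and the user names user1/user2; the two ifconfig samples are constructed for illustration.

```bash
#!/bin/bash
# Added example, not code from the original answer: audit that the per-user
# interface policy above actually holds, by parsing `ifconfig` output.
# Assumes an iMac (en0 = Ethernet, en1 = Wi-Fi) and users user1/user2 as above.

# policy_for USER -> "<iface that must be UP> <iface that must be DOWN>"
policy_for() {
  case "$1" in
    user1) echo "en0 en1" ;;   # Ethernet only
    user2) echo "en1 en0" ;;   # Wi-Fi only
    *)     return 1 ;;         # no policy for anyone else
  esac
}

# iface_up IFACE IFCONFIG_OUTPUT -> exit 0 if IFACE's flags line contains UP
iface_up() {
  printf '%s\n' "$2" | awk -v i="$1:" '
    $1 == i { found = 1; if ($2 ~ /[<,]UP[,>]/) up = 1 }
    END { if (found && up) exit 0; exit 1 }'
}

# check_user USER IFCONFIG_OUTPUT -> 0 if the policy holds, 1 on a violation,
# 2 when the user has no policy (also a finding: the answer covers only two users)
check_user() {
  pol=$(policy_for "$1") || { echo "NO POLICY: $1"; return 2; }
  up_if=${pol% *}; down_if=${pol#* }; rc=0
  if ! iface_up "$up_if" "$2"; then echo "VIOLATION: $up_if down for $1"; rc=1; fi
  if iface_up "$down_if" "$2"; then echo "VIOLATION: $down_if up for $1"; rc=1; fi
  [ "$rc" -eq 0 ] && echo "OK: $1 has only $up_if"
  return "$rc"
}

# Constructed sample of macOS ifconfig output: en0 up, en1 down (user1's state).
SAMPLE_USER1='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:11:22:33:44:55
    status: active
en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    status: inactive'

# Constructed sample where both interfaces are up (someone re-enabled Wi-Fi).
SAMPLE_DRIFT='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    status: active
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    status: active'

# Live check for the current login session: ./audit.sh --check
if [ "${1:-}" = "--check" ]; then
  check_user "$(id -un)" "$(ifconfig)"; exit $?
fi
```

Running it with `--check` from a LaunchAgent that also sets a StartInterval would re-run the audit periodically rather than only at login.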