get OSXvnc to run without user login or root permissions?

Hello all,

I’m trying to find out if there is a solution, or some workaround, to this problem. We have 12 users on a machine running Mac OS X Server 10.4.6 and OSXvnc 1.71. We want to have all users be able to access their GUI remotely at their discretion. Only one of the users has admin/root privileges. So far, everything works pretty well.

Recently, we had to restart to fix some error that was not allowing new shell processes to be created. After restart, of course, none of our users was logged into the GUI. Since we had forced the users to enter new passwords at their first login, we didn’t know any of their passwords after the restart. Thus, we were unable to log them into the GUI at the local terminal in order to start the OSXvnc server process in their account.

Consequently, none of our users (with the exception of the user with root privileges) will be able to access their GUI unless they first sit down at the local terminal to log in. We don’t want to give out admin privileges to all of our users, but we do not want to force them to come in to the machine to log in if there is ever a situation where they are logged out.

Has anyone figured out a way to start an OSXvnc-server instance for a user who is not logged into their GUI without root permissions? Obviously that could be a security risk, so I’d welcome other suggestions. Is there a way to automatically log all users into their GUI at start up, or for the root user to fast user switch into other accounts without the user password?

Any suggestions will be appreciated!

We haven’t found a good way to start user sessions without logging them in.

The best I’ve found is to log them in with this little command:

/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -switchToUserID UID

What I’ve done is make a linked-list of users. When the first user logs in it launches a script that uses this command to log in the next person and so on until it gets back to the original user (who is already logged in and so won’t call any more login scripts).

It’s a bit of a hack and makes the login after reboot process pretty slow, but it works for making sure all the users that you want are logged in from the beginning.

Problem is that it still appears to require the user password, which I don’t know. I can’t sudo the command to get around this. I know that it is probably impossible, given the security risks associated… but is there any way to get around the need to know the user passwords?

What I have done is to set all the user level passwords blank which causes Fast User Switching to occur immediately. (I do have a separate keychain password and then you can use FileVault to secure files if you need).

I recognize that probably is not workable in many scenarios - but as you mention any other way to work around it would be, by its very nature, a security vulnerability.