authorization.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
<!-- NOTICE: this file will be replaced by a system facility in
forthcoming releases. It is provided purely for your
convenience using this release.

The name of the requested right is matched against the keys.
An exact match has priority; otherwise the longest match from
the start is used. Note that the right will only match wildcard
rules (ending in a ".") during this reduction.

Rules are specified as a string or a dict, the latter being a
user-in-group rule.

allow rule: this is always allowed
<key>com.apple.TestApp.benign</key>
<string>allow</string>

deny rule: this is always denied
<key>com.apple.TestApp.dangerous</key>
<string>deny</string>

user-in-group rule: successful authentication as a user in the
specified group(5) allows the associated right.

The shared property specifies whether a credential generated on
success is shared with other apps (same "session"). This property
defaults to false if not specified.

The timeout property specifies the maximum age of a (cached/shared)
credential accepted for this rule.

The allow-root property specifies whether a right should be allowed
automatically if the requesting process is running with uid == 0.
This defaults to false if not specified.

See remaining rules for examples.

Successful login produces a credential.
-->
<!-- Used by AuthorizationExecuteWithPrivileges(...)
AuthorizationExecuteWithPrivileges is used by programs requesting
to run a tool as root (i.e. some installers).
Credentials remain valid 5 minutes after they've been obtained.
An acquired credential isn't shared with other clients.
Clients running as root will be granted this right automatically.
-->
<key>system.privilege.admin</key>
<dict>
<key>group</key>
<string>admin</string>
<key>shared</key>
<false/>
<key>allow-root</key>
<true/>
<key>timeout</key>
<integer>300</integer>
</dict>
<!-- Used by the DVD player to set the region code the first time.
Note that changing the region code after it has been set requires a
different right (system.device.dvd.setregion.change).
Credentials remain valid indefinitely after they've been obtained.
An acquired credential is shared amongst all clients.
-->
<key>system.device.dvd.setregion.initial</key>
<dict>
<key>group</key>
<string>admin</string>
<key>shared</key>
<true/>
</dict>
<!-- All other rights will be matched by this rule.
Credentials remain valid 5 minutes after they've been obtained.
An acquired credential is shared amongst all clients.
-->
<key/>
<dict>
<key>group</key>
<string>admin</string>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>300</integer>
</dict>
</dict>
</plist>
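The matching and rule properties described in the comments above, as an added Python example that is not part of the original file or of Apple's implementation. The `com.example` keys, the `match_key` and `decide` names, the prefix reading of "longest match from the start", and the deny result when no key matches are assumptions made for illustration.

```python
import plistlib

# Constructed sample: the three rules from the file above plus two
# hypothetical com.example entries to exercise exact and wildcard matching.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="0.9"><dict>
<key>system.privilege.admin</key>
<dict><key>group</key><string>admin</string><key>shared</key><false/>
<key>allow-root</key><true/><key>timeout</key><integer>300</integer></dict>
<key>system.device.dvd.setregion.initial</key>
<dict><key>group</key><string>admin</string><key>shared</key><true/></dict>
<key>com.example.</key><string>deny</string>
<key>com.example.tool.read</key><string>allow</string>
<key/>
<dict><key>group</key><string>admin</string><key>shared</key><true/>
<key>timeout</key><integer>300</integer></dict>
</dict></plist>"""

RULES = plistlib.loads(SAMPLE, fmt=plistlib.FMT_XML)


def match_key(rules, right):
    """Return the key whose rule governs `right`, or None."""
    if right in rules:                       # exact match has priority
        return right
    # Otherwise only wildcard keys (ending in ".") can match, longest first.
    prefixes = [k for k in rules if k.endswith(".") and right.startswith(k)]
    if prefixes:
        return max(prefixes, key=len)
    return "" if "" in rules else None       # empty key: all other rights


def decide(rules, right, uid, cred_age=None):
    """'allow', 'deny' or 'authenticate' (as a member of the rule's group).

    cred_age: age in seconds of a credential already usable for this rule
    (None if there is none); whether one is usable is left to the caller.
    """
    key = match_key(rules, right)
    rule = rules[key] if key is not None else "deny"   # assumption: no rule, no right
    if isinstance(rule, str):
        return rule                                     # "allow" or "deny"
    if rule.get("allow-root", False) and uid == 0:
        return "allow"
    timeout = rule.get("timeout")                       # absent: no age limit
    if cred_age is not None and (timeout is None or cred_age <= timeout):
        return "allow"
    return "authenticate"
```

Running `match_key` over the rights an application requests shows which of them fall through to the empty-key rule, where a shared credential up to 300 seconds old is accepted.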