authorization.plist   [plain text]


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>comment</key>
	<string>The name of the requested right is matched against the keys.  An exact match has priority, otherwise the longest match from the start is used.	Note that the right will only match wildcard rules (ending in a ".") during this reduction.

allow rule: this is always allowed
&lt;key&gt;com.apple.TestApp.benign&lt;/key&gt;
&lt;string&gt;allow&lt;/string&gt;

deny rule: this is always denied
&lt;key&gt;com.apple.TestApp.dangerous&lt;/key&gt;
&lt;string&gt;deny&lt;/string&gt;

user rule: successful authentication as a user in the specified group(5) allows the associated right.

The shared property specifies whether a credential generated on success is shared with other apps (same "session"). This property defaults to false if not specified.

The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule.

The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0.  This defaults to false if not specified.

See remaining rules for examples.
</string>
	<key>rights</key>
	<dict>
		<key></key>
		<dict>
			<key>class</key>
			<string>rule</string>
			<key>comment</key>
			<string>All other rights will be matched by this rule.</string>
			<key>rule</key>
			<string>default</string>
		</dict>
		<key>config.add.</key>
		<dict>
			<key>class</key>
			<string>allow</string>
			<key>comment</key>
			<string>wildcard right for adding rights.  Anyone is allowed to add any (non-wildcard) rights</string>
		</dict>
		<key>config.config.</key>
		<dict>
			<key>class</key>
			<string>deny</string>
			<key>comment</key>
			<string>wildcard right for any change to meta-rights for db modification.  Not allowed programmatically (just edit this file)</string>
		</dict>
		<key>config.modify.</key>
		<dict>
			<key>class</key>
			<string>rule</string>
			<key>comment</key>
			<string>wildcard right for modifying rights.  Admins are allowed to modify any (non-wildcard) rights.  Root does not require authentication.</string>
			<key>k-of-n</key>
			<integer>1</integer>
			<key>rule</key>
			<array>
				<string>is-root</string>
				<string>authenticate-admin</string>
			</array>
		</dict>
		<key>config.remove.</key>
		<dict>
			<key>class</key>
			<string>rule</string>
			<key>comment</key>
			<string>wildcard right for deleting rights.  Admins are allowed to delete any (non-wildcard) rights.  Root does not require authentication.</string>
			<key>k-of-n</key>
			<integer>1</integer>
			<key>rule</key>
			<array>
				<string>is-root</string>
				<string>authenticate-admin</string>
			</array>
		</dict>
		<key>config.remove.system.</key>
		<dict>
			<key>class</key>
			<string>deny</string>
			<key>comment</key>
			<string>wildcard right for deleting system rights.</string>
		</dict>
		<key>com.apple.</key>
		<dict>
			<key>rule</key>
			<string>default</string>
		</dict>
		<key>system.</key>
		<dict>
			<key>rule</key>
			<string>default</string>
		</dict>
		<key>sys.openfile.</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>See authopen(1) for information on the use of this right.</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>300</integer>
		</dict>
		<key>system.device.dvd.setregion.initial</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>Used by the dvd player to set the regioncode the first time.  Note that changed the region code after it has been set requires a different right (system.device.dvd.setregion.change)
Credentials remain valid indefinitely after they've been obtained.
An acquired credential is shared amongst all clients.</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<true/>
		</dict>
		<key>system.login.console</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>comment</key>
			<string>Login mechanism based rule.  Not for general use, yet.
builtin:krb5authenticate can be used to hinge local authentication on a successful kerberos authentication and kdc verification.
builtin:krb5authnoverify skips the kdc verification.  Both fall back on local authentication.</string>
			<key>mechanisms</key>
			<array>
				<string>builtin:auto-login,privileged</string>
				<string>loginwindow_builtin:login</string>
				<string>builtin:reset-password,privileged</string>
				<string>authinternal</string>
				<string>builtin:getuserinfo,privileged</string>
				<string>builtin:sso,privileged</string>
				<string>HomeDirMechanism:login,privileged</string>
				<string>HomeDirMechanism:status</string>
				<string>MCXMechanism:login</string>
				<string>loginwindow_builtin:success</string>
				<string>loginwindow_builtin:done</string>
			</array>
		</dict>
		<key>system.login.done</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>comment</key>
			<string>builtin:krb5login can be used to do kerberos authentication as a side-effect of logging in.  Local username/password will be used.</string>
			<key>mechanisms</key>
			<array>
			</array>
		</dict>
		<key>system.login.pam</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>tries</key>
			<integer>1</integer>
			<key>mechanisms</key>
			<array>
				<string>push_hints_to_context</string>
				<string>authinternal</string>
			</array>
		</dict>
		<key>system.login.screensaver</key>
		<dict>
			<key>class</key>
			<string>rule</string>
			<key>comment</key>
			<string>the owner as well as any admin can unlock the screensaver;modify the group key to change this.</string>
			<key>rule</key>
			<string>authenticate-session-owner-or-admin</string>
		</dict>
		<key>system.login.tty</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>tries</key>
			<integer>1</integer>
			<key>mechanisms</key>
			<array>
				<string>push_hints_to_context</string>
				<string>authinternal</string>
			</array>
		</dict>
		<key>system.keychain.create.loginkc</key>
		<dict>
			<key>allow-root</key>
			<false/>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>comment</key>
			<string>Used by Security framework when you add an item to a unconfigured default keychain</string>
			<key>mechanisms</key>
			<array>
				<string>loginKC:queryCreate</string>
				<string>loginKC:showPasswordUI</string>
				<string>authinternal</string>
			</array>
			<key>session-owner</key>
			<true/>
			<key>shared</key>
			<false/>
		</dict>
		<key>system.keychain.modify</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>Used by Keychain Access when editing a system keychain.</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>300</integer>
		</dict>
		<key>system.preferences</key>
		<dict>
			<key>allow-root</key>
			<true/>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>This right is checked by the Admin framework when making changes to the system preferences.</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<true/>
		</dict>
		<key>system.preferences.accounts</key>
		<dict>
			<key>allow-root</key>
			<true/>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>This right is checked by the Admin framework when making changes to the accounts preference pane</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
		</dict>
		<key>system.printingmanager</key>
		<dict>
			<key>class</key>
			<string>rule</string>
			<key>comment</key>
			<string>The following right is checked for printing to locked printers.</string>
			<key>rule</key>
			<string>authenticate-admin</string>
		</dict>
		<key>system.preferences.accessibility</key>
		<dict>
			<key>allow-root</key>
			<true/>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>This right is checked by the Admin framework when enabling or disabling the Accessibility APIs</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>0</integer>
		</dict>
		<key>com.apple.activitymonitor.kill</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>Used by Activity Monitor to authorize killing processes not owned by the user</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>0</integer>
		</dict>
		<key>com.apple.Safari.parental-controls</key>
		<dict>
			<key>allow-root</key>
			<true/>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>This right is checked when changing parental controls for Safari</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>0</integer>
		</dict>
		<key>system.privilege.admin</key>
		<dict>
			<key>allow-root</key>
			<true/>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>Used by AuthorizationExecuteWithPrivileges(...)
		AuthorizationExecuteWithPrivileges is used by programs requesting
		to run a tool as root (ie. some installers).
		Credentials remain valid 5 minutes after they've been obtained.
		An acquired credential isn't shared with other clients.
		Clients running as root will be granted this right automatically.
			</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>300</integer>
		</dict>
		<key>system.restart</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>comment</key>
			<string>Multisession restart mechanisms</string>
			<key>mechanisms</key>
			<array>
				<string>RestartAuthorization:restart</string>
				<string>RestartAuthorization:authenticate</string>
				<string>RestartAuthorization:success</string>
			</array>
		</dict>
		<key>system.shutdown</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>comment</key>
			<string>Multisession shutdown mechanisms</string>
			<key>mechanisms</key>
			<array>
					<string>RestartAuthorization:shutdown</string>
					<string>RestartAuthorization:authenticate</string>
					<string>RestartAuthorization:success</string>
			</array>
		</dict>
		<key>system.burn</key>
		<dict>
			<key>class</key>
			<string>allow</string>
			<key>comment</key>
			<string>authorization to burn media</string>
		</dict>
		<key>system.services.directory.configure</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>group</key>
			<string>admin</string>
			<key>allow-root</key>
			<true/>
			<key>shared</key>
			<true/>
			<key>timeout</key>
			<integer>300</integer>
			<key>comment</key>
			<string>authorization to make directory service changes</string>
		</dict>
		<key>com.apple.server.admin.streaming</key>
		<dict>
			<key>class</key>
			<string>user</string>	
			<key>comment</key>
			<string>Used for admin requests with the QuickTime Streaming Server.</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>allow-root</key>
			<true/>
			<key>timeout</key>
			<integer>0</integer>
		</dict>
		<key>system.install.admin.user</key>
		<dict>
			<key>class</key>
			<string>user</string>	
			<key>comment</key>
			<string>Used by installer tool: user installling in admin domain (/Applications)</string>	
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>300</integer>
		</dict>
		<key>system.install.root.user</key>
		<dict>
			<key>class</key>
			<string>user</string>	
			<key>comment</key>
			<string>Used by installer tool: user installling in root domain (/System)</string>	
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>300</integer>
		</dict>
		<key>system.install.root.admin</key>
		<dict>
			<key>class</key>
			<string>user</string>	
			<key>comment</key>
			<string>Used by installer tool: admin installling in root domain (/System)</string>	
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>300</integer>
		</dict>
		<key>com.apple.appserver.privilege.admin</key>
		<dict>
			<key>class</key>
			<string>rule</string>
			<key>comment</key>
			<string>Used to determine administrative access to the Application Server management tool.</string>
			<key>rule</key>
			<string>appserver-admin</string>
		</dict>
		<key>com.apple.appserver.privilege.user</key>
		<dict>
			<key>class</key>
			<string>rule</string>
			<key>comment</key>
			<string>Used to determine user access to the Application Server management tool.</string>
			<key>k-of-n</key>
			<integer>1</integer>
			<key>rule</key>
			<array>
				<string>appserver-admin</string>
				<string>appserver-user</string>
			</array>
		</dict>
		<key>com.apple.desktopservices</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>authorize privileged file operations from the finder</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<false/>
			<key>timeout</key>
			<integer>0</integer>
		</dict>
		<key>com.apple.builtin.generic-new-passphrase</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>mechanisms</key>
			<array>
				<string>builtin:generic-new-passphrase</string>
			</array>
		</dict>
		<key>com.apple.builtin.generic-unlock</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>mechanisms</key>
			<array>
				<string>builtin:generic-unlock</string>
			</array>
		</dict>
		<key>com.apple.builtin.confirm-access</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>mechanisms</key>
			<array>
				<string>builtin:confirm-access</string>
			</array>
		</dict>
		<key>com.apple.builtin.confirm-access-password</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>mechanisms</key>
			<array>
				<string>builtin:confirm-access-password</string>
			</array>
		</dict>
	</dict>
	<key>rules</key>
	<dict>
		<key>allow</key>
		<dict>
			<key>class</key>
			<string>allow</string>
			<key>comment</key>
			<string>allow anyone</string>
		</dict>
		<key>authenticate-admin</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>require the user asking for authorization to authenticate as an admin</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<true/>
			<key>timeout</key>
			<integer>0</integer>
		</dict>
		<key>authenticate-session-user</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>authenticate session owner</string>
			<key>session-owner</key>
			<true/>
		</dict>
		<key>authenticate-session-owner</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>authenticate session owner</string>
			<key>session-owner</key>
			<true/>
		</dict>
		<key>authenticate-session-owner-or-admin</key>
		<dict>
			<key>allow-root</key>
			<false/>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>the owner as well as any admin can authorize</string>
			<key>group</key>
			<string>admin</string>
			<key>session-owner</key>
			<true/>
			<key>shared</key>
			<false/>
		</dict>
		<key>is-admin</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>verify the user asking for authorization is an admin</string>
			<key>group</key>
			<string>admin</string>
			<key>authenticate-user</key>
			<false/>
			<key>shared</key>
			<string>true</string>
		</dict>
		<key>is-root</key>
		<dict>
			<key>allow-root</key>
			<true/>
			<key>class</key>
			<string>user</string>
			<key>authenticate-user</key>
			<false/>
			<key>comment</key>
			<string>verify the process that created this authref is root</string>
		</dict>
		<key>appserver-user</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>group</key>
			<string>appserverusr</string>
		</dict>
		<key>appserver-admin</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>group</key>
			<string>appserveradm</string>
		</dict>
		<key>default</key>
		<dict>
			<key>class</key>
			<string>user</string>
			<key>comment</key>
			<string>All other rights will be matched by this rule.	Credentials remain valid 5 minutes after they've been obtained.
An acquired credential is shared amongst all clients.
			</string>
			<key>group</key>
			<string>admin</string>
			<key>shared</key>
			<true/>
			<key>timeout</key>
			<integer>300</integer>
		</dict>
		<key>authenticate</key>
		<dict>
			<key>class</key>
			<string>evaluate-mechanisms</string>
			<key>mechanisms</key>
			<array>
				<string>builtin:authenticate</string>
				<string>authinternal</string>
			</array>
		</dict>
	</dict>
</dict>
</plist>