Things you can authorize in Leopard

A look in /etc/authorization reveals some interesting things that can be authorized:

  • Used by CoreRAID to allow access to administration functions of RAID devices
  • Checked when changing parental controls for Safari.
  • This right is used by Xcode to invoke a setuid tool to run launchctl as root to change distcc sharing on this machine
  • Used by Activity Monitor to authorize killing processes not owned by the user.
  • For administrative access to the Application Server management tool.
  • For user access to the Application Server management tool.
  • Used to allow admin reading of I/O space via the CHUD framework
  • Used to allow admin writing of I/O space via the CHUD framework
  • Used to allow user reading of the PCI configuration space via the CHUD framework
  • Used to allow admin writing of PCI configuration space via the CHUD framework
  • Used to allow admin access to physical memory addresses via the CHUD framework
  • Used to allow user reading of CPU special purpose registers via the CHUD framework
  • Used to allow admin writing of CPU special purpose registers via the CHUD framework
  • For privileged file operations from within the Finder.
  • Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
  • For making administrative requests to the QuickTime Streaming Server.
  • For modifying Trust Settings in the Local Admin domain.
  • For modifying per-user Trust Settings.
  • Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.
  • Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).
  • Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
  • Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
  • Wildcard right for deleting system rights.
  • See authopen(1) for information on the use of this right.
  • For burning media.
  • Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
  • For creating, changing or deleting local user accounts and groups.
  • Checked when changing authentication credentials (password or certificate) for a local user account.
  • Checked when changing authentication credentials (password or certificate) for the current user’s account.
  • Checked when user is installing in admin domain (/Applications).
  • Checked when admin is installing in root domain (/System).
  • Checked when user is installing in root domain (/System).
  • Used by the Security framework when you add an item to an unconfigured default keychain.
  • Used by Keychain Access when editing a system keychain.
  • Login mechanism based rule. Not for general use, yet.
  • The owner or any administrator can unlock the screensaver.
  • Checked by the Admin framework when making changes to certain System Preferences.
  • Checked by the Admin framework when enabling or disabling the Accessibility APIs.
  • Checked by the Admin framework when making changes to the Accounts preference pane.
  • Checked when making changes to the Parental Controls preference pane.
  • For printing to locked printers.
  • Used by AuthorizationExecuteWithPrivileges(…) to run a tool as root (e.g., some installers).
  • Used by task_for_pid(…) to authorize access to the program of another user.
  • Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
  • For making Directory Services changes.
  • Checked when making changes to the Sharepoints.
  • Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
  • Authenticate as an administrator.
  • Authenticate as the session owner.
  • Authenticate either as the owner or as an administrator.
  • Verify that the user asking for authorization is an administrator.
  • Verify that the user asking for authorization is an lp administrator.
  • Verify that the process that created this AuthorizationRef is running as root.
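The descriptions above are the comment strings attached to rights in /etc/authorization, which is an XML property list. The following script, an added example and not part of this post, parses such a file with Python's plistlib, lists each right's comment, and flags the properties (class allow, allow-root, long credential timeout) that someone reviewing the database cares about. The embedded plist is a constructed sample in the file's shape; the right name com.example.burn is a placeholder, and the values given for system.privilege.admin are illustrative rather than copied from any system.

```python
import plistlib

# Constructed sample shaped like /etc/authorization (an XML plist whose top-level
# "rights" dictionary holds one entry per right); not a copy of any real file.
SAMPLE_AUTHORIZATION_PLIST = b"""<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.privilege.admin</key>
    <dict>
      <key>allow-root</key><true/>
      <key>class</key><string>user</string>
      <key>comment</key><string>Used by AuthorizationExecuteWithPrivileges(...) to run a tool as root (e.g., some installers).</string>
      <key>group</key><string>admin</string>
      <key>shared</key><false/>
      <key>timeout</key><integer>300</integer>
    </dict>
    <key>com.example.burn</key>
    <dict>
      <key>class</key><string>allow</string>
      <key>comment</key><string>For burning media.</string>
    </dict>
  </dict>
</dict>
</plist>
"""

def load_rights(plist_bytes):
    """Return the "rights" dictionary of an authorization database plist."""
    return plistlib.loads(plist_bytes).get("rights", {})

def comments(plist_bytes):
    """Map each right name to its comment string, i.e. the text the post lists."""
    return {n: s.get("comment", "") for n, s in load_rights(plist_bytes).items()}

def audit_right(spec):
    """Properties of one right that a reviewer of the database wants flagged."""
    findings = []
    if spec.get("class") == "allow":
        findings.append("granted to any caller without authentication")
    if spec.get("timeout", 0) > 300:
        findings.append("credential cached for %d seconds" % spec["timeout"])
    if spec.get("allow-root", False):
        findings.append("root callers are granted without authentication")
    return findings

def audit(plist_bytes):
    """Audit every right in the database; returns {right name: [findings]}."""
    return {n: audit_right(s) for n, s in load_rights(plist_bytes).items()}
```

To run it against a live system, read /etc/authorization as bytes and pass the contents to audit() and comments().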
