A look in /etc/authorization reveals some interesting things that can be authorized:
- Used by CoreRAID to allow access to administration functions of RAID devices
- Checked when changing parental controls for Safari.
- This right is used by Xcode to invoke a setuid tool to run launchctl as root to change distcc sharing on this machine.
- Used by Activity Monitor to authorize killing processes not owned by the user.
- For administrative access to the Application Server management tool.
- For user access to the Application Server management tool.
- Used to allow admin reading of I/O space via the CHUD framework.
- Used to allow admin writing of I/O space via the CHUD framework.
- Used to allow user reading of the PCI configuration space via the CHUD framework.
- Used to allow admin writing of PCI configuration space via the CHUD framework.
- Used to allow admin access to physical memory addresses via the CHUD framework.
- Used to allow user reading of CPU special purpose registers via the CHUD framework.
- Used to allow admin writing of CPU special purpose registers via the CHUD framework.
- For privileged file operations from within the Finder.
- Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
- For making administrative requests to the QuickTime Streaming Server.
- For modifying Trust Settings in the Local Admin domain.
- For modifying per-user Trust Settings.
- Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.
- Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).
- Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
- Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
- Wildcard right for deleting system rights.
- See authopen(1) for information on the use of this right.
- For burning media.
- Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
- For creating, changing or deleting local user accounts and groups.
- Checked when changing authentication credentials (password or certificate) for a local user account.
- Checked when changing authentication credentials (password or certificate) for the current user’s account.
- Checked when user is installing in admin domain (/Applications).
- Checked when admin is installing in root domain (/System).
- Checked when user is installing in root domain (/System).
- Used by the Security framework when you add an item to an unconfigured default keychain.
- Used by Keychain Access when editing a system keychain.
- Login mechanism based rule. Not for general use, yet.
- The owner or any administrator can unlock the screensaver.
- Checked by the Admin framework when making changes to certain System Preferences.
- Checked by the Admin framework when enabling or disabling the Accessibility APIs.
- Checked by the Admin framework when making changes to the Accounts preference pane.
- Checked when making changes to the Parental Controls preference pane.
- For printing to locked printers.
- Used by AuthorizationExecuteWithPrivileges(…) to run a tool as root (e.g., some installers).
- Used by task_for_pid(…). authorize access to the program of another user.
- Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
- For making Directory Services changes.
- Checked when making changes to the Sharepoints.
- Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
- Authenticate as an administrator.
- Authenticate as the session owner.
- Authenticate either as the owner or as an administrator.
- Verify that the user asking for authorization is an administrator.
- Verify that the user asking for authorization is an lp administrator.
- Verify that the process that created this AuthorizationRef is running as root.
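
To run the same kind of survey over a copy of the file, the added example below (not part of the original page) parses the property-list layout of /etc/authorization and reports how each right is decided, following references into the rules section. The sample database, the right `example.locked`, the comment strings and the function names are constructed for illustration.

```python
import plistlib

# Constructed sample in the layout of /etc/authorization: a property list whose
# "rights" entries name a class directly or point at a named entry in "rules".
# Names and settings are illustrative assumptions, not a dump of a real system.
SAMPLE = plistlib.dumps({
    "rights": {
        "config.add.": {"class": "allow",
                        "comment": "Wildcard right for adding rights."},
        "system.burn": {"class": "allow", "comment": "For burning media."},
        "system.privilege.admin": {
            "class": "user", "group": "admin", "allow-root": True,
            "comment": "Used by AuthorizationExecuteWithPrivileges(...)."},
        "system.device.dvd.setregion.change": {
            "class": "rule", "rule": "authenticate-admin",
            "comment": "For changing the DVD region code."},
        "example.locked": {"class": "deny", "comment": "Hypothetical right."},
    },
    "rules": {
        "authenticate-admin": {"class": "user", "group": "admin",
                               "comment": "Authenticate as an administrator."},
    },
})

def describe(entry, rules, depth=0):
    """Summarise how one right or rule is decided, following rule references."""
    cls = entry.get("class", "?")
    if cls == "user":
        root = ", root passes" if entry.get("allow-root") else ""
        return "authenticate as member of '%s'%s" % (entry.get("group", "?"), root)
    if cls == "rule" and depth < 8:          # depth cap guards reference loops
        names = entry.get("rule", [])
        names = [names] if isinstance(names, str) else names
        return " / ".join(
            "%s -> %s" % (n, describe(rules[n], rules, depth + 1))
            if n in rules else "%s -> MISSING RULE" % n for n in names)
    return {"allow": "granted without authentication",
            "deny": "always denied"}.get(cls, "class " + cls)

def audit(plist_bytes):
    """Return {right: (is_wildcard, decision, comment)} for every right."""
    db = plistlib.loads(plist_bytes)
    rules = db.get("rules", {})
    return {name: (name.endswith("."), describe(e, rules), e.get("comment", ""))
            for name, e in db.get("rights", {}).items()}

if __name__ == "__main__":
    for name, (wild, decision, comment) in sorted(audit(SAMPLE).items()):
        print("%-36s %s%s | %s" % (name, "[wildcard] " if wild else "", decision, comment))
```

Rights reported as "granted without authentication", especially wildcard ones, are the entries to review first when auditing a modified database.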