Month: November 2007

Apple education trade-in and recycling

Apple are running a trade-in and recycling program for US Educational customers, which offers features such as:

  • All recycled hard drives are ground into confetti-sized pieces.
  • Data on all hard drives to be resold is deleted in a manner consistent with federal standards.
  • Customers receive a certificate of destruction for each lot recycled through the program.
  • All asset tags and other identifying information are removed prior to disposition.
  • No waste from Apple’s U.S. recycling program is shipped outside North America.

The last part is interesting given that the ‘waste’ wouldn’t have originally originated in North America anyway, having mostly been constructed somewhere in Asia from parts manufactured in Asia.

Things you can authorize in Leopard

A look in /etc/authorization reveals some interesting things that can be authorized:

  • Used by CoreRAID to allow access to administration functions of RAID devices
  • Checked when changing parental controls for Safari.
  • This right is used by Xcode to invoke a setuid tool to run launchctl as root to change distcc sharing on this machine
  • Used by Activity Monitor to authorize killing processes not owned by the user.
  • For administrative access to the Application Server management tool.
  • For user access to the Application Server management tool.
  • Used to allow admin reading of I/O space via the CHUD framework
  • Used to allow admin writing of I/O space via the CHUD framework
  • Used to allow user reading of the PCI configuration space via the CHUD framework
  • Used to allow admin writing of PCI configuration space via the CHUD framework
  • Used to allow admin access to physical memory addresses via the CHUD framework
  • Used to allow user reading of CPU special purpose registers via the CHUD framework
  • Used to allow admin writing of CPU special purpose registers via the CHUD framework
  • For privileged file operations from within the Finder.
  • Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
  • For making administrative requests to the QuickTime Streaming Server.
  • For modifying Trust Settings in the Local Admin domain.
  • For modifying per-user Trust Settings.
  • Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.
  • Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).
  • Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
  • Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
  • Wildcard right for deleting system rights.
  • See authopen(1) for information on the use of this right.
  • For burning media.
  • Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
  • For creating, changing or deleting local user accounts and groups.
  • Checked when changing authentication credentials (password or certificate) for a local user account.
  • Checked when changing authentication credentials (password or certificate) for the current user’s account.
  • Checked when user is installing in admin domain (/Applications).
  • Checked when admin is installing in root domain (/System).
  • Checked when user is installing in root domain (/System).
  • Used by the Security framework when you add an item to an unconfigured default keychain.
  • Used by Keychain Access when editing a system keychain.
  • Login mechanism based rule. Not for general use, yet.
  • The owner or any administrator can unlock the screensaver.
  • Checked by the Admin framework when making changes to certain System Preferences.
  • Checked by the Admin framework when enabling or disabling the Accessibility APIs.
  • Checked by the Admin framework when making changes to the Accounts preference pane.
  • Checked when making changes to the Parental Controls preference pane.
  • For printing to locked printers.
  • authenticate-Used by AuthorizationExecuteWithPrivileges(…). to run a tool as root (e.g., some installers).
  • Used by task_for_pid(…). authorize access to the program of another user.
  • Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
  • For making Directory Services changes.
  • Checked when making changes to the Sharepoints.
  • Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
  • Authenticate as an administrator.
  • Authenticate as the session owner.
  • Authenticate either as the owner or as an administrator.
  • Verify that the user asking for authorization is an administrator.
  • Verify that the user asking for authorization is an lp administrator.
  • Verify that the process that created this AuthorizationRef is running as root.

A Leopard ate my Keyboard

It seems one of theother niceties of Leopard (10.5.0, that is, haven’t upgraded to 10.5.1 yet) is that sometimes it will forget that the MacBook Pro has a keyboard, and you’re unable to type, even to the extent of the caps lock light no longer working. In my case the keyboard still appears as a USB device in System Profiler even when it’s not working, and there are no obvious log events happening in the Console Log. This never happened under Tiger. Others seem to be reporting this on Apple forums as well.

Update – Yes, an external USB keyboard works while the internal one is not responding.

Leopard can’t handle ‘%’ in fileshare passwords

In Leopard if you try to connect to a remote server in the Finder and have ‘%’ in the password, NetAuthAgent will crash with a bus error. As reported on Macintouch (and indirectly on MacEnterprise). I’m not sure if this behaviour persists in 10.5.1.