OSX: 治理认证数据库(Authorization Database)
在10.9之前,管理员为了达到管理系统级的用户管理,比如打印机权限, 普通用户管理System Prefereces等等选项,需要编辑/etc/authorization,它实际上是符合plist格式的XML文件。到了10.9之后,这个文件不见了,你会发现只存在一个叫authorization.deprecated的文件, 从文件名可以看出,它不再被使用了。
实际上的改动是,它的元文件被移动到了/System/Library/Security/文件夹下面了,而securityd系统进程,根据元文件会生成一个运行时文件叫/var/db/auth.db的SQLite3格式的文件,securityd使用这个auth.db文件进行系统的认证。这样,原来对/etc/authorization修改的程序/脚本不再适用于10.9。所以,需要适用/usr/bin/security命令来进行变更了。
其实Apple早在10.5的时候就已经引进了Security命令,但是因为缺乏文档和实际使用原驱动-可以使用原来证明成功而简单直观的方法,所以没有被广泛地使用。到了10.9,应该使用和熟悉它了。
基本的使用:
security authorizationdb read system.preferences.energysaver
它显示energysaver的用户权限配置。重点在于其中的一个值:
<key>group</key> <string>admin</string>
#!/usr/bin/env python
import subprocess
import sys
import plistlib
# Group System Preferences should be opened to
group = 'everyone'
command = ['/usr/bin/security', 'authorizationdb', 'read', 'system.preferences.energysaver']
task = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate()
formatted = plistlib.readPlistFromString(out)
# If the group doesn't match, we're going to correct it.
if formatted['group'] != group:
#input_plist = {}
formatted['group'] = group
# Convert back to plist
input_plist = plistlib.writePlistToString(formatted)
# Write the plist back to the authorizationdb
command = ['/usr/bin/security', 'authorizationdb', 'write', 'system.preferences.energysaver']
task = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate(input=input_plist)
或者如果你有自己的Plist的多行XML格式的配置文件运行类似下面的命令,这个命令恢复system.preferences.energysaver到10.8.5的默认值:
sudo security authorizationdb write system.preferences.energysaver <<EOF <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>allow-root</key> <true/> <key>class</key> <string>user</string> <key>comment</key> <string>Checked by the Admin framework when making changes to the Energy Saver preference pane.</string> <key>default-button</key> <dict> <key>ar</key> <string>فتح القفل</string> <key>ca</key> <string>Desbloquejar</string> <key>cs</key> <string>Odemknout</string> <key>da</key> <string>Lås op</string> <key>de</key> <string>Entsperren</string> <key>el</key> <string>Ξεκλείδωμα</string> <key>en</key> <string>Unlock</string> <key>es</key> <string>Desbloquear</string> <key>fi</key> <string>Avaa</string> <key>fr</key> <string>Déverrouiller</string> <key>he</key> <string>בטל/י את הנעילה</string> <key>hr</key> <string>Otključaj</string> <key>hu</key> <string>Feloldás</string> <key>it</key> <string>Sblocca</string> <key>ja</key> <string>ロック解除</string> <key>ko</key> <string>잠금 해제</string> <key>nb</key> <string>Lås opp</string> <key>nl</key> <string>Ontgrendel</string> <key>pl</key> <string>Odblokuj</string> <key>pt</key> <string>Desbloquear</string> <key>pt-PT</key> <string>Desproteger</string> <key>ro</key> <string>Deblochează</string> <key>ru</key> <string>Снять защиту</string> <key>sk</key> <string>Odomknúť</string> <key>sv</key> <string>Lås upp</string> <key>th</key> <string>ปลดล็อก</string> <key>tr</key> <string>Kilidi Aç</string> <key>uk</key> <string>Відімкнути</string> <key>zh-Hans</key> <string>解锁</string> <key>zh-Hant</key> <string>解鎖</string> </dict> <key>default-prompt</key> <dict> <key>ar</key> <string>_يحاول __APPNAME__ فتح قفل تفضيلات موفر الطاقة.</string> <key>ca</key> <string>__APPNAME__ està intentant desbloquejar el tauler de preferències Economitzador.</string> <key>cs</key> <string>__APPNAME__ se pokouší odemknout předvolby Úspora energie.</string> <key>da</key> <string>__APPNAME__ prøver at låse vinduet Energibesparelse op.</string> <key>de</key> <string>__APPNAME__ versucht, die Systemeinstellung „Energie sparen“ zu entsperren.</string> <key>el</key> <string>Η εφαρμογή __APPNAME__ προσπαθεί να ξεκλειδώσει τις προτιμήσεις εξοικονόμησης ενέργειας.</string> <key>en</key> <string>__APPNAME__ is trying to unlock the Energy Saver preferences.</string> <key>es</key> <string>__APPNAME__ está intentando desbloquear el panel de preferencias Economizador.</string> <key>fi</key> <string>__APPNAME__ yrittää avata Energiansäästäjä-asetuksia.</string> <key>fr</key> <string>__APPNAME__ essaie de déverrouiller les préférences Économiseur d’énergie.</string> <key>he</key> <string>״ __APPNAME__״ מבקש לבטל את הנעילה של העדפות ״חסכון באנרגיה״.</string> <key>hr</key> <string>__APPNAME__ pokušava otključati postavke Štednja energije.</string> <key>hu</key> <string>A(z) __APPNAME__ megpróbálja feloldani az Energiatakarékos mód beállításait.</string> <key>it</key> <string>__APPNAME__ sta tentando di sbloccare le preferenze di Risparmio di energia.</string> <key>ja</key> <string>__APPNAME__ が“省エネルギー”環境設定のロックを解除しようとしています。</string> <key>ko</key> <string>__APPNAME__이(가) 에너지 절약 환경설정을 잠금 해제하려고 합니다.</string> <key>nb</key> <string>__APPNAME__ prøver å låse opp Strømsparing-valgpanelet.</string> <key>nl</key> <string>__APPNAME__ probeert het voorkeurenpaneel 'Energiestand' te ontgrendelen.</string> <key>pl</key> <string>__APPNAME__ próbuje odblokować preferencje oszczędzania energii.</string> <key>pt</key> <string>__APPNAME__ está tentando desbloquear as preferências Economizador de Energia.</string> <key>pt-PT</key> <string>__APPNAME__ está a tentar desproteger as preferências de Poupança de Energia.</string> <key>ro</key> <string>__APPNAME__ încearcă să deblocheze preferințele Economizor.</string> <key>ru</key> <string>Программа «__APPNAME__» пытается снять защиту с настроек панели «Экономия энергии».</string> <key>sk</key> <string>__APPNAME__ sa pokúša odomknúť nastavenia šetriča energie.</string> <key>sv</key> <string>__APPNAME__ försöker låsa upp inställningarna för Strömsparare.</string> <key>th</key> <string>__APPNAME__ กำลังพยายามปลดล็อกค่าปรับแต่งตัวช่วยประหยัดพลังงาน</string> <key>tr</key> <string>__APPNAME__, Enerji Tasarrufu tercihlerinin kilidini açmaya çalışıyor.</string> <key>uk</key> <string>Програма «__APPNAME__» намагається відімкнути параметри Збереження енергії.</string> <key>zh-Hans</key> <string>“__APPNAME__”正试图解锁“节能器”偏好设置。</string> <key>zh-Hant</key> <string>“__APPNAME__”正在嘗試解鎖“能源節約器”偏好設定。</string> </dict> <key>group</key> <string>admin</string> <key>shared</key> <false/> </dict> </plist> EOF
注意:一定要先执行一次read,今后即便是write错误,也可以使用上面的命令形式来恢复系统默认。
security authorizationdb read system.preferences > /tmp/system.preferences.plist /usr/libexec/PlistBuddy -c "set group everyone" /tmp/system.preferences.plist sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist
目前可知的可以用相同的方法设置的系统偏好有(但不止这些):
设置日期和时间:system.preferences.datetime
打开系统偏好:system.preferences
设置能源:system.preferences.energysaver
设置网络:system.services.systemconfiguration.network
设置打印:system.preferences.printing - 这个部分应该使用内置的lpadmin|lpoperator组来管理用户权限,参见OSX: 灵活运用控制打印机的用户组
这个命令应该使用于10.6以后的所有系统。
参考:下面是DssW英国公司公布的非常少见的各个版本的系统管理的用户组的默认设置,可供参考。
Default Rights in Mac OS X
|
Right |
10.6 |
10.7 |
10.8 |
10.9 |
Comment |
|
(empty) |
Yes |
Yes |
Yes |
Yes |
Matches otherwise unmatched rights (i.e., is a default). |
|
admin |
No |
Yes |
Yes |
Yes |
|
|
allow |
Yes |
Yes |
Yes |
Yes |
Allow anyone. |
|
app-specific-admin |
No |
No |
Yes |
Yes |
|
|
appserver-admin |
Yes |
Yes |
Yes |
Yes |
|
|
appserver-user |
Yes |
Yes |
Yes |
Yes |
|
|
authenticate |
Yes |
Yes |
Yes |
Yes |
|
|
authenticate-admin |
Yes |
Yes |
Yes |
Yes |
Authenticate as an administrator. |
|
authenticate-admin-30 |
Yes |
Yes |
Yes |
Yes |
Like the default rule, but credentials remain valid for only 30 seconds after they've been obtained. An acquired credential is shared by all clients. |
|
authenticate-appstore-30 |
No |
Yes |
Yes |
Yes |
|
|
authenticate-developer |
Yes |
Yes |
Yes |
Yes |
Authenticate as a developer. |
|
authenticate-session-owner |
Yes |
Yes |
Yes |
Yes |
Authenticate as the session owner. |
|
authenticate-session-owner-or-admin |
Yes |
Yes |
Yes |
Yes |
Authenticate either as the owner or as an administrator. |
|
authenticate-session-user |
Yes |
Yes |
Yes |
Yes |
Same as authenticate-session-owner. |
|
com.alf |
No |
No |
No |
Yes |
|
|
com.apple. |
Yes |
Yes |
Yes |
Yes |
|
|
com.apple.AOSNotification.FindMyMac.modify |
No |
No |
Yes |
Yes |
|
|
com.apple.AOSNotification.FindMyMac.remove |
No |
No |
No |
Yes |
|
|
com.apple.CoreRAID.admin |
Yes |
Yes |
Yes |
Yes |
Used by CoreRAID to allow access to administration functions of RAID devices |
|
com.apple.DiskManagement. |
Yes |
Yes |
Yes |
Yes |
Used by diskmanagementd to allow access to its privileged functions |
|
com.apple.DiskManagement.internal. |
No |
No |
Yes |
Yes |
Used by diskmanagementd to allow access to its privileged functions |
|
com.apple.DiskManagement.reserveKEK |
No |
Yes |
Yes |
Yes |
Used by diskmanagementd to allow use of the reserve KEK. |
|
com.apple.KerberosAgent |
No |
Yes |
Yes |
Yes |
Used to acquire Kerberos credentials. |
|
com.apple.OpenScripting.additions.send |
No |
Yes |
Yes |
Yes |
Used to send restricted scripting addition commands to processes that require authorization to handle the events. |
|
com.apple.ReportPanic.fixRight |
No |
No |
No |
Yes |
|
|
com.apple.Safari.parental-controls |
Yes |
Yes |
Yes |
Yes |
Checked when changing parental controls for Safari. |
|
com.apple.Safari.show-credit-card-numbers |
No |
No |
No |
Yes |
This right is used by Safari to show credit card numbers. |
|
com.apple.Safari.show-passwords |
No |
Yes |
Yes |
Yes |
This right is used by Safari to show passwords |
|
com.apple.ServiceManagement.blesshelper |
Yes |
Yes |
Yes |
Yes |
Used by the ServiceManagement framework to add a privileged helper tool to the system launchd. |
|
com.apple.ServiceManagement.daemons.modify |
Yes |
Yes |
Yes |
Yes |
Used by the ServiceManagement framework to make changes to the system launchd's set of daemons. |
|
com.apple.SoftwareUpdate.modify-settings |
No |
No |
Yes |
Yes |
Checked by the Admin framework when making changes to the Software Update preference pane. |
|
com.apple.SoftwareUpdate.scan |
No |
Yes |
Yes |
Yes |
Checked when user is updating software. |
|
com.apple.XType.fontmover.install |
No |
Yes |
Yes |
Yes |
|
|
com.apple.XType.fontmover.remove |
No |
Yes |
Yes |
Yes |
|
|
com.apple.XType.fontmover.restore |
No |
Yes |
Yes |
Yes |
|
|
com.apple.ZFSManager. |
Yes |
Yes |
Yes |
Yes |
Used by zfsmanager to allow access to destructive zfs functions |
|
com.apple.activitymonitor.kill |
Yes |
Yes |
Yes |
Yes |
Used by Activity Monitor to authorize killing processes not owned by the user. |
|
com.apple.appserver.privilege.admin |
Yes |
Yes |
Yes |
Yes |
For administrative access to the Application Server management tool. |
|
com.apple.appserver.privilege.user |
Yes |
Yes |
Yes |
Yes |
For user access to the Application Server management tool. |
|
com.apple.builtin.confirm-access |
Yes |
Yes |
Yes |
Yes |
|
|
com.apple.builtin.confirm-access-password |
Yes |
Yes |
Yes |
Yes |
|
|
com.apple.builtin.generic-new-passphrase |
Yes |
Yes |
Yes |
Yes |
|
|
com.apple.builtin.generic-unlock |
Yes |
Yes |
Yes |
Yes |
|
|
com.apple.container-repair |
No |
No |
Yes |
Yes |
|
|
com.apple.dashboard.advisory.allow |
Yes |
Yes |
Yes |
Yes |
|
|
com.apple.desktopservices |
Yes |
Yes |
Yes |
Yes |
For privileged file operations from within the Finder. |
|
com.apple.desktopservices.scripted |
No |
Yes |
Yes |
Yes |
For scripting-initiated privileged file operations from within the Finder. |
|
com.apple.docset.install |
Yes |
Yes |
Yes |
Yes |
Used by Xcode to restrict access to a daemon it uses to install and update documentation sets. |
|
com.apple.dt.Xcode.LicenseAgreementXPCServiceRights |
No |
No |
No |
Yes |
Xcode FLE rights |
|
com.apple.dt.Xcode.MoveToTrashRights |
No |
Yes |
No |
No |
|
|
com.apple.familycontrols.loginwindow.override |
Yes |
No |
No |
Yes |
This right is checked when overriding a parental control restriction |
|
com.apple.familycontrols.override |
Yes |
No |
No |
Yes |
This right is checked when overriding parental controls from a user account |
|
com.apple.iBooksX.ParentalControl |
No |
No |
No |
Yes |
Checked when making changes to the Parental Controls for iBooks. |
|
com.apple.library-repair |
No |
Yes |
Yes |
Yes |
|
|
com.apple.lldb.LaunchUsingXPC |
No |
No |
Yes |
Yes |
|
|
com.apple.opendirectoryd.linkidentity |
No |
No |
Yes |
Yes |
|
|
com.apple.pcastagentconfigd. |
Yes |
Yes |
No |
No |
|
|
com.apple.pf.rule |
No |
No |
No |
Yes |
|
|
com.apple.security.assessment.update |
No |
Yes |
Yes |
Yes |
|
|
com.apple.server.admin.streaming |
Yes |
Yes |
Yes |
Yes |
For making administrative requests to the QuickTime Streaming Server. |
|
com.apple.trust-settings.admin |
Yes |
Yes |
Yes |
Yes |
For modifying Trust Settings in the Local Admin domain. |
|
com.apple.trust-settings.user |
Yes |
Yes |
Yes |
Yes |
For modifying per-user Trust Settings. |
|
com.apple.uninstalld.uninstall |
No |
Yes |
Yes |
Yes |
|
|
com.apple.wifi |
No |
No |
No |
Yes |
For restricting WiFi control |
|
com.apple.wireless-diagnostics |
No |
No |
Yes |
Yes |
Used by the WirelessDiagnosticsSupport framework to restrict XPC services provided by the wdhelper daemon |
|
com.example.sampleright |
No |
No |
No |
Yes |
|
|
config.add. |
Yes |
Yes |
Yes |
Yes |
Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights. |
|
config.config. |
Yes |
Yes |
Yes |
Yes |
Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file). |
|
config.modify. |
Yes |
Yes |
Yes |
Yes |
Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication. |
|
config.remove. |
Yes |
Yes |
Yes |
Yes |
Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication. |
|
config.remove.system. |
Yes |
Yes |
Yes |
Yes |
Wildcard right for deleting system rights. |
|
default |
Yes |
Yes |
Yes |
Yes |
Default rule. Credentials remain valid for 5 minutes after they've been obtained. An acquired credential is shared by all clients. |
|
entitled |
No |
Yes |
Yes |
Yes |
|
|
entitled-admin |
No |
Yes |
Yes |
Yes |
|
|
entitled-admin-or-authenticate-admin |
No |
Yes |
Yes |
Yes |
|
|
entitled-appstore |
No |
Yes |
Yes |
Yes |
|
|
entitled-appstore-or-entitled-authenticate-appstore |
No |
Yes |
Yes |
Yes |
|
|
entitled-authenticate-admin |
No |
Yes |
Yes |
Yes |
|
|
entitled-authenticate-appstore |
No |
Yes |
Yes |
Yes |
|
|
entitled-session-owner |
No |
Yes |
Yes |
Yes |
|
|
entitled-session-owner-or-authenticate-session-owner |
No |
Yes |
Yes |
Yes |
|
|
is-admin |
Yes |
Yes |
Yes |
Yes |
Verify that the user asking for authorization is an administrator. |
|
is-appstore |
No |
Yes |
Yes |
Yes |
|
|
is-developer |
Yes |
Yes |
Yes |
Yes |
Verify that the user asking for authorization is a developer. |
|
is-lpadmin |
No |
Yes |
Yes |
Yes |
|
|
is-root |
Yes |
Yes |
Yes |
Yes |
Verify that the process that created this AuthorizationRef is running as root. |
|
is-session-owner |
No |
Yes |
Yes |
Yes |
Verify that the requesting process is running as the session owner. |
|
lpadmin |
No |
Yes |
Yes |
Yes |
|
|
on-console |
No |
Yes |
Yes |
Yes |
|
|
root-or-admin-or-authenticate-admin |
No |
Yes |
No |
No |
|
|
root-or-entitled-admin-or-admin |
No |
Yes |
Yes |
Yes |
|
|
root-or-entitled-admin-or-app-specific-admin |
No |
No |
Yes |
Yes |
|
|
root-or-entitled-admin-or-authenticate-admin |
No |
Yes |
Yes |
Yes |
|
|
root-or-lpadmin |
No |
Yes |
Yes |
Yes |
|
|
sys.openfile. |
Yes |
Yes |
Yes |
Yes |
See authopen(1) for information on the use of this right. |
|
system. |
Yes |
Yes |
Yes |
Yes |
|
|
system.burn |
Yes |
Yes |
Yes |
Yes |
For burning media. |
|
system.csfde.requestpassword |
No |
Yes |
Yes |
Yes |
Used by CoreStorage Full Disk Encryption to request the user's password. |
|
system.device.dvd.setregion.initial |
Yes |
Yes |
Yes |
Yes |
Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). |
|
system.disk.unlock |
No |
Yes |
Yes |
Yes |
Do not modify. |
|
system.global-login-items. |
Yes |
Yes |
Yes |
Yes |
|
|
system.hdd.smart |
No |
Yes |
Yes |
Yes |
For modifying SMART settings. |
|
system.identity.write. |
Yes |
Yes |
Yes |
Yes |
For creating, changing or deleting local user accounts and groups. |
|
system.identity.write.credential |
Yes |
Yes |
Yes |
Yes |
Checked when changing authentication credentials (password or certificate) for a local user account. |
|
system.identity.write.self |
Yes |
Yes |
Yes |
Yes |
Checked when changing authentication credentials (password or certificate) for the current user's account. |
|
system.install.admin.user |
Yes |
No |
No |
No |
|
|
system.install.app-store-software |
No |
Yes |
Yes |
Yes |
Checked when user is installing software from the App Store. |
|
system.install.app-store-software.standard-user |
No |
No |
No |
Yes |
Checked when user is installing new software. |
|
system.install.apple-config-data |
No |
No |
Yes |
Yes |
|
|
system.install.apple-software |
No |
Yes |
Yes |
Yes |
Checked when user is installing Apple-provided software. |
|
system.install.apple-software.standard-user |
No |
No |
No |
Yes |
Checked when user is installing new software. |
|
system.install.iap-software |
No |
No |
No |
Yes |
|
|
system.install.root.admin |
Yes |
No |
No |
No |
|
|
system.install.root.user |
Yes |
No |
No |
No |
|
|
system.install.software |
No |
Yes |
Yes |
Yes |
Checked when user is installing new software. |
|
system.keychain.create.loginkc |
Yes |
Yes |
Yes |
Yes |
Used by the Security framework when you add an item to an unconfigured default keychain. |
|
system.keychain.modify |
Yes |
Yes |
Yes |
Yes |
Used by Keychain Access when editing a system keychain. |
|
system.login.console |
Yes |
Yes |
Yes |
Yes |
Login mechanism based rule. Not for general use, yet. |
|
system.login.done |
Yes |
Yes |
Yes |
Yes |
|
|
system.login.screensaver |
Yes |
Yes |
Yes |
Yes |
The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent. |
|
system.login.tty |
Yes |
Yes |
Yes |
Yes |
|
|
system.preferences |
Yes |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to certain System Preferences. |
|
system.preferences.accessibility |
Yes |
Yes |
Yes |
Yes |
Checked when making changes to the Accessibility Preferences. |
|
system.preferences.accounts |
Yes |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Users & Groups preference pane. |
|
system.preferences.datetime |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Date & Time preference pane. |
|
system.preferences.energysaver |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Energy Saver preference pane. |
|
system.preferences.location |
No |
Yes |
Yes |
Yes |
For changing the network location from the Apple menu. |
|
system.preferences.network |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Network preference pane. |
|
system.preferences.nvram |
No |
No |
Yes |
Yes |
|
|
system.preferences.parental-controls |
Yes |
Yes |
Yes |
Yes |
Checked when making changes to the Parental Controls preference pane. |
|
system.preferences.printing |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Printing preference pane. |
|
system.preferences.security |
Yes |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Security preference pane. |
|
system.preferences.security.remotepair |
No |
Yes |
Yes |
Yes |
Used by Bezel Services to gate IR remote pairing. |
|
system.preferences.sharing |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Sharing preference pane. |
|
system.preferences.softwareupdate |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Software Update preference pane. |
|
system.preferences.startupdisk |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Startup Disk preference pane. |
|
system.preferences.timemachine |
No |
Yes |
Yes |
Yes |
Checked by the Admin framework when making changes to the Time Machine preference pane. |
|
system.preferences.version-cue |
No |
Yes |
Yes |
Yes |
For gating modifications to Adobe Version Cue preferences. |
|
system.print.admin |
Yes |
Yes |
Yes |
Yes |
|
|
system.print.operator |
Yes |
Yes |
Yes |
Yes |
|
|
system.printingmanager |
Yes |
Yes |
Yes |
Yes |
For printing to locked printers. |
|
system.privilege.admin |
Yes |
Yes |
Yes |
Yes |
Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges() is used by programs requesting to run a tool as root (e.g., some installers). |
|
system.privilege.taskport |
Yes |
Yes |
Yes |
Yes |
Used by task_for_pid(...). Task_for_pid is called by programs requesting full control over another program for things like debugging or performance analysis. This authorization only applies if the requesting and target programs are run by the same user; it will never authorize access to the program of another user. WARNING: administrators are advised not to modify this right. |
|
system.privilege.taskport.debug |
Yes |
Yes |
Yes |
Yes |
For use by Apple. WARNING: administrators are advised not to modify this right. |
|
system.privilege.taskport.safe |
Yes |
Yes |
Yes |
Yes |
For use by Apple. |
|
system.restart |
Yes |
Yes |
Yes |
Yes |
Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching. |
|
system.services.directory.configure |
Yes |
Yes |
Yes |
Yes |
For making Directory Services changes. |
|
system.services.systemconfiguration.network |
No |
No |
Yes |
Yes |
For making change to network configuration via System Configuration. |
|
system.sharepoints. |
Yes |
Yes |
Yes |
Yes |
Checked when making changes to the Sharepoints. |
|
system.shutdown |
Yes |
Yes |
Yes |
Yes |
Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching. |
|
system.volume. |
No |
No |
Yes |
Yes |
system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount) |
|
system.volume.external. |
No |
No |
Yes |
Yes |
system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount) |
|
system.volume.external.adopt |
No |
No |
Yes |
Yes |
system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount) |
|
system.volume.removable. |
No |
No |
Yes |
Yes |
system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount) |
|
system.volume.removable.adopt |
No |
No |
Yes |
Yes |
system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount) |
|
use-login-window-ui |
No |
No |
No |
Yes |
Authenticate either as the owner or as an administrator. |