1 <?xml version=
"1.0" encoding=
"UTF-8"?>
2 <!DOCTYPE plist SYSTEM
"file://localhost/System/Library/DTDs/PropertyList.dtd">
5 <!-- NOTICE: this file will be replaced by a system facility in
6 forthcoming releases. It is provided purely for your
7 convenience using this release.
9 The name of the requested right is matched against the keys.
10 An exact match has priority, otherwise the longest match from
11 the start is used. Note that the right will only match wildcard
12 rules (ending in a ".") during this reduction.
14 Rules are specified as a string or a dict. The latter being a
17 allow rule: this is always allowed
18 <key>com.apple.TestApp.benign</key>
19 <string>allow</string>
21 deny rule: this is always denied
22 <key>com.apple.TestApp.dangerous</key>
25 user-in-group rule: successful authentication as a user in the
26 specified group(5) allows the associated right.
28 The shared property specifies whether a credential generated on
29 success is shared with other apps (same "session"). This property
30 defaults to false if not specified.
32 The timeout property specifies the maximum age of a (cached/shared)
33 credential accepted for this rule.
35 The allow-root property specifies whether a right should be allowed
36 automatically if the requesting process is running with uid == 0.
37 This defaults to false if not specified.
39 See remaining rules for examples.
41 Successful login produces a credential.
44 <!-- Used by AuthorizationExecuteWithPrivileges(...)
45 AuthorizationExecuteWithPrivileges is used by programs requesting
46 to run a tool as root (ie. some installers).
47 Credentials remain valid 5 minutes after they've been obtained.
48 An acquired credential isn't shared with other clients.
49 Clients running as root will be granted this right automatically.
51 <key>system.privilege.admin
</key>
54 <string>admin
</string>
60 <integer>300</integer>
63 <!-- Used by the dvd player to set the regioncode the first time
64 Note that changed the region code after it has been set requires a
65 different right (system.device.dvd.setregion.change)
66 Credentials remain valid indefinitely after they've been obtained.
67 An acquired credential is shared amongst all clients.
69 <key>system.device.dvd.setregion.initial
</key>
72 <string>admin
</string>
77 <!-- Login mechanism based rule. Not for general use, yet.
79 <key>system.login.console
</key>
82 <string>loginwindow_builtin:login,authinternal,loginwindow_builtin:success
</string>
83 <!-- krb5auth:authenticate can be used to hinge local authentication
84 on a successful kerberos authentication.
87 <key>system.login.pam
</key>
90 <string>push_hints_to_context,authinternal
</string>
92 <key>system.login.tty
</key>
95 <string>push_hints_to_context,authinternal
</string>
97 <key>system.login.done
</key>
100 <string>switch_to_user
</string>
102 <!-- krb5auth:login can be used to do kerberos authentication as a
103 side-effect of logging in. Local username/password will be used.
106 <!-- This right is checked by the Admin framework when making changes to
107 the system preferences.
108 Credentials remain valid forever.
109 An acquired credential is shared amongst all clients.
110 If the proccess that created the AuthorizationRef has uid = 0 this right
111 will automatically be granted.
113 <key>system.preferences
</key>
116 <string>admin
</string>
119 <key>allow-root
</key>
123 <!-- The following right is checked for printing to locked printers. -->
124 <key>system.printingmanager
</key>
127 <string>admin
</string>
134 <!-- See authopen(1) for information on the use of this right. -->
135 <key>sys.openfile.
</key>
138 <string>admin
</string>
142 <integer>300</integer>
145 <!-- All other rights will be matched by this rule.
146 Credentials remain valid 5 minutes after they've been obtained.
147 An acquired credential is shared amongst all clients.
152 <string>admin
</string>
156 <integer>300</integer>
projects / apple / security.git / blob