1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
3 <plist version="0.9">
4 <dict>
5 <!-- NOTICE: this file will be replaced by a system facility in
6 forthcoming releases. It is provided purely for your
7 convenience using this release.
8
9 The name of the requested right is matched against the keys.
10 An exact match has priority, otherwise the longest match from
11 the start is used. Note that during this reduction the right only
12 matches wildcard rules (keys ending in a ".").
13
14 Rules are specified as a string or a dict; the latter is a
15 user-in-group rule.
16
17 allow rule: this is always allowed
18 <key>com.apple.TestApp.benign</key>
19 <string>allow</string>
20
21 deny rule: this is always denied
22 <key>com.apple.TestApp.dangerous</key>
23 <string>deny</string>
24
25 user-in-group rule: successful authentication as a user in the
26 specified group(5) allows the associated right.
27
28 The shared property specifies whether a credential generated on
29 success is shared with other apps (same "session"). This property
30 defaults to false if not specified.
31
32 The timeout property specifies the maximum age of a (cached/shared)
33 credential accepted for this rule.
34
35 The allow-root property specifies whether a right should be allowed
36 automatically if the requesting process is running with uid == 0.
37 This defaults to false if not specified.
38
39 See remaining rules for examples.
40
41 Successful login produces a credential.
42 -->
43
44 <!-- Used by AuthorizationExecuteWithPrivileges(...)
45 AuthorizationExecuteWithPrivileges is used by programs requesting
46 to run a tool as root (e.g. some installers).
47 Granted after successful authentication as a user in the admin group; credentials remain valid 5 minutes (timeout 300) after they've been obtained.
48 An acquired credential isn't shared with other clients (shared is false).
49 Clients running as root (uid == 0) are granted this right automatically (allow-root is true).
50 -->
51 <key>system.privilege.admin</key>
52 <dict>
53 <key>group</key>
54 <string>admin</string>
55 <key>shared</key>
56 <false/>
57 <key>allow-root</key>
58 <true/>
59 <key>timeout</key>
60 <integer>300</integer>
61 </dict>
62
63 <!-- Used by the DVD player to set the region code the first time.
64 Note that changing the region code after it has been set requires a
65 different right (system.device.dvd.setregion.change); that right has no entry of its own in this file, so it appears to fall through to the default rule at the end.
66 Credentials remain valid indefinitely after they've been obtained (presumably because no timeout key is given).
67 An acquired credential is shared amongst all clients (shared is true).
68 -->
69 <key>system.device.dvd.setregion.initial</key>
70 <dict>
71 <key>group</key>
72 <string>admin</string>
73 <key>shared</key>
74 <true/>
75 </dict>
76
77 <!-- Default rule: the empty key matches every right that has no more specific entry above.
78 Requires authentication as a user in the admin group. Credentials remain valid 5 minutes (timeout 300) after they've been obtained.
79 An acquired credential is shared amongst all clients (shared is true), so a right that needs a narrower group, an unshared credential or a shorter timeout must be given its own entry.
80 -->
81 <key/>
82 <dict>
83 <key>group</key>
84 <string>admin</string>
85 <key>shared</key>
86 <true/>
87 <key>timeout</key>
88 <integer>300</integer>
89 </dict>
90 </dict>
91 </plist>