]> git.saurik.com Git - apple/securityd.git/blob - etc/authorization.plist
securityd-30557.tar.gz
[apple/securityd.git] / etc / authorization.plist
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 <plist version="1.0">
4 <dict>
5 <key>comment</key>
6 <string>The name of the requested right is matched against the keys. An exact match has priority, otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction.
7
8 allow rule: this is always allowed
9 &lt;key&gt;com.apple.TestApp.benign&lt;/key&gt;
10 &lt;string&gt;allow&lt;/string&gt;
11
12 deny rule: this is always denied
13 &lt;key&gt;com.apple.TestApp.dangerous&lt;/key&gt;
14 &lt;string&gt;deny&lt;/string&gt;
15
16 user rule: successful authentication as a user in the specified group(5) allows the associated right.
17
18 The shared property specifies whether a credential generated on success is shared with other apps (same "session"). This property defaults to false if not specified.
19
20 The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule.
21
22 The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.
23
24 See remaining rules for examples.
25 </string>
26 <key>rights</key>
27 <dict>
28 <key></key>
29 <dict>
30 <key>class</key>
31 <string>rule</string>
32 <key>comment</key>
33 <string>All other rights will be matched by this rule.</string>
34 <key>rule</key>
35 <string>default</string>
36 </dict>
37 <key>config.add.</key>
38 <dict>
39 <key>class</key>
40 <string>allow</string>
41 <key>comment</key>
42 <string>wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights</string>
43 </dict>
44 <key>config.config.</key>
45 <dict>
46 <key>class</key>
47 <string>deny</string>
48 <key>comment</key>
49 <string>wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file)</string>
50 </dict>
51 <key>config.modify.</key>
52 <dict>
53 <key>class</key>
54 <string>rule</string>
55 <key>comment</key>
56 <string>wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.</string>
57 <key>k-of-n</key>
58 <integer>1</integer>
59 <key>rule</key>
60 <array>
61 <string>is-root</string>
62 <string>authenticate-admin</string>
63 </array>
64 </dict>
65 <key>config.remove.</key>
66 <dict>
67 <key>class</key>
68 <string>rule</string>
69 <key>comment</key>
70 <string>wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.</string>
71 <key>k-of-n</key>
72 <integer>1</integer>
73 <key>rule</key>
74 <array>
75 <string>is-root</string>
76 <string>authenticate-admin</string>
77 </array>
78 </dict>
79 <key>config.remove.system.</key>
80 <dict>
81 <key>class</key>
82 <string>deny</string>
83 <key>comment</key>
84 <string>wildcard right for deleting system rights.</string>
85 </dict>
86 <key>com.apple.</key>
87 <dict>
88 <key>rule</key>
89 <string>default</string>
90 </dict>
91 <key>system.</key>
92 <dict>
93 <key>rule</key>
94 <string>default</string>
95 </dict>
96 <key>sys.openfile.</key>
97 <dict>
98 <key>class</key>
99 <string>user</string>
100 <key>comment</key>
101 <string>See authopen(1) for information on the use of this right.</string>
102 <key>group</key>
103 <string>admin</string>
104 <key>shared</key>
105 <false/>
106 <key>timeout</key>
107 <integer>300</integer>
108 </dict>
109 <key>system.device.dvd.setregion.initial</key>
110 <dict>
111 <key>class</key>
112 <string>user</string>
113 <key>comment</key>
114 <string>Used by the dvd player to set the regioncode the first time. Note that changed the region code after it has been set requires a different right (system.device.dvd.setregion.change)
115 Credentials remain valid indefinitely after they've been obtained.
116 An acquired credential is shared amongst all clients.</string>
117 <key>group</key>
118 <string>admin</string>
119 <key>shared</key>
120 <true/>
121 </dict>
122 <key>system.login.console</key>
123 <dict>
124 <key>class</key>
125 <string>evaluate-mechanisms</string>
126 <key>comment</key>
127 <string>Login mechanism based rule. Not for general use, yet.
128 builtin:krb5authenticate can be used to hinge local authentication on a successful kerberos authentication and kdc verification.
129 builtin:krb5authnoverify skips the kdc verification. Both fall back on local authentication.</string>
130 <key>mechanisms</key>
131 <array>
132 <string>builtin:auto-login,privileged</string>
133 <string>loginwindow_builtin:login</string>
134 <string>builtin:reset-password,privileged</string>
135 <string>authinternal</string>
136 <string>builtin:getuserinfo,privileged</string>
137 <string>builtin:sso,privileged</string>
138 <string>HomeDirMechanism:login,privileged</string>
139 <string>HomeDirMechanism:status</string>
140 <string>MCXMechanism:login</string>
141 <string>loginwindow_builtin:success</string>
142 <string>loginwindow_builtin:done</string>
143 </array>
144 </dict>
145 <key>system.login.done</key>
146 <dict>
147 <key>class</key>
148 <string>evaluate-mechanisms</string>
149 <key>comment</key>
150 <string>builtin:krb5login can be used to do kerberos authentication as a side-effect of logging in. Local username/password will be used.</string>
151 <key>mechanisms</key>
152 <array>
153 </array>
154 </dict>
155 <key>system.login.pam</key>
156 <dict>
157 <key>class</key>
158 <string>evaluate-mechanisms</string>
159 <key>tries</key>
160 <integer>1</integer>
161 <key>mechanisms</key>
162 <array>
163 <string>push_hints_to_context</string>
164 <string>authinternal</string>
165 </array>
166 </dict>
167 <key>system.login.screensaver</key>
168 <dict>
169 <key>class</key>
170 <string>rule</string>
171 <key>comment</key>
172 <string>the owner as well as any admin can unlock the screensaver;modify the group key to change this.</string>
173 <key>rule</key>
174 <string>authenticate-session-owner-or-admin</string>
175 </dict>
176 <key>system.login.tty</key>
177 <dict>
178 <key>class</key>
179 <string>evaluate-mechanisms</string>
180 <key>tries</key>
181 <integer>1</integer>
182 <key>mechanisms</key>
183 <array>
184 <string>push_hints_to_context</string>
185 <string>authinternal</string>
186 </array>
187 </dict>
188 <key>system.keychain.create.loginkc</key>
189 <dict>
190 <key>allow-root</key>
191 <false/>
192 <key>class</key>
193 <string>evaluate-mechanisms</string>
194 <key>comment</key>
195 <string>Used by Security framework when you add an item to a unconfigured default keychain</string>
196 <key>mechanisms</key>
197 <array>
198 <string>loginKC:queryCreate</string>
199 <string>loginKC:showPasswordUI</string>
200 <string>authinternal</string>
201 </array>
202 <key>session-owner</key>
203 <true/>
204 <key>shared</key>
205 <false/>
206 </dict>
207 <key>system.keychain.modify</key>
208 <dict>
209 <key>class</key>
210 <string>user</string>
211 <key>comment</key>
212 <string>Used by Keychain Access when editing a system keychain.</string>
213 <key>group</key>
214 <string>admin</string>
215 <key>shared</key>
216 <false/>
217 <key>timeout</key>
218 <integer>300</integer>
219 </dict>
220 <key>system.preferences</key>
221 <dict>
222 <key>allow-root</key>
223 <true/>
224 <key>class</key>
225 <string>user</string>
226 <key>comment</key>
227 <string>This right is checked by the Admin framework when making changes to the system preferences.</string>
228 <key>group</key>
229 <string>admin</string>
230 <key>shared</key>
231 <true/>
232 </dict>
233 <key>system.preferences.accounts</key>
234 <dict>
235 <key>allow-root</key>
236 <true/>
237 <key>class</key>
238 <string>user</string>
239 <key>comment</key>
240 <string>This right is checked by the Admin framework when making changes to the accounts preference pane</string>
241 <key>group</key>
242 <string>admin</string>
243 <key>shared</key>
244 <false/>
245 </dict>
246 <key>system.printingmanager</key>
247 <dict>
248 <key>class</key>
249 <string>rule</string>
250 <key>comment</key>
251 <string>The following right is checked for printing to locked printers.</string>
252 <key>rule</key>
253 <string>authenticate-admin</string>
254 </dict>
255 <key>system.preferences.accessibility</key>
256 <dict>
257 <key>allow-root</key>
258 <true/>
259 <key>class</key>
260 <string>user</string>
261 <key>comment</key>
262 <string>This right is checked by the Admin framework when enabling or disabling the Accessibility APIs</string>
263 <key>group</key>
264 <string>admin</string>
265 <key>shared</key>
266 <false/>
267 <key>timeout</key>
268 <integer>0</integer>
269 </dict>
270 <key>com.apple.activitymonitor.kill</key>
271 <dict>
272 <key>class</key>
273 <string>user</string>
274 <key>comment</key>
275 <string>Used by Activity Monitor to authorize killing processes not owned by the user</string>
276 <key>group</key>
277 <string>admin</string>
278 <key>shared</key>
279 <false/>
280 <key>timeout</key>
281 <integer>0</integer>
282 </dict>
283 <key>com.apple.Safari.parental-controls</key>
284 <dict>
285 <key>allow-root</key>
286 <true/>
287 <key>class</key>
288 <string>user</string>
289 <key>comment</key>
290 <string>This right is checked when changing parental controls for Safari</string>
291 <key>group</key>
292 <string>admin</string>
293 <key>shared</key>
294 <false/>
295 <key>timeout</key>
296 <integer>0</integer>
297 </dict>
298 <key>system.privilege.admin</key>
299 <dict>
300 <key>allow-root</key>
301 <true/>
302 <key>class</key>
303 <string>user</string>
304 <key>comment</key>
305 <string>Used by AuthorizationExecuteWithPrivileges(...)
306 AuthorizationExecuteWithPrivileges is used by programs requesting
307 to run a tool as root (ie. some installers).
308 Credentials remain valid 5 minutes after they've been obtained.
309 An acquired credential isn't shared with other clients.
310 Clients running as root will be granted this right automatically.
311 </string>
312 <key>group</key>
313 <string>admin</string>
314 <key>shared</key>
315 <false/>
316 <key>timeout</key>
317 <integer>300</integer>
318 </dict>
319 <key>system.restart</key>
320 <dict>
321 <key>class</key>
322 <string>evaluate-mechanisms</string>
323 <key>comment</key>
324 <string>Multisession restart mechanisms</string>
325 <key>mechanisms</key>
326 <array>
327 <string>RestartAuthorization:restart</string>
328 <string>RestartAuthorization:authenticate</string>
329 <string>RestartAuthorization:success</string>
330 </array>
331 </dict>
332 <key>system.shutdown</key>
333 <dict>
334 <key>class</key>
335 <string>evaluate-mechanisms</string>
336 <key>comment</key>
337 <string>Multisession shutdown mechanisms</string>
338 <key>mechanisms</key>
339 <array>
340 <string>RestartAuthorization:shutdown</string>
341 <string>RestartAuthorization:authenticate</string>
342 <string>RestartAuthorization:success</string>
343 </array>
344 </dict>
345 <key>system.burn</key>
346 <dict>
347 <key>class</key>
348 <string>allow</string>
349 <key>comment</key>
350 <string>authorization to burn media</string>
351 </dict>
352 <key>system.services.directory.configure</key>
353 <dict>
354 <key>class</key>
355 <string>user</string>
356 <key>group</key>
357 <string>admin</string>
358 <key>allow-root</key>
359 <true/>
360 <key>shared</key>
361 <true/>
362 <key>timeout</key>
363 <integer>300</integer>
364 <key>comment</key>
365 <string>authorization to make directory service changes</string>
366 </dict>
367 <key>com.apple.server.admin.streaming</key>
368 <dict>
369 <key>class</key>
370 <string>user</string>
371 <key>comment</key>
372 <string>Used for admin requests with the QuickTime Streaming Server.</string>
373 <key>group</key>
374 <string>admin</string>
375 <key>shared</key>
376 <false/>
377 <key>allow-root</key>
378 <true/>
379 <key>timeout</key>
380 <integer>0</integer>
381 </dict>
382 <key>system.install.admin.user</key>
383 <dict>
384 <key>class</key>
385 <string>user</string>
386 <key>comment</key>
387 <string>Used by installer tool: user installling in admin domain (/Applications)</string>
388 <key>group</key>
389 <string>admin</string>
390 <key>shared</key>
391 <false/>
392 <key>timeout</key>
393 <integer>300</integer>
394 </dict>
395 <key>system.install.root.user</key>
396 <dict>
397 <key>class</key>
398 <string>user</string>
399 <key>comment</key>
400 <string>Used by installer tool: user installling in root domain (/System)</string>
401 <key>group</key>
402 <string>admin</string>
403 <key>shared</key>
404 <false/>
405 <key>timeout</key>
406 <integer>300</integer>
407 </dict>
408 <key>system.install.root.admin</key>
409 <dict>
410 <key>class</key>
411 <string>user</string>
412 <key>comment</key>
413 <string>Used by installer tool: admin installling in root domain (/System)</string>
414 <key>group</key>
415 <string>admin</string>
416 <key>shared</key>
417 <false/>
418 <key>timeout</key>
419 <integer>300</integer>
420 </dict>
421 <key>com.apple.appserver.privilege.admin</key>
422 <dict>
423 <key>class</key>
424 <string>rule</string>
425 <key>comment</key>
426 <string>Used to determine administrative access to the Application Server management tool.</string>
427 <key>rule</key>
428 <string>appserver-admin</string>
429 </dict>
430 <key>com.apple.appserver.privilege.user</key>
431 <dict>
432 <key>class</key>
433 <string>rule</string>
434 <key>comment</key>
435 <string>Used to determine user access to the Application Server management tool.</string>
436 <key>k-of-n</key>
437 <integer>1</integer>
438 <key>rule</key>
439 <array>
440 <string>appserver-admin</string>
441 <string>appserver-user</string>
442 </array>
443 </dict>
444 <key>com.apple.desktopservices</key>
445 <dict>
446 <key>class</key>
447 <string>user</string>
448 <key>comment</key>
449 <string>authorize privileged file operations from the finder</string>
450 <key>group</key>
451 <string>admin</string>
452 <key>shared</key>
453 <false/>
454 <key>timeout</key>
455 <integer>0</integer>
456 </dict>
457 <key>com.apple.builtin.generic-new-passphrase</key>
458 <dict>
459 <key>class</key>
460 <string>evaluate-mechanisms</string>
461 <key>mechanisms</key>
462 <array>
463 <string>builtin:generic-new-passphrase</string>
464 </array>
465 </dict>
466 <key>com.apple.builtin.generic-unlock</key>
467 <dict>
468 <key>class</key>
469 <string>evaluate-mechanisms</string>
470 <key>mechanisms</key>
471 <array>
472 <string>builtin:generic-unlock</string>
473 </array>
474 </dict>
475 <key>com.apple.builtin.confirm-access</key>
476 <dict>
477 <key>class</key>
478 <string>evaluate-mechanisms</string>
479 <key>mechanisms</key>
480 <array>
481 <string>builtin:confirm-access</string>
482 </array>
483 </dict>
484 <key>com.apple.builtin.confirm-access-password</key>
485 <dict>
486 <key>class</key>
487 <string>evaluate-mechanisms</string>
488 <key>mechanisms</key>
489 <array>
490 <string>builtin:confirm-access-password</string>
491 </array>
492 </dict>
493 </dict>
494 <key>rules</key>
495 <dict>
496 <key>allow</key>
497 <dict>
498 <key>class</key>
499 <string>allow</string>
500 <key>comment</key>
501 <string>allow anyone</string>
502 </dict>
503 <key>authenticate-admin</key>
504 <dict>
505 <key>class</key>
506 <string>user</string>
507 <key>comment</key>
508 <string>require the user asking for authorization to authenticate as an admin</string>
509 <key>group</key>
510 <string>admin</string>
511 <key>shared</key>
512 <true/>
513 <key>timeout</key>
514 <integer>0</integer>
515 </dict>
516 <key>authenticate-session-user</key>
517 <dict>
518 <key>class</key>
519 <string>user</string>
520 <key>comment</key>
521 <string>authenticate session owner</string>
522 <key>session-owner</key>
523 <true/>
524 </dict>
525 <key>authenticate-session-owner</key>
526 <dict>
527 <key>class</key>
528 <string>user</string>
529 <key>comment</key>
530 <string>authenticate session owner</string>
531 <key>session-owner</key>
532 <true/>
533 </dict>
534 <key>authenticate-session-owner-or-admin</key>
535 <dict>
536 <key>allow-root</key>
537 <false/>
538 <key>class</key>
539 <string>user</string>
540 <key>comment</key>
541 <string>the owner as well as any admin can authorize</string>
542 <key>group</key>
543 <string>admin</string>
544 <key>session-owner</key>
545 <true/>
546 <key>shared</key>
547 <false/>
548 </dict>
549 <key>is-admin</key>
550 <dict>
551 <key>class</key>
552 <string>user</string>
553 <key>comment</key>
554 <string>verify the user asking for authorization is an admin</string>
555 <key>group</key>
556 <string>admin</string>
557 <key>authenticate-user</key>
558 <false/>
559 <key>shared</key>
560 <string>true</string>
561 </dict>
562 <key>is-root</key>
563 <dict>
564 <key>allow-root</key>
565 <true/>
566 <key>class</key>
567 <string>user</string>
568 <key>authenticate-user</key>
569 <false/>
570 <key>comment</key>
571 <string>verify the process that created this authref is root</string>
572 </dict>
573 <key>appserver-user</key>
574 <dict>
575 <key>class</key>
576 <string>user</string>
577 <key>group</key>
578 <string>appserverusr</string>
579 </dict>
580 <key>appserver-admin</key>
581 <dict>
582 <key>class</key>
583 <string>user</string>
584 <key>group</key>
585 <string>appserveradm</string>
586 </dict>
587 <key>default</key>
588 <dict>
589 <key>class</key>
590 <string>user</string>
591 <key>comment</key>
592 <string>All other rights will be matched by this rule. Credentials remain valid 5 minutes after they've been obtained.
593 An acquired credential is shared amongst all clients.
594 </string>
595 <key>group</key>
596 <string>admin</string>
597 <key>shared</key>
598 <true/>
599 <key>timeout</key>
600 <integer>300</integer>
601 </dict>
602 <key>authenticate</key>
603 <dict>
604 <key>class</key>
605 <string>evaluate-mechanisms</string>
606 <key>mechanisms</key>
607 <array>
608 <string>builtin:authenticate</string>
609 <string>authinternal</string>
610 </array>
611 </dict>
612 </dict>
613 </dict>
614 </plist>