]> git.saurik.com Git - apple/securityd.git/blob - etc/authorization.plist
projects / apple / securityd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
securityd-32661.tar.gz
[apple/securityd.git] / etc / authorization.plist
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3 <plist version="1.0">
4 <dict>
5 <key>comment</key>
6 <string>The name of the requested right is matched against the keys. An exact match has priority, otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction.
7
8 allow rule: this is always allowed
9 &lt;key&gt;com.apple.TestApp.benign&lt;/key&gt;
10 &lt;string&gt;allow&lt;/string&gt;
11
12 deny rule: this is always denied
13 &lt;key&gt;com.apple.TestApp.dangerous&lt;/key&gt;
14 &lt;string&gt;deny&lt;/string&gt;
15
16 user rule: successful authentication as a user in the specified group(5) allows the associated right.
17
18 The shared property specifies whether a credential generated on success is shared with other apps (i.e., those in the same "session"). This property defaults to false if not specified.
19
20 The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule.
21
22 The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.
23
24 See remaining rules for examples.
25 </string>
26 <key>rights</key>
27 <dict>
28 <key></key>
29 <dict>
30 <key>class</key>
31 <string>rule</string>
32 <key>comment</key>
33 <string>Matches otherwise unmatched rights (i.e., is a default).</string>
34 <key>rule</key>
35 <string>default</string>
36 </dict>
37 <key>config.add.</key>
38 <dict>
39 <key>class</key>
40 <string>allow</string>
41 <key>comment</key>
42 <string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string>
43 </dict>
44 <key>config.config.</key>
45 <dict>
46 <key>class</key>
47 <string>deny</string>
48 <key>comment</key>
49 <string>Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).</string>
50 </dict>
51 <key>config.modify.</key>
52 <dict>
53 <key>class</key>
54 <string>rule</string>
55 <key>comment</key>
56 <string>Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.</string>
57 <key>k-of-n</key>
58 <integer>1</integer>
59 <key>rule</key>
60 <array>
61 <string>is-root</string>
62 <string>authenticate-admin</string>
63 </array>
64 </dict>
65 <key>config.remove.</key>
66 <dict>
67 <key>class</key>
68 <string>rule</string>
69 <key>comment</key>
70 <string>Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.</string>
71 <key>k-of-n</key>
72 <integer>1</integer>
73 <key>rule</key>
74 <array>
75 <string>is-root</string>
76 <string>authenticate-admin</string>
77 </array>
78 </dict>
79 <key>config.remove.system.</key>
80 <dict>
81 <key>class</key>
82 <string>deny</string>
83 <key>comment</key>
84 <string>Wildcard right for deleting system rights.</string>
85 </dict>
86 <key>com.apple.</key>
87 <dict>
88 <key>rule</key>
89 <string>default</string>
90 </dict>
91 <key>system.</key>
92 <dict>
93 <key>rule</key>
94 <string>default</string>
95 </dict>
96 <key>sys.openfile.</key>
97 <dict>
98 <key>class</key>
99 <string>user</string>
100 <key>comment</key>
101 <string>See authopen(1) for information on the use of this right.</string>
102 <key>group</key>
103 <string>admin</string>
104 <key>shared</key>
105 <false/>
106 <key>timeout</key>
107 <integer>300</integer>
108 </dict>
109 <key>system.device.dvd.setregion.initial</key>
110 <dict>
111 <key>class</key>
112 <string>user</string>
113 <key>comment</key>
114 <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string>
115 <key>group</key>
116 <string>admin</string>
117 <key>shared</key>
118 <true/>
119 </dict>
120 <key>system.login.console</key>
121 <dict>
122 <key>class</key>
123 <string>evaluate-mechanisms</string>
124 <key>comment</key>
125 <string>Login mechanism based rule. Not for general use, yet.</string>
126 <key>mechanisms</key>
127 <array>
128 <string>builtin:smartcard-sniffer,privileged</string>
129 <string>loginwindow:login</string>
130 <string>builtin:reset-password,privileged</string>
131 <string>builtin:auto-login,privileged</string>
132 <string>builtin:authenticate,privileged</string>
133 <string>HomeDirMechanism:login,privileged</string>
134 <string>HomeDirMechanism:status</string>
135 <string>MCXMechanism:login</string>
136 <string>loginwindow:success</string>
137 <string>loginwindow:done</string>
138 </array>
139 </dict>
140 <key>system.login.done</key>
141 <dict>
142 <key>class</key>
143 <string>evaluate-mechanisms</string>
144 <key>mechanisms</key>
145 <array>
146 </array>
147 </dict>
148 <key>system.login.screensaver</key>
149 <dict>
150 <key>class</key>
151 <string>rule</string>
152 <key>comment</key>
153 <string>The owner or any administrator can unlock the screensaver.</string>
154 <key>rule</key>
155 <string>authenticate-session-owner-or-admin</string>
156 </dict>
157 <key>system.login.tty</key>
158 <dict>
159 <key>class</key>
160 <string>evaluate-mechanisms</string>
161 <key>tries</key>
162 <integer>1</integer>
163 <key>mechanisms</key>
164 <array>
165 <string>push_hints_to_context</string>
166 <string>authinternal</string>
167 </array>
168 </dict>
169 <key>system.keychain.create.loginkc</key>
170 <dict>
171 <key>allow-root</key>
172 <false/>
173 <key>class</key>
174 <string>evaluate-mechanisms</string>
175 <key>comment</key>
176 <string>Used by the Security framework when you add an item to an unconfigured default keychain.</string>
177 <key>mechanisms</key>
178 <array>
179 <string>loginKC:queryCreate</string>
180 <string>loginKC:showPasswordUI</string>
181 <string>authinternal</string>
182 </array>
183 <key>session-owner</key>
184 <true/>
185 <key>shared</key>
186 <false/>
187 </dict>
188 <key>system.keychain.modify</key>
189 <dict>
190 <key>class</key>
191 <string>user</string>
192 <key>comment</key>
193 <string>Used by Keychain Access when editing a system keychain.</string>
194 <key>group</key>
195 <string>admin</string>
196 <key>shared</key>
197 <false/>
198 <key>timeout</key>
199 <integer>300</integer>
200 </dict>
201 <key>system.preferences</key>
202 <dict>
203 <key>allow-root</key>
204 <true/>
205 <key>class</key>
206 <string>user</string>
207 <key>comment</key>
208 <string>Checked by the Admin framework when making changes to certain System Preferences.</string>
209 <key>group</key>
210 <string>admin</string>
211 <key>shared</key>
212 <true/>
213 </dict>
214 <key>system.preferences.accounts</key>
215 <dict>
216 <key>allow-root</key>
217 <true/>
218 <key>class</key>
219 <string>user</string>
220 <key>comment</key>
221 <string>Checked by the Admin framework when making changes to the Accounts preference pane.</string>
222 <key>group</key>
223 <string>admin</string>
224 <key>shared</key>
225 <false/>
226 </dict>
227 <key>system.preferences.parental-controls</key>
228 <dict>
229 <key>class</key>
230 <string>user</string>
231 <key>comment</key>
232 <string>Checked when making changes to the Parental Controls preference pane.</string>
233 <key>group</key>
234 <string>admin</string>
235 <key>shared</key>
236 <false/>
237 </dict>
238 <key>system.preferences.accessibility</key>
239 <dict>
240 <key>allow-root</key>
241 <true/>
242 <key>class</key>
243 <string>user</string>
244 <key>comment</key>
245 <string>Checked by the Admin framework when enabling or disabling the Accessibility APIs.</string>
246 <key>group</key>
247 <string>admin</string>
248 <key>shared</key>
249 <false/>
250 <key>timeout</key>
251 <integer>0</integer>
252 </dict>
253 <key>system.printingmanager</key>
254 <dict>
255 <key>class</key>
256 <string>rule</string>
257 <key>comment</key>
258 <string>For printing to locked printers.</string>
259 <key>rule</key>
260 <string>authenticate-admin</string>
261 </dict>
262 <key>system.print.admin</key>
263 <dict>
264 <key>class</key>
265 <string>rule</string>
266 <key>k-of-n</key>
267 <integer>1</integer>
268 <key>rule</key>
269 <array>
270 <string>is-lpadmin</string>
271 <string>is-admin</string>
272 <string>default</string>
273 </array>
274 </dict>
275 <key>system.identity.write.</key>
276 <dict>
277 <key>class</key>
278 <string>rule</string>
279 <key>comment</key>
280 <string>For creating, changing or deleting local user accounts and groups.</string>
281 <key>k-of-n</key>
282 <integer>1</integer>
283 <key>rule</key>
284 <array>
285 <string>is-admin</string>
286 <string>authenticate-admin</string>
287 </array>
288 </dict>
289 <key>system.identity.write.credential</key>
290 <dict>
291 <key>class</key>
292 <string>rule</string>
293 <key>comment</key>
294 <string>Checked when changing authentication credentials (password or certificate) for a local user account.</string>
295 <key>rule</key>
296 <string>default</string>
297 </dict>
298 <key>system.identity.write.self</key>
299 <dict>
300 <key>class</key>
301 <string>user</string>
302 <key>comment</key>
303 <string>Checked when changing authentication credentials (password or certificate) for the current user's account.</string>
304 <key>authenticate-user</key>
305 <false/>
306 <key>session-owner</key>
307 <true/>
308 </dict>
309 <key>system.global-login-items.</key>
310 <dict>
311 <key>class</key>
312 <string>rule</string>
313 <key>k-of-n</key>
314 <integer>1</integer>
315 <key>rule</key>
316 <array>
317 <string>is-admin</string>
318 <string>default</string>
319 </array>
320 </dict>
321 <key>system.sharepoints.</key>
322 <dict>
323 <key>allow-root</key>
324 <true/>
325 <key>class</key>
326 <string>user</string>
327 <key>comment</key>
328 <string>Checked when making changes to the Sharepoints.</string>
329 <key>group</key>
330 <string>admin</string>
331 <key>shared</key>
332 <true/>
333 </dict>
334 <key>com.apple.activitymonitor.kill</key>
335 <dict>
336 <key>class</key>
337 <string>user</string>
338 <key>comment</key>
339 <string>Used by Activity Monitor to authorize killing processes not owned by the user.</string>
340 <key>group</key>
341 <string>admin</string>
342 <key>shared</key>
343 <false/>
344 <key>timeout</key>
345 <integer>0</integer>
346 </dict>
347 <key>com.apple.Safari.parental-controls</key>
348 <dict>
349 <key>allow-root</key>
350 <true/>
351 <key>class</key>
352 <string>user</string>
353 <key>comment</key>
354 <string>Checked when changing parental controls for Safari.</string>
355 <key>group</key>
356 <string>admin</string>
357 <key>shared</key>
358 <false/>
359 <key>timeout</key>
360 <integer>0</integer>
361 </dict>
362 <key>com.apple.docset.install</key>
363 <dict>
364 <key>class</key>
365 <string>user</string>
366 <key>comment</key>
367 <string>Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.</string>
368 <key>group</key>
369 <string>admin</string>
370 <key>shared</key>
371 <false/>
372 </dict>
373 <key>system.privilege.admin</key>
374 <dict>
375 <key>allow-root</key>
376 <true/>
377 <key>class</key>
378 <string>user</string>
379 <key>comment</key>
380 <string>Used by AuthorizationExecuteWithPrivileges(...).
381 AuthorizationExecuteWithPrivileges() is used by programs requesting
382 to run a tool as root (e.g., some installers).</string>
383 <key>group</key>
384 <string>admin</string>
385 <key>shared</key>
386 <false/>
387 <key>timeout</key>
388 <integer>300</integer>
389 </dict>
390 <key>system.privilege.taskport</key>
391 <dict>
392 <key>allow-root</key>
393 <false/>
394 <key>class</key>
395 <string>user</string>
396 <key>comment</key>
397 <string>Used by task_for_pid(...).
398 Task_for_pid is called by programs requesting full control over another program
399 for things like debugging or performance analysis. This authorization only applies
400 if the requesting and target programs are run by the same user; it will never
401 authorize access to the program of another user.</string>
402 <key>group</key>
403 <string>admin</string>
404 <key>shared</key>
405 <true/>
406 </dict>
407 <key>system.restart</key>
408 <dict>
409 <key>class</key>
410 <string>evaluate-mechanisms</string>
411 <key>comment</key>
412 <string>Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.</string>
413 <key>mechanisms</key>
414 <array>
415 <string>RestartAuthorization:restart</string>
416 <string>RestartAuthorization:authenticate</string>
417 <string>RestartAuthorization:success</string>
418 </array>
419 </dict>
420 <key>system.shutdown</key>
421 <dict>
422 <key>class</key>
423 <string>evaluate-mechanisms</string>
424 <key>comment</key>
425 <string>Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.</string>
426 <key>mechanisms</key>
427 <array>
428 <string>RestartAuthorization:shutdown</string>
429 <string>RestartAuthorization:authenticate</string>
430 <string>RestartAuthorization:success</string>
431 </array>
432 </dict>
433 <key>system.burn</key>
434 <dict>
435 <key>class</key>
436 <string>allow</string>
437 <key>comment</key>
438 <string>For burning media.</string>
439 </dict>
440 <key>system.services.directory.configure</key>
441 <dict>
442 <key>class</key>
443 <string>user</string>
444 <key>group</key>
445 <string>admin</string>
446 <key>allow-root</key>
447 <true/>
448 <key>shared</key>
449 <true/>
450 <key>timeout</key>
451 <integer>300</integer>
452 <key>comment</key>
453 <string>For making Directory Services changes.</string>
454 </dict>
455 <key>com.apple.server.admin.streaming</key>
456 <dict>
457 <key>class</key>
458 <string>user</string>
459 <key>comment</key>
460 <string>For making administrative requests to the QuickTime Streaming Server.</string>
461 <key>group</key>
462 <string>admin</string>
463 <key>shared</key>
464 <false/>
465 <key>allow-root</key>
466 <true/>
467 <key>timeout</key>
468 <integer>0</integer>
469 </dict>
470 <key>com.apple.trust-settings.admin</key>
471 <dict>
472 <key>comment</key>
473 <string>For modifying Trust Settings in the Local Admin domain.</string>
474 <key>allow-root</key>
475 <true/>
476 <key>class</key>
477 <string>user</string>
478 <key>group</key>
479 <string>admin</string>
480 </dict>
481 <key>com.apple.trust-settings.user</key>
482 <dict>
483 <key>rule</key>
484 <string>authenticate-session-owner</string>
485 <key>comment</key>
486 <string>For modifying per-user Trust Settings.</string>
487 </dict>
488 <key>system.install.admin.user</key>
489 <dict>
490 <key>class</key>
491 <string>user</string>
492 <key>comment</key>
493 <string>Checked when user is installing in admin domain (/Applications).</string>
494 <key>group</key>
495 <string>admin</string>
496 <key>shared</key>
497 <false/>
498 <key>timeout</key>
499 <integer>300</integer>
500 </dict>
501 <key>system.install.root.user</key>
502 <dict>
503 <key>class</key>
504 <string>user</string>
505 <key>comment</key>
506 <string>Checked when user is installing in root domain (/System).</string>
507 <key>group</key>
508 <string>admin</string>
509 <key>shared</key>
510 <false/>
511 <key>timeout</key>
512 <integer>300</integer>
513 </dict>
514 <key>system.install.root.admin</key>
515 <dict>
516 <key>class</key>
517 <string>user</string>
518 <key>comment</key>
519 <string>Checked when admin is installing in root domain (/System).</string>
520 <key>group</key>
521 <string>admin</string>
522 <key>shared</key>
523 <false/>
524 <key>timeout</key>
525 <integer>300</integer>
526 </dict>
527 <key>com.apple.appserver.privilege.admin</key>
528 <dict>
529 <key>class</key>
530 <string>rule</string>
531 <key>comment</key>
532 <string>For administrative access to the Application Server management tool.</string>
533 <key>rule</key>
534 <string>appserver-admin</string>
535 </dict>
536 <key>com.apple.appserver.privilege.user</key>
537 <dict>
538 <key>class</key>
539 <string>rule</string>
540 <key>comment</key>
541 <string>For user access to the Application Server management tool.</string>
542 <key>k-of-n</key>
543 <integer>1</integer>
544 <key>rule</key>
545 <array>
546 <string>appserver-admin</string>
547 <string>appserver-user</string>
548 </array>
549 </dict>
550 <key>com.apple.dashboard.advisory.allow</key>
551 <dict>
552 <key>class</key>
553 <string>user</string>
554 <key>group</key>
555 <string>admin</string>
556 <key>shared</key>
557 <false/>
558 <key>timeout</key>
559 <integer>300</integer>
560 </dict>
561 <key>com.apple.desktopservices</key>
562 <dict>
563 <key>class</key>
564 <string>user</string>
565 <key>comment</key>
566 <string>For privileged file operations from within the Finder.</string>
567 <key>group</key>
568 <string>admin</string>
569 <key>shared</key>
570 <false/>
571 <key>timeout</key>
572 <integer>0</integer>
573 </dict>
574 <key>com.apple.builtin.generic-new-passphrase</key>
575 <dict>
576 <key>class</key>
577 <string>evaluate-mechanisms</string>
578 <key>mechanisms</key>
579 <array>
580 <string>builtin:generic-new-passphrase</string>
581 </array>
582 </dict>
583 <key>com.apple.builtin.generic-unlock</key>
584 <dict>
585 <key>class</key>
586 <string>evaluate-mechanisms</string>
587 <key>mechanisms</key>
588 <array>
589 <string>builtin:generic-unlock</string>
590 </array>
591 </dict>
592 <key>com.apple.builtin.confirm-access</key>
593 <dict>
594 <key>class</key>
595 <string>evaluate-mechanisms</string>
596 <key>tries</key>
597 <integer>1</integer>
598 <key>mechanisms</key>
599 <array>
600 <string>builtin:confirm-access</string>
601 </array>
602 </dict>
603 <key>com.apple.builtin.confirm-access-password</key>
604 <dict>
605 <key>class</key>
606 <string>evaluate-mechanisms</string>
607 <key>mechanisms</key>
608 <array>
609 <string>builtin:confirm-access-password</string>
610 </array>
611 </dict>
612 </dict>
613 <key>rules</key>
614 <dict>
615 <key>allow</key>
616 <dict>
617 <key>class</key>
618 <string>allow</string>
619 <key>comment</key>
620 <string>Allow anyone.</string>
621 </dict>
622 <key>authenticate-admin</key>
623 <dict>
624 <key>class</key>
625 <string>user</string>
626 <key>comment</key>
627 <string>Authenticate as an administrator.</string>
628 <key>group</key>
629 <string>admin</string>
630 <key>shared</key>
631 <true/>
632 <key>timeout</key>
633 <integer>0</integer>
634 </dict>
635 <key>authenticate-session-owner</key>
636 <dict>
637 <key>class</key>
638 <string>user</string>
639 <key>comment</key>
640 <string>Authenticate as the session owner.</string>
641 <key>session-owner</key>
642 <true/>
643 </dict>
644 <key>authenticate-session-owner-or-admin</key>
645 <dict>
646 <key>allow-root</key>
647 <false/>
648 <key>class</key>
649 <string>user</string>
650 <key>comment</key>
651 <string>Authenticate either as the owner or as an administrator.</string>
652 <key>group</key>
653 <string>admin</string>
654 <key>session-owner</key>
655 <true/>
656 <key>shared</key>
657 <false/>
658 </dict>
659 <key>is-admin</key>
660 <dict>
661 <key>class</key>
662 <string>user</string>
663 <key>comment</key>
664 <string>Verify that the user asking for authorization is an administrator.</string>
665 <key>group</key>
666 <string>admin</string>
667 <key>authenticate-user</key>
668 <false/>
669 <key>shared</key>
670 <string>true</string>
671 </dict>
672 <key>is-lpadmin</key>
673 <dict>
674 <key>class</key>
675 <string>user</string>
676 <key>comment</key>
677 <string>Verify that the user asking for authorization is an lp administrator.</string>
678 <key>group</key>
679 <string>lpadmin</string>
680 <key>authenticate-user</key>
681 <false/>
682 </dict>
683 <key>is-root</key>
684 <dict>
685 <key>allow-root</key>
686 <true/>
687 <key>class</key>
688 <string>user</string>
689 <key>authenticate-user</key>
690 <false/>
691 <key>comment</key>
692 <string>Verify that the process that created this AuthorizationRef is running as root.</string>
693 </dict>
694 <key>appserver-user</key>
695 <dict>
696 <key>class</key>
697 <string>user</string>
698 <key>group</key>
699 <string>appserverusr</string>
700 </dict>
701 <key>appserver-admin</key>
702 <dict>
703 <key>class</key>
704 <string>user</string>
705 <key>group</key>
706 <string>appserveradm</string>
707 </dict>
708 <key>default</key>
709 <dict>
710 <key>class</key>
711 <string>user</string>
712 <key>comment</key>
713 <string>Default rule.
714 Credentials remain valid for 5 minutes after they've been obtained.
715 An acquired credential is shared by all clients.
716 </string>
717 <key>group</key>
718 <string>admin</string>
719 <key>shared</key>
720 <true/>
721 <key>timeout</key>
722 <integer>300</integer>
723 </dict>
724 <key>authenticate</key>
725 <dict>
726 <key>class</key>
727 <string>evaluate-mechanisms</string>
728 <key>mechanisms</key>
729 <array>
730 <string>builtin:smartcard-sniffer,privileged</string>
731 <string>builtin:authenticate</string>
732 <string>builtin:authenticate,privileged</string>
733 </array>
734 </dict>
735 </dict>
736 </dict>
737 </plist>
mirror of securityd