+ <key>admin</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <true/>
+ </dict>
+ <key>allow</key>
+ <dict>
+ <key>class</key>
+ <string>allow</string>
+ <key>comment</key>
+ <string>Allow anyone.</string>
+ </dict>
+ <key>appserver-admin</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>appserveradm</string>
+ </dict>
+ <key>appserver-user</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>appserverusr</string>
+ </dict>
+ <key>authenticate</key>
+ <dict>
+ <key>class</key>
+ <string>evaluate-mechanisms</string>
+ <key>mechanisms</key>
+ <array>
+ <string>builtin:authenticate</string>
+ <string>builtin:reset-password,privileged</string>
+ <string>builtin:authenticate,privileged</string>
+ <string>PKINITMechanism:auth,privileged</string>
+ </array>
+ </dict>
+ <key>authenticate-admin</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Authenticate as an administrator.</string>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>0</integer>
+ </dict>
+ <key>authenticate-admin-30</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Like the default rule, but
+ credentials remain valid for only 30 seconds after they've
+ been obtained. An acquired credential is shared by all clients.
+ </string>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>30</integer>
+ </dict>
+ <key>authenticate-appstore-30</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>_appstore</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>30</integer>
+ </dict>
+ <key>authenticate-developer</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Authenticate as a developer.</string>
+ <key>group</key>
+ <string>_developer</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>36000</integer>
+ </dict>
+ <key>authenticate-session-owner</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Authenticate as the session owner.</string>
+ <key>session-owner</key>
+ <true/>
+ </dict>
+ <key>authenticate-session-owner-or-admin</key>
+ <dict>
+ <key>allow-root</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Authenticate either as the owner or as an administrator.</string>
+ <key>group</key>
+ <string>admin</string>
+ <key>session-owner</key>
+ <true/>
+ <key>shared</key>
+ <false/>
+ </dict>
+ <key>authenticate-session-user</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Same as authenticate-session-owner.</string>
+ <key>session-owner</key>
+ <true/>
+ </dict>
+ <key>default</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Default rule.
+ Credentials remain valid for 5 minutes after they've been obtained.
+ An acquired credential is shared by all clients.
+ </string>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>300</integer>
+ </dict>
+ <key>entitled</key>
+ <dict>
+ <key>class</key>
+ <string>evaluate-mechanisms</string>
+ <key>mechanisms</key>
+ <array>
+ <string>builtin:entitled,privileged</string>
+ </array>
+ <key>tries</key>
+ <integer>1</integer>
+ </dict>
+ <key>entitled-admin</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>2</integer>
+ <key>rule</key>
+ <array>
+ <string>is-admin</string>
+ <string>entitled</string>
+ </array>
+ </dict>
+ <key>entitled-admin-or-authenticate-admin</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>entitled-admin</string>
+ <string>authenticate-admin-30</string>
+ </array>
+ </dict>
+ <key>entitled-appstore</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>2</integer>
+ <key>rule</key>
+ <array>
+ <string>is-appstore</string>
+ <string>entitled</string>
+ </array>
+ </dict>
+ <key>entitled-appstore-or-entitled-authenticate-appstore</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>entitled-appstore</string>
+ <string>entitled-authenticate-appstore</string>
+ </array>
+ </dict>
+ <key>entitled-authenticate-admin</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>2</integer>
+ <key>rule</key>
+ <array>
+ <string>entitled</string>
+ <string>authenticate-admin-30</string>
+ </array>
+ </dict>
+ <key>entitled-authenticate-appstore</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>2</integer>
+ <key>rule</key>
+ <array>
+ <string>entitled</string>
+ <string>authenticate-appstore-30</string>
+ </array>
+ </dict>
+ <key>entitled-session-owner</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>2</integer>
+ <key>rule</key>
+ <array>
+ <string>is-session-owner</string>
+ <string>entitled</string>
+ </array>
+ </dict>
+ <key>entitled-session-owner-or-authenticate-session-owner</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>entitled-session-owner</string>
+ <string>authenticate-session-owner</string>
+ </array>
+ </dict>
+ <key>is-admin</key>
+ <dict>
+ <key>authenticate-user</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Verify that the user asking for authorization is an administrator.</string>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <string>true</string>
+ </dict>
+ <key>is-appstore</key>
+ <dict>
+ <key>authenticate-user</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>_appstore</string>
+ <key>shared</key>
+ <string>true</string>
+ </dict>
+ <key>is-developer</key>
+ <dict>
+ <key>authenticate-user</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Verify that the user asking for authorization is a developer.</string>
+ <key>group</key>
+ <string>_developer</string>
+ </dict>
+ <key>is-lpadmin</key>
+ <dict>
+ <key>authenticate-user</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>_lpadmin</string>
+ </dict>
+ <key>is-root</key>
+ <dict>
+ <key>allow-root</key>
+ <true/>
+ <key>authenticate-user</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Verify that the process that created this AuthorizationRef is running as root.</string>
+ </dict>
+ <key>is-session-owner</key>
+ <dict>
+ <key>allow-root</key>
+ <false/>
+ <key>authenticate-user</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Verify that the requesting process is running as the session owner.</string>
+ <key>session-owner</key>
+ <true/>
+ </dict>
+ <key>lpadmin</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>_lpadmin</string>
+ <key>shared</key>
+ <true/>
+ </dict>
+ <key>on-console</key>
+ <dict>
+ <key>class</key>
+ <string>evaluate-mechanisms</string>
+ <key>mechanisms</key>
+ <array>
+ <string>builtin:on-console</string>
+ </array>
+ <key>tries</key>
+ <integer>1</integer>
+ </dict>
+ <key>root-or-admin-or-authenticate-admin</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>is-root</string>
+ <string>is-admin</string>
+ <string>authenticate-admin-30</string>
+ </array>
+ </dict>
+ <key>root-or-entitled-admin-or-admin</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>is-root</string>
+ <string>entitled-admin</string>
+ <string>admin</string>
+ </array>
+ </dict>
projects / apple / securityd.git / commitdiff
