Blog Archives

Authorization File Change Log (of sorts) & Archive

I’ve been playing with VMware Fusion snapshots and OS builds and have compiled a repository of original /etc/authorization files in case you mess yours up: Authorization File Archive.

And the correct permissions are: permissions

A few have asked if these posts are still valid for 10.8.x, and I’d like to confirm that yes, they are. I decided to go back and compare each build’s /etc/authorization file to find the changes throughout the OS releases.

10.7.2 to 10.7.3 – Just some new strings added to support multiple new languages.

10.7.3 to 10.7.4 – A couple of new keys were added; brief descriptions below:

<key>com.apple.Safari.show-passwords</key> (Probably allows you to set who can see passwords in Safari)

<string>This right is used by Safari to show passwords </string>

<key>com.apple.library-repair</key>  (Probably allows you to set who can repair libraries)

<string>__APPNAME__ is trying to repair your photo library.</string>

<key>com.apple.security.assessment.update</key> (Not too sure)

<string>Modify Settings</string>

 

10.7.4 to 10.7.5 – No Changes

 

10.7.5 to 10.8 – Lots of Changes, Notes below.

<key>com.apple.AOSNotification.FindMyMac.modify</key> (To investigate) 

<key>com.apple.DiskManagement.internal.</key>

<string>Used by diskmanagementd to allow access to its privileged functions</string> (To investigate) 

<key>com.apple.SoftwareUpdate.modify-settings</key> appears to be exactly the same as <key>system.preferences.softwareupdate</key>, but with a new rule of <string>root-or-entitled-admin-or-app-specific-admin</string> (app-specific-admin seems to be new as well).

<key>com.apple.lldb.LaunchUsingXPC</key> (This replaced a Podcast Producer key; to investigate)

<key>com.apple.opendirectoryd.linkidentity</key> (To investigate) 

<key>system.install.apple-config-data</key> (To investigate) 

<key>system.preferences.nvram</key> (To investigate) 

<key>system.services.directory.configure</key> (Is now a USER rule)

—-

New Keys (abbreviated)

<key>system.services.systemconfiguration.network</key> (Appears the same; to investigate)

<string>For making change to network configuration via System Configuration.</string>

<key>system.volume.</key> (Not sure about this lot of volume-related keys)

<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>

<key>system.volume.external.</key>

<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>

<key>system.volume.external.adopt</key>

<key>system.volume.removable.</key>

<key>system.volume.removable.adopt</key>

<key>app-specific-admin</key> (New rule type; to investigate)
<dict>
<key>class</key>
<string>user</string>
<key>group</key>
<string>admin</string>
</dict>

 

10.8 to 10.8.1 – No Changes

 

10.8.1 to 10.8.2 – Some changes.

<key>system.login.console</key>
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule.  Not for general use, yet.</string>
<key>mechanisms</key>
<array>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string> (NEW, not sure of use)
&
<string>builtin:login-success</string> (NEW, not sure of use)

 

——— Updated: 22 July 2013 ———

 

10.8.2 to 10.8.4 – A few new entries

 

<key>com.apple.container-repair</key>  (Described as: __APPNAME__ needs to repair your Library to run applications)

<dict>
<key>class</key>
<string>user</string>

 

A couple of new Wi-Fi keys that look very useful:

<key>com.apple.wifi</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For restricting WiFi control</string>
<key>k-of-n</key>
<integer>1</integer>
<key>rule</key>
<array>
<string>is-admin</string>
<string>is-root</string>
<string>default</string>
</array>
</dict>
<key>com.apple.wireless-diagnostics</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by the WirelessDiagnosticsSupport framework to restrict XPC services provided by the wdhelper daemon</string>
<key>group</key>
<string>admin</string>
<key>shared</key>
<false/>
</dict>
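The version-to-version comparison above was done by eye. As an added example that is not part of the original post, the Python script below does the same job mechanically: it loads two /etc/authorization files with the standard library plist parser and reports which rights and rules were added, removed, or changed in their class, group or rule fields. The two embedded files are constructed, heavily abbreviated excerpts that echo the 10.7.5 to 10.8 changes noted above (the same top-level rights/rules layout as the real file, but only a handful of entries), not copies of Apple’s files.

```python
import plistlib

# Constructed, heavily abbreviated /etc/authorization excerpts that echo the
# 10.7.5 -> 10.8 notes above (a real file carries hundreds of rights). Both
# keep the file's real top-level layout: a 'rights' dict and a 'rules' dict.
OLD_AUTH = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.preferences.softwareupdate</key>
    <dict> <key>class</key> <string>rule</string>
           <key>rule</key> <string>root-or-entitled-admin</string> </dict>
    <key>system.services.directory.configure</key>
    <dict> <key>class</key> <string>rule</string>
           <key>rule</key> <string>root-or-admin-or-authenticate-admin</string> </dict>
  </dict>
  <key>rules</key>
  <dict/>
</dict>
</plist>
"""

NEW_AUTH = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>com.apple.SoftwareUpdate.modify-settings</key>
    <dict> <key>class</key> <string>rule</string>
           <key>rule</key> <string>root-or-entitled-admin-or-app-specific-admin</string> </dict>
    <key>system.preferences.softwareupdate</key>
    <dict> <key>class</key> <string>rule</string>
           <key>rule</key> <string>root-or-entitled-admin</string> </dict>
    <key>system.services.directory.configure</key>
    <dict> <key>class</key> <string>user</string>
           <key>group</key> <string>admin</string> </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>app-specific-admin</key>
    <dict> <key>class</key> <string>user</string>
           <key>group</key> <string>admin</string> </dict>
  </dict>
</dict>
</plist>
"""


def diff_auth(old_plist: bytes, new_plist: bytes) -> dict:
    """Compare two authorization plists section by section.

    Returns {'rights': {...}, 'rules': {...}}; each section lists the names
    added, the names removed, and, for names present in both files, the
    fields whose values differ as (field, old_value, new_value) tuples.
    """
    old, new = plistlib.loads(old_plist), plistlib.loads(new_plist)
    report = {}
    for section in ("rights", "rules"):
        o, n = old.get(section, {}), new.get(section, {})
        changed = {}
        for name in sorted(set(o) & set(n)):
            fields = sorted(set(o[name]) | set(n[name]))
            diffs = [(f, o[name].get(f), n[name].get(f))
                     for f in fields if o[name].get(f) != n[name].get(f)]
            if diffs:
                changed[name] = diffs
        report[section] = {"added": sorted(set(n) - set(o)),
                           "removed": sorted(set(o) - set(n)),
                           "changed": changed}
    return report


def format_report(report: dict) -> list:
    """Render the diff as one line per finding, ready to print or log."""
    lines = []
    for section, result in report.items():
        lines += [f"+ {section}: {k}" for k in result["added"]]
        lines += [f"- {section}: {k}" for k in result["removed"]]
        for name, diffs in result["changed"].items():
            for field, before, after in diffs:
                lines.append(f"~ {section}: {name} {field}: {before!r} -> {after!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(diff_auth(OLD_AUTH, NEW_AUTH))))
```

To run it against two real files from the archive, read each with `open(path, "rb").read()` and pass the bytes to `diff_auth` in place of the constructed constants; localized description strings will show up as changed fields too, which is exactly the noise that made the manual comparison tedious.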

Mac OS X 10.7 / Lion – First look at /etc/authorization usage

The /etc/authorization file in Mac OS X 10.x can be used to control access to the various panes of System Preferences, amongst other things. Some of us Mac sysadmins use it to give standard users access to System Preferences panes that only admins could otherwise unlock. It can also be used in reverse, to lock down panes you don’t want users messing with. An example from Apple is allowing non-admin users to change the time zone setting – http://support.apple.com/kb/TA23576 (note this still works under Lion; tested on 10.7.4). Often the panes can’t be controlled to the exact level you want via MCX (local or managed) or defaults write / plists, and you don’t want to give users admin rights in a large business or university.

With 10.6, and now 10.7, the following preference panes are locked by default, meaning you need an admin username and password to unlock them: Security & Privacy, Energy Saver, Print & Scan, Network, Sharing, Users & Groups, Parental Controls, Date & Time, Software Update, Time Machine and Startup Disk. As a ‘Standard User’ you can’t unlock these panes.

(Screenshot: System Preferences with the panes above locked)

In 10.6 we could make the following change to the /etc/authorization file to give a standard user semi-admin access to the preference panes:

<key>system.preferences</key>
<dict>
	<key>allow-root</key>
	<true/>
	<key>class</key>
	<string>user</string>
	<key>comment</key>
	<string>Checked by the Admin framework when making changes to certain System Preferences.</string>
	<key>group</key>
	<string>everyone</string>  * Changed from 'admin' to another local group, i.e. staff, everyone, or a custom group you created yourself.
	<key>shared</key>
	<true/>
</dict>

This unlocks the majority of the preference panes above; the downside is that you probably don’t want them all unlocked (i.e. Startup Disk). For some this was acceptable and used. Some of us, however, just wanted a few unlocked: Date & Time for laptop users who travel a lot; Time Machine, so staff could connect to a Time Capsule or USB hard drive at home; Energy Saver, so they could adjust the settings to their liking; etc.

With 10.7 / Lion the /etc/authorization file has undergone some changes and offers much more granular control, making it possible to lock or unlock individual preference panes! (Yes, Time Machine.)

Before you start, make a copy of the authorization file. If you make a wrong edit your machine will get stuck at the spinning cog on boot. You can restore from your backup by booting into Single User mode (Command + S on boot), trashing the messed-up file and renaming your backup. You can also edit the file from this mode: use ‘sudo mount -auw’, then cd etc, then ‘sudo pico authorization’ at the command line. Find the bit you messed up, fix it, save and reboot.

So open up the /etc/authorization file (Finder, Go to Folder, /etc); I’d recommend using TextWrangler to edit it. In general you are going to be searching for a <key>key-name</key> and then editing the very end section of that key’s dict entry. From this, to this:

	<string>__APPNAME__ 正在嘗試解鎖“安全性與隱私”偏好設定。</string>
</dict>
<key>group</key>
<string>admin</string>  ** Change admin to another local group that your user is in, i.e. staff, everyone etc.
<key>shared</key>
<false/>

* Standard users, when created, are automatically put into the “staff” group. Admin users are in both the “staff” and “admin” groups.

Save the file. Update: you don’t actually need to reboot your Mac; System Preferences re-reads the file at the time of the credential check.


To unlock System Preferences in general, so that all the changes below will actually work, you first need to edit this top-level key: <key>system.preferences</key>. Adjust it as above, changing the group to a local group, i.e. staff or everyone. Save & close.


I certainly don’t recommend unlocking all the preference panes, as it may give users more access than you want or have unintended side effects. But I will document them all in case they’re needed.

To unlock the Security & Privacy pane, search for the following key, <key>system.preferences.security</key>, adjust it as above, save & reboot. This alone will unlock the pane, but you still won’t be able to get into it. Try logging in as a standard user and unlocking it: it will work the first time, but you’ll be prompted again, at which point it won’t accept your password. This is because it’s actually trying to unlock the FileVault tab; if you cancel out of the 2nd credential prompt and go back in, you’ll get a slightly different prompt the 2nd time round.

First time round it was ‘is trying to unlock Sharing preferences’; 2nd time it’s ‘modify an encrypted disk’. So go back to the /etc/authorization file and search for this key: <key>com.apple.DiskManagement.reserveKEK</key>

	<dict>
		<key>en</key>
		<string>__APPNAME__ is trying to modify an encrypted disk.</string>
	</dict>
	<key>group</key>
	<string>admin</string> *Change this to another local group: staff, everyone
	<key>shared</key>

Save and reboot. Log in as your standard user; you can now get into the Security & Privacy pane.

Energy Saver – unlockable by editing <key>system.preferences.energysaver</key> (as above).
Print & Scan – unlockable by editing <key>system.preferences.printing</key>; note this unlocks the pane, but you need to be in the lpadmin group to add a printer.
Network – unlockable by editing <key>system.preferences.network</key>.
Sharing – unlockable by editing <key>system.preferences.sharing</key>; this alone won’t unlock Sharing, as the “File Sharing” component is still blocking your access. You need to adjust <key>system.sharepoints.</key> as well.

Users & Groups – unlockable by editing <key>system.preferences.accounts</key>. Again, this alone won’t unlock the pane: you will be prompted for credentials twice and it will fail on attempt two. You need to adjust <key>system.services.directory.configure</key> as well. This key is slightly different and uses a rule key rather than a group key. Edit it as follows to allow the current ‘session user’ access:

	</dict>
	<key>rule</key>
	<string>root-or-admin-or-authenticate-admin</string>  * Change it to authenticate-session-owner-or-admin
</dict>

Parental Controls – unlockable by editing <key>system.preferences.parental-controls</key>.
Date & Time – unlockable by editing <key>system.preferences.datetime</key>, and you can manually add in <key>system.preferences.dateandtime.changetimezone</key> as per this old article – http://support.apple.com/kb/TA23576 (tested under 10.7.4).
Software Update – unlockable by editing <key>system.preferences.softwareupdate</key>.
Time Machine – unlockable by editing <key>system.preferences.timemachine</key>.
Startup Disk – unlockable by editing <key>system.preferences.startupdisk</key>.
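Two checks worth running after making the edits described above, as an added example that is not from the original post: first, that the edited file still parses as a plist (a malformed file is what leaves the Mac at the spinning cog on boot, so catch it before saving); second, a listing of every right that no longer requires an admin, so you can see exactly which panes and services you have opened up. The sample file is constructed, the admin group and rule-name lists are an assumption based on what this page quotes, and the “loosened right” heuristic is mine, not anything Apple ships.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed /etc/authorization excerpt after the edits described above:
# system.preferences opened to 'everyone', Date & Time opened to 'staff',
# Startup Disk left on 'admin', and the directory.configure rule swapped to
# the session owner. Real files are far longer; the layout is the real one.
EDITED_AUTH = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.preferences</key>
    <dict> <key>class</key> <string>user</string>
           <key>group</key> <string>everyone</string>
           <key>shared</key> <true/> </dict>
    <key>system.preferences.datetime</key>
    <dict> <key>class</key> <string>user</string>
           <key>group</key> <string>staff</string> </dict>
    <key>system.preferences.startupdisk</key>
    <dict> <key>class</key> <string>user</string>
           <key>group</key> <string>admin</string> </dict>
    <key>system.services.directory.configure</key>
    <dict> <key>class</key> <string>rule</string>
           <key>rule</key> <string>authenticate-session-owner-or-admin</string> </dict>
    <key>com.apple.wifi</key>
    <dict> <key>class</key> <string>rule</string>
           <key>k-of-n</key> <integer>1</integer>
           <key>rule</key> <array> <string>is-admin</string> <string>is-root</string> </array> </dict>
  </dict>
  <key>rules</key>
  <dict/>
</dict>
</plist>
"""

# The same file with one '>' dropped: the kind of slip that leaves the Mac
# stuck at the spinning cog on boot (constructed).
BROKEN_AUTH = EDITED_AUTH.replace(b"<string>everyone</string>", b"<string>everyone</string", 1)

# Groups and rule names that still gate a right behind an admin. The rule
# names are the ones quoted on this page; both sets are an assumption to
# extend for your own build, not an exhaustive list.
ADMIN_GROUPS = {"admin"}
ADMIN_RULES = {"root-or-admin-or-authenticate-admin", "root-or-entitled-admin",
               "root-or-entitled-admin-or-app-specific-admin", "is-admin", "is-root"}


def validate_authorization(data: bytes):
    """Parse the file. Returns (plist, None) on success or (None, message)
    when the XML is malformed, so a bad edit is caught before it is saved."""
    try:
        auth = plistlib.loads(data)
    except (ExpatError, ValueError) as exc:  # ValueError covers InvalidFileException
        return None, f"authorization file does not parse: {exc}"
    if "rights" not in auth or "rules" not in auth:
        return None, "authorization file is missing its 'rights' or 'rules' dictionary"
    return auth, None


def find_loosened_rights(auth: dict) -> list:
    """List (right, reason) for rights that no longer require an admin.

    A 'user' class right is loosened when its group is not an admin group; a
    'rule' class right is loosened when any rule it names is not admin-only.
    Heuristic written for this example, not a check the system performs.
    """
    findings = []
    for name, right in sorted(auth["rights"].items()):
        cls = right.get("class")
        if cls == "user" and right.get("group") not in ADMIN_GROUPS:
            findings.append((name, f"group is {right.get('group')!r}"))
        elif cls == "rule":
            rules = right.get("rule", [])
            rules = rules if isinstance(rules, list) else [rules]
            weak = [r for r in rules if r not in ADMIN_RULES]
            if weak:
                findings.append((name, f"rule {weak[0]!r} does not require an admin"))
    return findings


if __name__ == "__main__":
    for sample in (EDITED_AUTH, BROKEN_AUTH):
        auth, err = validate_authorization(sample)
        if err:
            print(err)
            continue
        for right, reason in find_loosened_rights(auth):
            print(f"{right}: {reason}")
```

Run `validate_authorization` on the bytes of your edited file before you copy it back into /etc; if it returns a message instead of a plist, fix the XML first. The loosened-rights list is the part to keep for your records, since it is the answer to “what exactly can a standard user now change on this build?”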

And then there are some new keys of interest in Lion:

<key>system.install.app-store-software</key>
<key>com.apple.SoftwareUpdate.scan</key>

That’s my wrap up of the authorization file in Lion.  Happy to try and answer any queries.