Is there a spec someplace that actually documents what goes in a right?
No, alas. This has been a long-standing complaint about Authorization Services from day one. I’m pretty sure we already have a bug on file about this but you should feel free to file your own, so you can explain how this is inconveniencing you in your own words.
Please post your bug number, just for the record.
Note: Some of the keys are documented in <Security/AuthorizationDB.h> but this is nowhere near sufficient.
The class and allow-root keys seem the most puzzling …
class is the main control point in the right specification. You can expect to see values like:
allow-root is for user class rights and indicates that a root process can satisfy the right without further authentication.
In the absence of proper documentation my recommendation is that you look through the existing rights in the authorization database to see how they’re specified. This is tricky to do because security authorizationdb doesn’t let you list out the rights (that’s also bugworthy IMO). I worked around this by dumping the rights using sqlite:
$ echo "select name from rules;" | sudo sqlite3 /var/db/auth.db > right-names.txt
WARNING: The above is for debugging purposes only. The location and format of the authorisation database is not considered API. It has changed in the past and may well change again in the future.
You can then take that output and call security authorizationdb on each item:
$ while read -r i; do echo "--- right '$i' ---"; security authorizationdb read "$i"; done < right-names.txt > right-specifications.txt
Finally, if you get really stuck you can take a look at AuthorizationTagsPriv.h in Darwin.
WARNING: You have to be careful when looking at Darwin source because it’s a specification of the implementation, not of the API. In this case I think it’s reasonable to look at the comments in this file to understand the intended behaviour of authorisation database keys, but you have to be careful to avoid binding your app so tightly to the implementation that it breaks when the implementation changes.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
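The two-step procedure above (dump the right names, then read each right) produces a pile of XML plists that still have to be read by eye. The following is an added example, not code from the post or from Apple: it parses right specifications in the shape that security authorizationdb read prints, pulls out the class and allow-root keys discussed above, and flags user-class rights that a root process could satisfy without authenticating. The two sample plists are constructed for illustration; the key names class and allow-root come from the post, while group, shared, timeout and rule are assumed here as further keys you may encounter in the database. The macOS-only helpers at the bottom just wrap the sqlite3 and security commands from the post and carry the same caveat: the database path and schema are not API.

```python
"""Summarise Authorization Services right specifications (added example)."""
import plistlib
import subprocess

# Constructed samples in the shape of `security authorizationdb read <right>` output.
# Key names mirror the post (class, allow-root) plus a few assumed extras (group,
# shared, timeout, rule); the values are illustrative, not copied from a real system.
USER_CLASS_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>class</key><string>user</string>
  <key>group</key><string>admin</string>
  <key>allow-root</key><true/>
  <key>shared</key><true/>
  <key>timeout</key><integer>300</integer>
</dict>
</plist>
"""

RULE_CLASS_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>class</key><string>rule</string>
  <key>rule</key><array><string>authenticate-admin</string></array>
</dict>
</plist>
"""


def parse_right(plist_bytes):
    """Parse one right specification (XML plist) into a dict."""
    spec = plistlib.loads(plist_bytes)
    if not isinstance(spec, dict):
        raise ValueError("right specification is not a dictionary")
    return spec


def root_bypasses_auth(spec):
    """True when a root process can satisfy this right without authenticating.

    Per the post, allow-root only applies to class=user rights, so a right of any
    other class does not match even if it happens to carry the key.
    """
    return spec.get("class") == "user" and bool(spec.get("allow-root", False))


def summarize_right(name, plist_bytes):
    """Return the fields worth eyeballing for one right."""
    spec = parse_right(plist_bytes)
    return {
        "name": name,
        "class": spec.get("class"),
        "allow-root": spec.get("allow-root"),
        "group": spec.get("group"),
        "rule": spec.get("rule"),
        "root_bypasses_auth": root_bypasses_auth(spec),
    }


# macOS-only helpers wrapping the commands from the post (debugging use only).

def list_right_names():
    """Dump right names from auth.db. Path and schema are not API and may change."""
    out = subprocess.run(
        ["sudo", "sqlite3", "/var/db/auth.db", "select name from rules;"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def read_right(name):
    """Equivalent of `security authorizationdb read <name>`; returns plist bytes."""
    return subprocess.run(
        ["security", "authorizationdb", "read", name],
        check=True, capture_output=True,
    ).stdout


if __name__ == "__main__":
    for right in list_right_names():
        try:
            s = summarize_right(right, read_right(right))
        except (subprocess.CalledProcessError, ValueError) as exc:
            print(f"{right}: could not read ({exc})")
            continue
        flag = "ROOT-NO-AUTH" if s["root_bypasses_auth"] else ""
        print(f"{right}: class={s['class']} allow-root={s['allow-root']} {flag}")
```

Run it with python3 on a Mac to get one line per right; anything marked ROOT-NO-AUTH is a user-class right with allow-root set, which is the combination the post describes as letting a root process through without further authentication.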