Start

Advanced Configuration

Fine-tuning Rights in the Authorization Policy Database

As outlined in the chapter The First Launch of the Application, NFS Manager integrates into the security environment of macOS to fulfill the guidelines for high-end system applications. If necessary, experienced administrators can fine-tune the policy by which macOS decides to ask or not to ask for user credentials whenever NFS Manager has to perform a privileged operation. For example, authorization can be passed to a fingerprint reader when certain rights are requested.

NFS Manager itself cannot assist you in modifying the Authorization Policy Database because this is a chicken and egg problem: Accessing the database requires privileged rights managed by the database. The application could easily lose the rights to change the rights stored in the file which defines the rights.

Prerequisites

Administrators who like to change the authorization policy should have read and understood the following documentation available from Apple:

Authorization Services Programming Guide

Displaying and Modifying an Authorization Right

Apple’s command-line program security must be used to show or modify definitions in the authorization policy database. Information on this program is available after entering the command man security in Terminal.

The definition of each right can be retrieved or modified in form of an macOS property list, specified in XML format. An introduction to macOS property lists and the individual definition of records for authorization rights specified by Apple are beyond the scope of this manual, however. For further reference, please consult Apple’s official documentation on these topics.

To retrieve a right definition from the authorization policy database, use a command of the following pattern:

security authorizationdb read "right-identification" > "filename".plist

Here, “right-identification” must be replaced by the name of the right and “filename” must be replaced by a Unix file path of the property list to which the right definition should be saved. The identification names used by NFS Manager are specified in the next section. As an example, the command

security authorizationdb read com.bresink.nfs.modify-systemfile > ~/modify-systemfile.plist

causes macOS to retrieve the current authorization policy for NFS Manager’s right to modify system files, and writes the policy data to the property list file modify-systemfile.plist in the user’s home folder.

To modify a right definition, edit your intended changes in the created property list file as needed, then write the definition back into the authorization policy database. This is done by a command of the pattern

sudo security authorizationdb write "right-identification" < "filename".plist

which can only be executed by an administrative user. macOS will automatically ask for your password. Assuming you have made modifications to the property list file modify-systemfile.plist from the previous example, you would write these changes back with the command

sudo security authorizationdb write com.bresink.nfs.modify-systemfile < ~/modify-systemfile.plist

Definition of Authorization Rights

All authorization rights possibly used by NFS Manager are prefixed with the identifier com.bresink.nfs. The tables below define the names of all rights and their meanings. In initial configuration, all rights are configured to follow the authorization policy rule named default, with exception of the rights marked as always allow.

By default, the authorization rule named default is preconfigured by Apple and establishes the following policy:

Administrative and diagnostic operations
Right Identification Meaning
com.bresink.nfs.nop an empty command, just to test communication with the security subsystem (always allow)
com.bresink.nfs.discard-auth discard the current authorization immediately (always allow)
com.bresink.nfs.delete-files delete one or more file system objects with known path names
com.bresink.nfs.prepare-uninstall prepare the system to remove the security component of NFS Manager
Other operations
Right Identification Meaning
com.bresink.nfs.modify-systemfile modify the content of a file
com.bresink.nfs.create-fileobject create a new file system object
com.bresink.nfs.rename-fileobject rename a file system object
com.bresink.nfs.delete-fileobjects delete a list of file system objects
com.bresink.nfs.signal-process send a signal to a running process
com.bresink.nfs.execute-utility run a trusted utility program of the operating system