As outlined in the chapter The First Launch of the Application, NFS Manager integrates into the security environment of macOS to fulfill the guidelines for high-end system applications. If necessary, experienced administrators can fine-tune the policy by which macOS decides to ask or not to ask for user credentials whenever NFS Manager has to perform a privileged operation. For example, authorization can be passed to a fingerprint reader when certain rights are requested.
NFS Manager itself cannot assist you in modifying the Authorization Policy Database because this is a chicken and egg problem: Accessing the database requires privileged rights managed by the database. The application could easily lose the rights to change the rights stored in the file which defines the rights.
Administrators who like to change the authorization policy should have read and understood the following documentation available from Apple:
Apple’s command-line program security must be used to show or modify definitions in the authorization policy database. Information on this program is available after entering the command man security in Terminal.
The definition of each right can be retrieved or modified in form of an macOS property list, specified in XML format. An introduction to macOS property lists and the individual definition of records for authorization rights specified by Apple are beyond the scope of this manual, however. For further reference, please consult Apple’s official documentation on these topics.
To retrieve a right definition from the authorization policy database, use a command of the following pattern:
security authorizationdb read "right-identification" > "filename".plist
Here, “right-identification” must be replaced by the name of the right and “filename” must be replaced by a Unix file path of the property list to which the right definition should be saved. The identification names used by NFS Manager are specified in the next section. As an example, the command
security authorizationdb read com.bresink.nfs.modify-systemfile > ~/modify-systemfile.plist
causes macOS to retrieve the current authorization policy for NFS Manager’s right to modify system files, and writes the policy data to the property list file modify-systemfile.plist in the user’s home folder.
To modify a right definition, edit your intended changes in the created property list file as needed, then write the definition back into the authorization policy database. This is done by a command of the pattern
sudo security authorizationdb write "right-identification" < "filename".plist
which can only be executed by an administrative user. macOS will automatically ask for your password. Assuming you have made modifications to the property list file modify-systemfile.plist from the previous example, you would write these changes back with the command
sudo security authorizationdb write com.bresink.nfs.modify-systemfile < ~/modify-systemfile.plist
All authorization rights possibly used by NFS Manager are prefixed with the identifier com.bresink.nfs. The tables below define the names of all rights and their meanings. In initial configuration, all rights are configured to follow the authorization policy rule named default, with exception of the rights marked as always allow.
By default, the authorization rule named default is preconfigured by Apple and establishes the following policy:
|com.bresink.nfs.nop||an empty command, just to test communication with the security subsystem (always allow)|
|com.bresink.nfs.discard-auth||discard the current authorization immediately (always allow)|
|com.bresink.nfs.delete-files||delete one or more file system objects with known path names|
|com.bresink.nfs.prepare-uninstall||prepare the system to remove the security component of NFS Manager|
|com.bresink.nfs.modify-systemfile||modify the content of a file|
|com.bresink.nfs.create-fileobject||create a new file system object|
|com.bresink.nfs.rename-fileobject||rename a file system object|
|com.bresink.nfs.delete-fileobjects||delete a list of file system objects|
|com.bresink.nfs.signal-process||send a signal to a running process|
|com.bresink.nfs.execute-utility||run a trusted utility program of the operating system|