Advanced Configuration

Fine-tuning Rights in the Authorization Policy Database

As outlined in the chapter The First Launch of the Application, TinkerTool System integrates into the security environment of Mac OS X to fulfill the guidelines for high-end system applications. If necessary, experienced administrators can fine-tune the policy by which Mac OS X decides to ask or not to ask for user credentials whenever TinkerTool System has to be perform a privileged operation. For example, authorization can be passed to a fingerprint reader when certain rights are being requested.

TinkerTool System itself cannot assist you in modifying the Authorization Policy Database because this is a chicken and egg problem: Accessing the database requires privileged rights managed by the database. The application could easily lose the rights to change the rights stored in the file which defines the rights.


Administrators who like to change the authorization policy should have read and understood the following documentation available from Apple:

These documents are available via Apple’s support and developer web pages.

Displaying and Modifying an Authorization Right

With an operating system prior to OS X 10.9 Mavericks, system administrators can use a standard text editor to modify the authorization definitions in the file /etc/authorization directly. The file is owned by the system authority root, so it should be opened with extended privileges via the command line.

When using OS X 10.9 Mavericks, Apple’s command-line program security must be used to show or modify definitions in the authorization policy database. Information on this program is available after entering the command man security in Terminal.

The definition of each right can be retrieved or modified in form of an OS X property list, specified in XML format. An introduction to OS X property lists and the individual definition of records for authorization rights specified by Apple are beyond the scope of this manual, however. For further reference, please consult Apple’s official documentation on these topics.

To retrieve a right definition from the authorization policy database, use a command of the following pattern:

security authorizationdb read "right-identification" > "filename".plist

Here, “right-identification” must be replaced by the name of right and “filename” must be replaced by a Unix file path of the property list to which the right definition should be saved. The identification names used by TinkerTool System are specified in the next section. As an example, the command

security authorizationdb read > ~/create-link.plist

causes OS X to retrieve the current authorization policy for TinkerTool System’s right to create file system links, and writes the policy data to the property list file create-link.plist in the user’s home folder.

To modify a right definition, edit your intended changes in the created property list file as needed, then write the definition back into the authorization policy database. This is done by a command of the pattern

sudo security authorizationdb write "right-identification" < "filename".plist

which can only be executed by an administrative user. OS X will automatically ask for your password. Assuming you have made modifications to the property list file create-link.plist from the previous example, you would write these changes back with the command

sudo security authorizationdb write < ~/create-link.plist

Definition of Authorization Rights

All authorization rights possibly used by applications of Marcel Bresink Software-Systeme are prefixed with the identifier com.bresink. The tables below define the names of all rights and their meanings. Note that the tables might include rights not in active use by TinkerTool System but by other applications of Marcel Bresink Software-Systeme. In initial configuration, all rights are configured to follow the authorization policy rule named default.

By default, the authorization rule named default is preconfigured by Apple and establishes the following policy:

File system operations
Right Identification Meaning Comparing the contents of file system folders.
com.bresink.count.file-objects Counting objects in file systems.
com.bresink.create.file-object Creating a new file system object owned by the system administrator. Creating a file system link.
com.bresink.delete.file-objects Deleting one or more file system objects.
com.bresink.delete.file-subtree Deleting one or more file system objects recursively.
com.bresink.delete.folder-contents Deleting the contents of one or more folders.
com.bresink.delete.hibernation-file Deleting the power management hibernation file. Computing the storage size of a subtree of file system objects.
com.bresink.inspect.file-object Verifying if a file system object exists at a certain location.
com.bresink.modify.protect-attribute Changing the protection attributes of file systems objects.
com.bresink.rename.file-object Renaming a file system object.
com.bresink.remove.system-protection Removing the system protection of file systems objects.
com.bresink.touch.file-object Updating the modification time of a file system object.
Operations directly related to OS X commands
Right Identification Meaning
com.bresink.execute.atsutil Executing the atsutil command to maintain Apple Type Services.
com.bresink.execute.cupsctl Executing the cupsctl command to interact with the printing subsystem.
com.bresink.execute.diskutil Executing the diskutil command for disk maintenance.
com.bresink.execute.ditto Executing the ditto command to copy file system objects.
com.bresink.execute.dotclean Executing the dot_clean command to process AppleDouble files.
com.bresink.execute.launchctl Executing the launchctl command to interact with the launch service.
com.bresink.execute.lipo Executing the lipo command to modify fat executables.
com.bresink.execute.mdutil Executing the mdutil command for Spotlight-related maintenance.
com.bresink.execute.package_repair Executing the repair command to reset file permissions.
com.bresink.execute.periodic Executing the operating system’s periodic jobs.
com.bresink.execute.tmutil Executing the tmutil command for maintenance tasks related to Time Machine.
com.bresink.execute.umount Executing commands to unmount file systems.
Other operations
Right Identification Meaning
com.bresink.enable.mbs-evaluation Enabling evaluation mode of Marcel Bresink software products.
com.bresink.flush.lookup-cache Clearing the cache of Directory Services.
com.bresink.manage.acl-support Managing the support of Access Control Lists in file systems.
com.bresink.modify.acl-permissions Modifying the ACL permission settings of a file system object.
com.bresink.modify.file-content Modifying contents of a system-related file.
com.bresink.modify.ownership Modifying the ownership of a file system object.
com.bresink.modify.posix-permissions Modifying the POSIX permission settings of a file system object.
com.bresink.modify.power-management Enabling or disabling features of the power management.
com.bresink.mount.file-system Mounting a file system.
com.bresink.prepuninst.mbs-security-tool Preparing removal of the security component.
com.bresink.propagate.permissions Propagating permission settings of a folder to objects it contains.
com.bresink.refresh.automounter Letting the automounter update the mount configuration.
com.bresink.restart.nfs-server Restarting the NFS file server. Searching file system objects of a certain age. Searching file system objects without a known owner. Searching file system objects having names of a certain pattern. Searching file system objects matching multiple name patterns.
com.bresink.set.disk-spindown Setting the system’s spindown time for hard drives.
com.bresink.set.hfs-attributes Setting HFS attributes of file system objects.
com.bresink.set.kernel-value Modifying a live setting of the operating system kernel. Modifying the maximum transfer unit of a network interface.
com.bresink.set.nvram Modifying a computer setting stored in non-volatile memory.
com.bresink.set.system-config Changing a system configuration value.
com.bresink.set.system-preference Changing a system-wide preference setting.
com.bresink.shutdown.mbs-security-tool Shutting down the security component of MBS software products.
com.bresink.stop.process Stopping a running process.
com.bresink.stop.startsound-control Shutting down management software for the startup sound.
com.bresink.update.dyld-cache Updating shared cache information for dynamic linking in programs.
com.bresink.whoami.diagnostic Performing diagnostic functions with the security component.