Start

Advanced Configuration

Fine-tuning Rights in the Authorization Policy Database

As outlined in the chapter The First Launch of the Application, Sync Checker integrates into the security environment of macOS to fulfill the guidelines for high-end system applications. If necessary, experienced administrators can fine-tune the policy by which macOS decides to ask or not to ask for user credentials whenever Sync Checker has to perform a privileged operation. For example, authorization can be passed to a fingerprint reader when certain rights are requested.

Sync Checker itself cannot assist you in modifying the Authorization Policy Database because this is a chicken and egg problem: Accessing the database requires privileged rights managed by the database. The application could easily lose the rights to change the rights stored in the file which defines the rights.

Prerequisites

Administrators who like to change the authorization policy should have read and understood the following documentation available from Apple:

Authorization Services Programming Guide

Displaying and Modifying an Authorization Right

Apple’s command-line program security must be used to show or modify definitions in the authorization policy database. Information on this program is available after entering the command man security in Terminal.

The definition of each right can be retrieved or modified in form of an macOS property list, specified in XML format. An introduction to macOS property lists and the individual definition of records for authorization rights specified by Apple are beyond the scope of this manual, however. For further reference, please consult Apple’s official documentation on these topics.

To retrieve a right definition from the authorization policy database, use a command of the following pattern:

security authorizationdb read "right-identification" > "filename".plist

Here, “right-identification” must be replaced by the name of the right and “filename” must be replaced by a Unix file path of the property list to which the right definition should be saved. The identification names used by Sync Checker are specified in the next section. As an example, the command

security authorizationdb read com.bresink.syck.delete-files > ~/delete-files.plist

causes macOS to retrieve the current authorization policy for Sync Checker’s right to delete files, and writes the policy data to the property list file delete-files.plist in the user’s home folder.

To modify a right definition, edit your intended changes in the created property list file as needed, then write the definition back into the authorization policy database. This is done by a command of the pattern

sudo security authorizationdb write "right-identification" < "filename".plist

which can only be executed by an administrative user. macOS will automatically ask for your password. Assuming you have made modifications to the property list file delete-files.plist from the previous example, you would write these changes back with the command

sudo security authorizationdb write com.bresink.syck.delete-files < ~/delete-files.plist

Definition of Authorization Rights

All authorization rights possibly used by Sync Checker are prefixed with the identifier com.bresink.syck. The tables below define the names of all rights and their meanings. In initial configuration, all rights are configured to follow the authorization policy rule named default, with exception of the rights marked as always allow.

By default, the authorization rule named default is preconfigured by Apple and establishes the following policy:

Administrative and diagnostic operations
Right Identification Meaning
com.bresink.syck.nop an empty command, just to test communication with the security subsystem (always allow)
com.bresink.syck.discard-auth discard the current authorization immediately (always allow)
com.bresink.syck.delete-files delete one or more file system objects with known path names
com.bresink.syck.prepare-uninstall prepare the system to remove the security component of Sync Checker
File system operations
Right Identification Meaning
com.bresink.syck.mount-filesystem mount or re-mount file systems
com.bresink.syck.count-objects count file system objects in a hierarchy of folders
com.bresink.syck.compare-folders compare file system objects in two hierarchies of folders