As outlined in the chapter The First Launch of the Application, TinkerTool System integrates into the security environment of OS X to fulfill the guidelines for high-end system applications. If necessary, experienced administrators can fine-tune the policy by which OS X decides to ask or not to ask for user credentials whenever TinkerTool System has to perform a privileged operation. For example, authorization can be passed to a fingerprint reader when certain rights are requested.
TinkerTool System itself cannot assist you in modifying the Authorization Policy Database because this is a chicken and egg problem: Accessing the database requires privileged rights managed by the database. The application could easily lose the rights to change the rights stored in the file which defines the rights.
Administrators who like to change the authorization policy should have read and understood the following documentation available from Apple:
Apple’s command-line program security must be used to show or modify definitions in the authorization policy database. Information on this program is available after entering the command man security in Terminal.
The definition of each right can be retrieved or modified in form of an OS X property list, specified in XML format. An introduction to OS X property lists and the individual definition of records for authorization rights specified by Apple are beyond the scope of this manual, however. For further reference, please consult Apple’s official documentation on these topics.
To retrieve a right definition from the authorization policy database, use a command of the following pattern:
security authorizationdb read "right-identification" > "filename".plist
Here, “right-identification” must be replaced by the name of the right and “filename” must be replaced by a Unix file path of the property list to which the right definition should be saved. The identification names used by TinkerTool System are specified in the next section. As an example, the command
security authorizationdb read com.bresink.tts.delete-files > ~/delete-files.plist
causes OS X to retrieve the current authorization policy for TinkerTool System’s right to delete files, and writes the policy data to the property list file delete-files.plist in the user’s home folder.
To modify a right definition, edit your intended changes in the created property list file as needed, then write the definition back into the authorization policy database. This is done by a command of the pattern
sudo security authorizationdb write "right-identification" < "filename".plist
which can only be executed by an administrative user. OS X will automatically ask for your password. Assuming you have made modifications to the property list file delete-files.plist from the previous example, you would write these changes back with the command
sudo security authorizationdb write com.bresink.tts.delete-files < ~/delete-files.plist
All authorization rights possibly used by TinkerTool System are prefixed with the identifier com.bresink.tts. The tables below define the names of all rights and their meanings. In initial configuration, all rights are configured to follow the authorization policy rule named default, with exception of the rights marked as always allow.
By default, the authorization rule named default is preconfigured by Apple and establishes the following policy:
|com.bresink.tts.nop||an empty command, just to test communication with the security subsystem (always allow)|
|com.bresink.tts.discard-auth||discard the current authorization immediately (always allow)|
|com.bresink.tts.delete-files||delete one or more file system objects with known path names|
|com.bresink.tts.prepare-uninstall||prepare the system to remove the security component of TinkerTool System|
|com.bresink.tts.modify-systemfile||modify the content of a file|
|com.bresink.tts.create-fileobject||create a new file system object|
|com.bresink.tts.rename-fileobject||rename a file system object|
|com.bresink.tts.delete-fileobjects||delete a list of file system objects|
|com.bresink.tts.delete-foldercontents||delete the contents of one or more folders|
|com.bresink.tts.inspect-fileobject||get the metadata of a file system object|
|com.bresink.tts.touch-fileobject||set the modification time of a file system object|
|com.bresink.tts.modify-protection||change the protection (user change) flag of a file system object|
|com.bresink.tts.modify-hfsattr||change the HFS attributes of a file system object|
|com.bresink.tts.create-link||create a file system link|
|com.bresink.tts.search-agedfiles||search for file system objects of a certain age in a folder hierarchy|
|com.bresink.tts.search-filenames||search for file system objects with specified names in a folder hierarchy|
|com.bresink.tts.search-patterns||search for file system objects with name patterns in a folder hierarchy|
|com.bresink.tts.search-fileorphans||search for file system objects with undefined ownership attributes|
|com.bresink.tts.inspect-storagesize||determine the storage size of a folder hierarchy|
|com.bresink.tts.modify-powersetting||modify a power management setting of the operating system|
|com.bresink.tts.modify-diskspindown||modify the sleep mode setting for disk drives|
|com.bresink.tts.modify-kernelsetting||modify a setting of the operating system kernel|
|com.bresink.tts.modify-nvram||modify settings stored in the non-volatile RAM|
|com.bresink.tts.modify-preferences||modify a preference setting|
|com.bresink.tts.modify-sysconf||modify a system configuration setting|
|com.bresink.tts.signal-process||send a signal to a running process|
|com.bresink.tts.modify-acl||modify the Access Control List of a file system object|
|com.bresink.tts.prop-permissions||propagate permission settings within a hierarchy of folders|
|com.bresink.tts.execute-utility||run a trusted utility program of the operating system|
|com.bresink.tts.enable-ipvsix||modify a network setting to control IPv6 support on active interfaces|
|com.bresink.tts.rename-stashfolder||move a folder, ensuring integrity of all its attributes|