Advanced Configuration

Fine-tuning Rights in the Authorization Policy Database

As outlined in the chapter The First Launch of the Application, TinkerTool System integrates into the security environment of OS X to fulfill the guidelines for high-end system applications. If necessary, experienced administrators can fine-tune the policy by which OS X decides to ask or not to ask for user credentials whenever TinkerTool System has to perform a privileged operation. For example, authorization can be passed to a fingerprint reader when certain rights are requested.

TinkerTool System itself cannot assist you in modifying the Authorization Policy Database because this is a chicken and egg problem: Accessing the database requires privileged rights managed by the database. The application could easily lose the rights to change the rights stored in the file which defines the rights.


Administrators who like to change the authorization policy should have read and understood the following documentation available from Apple:

Authorization Services Programming Guide

Displaying and Modifying an Authorization Right

Apple’s command-line program security must be used to show or modify definitions in the authorization policy database. Information on this program is available after entering the command man security in Terminal.

The definition of each right can be retrieved or modified in form of an OS X property list, specified in XML format. An introduction to OS X property lists and the individual definition of records for authorization rights specified by Apple are beyond the scope of this manual, however. For further reference, please consult Apple’s official documentation on these topics.

To retrieve a right definition from the authorization policy database, use a command of the following pattern:

security authorizationdb read "right-identification" > "filename".plist

Here, “right-identification” must be replaced by the name of the right and “filename” must be replaced by a Unix file path of the property list to which the right definition should be saved. The identification names used by TinkerTool System are specified in the next section. As an example, the command

security authorizationdb read com.bresink.tts.delete-files > ~/delete-files.plist

causes OS X to retrieve the current authorization policy for TinkerTool System’s right to delete files, and writes the policy data to the property list file delete-files.plist in the user’s home folder.

To modify a right definition, edit your intended changes in the created property list file as needed, then write the definition back into the authorization policy database. This is done by a command of the pattern

sudo security authorizationdb write "right-identification" < "filename".plist

which can only be executed by an administrative user. OS X will automatically ask for your password. Assuming you have made modifications to the property list file delete-files.plist from the previous example, you would write these changes back with the command

sudo security authorizationdb write com.bresink.tts.delete-files < ~/delete-files.plist

Definition of Authorization Rights

All authorization rights possibly used by TinkerTool System are prefixed with the identifier com.bresink.tts. The tables below define the names of all rights and their meanings. In initial configuration, all rights are configured to follow the authorization policy rule named default, with exception of the rights marked as always allow.

By default, the authorization rule named default is preconfigured by Apple and establishes the following policy:

Administrative and diagnostic operations
Right Identification Meaning
com.bresink.tts.nop an empty command, just to test communication with the security subsystem (always allow)
com.bresink.tts.discard-auth discard the current authorization immediately (always allow)
com.bresink.tts.delete-files delete one or more file system objects with known path names
com.bresink.tts.prepare-uninstall prepare the system to remove the security component of TinkerTool System
File system operations
Right Identification Meaning
com.bresink.tts.modify-systemfile modify the content of a file
com.bresink.tts.create-fileobject create a new file system object
com.bresink.tts.rename-fileobject rename a file system object
com.bresink.tts.delete-fileobjects delete a list of file system objects
com.bresink.tts.delete-foldercontents delete the contents of one or more folders
com.bresink.tts.inspect-fileobject get the metadata of a file system object
com.bresink.tts.touch-fileobject set the modification time of a file system object
com.bresink.tts.modify-protection change the protection (user change) flag of a file system object
com.bresink.tts.modify-hfsattr change the HFS attributes of a file system object
com.bresink.tts.create-link create a file system link search for file system objects of a certain age in a folder hierarchy search for file system objects with specified names in a folder hierarchy search for file system objects with name patterns in a folder hierarchy search for file system objects with undefined ownership attributes
com.bresink.tts.inspect-storagesize determine the storage size of a folder hierarchy
Other operations
Right Identification Meaning
com.bresink.tts.modify-powersetting modify a power management setting of the operating system
com.bresink.tts.modify-diskspindown modify the sleep mode setting for disk drives
com.bresink.tts.modify-kernelsetting modify a setting of the operating system kernel
com.bresink.tts.modify-nvram modify settings stored in the non-volatile RAM
com.bresink.tts.modify-preferences modify a preference setting
com.bresink.tts.modify-sysconf modify a system configuration setting
com.bresink.tts.signal-process send a signal to a running process
com.bresink.tts.modify-acl modify the Access Control List of a file system object
com.bresink.tts.prop-permissions propagate permission settings within a hierarchy of folders
com.bresink.tts.execute-utility run a trusted utility program of the operating system
com.bresink.tts.enable-ipvsix modify a network setting to control IPv6 support on active interfaces
com.bresink.tts.rename-stashfolder move a folder, ensuring integrity of all its attributes