Modifying the OS X Mavericks Authorization Database

corbinmharris
Contributor

We need to give our users the ability to update their password for TimeMachine backups and thought I would share this link I found this morning.

http://www.afp548.com/2013/10/22/modifying-the-os-x-mavericks-authorization-database/


haircut
Contributor

Yeah I'm having a bit of trouble translating what I used to do using PlistBuddy over to the `security` commands. The man page isn't terribly explicit.

```text
Usage: authorizationdb read <right-name>
       authorizationdb remove <right-name>
       authorizationdb write <right-name> [allow|deny|<rulename>]
If no rulename is specified, write will read a plist from stdin.
       authorizationdb merge source [destination]
If no destination path is specified, merge will merge to /etc/authorization.
       authorizationdb smartcard <enable|disable|status>
Enables/disables smartcard login support or report current status.
        Make changes to the authorization policy database.
```

All of the following attempts are returning "NO" error (which is comical):

```shell
security authorizationdb write system.preferences.printing allow group groupname
security authorizationdb write system.preferences.printing allow-groupname
security authorizationdb write system.preferences.printing allow groupname
security authorizationdb write system.preferences.printing groupname
security authorizationdb write system.preferences.printing group groupname
```

Do the developer docs outline this in more detail?

haircut
Contributor

Oh wow, never mind. You can write individual rule definitions out to a plist, modify that plist, then read it back in. That implies you can put your authorizations in version control and modify them without maintaining a monolithic script (as I'd done in the past in my firstboot script). This is seriously powerful.

Here's an example:

```shell
security authorizationdb read system.preferences.printing > /path/to/printing-definition.plist

# Modify the output plist via script or manually

security authorizationdb write system.preferences.printing < /path/to/printing-definition.plist
```

I'm still not aware of any documentation on what some of the rulesets mean but this is very simple for the standard use case of a limited-privilege "power users" group.
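Added example (not from the thread or from Apple): the read / modify / write round trip described above, done with Python's standard `plistlib` so the edit can be scripted and reviewed before anything is written back. The sample right definition is constructed to look like the output of `security authorizationdb read` for a `user`-class right (the key names `class`, `group`, `shared`, `timeout` and `allow-root` are real right attributes; the values are illustrative). `apply_to_database` is the only part that needs macOS and root; the editing and checking functions run anywhere.

```python
"""Edit an authorization right definition as a plist and sanity-check it
before handing it back to `security authorizationdb write`.

Added example, not code from the thread. Only plistlib (standard library)
is used; the two `security` calls are reached only from apply_to_database().
"""
import plistlib
import subprocess

# Constructed sample resembling `security authorizationdb read
# system.preferences.printing` output. Real output carries more keys
# (version, created, modified, ...), which everything below passes through.
SAMPLE_RIGHT = plistlib.dumps({
    "class": "user",
    "group": "admin",
    "shared": True,
    "timeout": 2147483647,
    "allow-root": True,
    "comment": "Printing preference pane (constructed sample)",
})


def read_attr(plist_bytes: bytes, key: str):
    """Return one attribute of a right definition (None if absent)."""
    return plistlib.loads(plist_bytes).get(key)


def set_group(plist_bytes: bytes, group: str) -> bytes:
    """Return the right definition with its `group` attribute replaced.

    Only a `user`-class right authenticates against a group; on any other
    class the `group` key is meaningless, so refuse rather than write it.
    """
    right = plistlib.loads(plist_bytes)
    if right.get("class") != "user":
        raise ValueError(f"right is class {right.get('class')!r}, not 'user'")
    right["group"] = group
    return plistlib.dumps(right)


def check_right(plist_bytes: bytes, expected_group: str) -> list:
    """List anything a reviewer should see before this plist is written back."""
    right = plistlib.loads(plist_bytes)
    findings = []
    if right.get("class") == "allow":
        findings.append("class 'allow' grants the right with no authentication")
    if right.get("class") == "user" and right.get("group") != expected_group:
        findings.append(
            f"group is {right.get('group')!r}, expected {expected_group!r}")
    return findings


def apply_to_database(right_name: str, group: str) -> bytes:
    """macOS only: read the right, change its group, verify, write it back.

    `security authorizationdb read` prints the plist on stdout, and `write`
    takes it on stdin (needs root), exactly as in the thread's example.
    """
    current = subprocess.run(
        ["security", "authorizationdb", "read", right_name],
        check=True, capture_output=True).stdout
    updated = set_group(current, group)
    problems = check_right(updated, group)
    if problems:
        raise RuntimeError("; ".join(problems))
    subprocess.run(["security", "authorizationdb", "write", right_name],
                   input=updated, check=True)
    return updated


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a Mac you would call
    # apply_to_database("system.preferences.printing", "powerusers") as root.
    new = set_group(SAMPLE_RIGHT, "powerusers")
    print(new.decode())
    print("findings:", check_right(new, "powerusers"))
```

Because `set_group` and `check_right` work on bytes, the same functions can run over a directory of right definitions kept in version control, which is the workflow the post above suggests.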