Rixstep

Take a Stroll with Xfile Part Two

What do you have on your HDD today?


What do you have on your HDD today? Want to find out more? Put down those blasted Finder crayons and follow along.

We'll start where we left off last time - /private.

/private

/private is a latter-day attempt to keep /etc out of view. The classic directory /etc is now a symbolic link ('symlink') to /private/etc, and the Unix temporary directory /tmp is today a symlink to /private/tmp.

They're obviously very crucial OS files, as they have such low inodes: on HFS the 'inode representation' - the HFS 'CNID' - gets bumped up continually, and vacated indexes can't be reused until HFS has worked through all ~4,294,967,296+ on the first round.

/etc has some interesting files. They're mostly administrative in nature.

authorization has the rules for privilege escalation on your machine. It's used by Activity Monitor, Safari, System Preferences, Xcode - everyone.

You'll also see, if you look through it, that some settings must be altered by direct edit. [Good luck.]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>comment</key>
    <string>The name of the requested right is matched against the keys.
            An exact match has priority, otherwise the longest match from the start is used.
            Note that the right will only match wildcard rules (ending in a ".") during this reduction.

            allow rule: this is always allowed
            &lt;key&gt;com.apple.TestApp.benign&lt;/key&gt;
            &lt;string&gt;allow&lt;/string&gt;

            deny rule: this is always denied
            &lt;key&gt;com.apple.TestApp.dangerous&lt;/key&gt;
            &lt;string&gt;deny&lt;/string&gt;

            user rule: successful authentication as a user in the specified group(5)
            allows the associated right.

            The shared property specifies whether a credential generated on success is shared with
            other apps (same "session"). This property defaults to false if not specified.

            The timeout property specifies the maximum age of a (cached/shared) credential accepted
            for this rule.

            The allow-root property specifies whether a right should be allowed
            automatically if the requesting process is running with uid == 0. This
            defaults to false if not specified.

            See remaining rules for examples.
    </string>
    <key>rights</key>
    <dict>
        <key></key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>All other rights will be matched by this rule.</string>
            <key>rule</key>
            <string>default</string>
        </dict>
        <key>com.apple.</key>
        <dict>
            <key>rule</key>
            <string>default</string>
        </dict>
        <key>com.apple.Safari.parental-controls</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>This right is checked when changing parental controls for Safari</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>0</integer>
        </dict>
        <key>com.apple.Xcode.distcc.admin</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>This right is used by Xcode to invoke a setuid tool to run launchctl as root to
                    change distcc sharing on this machine</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <true/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>com.apple.activitymonitor.kill</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by Activity Monitor to authorize killing processes not owned by
                    the user</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>0</integer>
        </dict>
        <key>com.apple.airport.allow.computer-to-computer</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>Whether AirPort interactions are allowed or not</string>
            <key>k-of-n</key>
            <integer>1</integer>
            <key>rule</key>
            <array>
                <string>is-admin</string>
                <string>allow</string>
            </array>
        </dict>
        <key>com.apple.airport.allow.network.change</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>Whether AirPort interactions are allowed or not</string>
            <key>k-of-n</key>
            <integer>1</integer>
            <key>rule</key>
            <array>
                <string>is-admin</string>
                <string>allow</string>
            </array>
        </dict>
        <key>com.apple.appserver.privilege.admin</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>Used to determine administrative access to the Application Server management
                    tool.</string>
            <key>rule</key>
            <string>appserver-admin</string>
        </dict>
        <key>com.apple.appserver.privilege.user</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>Used to determine user access to the Application Server management tool.</string>
            <key>k-of-n</key>
            <integer>1</integer>
            <key>rule</key>
            <array>
                <string>appserver-admin</string>
                <string>appserver-user</string>
            </array>
        </dict>
        <key>com.apple.builtin.confirm-access</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:confirm-access</string>
            </array>
        </dict>
        <key>com.apple.builtin.confirm-access-password</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:confirm-access-password</string>
            </array>
        </dict>
        <key>com.apple.builtin.generic-new-passphrase</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:generic-new-passphrase</string>
            </array>
        </dict>
        <key>com.apple.builtin.generic-unlock</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:generic-unlock</string>
            </array>
        </dict>
        <key>com.apple.desktopservices</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>authorize privileged file operations from the finder</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>0</integer>
        </dict>
        <key>com.apple.server.admin.streaming</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used for admin requests with the QuickTime Streaming Server.</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>0</integer>
        </dict>
        <key>config.add.</key>
        <dict>
            <key>class</key>
            <string>allow</string>
            <key>comment</key>
            <string>wildcard right for adding rights.
                    Anyone is allowed to add any (non-wildcard) rights</string>
        </dict>
        <key>config.config.</key>
        <dict>
            <key>class</key>
            <string>deny</string>
            <key>comment</key>
            <string>wildcard right for any change to meta-rights for db modification.
                    Not allowed programmatically (just edit this file)</string>
        </dict>
        <key>config.modify.</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard)
                    rights. Root does not require authentication.</string>
            <key>k-of-n</key>
            <integer>1</integer>
            <key>rule</key>
            <array>
                <string>is-root</string>
                <string>authenticate-admin</string>
            </array>
        </dict>
        <key>config.remove.</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard)
                    rights. Root does not require authentication.</string>
            <key>k-of-n</key>
            <integer>1</integer>
            <key>rule</key>
            <array>
                <string>is-root</string>
                <string>authenticate-admin</string>
            </array>
        </dict>
        <key>config.remove.system.</key>
        <dict>
            <key>class</key>
            <string>deny</string>
            <key>comment</key>
            <string>wildcard right for deleting system rights.</string>
        </dict>
        <key>sys.openfile.</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>See authopen(1) for information on the use of this right.</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>system.</key>
        <dict>
            <key>rule</key>
            <string>default</string>
        </dict>
        <key>system.burn</key>
        <dict>
            <key>class</key>
            <string>allow</string>
            <key>comment</key>
            <string>authorization to burn media</string>
        </dict>
        <key>system.device.dvd.setregion.initial</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by the dvd player to set the regioncode the first time.
                    Note that changed the region code after it has been set requires a different right
                    (system.device.dvd.setregion.change) Credentials remain valid indefinitely after
                    they've been obtained. An acquired credential is shared amongst all clients.</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <true/>
        </dict>
        <key>system.install.admin.user</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by installer tool: user installling in admin domain (/Applications)</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>system.install.root.admin</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by installer tool: admin installling in root domain (/System)</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>system.install.root.user</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by installer tool: user installling in root domain (/System)</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>system.keychain.create.loginkc</key>
        <dict>
            <key>allow-root</key>
            <false/>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>comment</key>
            <string>Used by Security framework when you add an item to a unconfigured default
                    keychain</string>
            <key>mechanisms</key>
            <array>
                <string>loginKC:queryCreate</string>
                <string>loginKC:showPasswordUI</string>
                <string>authinternal</string>
            </array>
            <key>session-owner</key>
            <true/>
            <key>shared</key>
            <false/>
        </dict>
        <key>system.keychain.modify</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by Keychain Access when editing a system keychain.</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>system.login.console</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>comment</key>
            <string>Login mechanism based rule. Not for general use, yet. builtin:krb5authenticate
                    can be used to hinge local authentication on a successful kerberos authentication
                    and kdc verification. builtin:krb5authnoverify skips the kdc verification. Both
                    fall back on local authentication.</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:auto-login,privileged</string>
                <string>loginwindow_builtin:login</string>
                <string>builtin:reset-password,privileged</string>
                <string>authinternal</string>
                <string>builtin:getuserinfo,privileged</string>
                <string>builtin:sso,privileged</string>
                <string>HomeDirMechanism:login,privileged</string>
                <string>HomeDirMechanism:status</string>
                <string>MCXMechanism:login</string>
                <string>loginwindow_builtin:success</string>
                <string>loginwindow_builtin:done</string>
            </array>
        </dict>
        <key>system.login.done</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>comment</key>
            <string>builtin:krb5login can be used to do kerberos authentication as a side-effect
                    of logging in. Local username/password will be used.</string>
            <key>mechanisms</key>
            <array/>
        </dict>
        <key>system.login.pam</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>push_hints_to_context</string>
                <string>authinternal</string>
            </array>
            <key>tries</key>
            <integer>1</integer>
        </dict>
        <key>system.login.screensaver</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>the owner as well as any admin can unlock the screensaver;modify the group key to
                    change this.</string>
            <key>rule</key>
            <string>authenticate-session-owner-or-admin</string>
        </dict>
        <key>system.login.tty</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>push_hints_to_context</string>
                <string>authinternal</string>
            </array>
            <key>tries</key>
            <integer>1</integer>
        </dict>
        <key>system.preferences</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>This right is checked by the Admin framework when making changes to the
                    system preferences.</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <true/>
        </dict>
        <key>system.preferences.accessibility</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>This right is checked by the Admin framework when enabling or disabling the
                    Accessibility APIs</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>0</integer>
        </dict>
        <key>system.preferences.accounts</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>This right is checked by the Admin framework when making changes to the
                    accounts preference pane</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
        </dict>
        <key>system.printingmanager</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>The following right is checked for printing to locked printers.</string>
            <key>rule</key>
            <string>authenticate-admin</string>
        </dict>
        <key>system.privilege.admin</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by AuthorizationExecuteWithPrivileges(...) AuthorizationExecuteWithPrivileges is
                    used by programs requesting to run a tool as root (ie. some installers). Credentials
                    remain valid 5 minutes after they've been obtained. An acquired credential isn't
                    shared with other clients. Clients running as root will be granted this right
                    automatically.
            </string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <false/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>system.restart</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>comment</key>
            <string>Multisession restart mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>RestartAuthorization:restart</string>
                <string>RestartAuthorization:authenticate</string>
                <string>RestartAuthorization:success</string>
            </array>
        </dict>
        <key>system.services.directory.configure</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>authorization to make directory service changes</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <true/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>system.shutdown</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>comment</key>
            <string>Multisession shutdown mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>RestartAuthorization:shutdown</string>
                <string>RestartAuthorization:authenticate</string>
                <string>RestartAuthorization:success</string>
            </array>
        </dict>
    </dict>
    <key>rules</key>
    <dict>
        <key>allow</key>
        <dict>
            <key>class</key>
            <string>allow</string>
            <key>comment</key>
            <string>allow anyone</string>
        </dict>
        <key>appserver-admin</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>group</key>
            <string>appserveradm</string>
        </dict>
        <key>appserver-user</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>group</key>
            <string>appserverusr</string>
        </dict>
        <key>authenticate</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:authenticate</string>
                <string>authinternal</string>
            </array>
        </dict>
        <key>authenticate-admin</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>require the user asking for authorization to authenticate as an admin</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <true/>
            <key>timeout</key>
            <integer>0</integer>
        </dict>
        <key>authenticate-session-owner</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>authenticate session owner</string>
            <key>session-owner</key>
            <true/>
        </dict>
        <key>authenticate-session-owner-or-admin</key>
        <dict>
            <key>allow-root</key>
            <false/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>the owner as well as any admin can authorize</string>
            <key>group</key>
            <string>admin</string>
            <key>session-owner</key>
            <true/>
            <key>shared</key>
            <false/>
        </dict>
        <key>authenticate-session-user</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>authenticate session owner</string>
            <key>session-owner</key>
            <true/>
        </dict>
        <key>default</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>All other rights will be matched by this rule. Credentials remain valid 5 minutes
                    after they've been obtained. An acquired credential is shared amongst all clients.
                    </string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <true/>
            <key>timeout</key>
            <integer>300</integer>
        </dict>
        <key>is-admin</key>
        <dict>
            <key>authenticate-user</key>
            <false/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>verify the user asking for authorization is an admin</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <string>true</string>
        </dict>
        <key>is-root</key>
        <dict>
            <key>allow-root</key>
            <true/>
            <key>authenticate-user</key>
            <false/>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>verify the process that created this authref is root</string>
        </dict>
    </dict>
</dict>
</plist>
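As an added illustration (not code from the page or from Rixstep), here is a small Python evaluator for the right matching the file's own comment describes: an exact key wins, otherwise the longest wildcard key ending in '.', with 'rule' references followed into the rules table, plus an audit pass that flags entries granted to anyone, to uid 0 without authentication, or cached and shared across apps. The embedded plist is a constructed cut-down subset of the file above.

```python
import plistlib
# Constructed sample: a cut-down /etc/authorization (the real file has many more entries).
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key></key>
    <dict><key>class</key><string>rule</string><key>rule</key><string>default</string></dict>
    <key>com.apple.</key>
    <dict><key>rule</key><string>default</string></dict>
    <key>com.apple.airport.allow.network.change</key>
    <dict><key>class</key><string>rule</string><key>k-of-n</key><integer>1</integer>
      <key>rule</key><array><string>is-admin</string><string>allow</string></array></dict>
    <key>system.burn</key>
    <dict><key>class</key><string>allow</string></dict>
    <key>system.privilege.admin</key>
    <dict><key>allow-root</key><true/><key>class</key><string>user</string>
      <key>group</key><string>admin</string><key>shared</key><false/>
      <key>timeout</key><integer>300</integer></dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>allow</key>
    <dict><key>class</key><string>allow</string></dict>
    <key>default</key>
    <dict><key>class</key><string>user</string><key>group</key><string>admin</string>
      <key>shared</key><true/><key>timeout</key><integer>300</integer></dict>
    <key>is-admin</key>
    <dict><key>authenticate-user</key><false/><key>class</key><string>user</string>
      <key>group</key><string>admin</string><key>shared</key><string>true</string></dict>
  </dict>
</dict>
</plist>
"""

DB = plistlib.loads(SAMPLE_AUTHORIZATION)

def match_right(rights, name):
    """Exact key wins; otherwise the longest wildcard key (ending in '.') that is
    a prefix of the name; the empty key is the final catch-all."""
    if name in rights:
        return name
    wild = [k for k in rights if k.endswith(".") and name.startswith(k)]
    if wild:
        return max(wild, key=len)
    return "" if "" in rights else None

def _expand(db, entry, depth=0):
    """Follow 'rule' references; a list-valued 'rule' is a k-of-n alternative set."""
    cls = entry.get("class", "rule" if "rule" in entry else None)
    if cls != "rule":
        return dict(entry)
    ref = entry["rule"]
    if isinstance(ref, list):
        return {"class": "rule", "k-of-n": entry.get("k-of-n", len(ref)),
                "alternatives": [_expand(db, db["rules"][r], depth + 1) for r in ref]}
    return _expand(db, db["rules"][ref], depth + 1)

def resolve(db, name):
    """Effective rule for a right name, or None when nothing matches."""
    key = match_right(db["rights"], name)
    return None if key is None else _expand(db, db["rights"][key])

def audit(db):
    """Flag rights granted to anyone, to uid 0 unauthenticated, or shared and cached."""
    findings = {}
    for key, entry in db["rights"].items():
        eff = _expand(db, entry)
        alts = eff.get("alternatives", [eff])
        flags = []
        if sum(a.get("class") == "allow" for a in alts) >= eff.get("k-of-n", 1):
            flags.append("granted-to-anyone")
        if any(a.get("allow-root") is True for a in alts):
            flags.append("root-bypasses-auth")
        # 'shared' is a bool in most entries but the string "true" in is-admin
        if any(str(a.get("shared", False)).lower() == "true" and a.get("timeout", 0) > 0
               for a in alts):
            flags.append("shared-cached-credential")
        if flags:
            findings[key] = flags
    return findings
```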

crontab used to have all your synchronised chores. They've moved to /System/Library/LaunchDaemons.

They're now in PLIST format. Here are the standard periodicals with their 'factory defaults'.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.periodic-daily</string>
    <key>LowPriorityIO</key>
    <true/>
    <key>Nice</key>
    <integer>1</integer>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/periodic</string>
        <string>daily</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>3</integer>
        <key>Minute</key>
        <integer>15</integer>
    </dict>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.periodic-weekly</string>
    <key>LowPriorityIO</key>
    <true/>
    <key>Nice</key>
    <integer>1</integer>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/periodic</string>
        <string>weekly</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>3</integer>
        <key>Minute</key>
        <integer>15</integer>
        <key>Weekday</key>
        <integer>6</integer>
    </dict>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.periodic-monthly</string>
    <key>LowPriorityIO</key>
    <true/>
    <key>Nice</key>
    <integer>1</integer>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/periodic</string>
        <string>monthly</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Day</key>
        <integer>1</integer>
        <key>Hour</key>
        <integer>5</integer>
        <key>Minute</key>
        <integer>30</integer>
    </dict>
</dict>
</plist>
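To see how these jobs line up with the crontab entries they replaced, here is an added Python helper (not from the page) that renders a LaunchDaemon's StartCalendarInterval as a cron line; the embedded plist is a constructed cut-down copy of the weekly job above.

```python
import plistlib

# Constructed sample: the periodic-weekly job shown above, cut down to the keys
# that matter for the schedule (sample input, not a copy of the system file).
PERIODIC_WEEKLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.periodic-weekly</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/periodic</string><string>weekly</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>3</integer><key>Minute</key><integer>15</integer>
    <key>Weekday</key><integer>6</integer></dict>
</dict>
</plist>
"""

# crontab field order; a key missing from StartCalendarInterval means "any", i.e. '*'
CRON_FIELDS = ("Minute", "Hour", "Day", "Month", "Weekday")


def to_cron(plist_bytes):
    """Render a launchd job's StartCalendarInterval as the crontab line(s) it replaced.
    Returns (label, lines); launchd also accepts an array of intervals, one line each,
    and a job with no calendar interval (e.g. one driven by StartInterval) gets no lines."""
    job = plistlib.loads(plist_bytes)
    cal = job.get("StartCalendarInterval")
    if cal is None:
        return job["Label"], []
    command = " ".join(job["ProgramArguments"])
    lines = []
    for interval in (cal if isinstance(cal, list) else [cal]):
        fields = [str(interval[f]) if f in interval else "*" for f in CRON_FIELDS]
        lines.append(" ".join(fields + [command]))
    return job["Label"], lines
```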

/tmp is used for the login account; the system otherwise uses /var/tmp, where /var too is a (hidden) symbolic link leading to /private/var.

See Also
Xfile: 'Every Other Day'
Xfile: Überfast File Manager for OS X

Copyright © Rixstep. All rights reserved.