How to get rights in Authorization Plug-in

I made an Authorization plug-in and I will use it to evaluate several rights.
So, I need to get a right that is requested by a client in a plug-in.

Usually, I can get a right by calling 'GetHintValue' callback function with 'authorize-right'.
However, sometimes there is no 'authorize-right' in the hints (when calling AuthorizationCopyRights with flags kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights, without kAuthorizationFlagInteractionAllowed).

Logs for SecurityAgentHelper:

```
With hints: {
"client-path" = "name: ...
"client-pid" = "name: ...
"client-type" = "name: ...
"client-uid" = "name: ...
"creator-audit-token" = "name: ...
"creator-pid" = "name: ...
reason = "name: ...
tries = "name: ...
}
```

I also tested the 'GetArguments' callback function, but it always returns errAuthorizationInternal.

Is there any way to get a right in a plug-in?
Answered by cobaltic in 654577022
It’s hard to say what’s going on here without more context. What right are you working with? What does the right specification look like? Is your auth plug-in running privileged?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks for your reply.

One example is Startup Disk in the System Preferences.
  1. Users can enter without any authentication UI.

  2. We show our custom authentication UI.

  3. We use the default authorization service (authd).

To implement the requirements above, we made an authorization plug-in.
We need to get the right in order to properly evaluate a user's request.
My plug-in currently runs non-privileged, but it could be acceptable to run as privileged.

system.preferences.startupdisk

```xml
<key>class</key>
<string>rule</string>
<key>k-of-n</key>
<integer>1</integer>
<key>rule</key>
<array>
<string>plug-in</string>
<string>preferences-startupdisk</string>
</array>
...
```

plug-in

```xml
<key>class</key>
<string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
<string>extAP:Evaluate</string>
</array>
...
```

preferences-startupdisk

```xml
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>group</key>
<string>admin</string>
... original system.preferences.startupdisk
```
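As an added example (not code from the thread, and not Apple's authd), the following Python models how the three rule definitions above chain together: the `system.preferences.startupdisk` rule with `k-of-n` 1 delegates to the `plug-in` rule (which runs the `extAP:Evaluate` mechanism) or to the `preferences-startupdisk` user rule. The rule dictionaries are constructed here to mirror the XML in the post (the truncated `preferences-startupdisk` rule is completed with only the fields shown); on a real system they would come from `security authorizationdb read <right>`. The `k-of-n` semantics (any k of the n sub-rules must succeed, default all of them) and the default for a missing `authenticate-user` key are this model's assumptions, not a reproduction of the engine. The practical check it supports: with `k-of-n` 1, an admin authentication path grants the right even when the plug-in mechanism denies it, so the plug-in is not the only gate on that right.

```python
"""Model of how an authorization right resolves through chained rules.

Constructed example: rule dictionaries below mirror the three definitions
in the post; they are not read from any system's authorization database.
"""
import itertools
import plistlib
from typing import Dict, List, Sequence, Tuple

Path = Tuple[str, ...]


def parse_rule_fragment(fragment: str) -> dict:
    """Parse a bare <key>/<value> fragment (the shape printed by
    `security authorizationdb read`) by wrapping it in a plist envelope."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict>' + fragment + "</dict></plist>"
    )
    return plistlib.loads(xml.encode("utf-8"))


# Constructed to mirror the `plug-in` rule shown in the post.
PLUGIN_RULE_XML = """
<key>class</key>
<string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
<string>extAP:Evaluate</string>
</array>
"""

# Constructed rule set mirroring the post (assumption: the truncated user
# rule contains only the fields that were shown).
RULES: Dict[str, dict] = {
    "system.preferences.startupdisk": {
        "class": "rule",
        "k-of-n": 1,
        "rule": ["plug-in", "preferences-startupdisk"],
    },
    "plug-in": parse_rule_fragment(PLUGIN_RULE_XML),
    "preferences-startupdisk": {
        "allow-root": True,
        "authenticate-user": True,
        "class": "user",
        "group": "admin",
    },
}


def resolve(right: str, rules: Dict[str, dict], _stack: Sequence[str] = ()) -> List[Path]:
    """Enumerate the alternative ways `right` can be satisfied.

    Each returned path is a tuple of leaf evaluations that must all succeed.
    Leaves are 'mechanism:<plugin:mech>' or 'user:<group>:<authenticate|no-auth>'.
    Model assumption: `k-of-n` means any k of the n sub-rules (default: all).
    """
    if right in _stack:
        raise ValueError("rule cycle: " + " -> ".join((*_stack, right)))
    rule = rules[right]
    cls = rule["class"]
    if cls == "allow":
        return [()]  # one path with nothing left to evaluate
    if cls == "deny":
        return []  # no path satisfies the right
    if cls == "evaluate-mechanisms":
        return [tuple("mechanism:" + m for m in rule["mechanisms"])]
    if cls == "user":
        # Model assumption: a missing authenticate-user key means authenticate.
        auth = "authenticate" if rule.get("authenticate-user", True) else "no-auth"
        return [("user:%s:%s" % (rule.get("group", "*"), auth),)]
    if cls == "rule":
        subs = rule["rule"]
        k = int(rule.get("k-of-n", len(subs)))
        paths: List[Path] = []
        for combo in itertools.combinations(subs, k):
            sub_paths = [resolve(s, rules, (*_stack, right)) for s in combo]
            for product in itertools.product(*sub_paths):
                paths.append(tuple(leaf for p in product for leaf in p))
        return paths
    raise ValueError("unsupported rule class %r in %s" % (cls, right))


def mechanism_gates_every_path(right: str, rules: Dict[str, dict], mechanism: str) -> bool:
    """True only if every satisfying path includes `mechanism`; False means
    the right can be obtained without that mechanism succeeding."""
    paths = resolve(right, rules)
    return bool(paths) and all("mechanism:" + mechanism in p for p in paths)


if __name__ == "__main__":
    for path in resolve("system.preferences.startupdisk", RULES):
        print(" AND ".join(path) or "<always allowed>")
    print("plug-in gates every path:",
          mechanism_gates_every_path("system.preferences.startupdisk", RULES, "extAP:Evaluate"))
```

Changing `k-of-n` to 2 in the constructed top-level rule makes both sub-rules mandatory, and `mechanism_gates_every_path` then reports that the plug-in mechanism is on every path; the helper raises on a rule that references itself so a mis-edited database cannot send the resolver into a loop.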


So from your first post I get the impression that you were the one calling AuthorizationCopyRights (based on the fact that you know exactly what flags are being passed in). However, your latest post suggests that you’re actually working with the Startup Disk preferences. How do you know how it’s calling AuthorizationCopyRights? If you write a small test app that calls AuthorizationCopyRights in the same way, does it exhibit the same problem?

ps I noticed this in your earlier post:

I also tested the GetArguments callback function, but it always returns errAuthorizationInternal.

Indeed. Auth arguments were never implemented.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

How do you know how it’s calling AuthorizationCopyRights?

Actually, I don't know how it's calling AuthorizationCopyRights.

If you write a small test app that calls AuthorizationCopyRights in the same way, does it exhibit the same problem?

Yes, I was wondering what causes this problem, so I made a simple test program that just calls the AuthorizationCopyRights API.
There is no 'authorize-rights' in the hints if the flags don't include kAuthorizationFlagInteractionAllowed.

There is no authorize-rights in hints if flags don't have kAuthorizationFlagInteractionAllowed.

Well, that’s interesting. It seems that this behaviour is deliberate. You can see this in the Darwin open source. Consider the comment in line 1462 of Security/OSX/authd/engine.c.auto.html

```c
// only need the hints & mechanisms if we are going to show ui
```


I can’t think of any other way to get this info. If you open a DTS tech support incident I can allocate more time to dig into this but, just to set expectations, I’m skeptical of there being a supportable solution.

Regardless, you should file a bug about this. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Regardless, you should file a bug about this. Please post your bug number, just for the record.

bug number: FB8643695

Thank you for your support.

I'm gonna open a DTS incident even though this issue is not likely to be solved.

Is there anything I have to do when I submit the DTS? (For example, adding this link in the description.)


I'm gonna open a DTS …

That’s cool. I’d kinda like the opportunity to dig into this some more.

Is there anything I have to do when I submit the DTS?

As long as you reference this thread it’ll land in my queue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Accepted Answer
I got a response about FB864396

Please verify this issue with macOS Big Sur 11.2 Beta 1 and update your bug report with your results by logging into https://feedbackassistant.apple.com/ or by using the Feedback Assistant app.


I have tested it, and the plug-in can get an 'authorize-right'.
They asked me to test in macOS Big Sur 11.2 Beta, but this issue is also resolved in macOS 11.1.

Thank you for your support.

PS, I found that the aa (Authentication and Authorization) events in OpenBSM could be a workaround on macOS Catalina.