Guidance on Authorization Plugins

From what I've gathered from the (rather old) documentation and sample projects on Authorization Plugins, I understand that those can be used to extend the macOS authorization services with custom (and possibly quite complex) requirements for privilege management.

During my testing, I found it to be technically possible to allow a normal (non-admin) user to perform some actions that they normally couldn't by leveraging plugin mechanisms. For instance, if I alter the class of system.preferences.network from user to evaluate-mechanisms I can make it so my custom plugin decides which user is actually able to make modifications to the system through the Network settings pane.

However, I've noticed that if I leave the actual authentication to the built-in authentication mechanism and perform my validations after that, the user will face a rather odd message:

Clearly, even though this seems to work like I'd expected it to, there's something strange going on here.

So my question is, what can I actually achieve with authorization plugins in terms of managing system privileges, and what should I use it for? Are there any alternatives I could consider? And if so, could they offer me the flexibility that implementing my own custom logic as a plugin does?

I'm not sure what the best practices and recommendations are in terms of both security and usability regarding these plugins, and would very much appreciate some pointers in the right direction.

If you plan to do serious work with an authorisation plug-in, I recommend that you open a DTS tech support incident so that I can allocate the time to help you properly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn, I'll probably just do that!

However, just to be sure, could you please confirm that authorization plug-ins are indeed a good approach to this kind of "advanced" privilege management in macOS?

Authorisation plug-ins aren’t a “good” way to do anything )-: The API was never great, it’s very poorly documented, and hasn’t been updated to account for changes in macOS’s overall security strategy.

Having said that, it’s the only way to achieve certain goals. I’ll dig into this more in your TSI.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Guidance on Authorization Plugins
 
 
Q