Hi, our CoreAudio server plugin utilizes the SystemConfiguration.framework to store and restore specific shared system-wide settings.
While our application can authenticate to utilize the SystemConfiguration.framework to gain write access to the shared configuration settings, the CoreAudio server plugin obviously can't have any user interaction and therefore does not authenticate.
Is it possible to authenticate the CoreAudio server plugin to gain write permissions? Are there any entitlements or other means that would allow this?
Thanks!
I’m going to tackle the System Configuration side of this. There’s a bigger picture question here, namely how a Core Audio server plug-in should manage preferences, that I’ll leave to folks who have expertise in that technology.
> Is it possible to authenticate the CoreAudio server plugin to gain write permissions?
I presume we’re talking SCPreferences here. If so, its authorisation model is pretty straightforward:
- You can connect using SCPreferencesCreate, in which case you’ll have write permission if you’re running as root.
- You can connect using SCPreferencesCreateWithAuthorization, in which case you’ll have write permission if the supplied AuthorizationRef has been, or can be, authorised appropriately [1].
> Are there any entitlements … that would allow this?
No [2].
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] I’m not sure if the actual rights are documented anyway, but you can see this in the authorisation database:
    % security authorizationdb read system.preferences.location | plutil -p -
    YES (0)
    {
      "class" => "rule"
      "comment" => "For changing the network location from the Apple menu."
      "created" => 723599790.4667161
      "k-of-n" => 1
      "modified" => 723599790.4667161
      "rule" => [
        0 => "on-console"
        1 => "is-admin"
        2 => "is-root"
      ]
      "version" => 0
    }
    % security authorizationdb read system.services.systemconfiguration.network | plutil -p -
    YES (0)
    {
      "class" => "rule"
      "comment" => "For making change to network configuration via System Configuration."
      "created" => 723599790.4667161
      "k-of-n" => 1
      "modified" => 723599790.4667161
      "rule" => [
        0 => "is-root"
        1 => "entitled"
        2 => "_mbsetupuser-nonshared"
        3 => "authenticate-admin-nonshared"
      ]
      "version" => 2
    }
[2] If you rummage around in Darwin you’ll find that SCPreferences does support authorisation via entitlements, but those entitlements are not available for third-party use.
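
An added example, not part of the original thread and not Apple's code: a simplified model of how the two k-of-n rules shown in footnote [1] resolve for different callers, which makes it easy to see why a caller that is neither root nor able to prompt gets no write access. The mapping from sub-rule names to caller facts and both caller profiles are assumptions made for illustration; the real decision is made by the system's authorisation machinery and can involve prompting the user.

```python
import plistlib

# Constructed samples: the two rules shown above, re-encoded as the XML plist
# that `security authorizationdb read <right>` writes to stdout.
SAMPLES = {
    "system.preferences.location": plistlib.dumps(
        {"class": "rule", "k-of-n": 1,
         "rule": ["on-console", "is-admin", "is-root"]}),
    "system.services.systemconfiguration.network": plistlib.dumps(
        {"class": "rule", "k-of-n": 1,
         "rule": ["is-root", "entitled", "_mbsetupuser-nonshared",
                  "authenticate-admin-nonshared"]}),
}

# Assumption: each sub-rule is reduced to one yes/no fact about the caller.
# The fact names are hypothetical and exist only in this model.
SUBRULE_FACT = {
    "is-root": "runs_as_root",
    "is-admin": "user_is_admin",
    "on-console": "on_console",
    "entitled": "has_private_entitlement",
    "_mbsetupuser-nonshared": "is_setup_user",
    "authenticate-admin-nonshared": "can_prompt_for_admin",
}

def evaluate(plist_bytes, caller):
    """Return (granted, satisfied_subrules) for a class=rule k-of-n entry."""
    rule = plistlib.loads(plist_bytes)
    if rule.get("class") != "rule":
        raise ValueError("only class=rule entries are modelled here")
    # A sub-rule counts only if the caller profile marks its fact as True.
    satisfied = [name for name in rule["rule"]
                 if caller.get(SUBRULE_FACT.get(name), False)]
    return len(satisfied) >= rule["k-of-n"], satisfied

# Hypothetical caller profiles: a headless plug-in host and a root daemon.
HEADLESS_PLUGIN = {"runs_as_root": False, "can_prompt_for_admin": False}
ROOT_DAEMON = {"runs_as_root": True}

def report(caller):
    """Evaluate every sample right for one caller profile."""
    return {right: evaluate(data, caller) for right, data in SAMPLES.items()}

if __name__ == "__main__":
    for label, caller in (("headless plug-in", HEADLESS_PLUGIN),
                          ("root daemon", ROOT_DAEMON)):
        for right, (ok, why) in report(caller).items():
            print(f"{label:17}{right:45}{'granted' if ok else 'denied'} {why}")
```

On a Mac, the live rule can be fed to `evaluate` by passing the stdout bytes of `security authorizationdb read <right>` in place of a sample.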