Glossary
- administrator
A user in the admin group. The user who installs OS X is automatically assigned to the admin group. An administrator has fewer privileges than root, but more privileges than a normal user. An administrator cannot create, delete, or move files in the system domain.
- authentication
The act of verifying identity with something the user has, knows, or is. For example, a user knows information such as a name and password. The user may have something physical such as a smart card. The identity can be something the user is—a physical feature such as a fingerprint or retinal scan. Authentication may require two or more forms of identification.
- authorization
The act of granting a right. For example, a user asks for the right to perform an operation. The Security Server grants authorization after the user fulfills the rules specified in the policy database—such as providing a credential or authenticating.
- authorization option
A parameter or field that instructs the Security Server how to proceed with a request. Options include requesting preauthorization, requesting partial authorization, appending rights, and interacting with the user.
- authorization reference
The Security Server uses the authorization reference to access an authorization session associated with a process.
- Authorization Services
An API that facilitates fine-grain control of privileged operations, such as accessing restricted areas of the operating system and self-restricted parts of your Mac app. The Security Server uses policy-based decisions to authorize rights for users.
- biometric identifier
A measurement of biological matter used for identification—for example, fingerprints, retinal scans, and face recognition.
- credential
Proof of user authentication used by the Security Server. When the Security Server authenticates a user, it creates a credential as part of the authorization session.
- factored application
An application that uses a helper tool to perform specific tasks. Interprocess communication mechanisms are used to communicate between processes. In a factored application that uses Authorization Services, the code that performs privileged operations is factored into a separate helper tool.
- helper tool
A tool that executes some of an application’s functions as a separate process. In the case of security, a helper tool performs privileged operations for the application. See also setuid tool.
- key
The name of a rule. The Security Server uses a rule’s key to match a right with a rule.
- permissions
In BSD, a set of attributes governing who can read, write, and execute resources in the file system. The output of the ls -l command represents permissions as a nine-position code segmented into three binary three-character subcodes; the first subcode gives the permissions for the owner of the file, the second for the group that the file belongs to, and the last for everyone else. For example, -rwsr-xr-- means that the owner of the file has read, write, execute permissions (rwx); the group has read and execute permissions (r-x); all others have only read permissions. (The left-most position is reserved for a special character that says if this is a regular file (-), a directory (d), a symbolic link (l), or a special pseudo file device.) The execute bit has a different semantic for directories, meaning they are searchable.
- policy-based system
A system that requires authorization to perform privileged operations.
- policy database
A database containing the set of rules the Security Server uses to determine authorization.
- preauthorization
A form of authorization used before performing the actual authorization. Preauthorization is used to determine if a user has the possibility of authorizing later.
- privileged operation
An operation that requires special rights or permissions. For example, all operations a user performs as root are privileged.
- right
A named privilege. The Security Server authorizes rights for a user to perform a privileged operation.
- rule
A set of attributes used to set security policies for applications and for the system. See also policy database.
- root
(1) The user with unlimited system privileges. Also called the superuser. (2) The top directory in a BSD-style directory hierarchy. Written as a slash (/), it is the first element in every absolute pathname.
- Security Server
A Core Services application in OS X that deals with authorization and authentication through interaction with the policy database and Pluggable Authentication Modules (PAM).
- self-restricted application
An application that restricts part of its features to specific users.
- setuid bit
The fourth bit in a resource’s permissions code. When this bit is set to s, the system allows the process running it to masquerade as another user. For example, -r-sr-xr-x 1 root wheel traceroute allows the process running the traceroute utility to run as root.
- setuid tool
A tool that has its setuid bit set.
- system-restricted application
An application that has a portion of its features restricted to specific users because of the BSD permissions system.
Copyright © 2002, 2011 Apple Inc. All Rights Reserved. Updated: 2011-10-19