I’m implementing a custom Authorization right with the following rule: <key>authenticate-user</key> <true/> <key>allow-root</key> <true/> <key>class</key> <string>user</string> <key>group</key> <string>admin</string> The currently logged-in user is a standard user, and I’ve created a hidden admin account, e.g. _hiddenadmin, which has UID≠0 but belongs to the admin group. From my Authorization Plug-in, I would like to programmatically satisfy this right using _hiddenadmin’s credentials, even though _hiddenadmin is not the logged-in user. My question: Is there a way to programmatically satisfy an authenticate-user right from an Authorization Plug-in using credentials of another (non-session) user?

On MacOS, I understand NSFileSystemFileNumber is an inode number. And inode can be reused by filesystem after original file is deleted. Suppose one file is never deleted, will its NSFileSystemFileNumber change? For example, reboot? OS upgrade?

Hi, I’ve developed a custom Authorization Plugin and placed it under: /Library/Security/SecurityAgentPlugins/AuthPlugin.bundle I also updated the corresponding right in the authorization database (authorizationdb) to point to my plugin’s mechanism. However, when I invoke the right, my plugin does not get loaded. The system log shows the following errors: AuthorizationHostHelper: Init: unable to load bundle executable for plugin: AuthPlugin.bundle AuthorizationHostHelper: Processing request: Failed to create agent mechanism AuthPlugin:auth.startup.authenticate, failing authentication! Here’s what I’ve verified so far: The plugin bundle and its executable are signed and notarized successfully. The executable inside the bundle is universal (arm64 + x86_64). The bundle structure looks correct (Contents/Info.plist, Contents/MacOS/..., etc.). Despite that, the plugin fails to load at runtime. Could anyone provide advice on how to debug or trace why the SecurityAgent cannot load the bundle executable? Are there any entitlements, permissions, or SIP-related restrictions that might prevent custom authorization plugins from being loaded on modern macOS versions? Thanks in advance for any insights!