When you launch NFS Manager for the first time, it will automatically integrate into the security model of OS X. This is necessary because the application can be used to perform critical operations in OS X, for example to share and publish files of several users to the network. Only responsible system administrators which manage the computer's installation should be allowed to perform such actions.
For this reason, NFS Manager contains a safeguard which communicates with the security features of OS X. Under normal circumstances, NFS Manager is restricted to behave like a normal user program and does not have any extended privileges. For example it cannot use any system features which could affect more than the current user. However, certain maintenance functions require that NFS Manager is allowed to act for the whole computer and all users. In this case, the built-in safeguard of NFS Manager requests permission from OS X to temporarily use a system feature which needs extended privileges. As response to this request, OS X will completely “freeze” NFS Manager and open a password entry panel in which you'll have to enter a valid password for one of the system's administrators. If the password is correct, OS X will allow NFS Manager to continue and to execute the requested action. If the password was wrong, NFS Manager will also continue, but will additionally receive the response that the permission was not granted and the current request is rejected. In that case, NFS Manager cannot perform the action currently selected. With this design it becomes impossible that an unauthorized person could misuse an application like NFS Manager.
This policy strictly complies with Apple's software guidelines for system utilities. Note that NFS Manager doesn't even “see” the administrator password when it is being entered. All security-related interactions are directly handled and monitored by OS X. So even in the unlikely case a computer virus would attack NFS Manager, trying to “eavesdrop” on your password entry in an attempt to store and steal the password, it would have no success, because only the specially protected core of OS X actually receives and checks the entered password information.
The first password entry is requested by OS X when you start NFS Manager for the first time. This allows the tool to form the aforementioned trust relationship and protection mechanisms. Other password requests will follow as soon as you start an operation which needs extended privileges.
All mentioned security features are exclusively controlled by OS X. They have nothing to do with the registration or licensing of the software, but they are needed to avoid security holes in the operating system.
Note: OS X automatically ensures that the user doesn't need to enter the password too often. After a password has been entered, OS X will “trust” all applications started by the same user for an interval of 5 minutes.
The paragraphs below contain information for experienced system administrators. You can skip them during first reading.
The security component will be installed into the folder /Library/PrivilegedHelperTools which is Apple's recommended folder to be used for such utility programs. The name of the component is com.bresink.system.securityagent3. OS X will automatically launch and quit this program as needed, avoiding to let it run as a background service for an extended period of time.
The security tool might be shared by different applications from Marcel Bresink Software-Systeme. For this reason, NFS Manager might not reinstall the component during first launch of NFS Manager if it detects that an acceptable version is already available, e.g. from a previous software version or from another application which also needs to perform privileged operations.
You can choose to remove the security tool at any time without any traces. In this case NFS Manager will lose its capability to access privileged system areas, so the program will be forced to shut down either. Perform the following steps to remove the component:
Just authenticating against the user credentials of an administrator might not be enough for the situation in some large organizations. Perhaps the user should be member of another group of specially trusted staff in order to be able to perform a certain operation, or maybe some security rules should be relaxed, so that non-administrative users get access to privileged operations, too. NFS Manager follows Apple's guidelines to internally work with named rights for each class of operations and to register these names with the Authorization Policy Database of OS X. This way, advanced administrators can fine-tune rights in the policy database as needed, connecting rights to specified authentication mechanisms. Details can be found in a separate chapter.