From /System/Library/Security/authorization.plist:
<key>com.apple.uninstalld.uninstall</key>
<dict>
<key>class</key>
<string>rule</string>
<key>rule</key>
<string>entitled-admin-or-authenticate-admin</string>
</dict>
So the right is granted only if you match the 'entitled-admin-or-authenticate-admin' rule:
<key>entitled-admin-or-authenticate-admin</key>
<dict>
<key>class</key>
<string>rule</string>
<key>k-of-n</key>
<integer>1</integer>
<key>rule</key>
<array>
<string>entitled-admin</string>
<string>authenticate-admin-30</string>
</array>
</dict>
This rule is a k-of-n with k = 1: you need to match either 'entitled-admin' or 'authenticate-admin-30'.
<key>authenticate-admin-30</key>
<dict>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Like the default rule, but credentials remain valid for only
30 seconds after they've been obtained. An acquired credential
is shared by all clients.</string>
<key>group</key>
<string>admin</string>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
</dict>
This is a 'user' class rule rather than a reference to another rule, so the path ends here: you must be in the admin group and hold an admin credential obtained within the last 30 seconds (more on this later).
Here's the other path:
<key>entitled-admin</key>
<dict>
<key>class</key>
<string>rule</string>
<key>k-of-n</key>
<integer>2</integer>
<key>rule</key>
<array>
<string>is-admin</string>
<string>entitled</string>
</array>
</dict>
'entitled-admin' is another k-of-n, but now it's two of two: you need both 'is-admin' and 'entitled'.
<key>is-admin</key>
<dict>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is an administrator.</string>
<key>group</key>
<string>admin</string>
<key>shared</key>
<true/>
</dict>
This one just checks whether you're in the admin group ('authenticate-user' is false, so no password is requested). Since both rules are required, it's the other one that does the heavy lifting here.
Let's look at 'entitled':
<key>entitled</key>
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
<string>builtin:entitled,privileged</string>
</array>
<key>tries</key>
<integer>1</integer>
</dict>
This is a new kind of entry: an 'evaluate-mechanisms' class rule, which runs the listed mechanism (here 'builtin:entitled,privileged', the built-in entitlement check) instead of referring to other rules.
It is also the end of our hunt: every path has been followed to a terminal rule.
Now we need to go back to the /System/Library/Security/authorization.plist again and look a little closer.
There are actually three sections to this plist:
- 'comment'
- 'rights'
- 'rules'
Of the entries we walked through, only 'com.apple.uninstalld.uninstall' appears under 'rights'.
All of the rest appear under 'rules', meaning they are not things you can be granted like a right; they are conditions the Security framework evaluates you against.
For example, running something under 'sudo' satisfies the 'is-root' rule ...
... but none of the paths above relied on that (unfortunately): they all bottomed out in either an 'authenticate-*' rule (which needs a freshly obtained admin credential) or an 'evaluate-mechanisms' rule (which runs an authorization mechanism).
Basically, the way this right is written, you'll only be granted it if you've entered your password into a Security framework GUI / CLI tool (or your process carries the entitlement that the 'entitled' mechanism checks for).
You would have to rewrite this right in the authorization database for it to be granted simply because you're root / sudo'd, for example by pointing it at the 'root-or-entitled-admin-or-authenticate-admin' rule instead:
<key>com.apple.uninstalld.uninstall</key>
<dict>
<key>class</key>
<string>rule</string>
<key>rule</key>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</dict>
This would grant the right if you're simply root / sudo'd, with no authentication at all.
For information on how to make this change on Mavericks, check Sam's article here:
http://www.afp548.com/2013/10/22/modifying-the-os-x-mavericks-authorization-database/
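As an added example (not code from the original article), here is a Python script that parses a constructed, cut-down authorization.plist containing the entries above and walks a right's rule graph the same way we just did by hand, with simplified semantics for the 'rule', 'user' and 'evaluate-mechanisms' classes. The 'is-root' and 'root-or-entitled-admin-or-authenticate-admin' entries in the sample are written from memory of Apple's file and are assumptions, not verbatim copies, as is treating 'builtin:entitled,privileged' as a simple flag on the caller. It shows that a plain sudo caller (root, even in the admin group, but with no password entered and no entitlement) is refused by the right as shipped and accepted once the right is re-pointed at the root-or-... rule.

```python
"""Walk and evaluate a right from authorization.plist.

Added example, not code from the original article. The embedded plist is
constructed: the entries quoted in the article (comments dropped) plus an
'is-root' and a 'root-or-entitled-admin-or-authenticate-admin' rule written
from memory of Apple's file (assumed, not verbatim). Semantics are simplified.
"""
import plistlib
from dataclasses import dataclass
from typing import Optional

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
 <key>com.apple.uninstalld.uninstall</key><dict><key>class</key><string>rule</string>
  <key>rule</key><string>entitled-admin-or-authenticate-admin</string></dict>
</dict>
<key>rules</key><dict>
 <key>entitled-admin-or-authenticate-admin</key><dict><key>class</key><string>rule</string>
  <key>k-of-n</key><integer>1</integer><key>rule</key><array><string>entitled-admin</string>
  <string>authenticate-admin-30</string></array></dict>
 <key>authenticate-admin-30</key><dict><key>class</key><string>user</string>
  <key>group</key><string>admin</string><key>shared</key><true/><key>timeout</key><integer>30</integer></dict>
 <key>entitled-admin</key><dict><key>class</key><string>rule</string><key>k-of-n</key><integer>2</integer>
  <key>rule</key><array><string>is-admin</string><string>entitled</string></array></dict>
 <key>is-admin</key><dict><key>authenticate-user</key><false/><key>class</key><string>user</string>
  <key>group</key><string>admin</string><key>shared</key><true/></dict>
 <key>entitled</key><dict><key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array><string>builtin:entitled,privileged</string></array>
  <key>tries</key><integer>1</integer></dict>
 <key>is-root</key><dict><key>allow-root</key><true/><key>authenticate-user</key><false/>
  <key>class</key><string>user</string></dict>
 <key>root-or-entitled-admin-or-authenticate-admin</key><dict><key>class</key><string>rule</string>
  <key>k-of-n</key><integer>1</integer><key>rule</key><array><string>is-root</string>
  <string>entitled-admin</string><string>authenticate-admin-30</string></array></dict>
</dict></dict></plist>
"""


@dataclass(frozen=True)
class Caller:
    """What the engine knows about the requester (simplified model)."""
    uid: int
    groups: frozenset
    entitled: bool = False          # process holds the entitlement builtin:entitled checks
    cred_age: Optional[int] = None  # seconds since an admin credential was obtained; None = none


def load_db(data: bytes) -> dict:
    db = plistlib.loads(data)
    return {"rights": dict(db["rights"]), "rules": dict(db["rules"])}


def rewrite_right(db: dict, right: str, rule_name: str) -> None:
    """Point a right at another rule: the edit the article proposes for the auth db."""
    db["rights"][right] = {"class": "rule", "rule": rule_name}


def evaluate_right(db: dict, right: str, caller: Caller):
    """Return (granted, trail); trail lists each rule visited, innermost first."""
    trail = []
    return _eval(db, right, db["rights"][right], caller, trail, 0), trail


def _eval(db, name, spec, caller, trail, depth):
    cls = spec["class"]
    if cls == "rule":
        ref = spec["rule"]
        if isinstance(ref, str):                    # plain reference: delegate
            ok = _eval(db, ref, db["rules"][ref], caller, trail, depth + 1)
        else:                                       # k-of-n: count passing members
            hits = sum(_eval(db, r, db["rules"][r], caller, trail, depth + 1) for r in ref)
            ok = hits >= spec.get("k-of-n", len(ref))
    elif cls == "user":
        ok = _eval_user(spec, caller)
    elif cls == "evaluate-mechanisms":
        ok = all(_run_mechanism(m, caller) for m in spec["mechanisms"])
    else:                                           # allow / deny / anything unmodeled
        ok = cls == "allow"
    trail.append(f"{'  ' * depth}{name}: {'pass' if ok else 'FAIL'}")
    return ok


def _eval_user(spec, caller):
    """'user' class: allow-root short-circuit, then group membership, then a credential."""
    if spec.get("allow-root") and caller.uid == 0:
        return True
    group = spec.get("group")
    if group is None or group not in caller.groups:
        return False
    if not spec.get("authenticate-user", True):
        return True                                 # is-admin style: membership only, no prompt
    if caller.cred_age is None:
        return False                                # would need a password; caller has none
    timeout = spec.get("timeout")
    return timeout is None or caller.cred_age <= timeout


def _run_mechanism(mech, caller):
    """Only the built-in entitlement check is modeled, as a flag on the caller (an
    assumption; the real plugin does more). Any other mechanism fails closed."""
    return mech == "builtin:entitled,privileged" and caller.entitled


if __name__ == "__main__":
    db = load_db(SAMPLE_PLIST)
    right = "com.apple.uninstalld.uninstall"
    sudo = Caller(uid=0, groups=frozenset({"wheel", "admin"}))  # plain sudo, no password typed
    ok, trail = evaluate_right(db, right, sudo)
    print(f"as shipped: granted={ok}\n  " + "\n  ".join(trail))
    rewrite_right(db, right, "root-or-entitled-admin-or-authenticate-admin")
    ok, trail = evaluate_right(db, right, sudo)
    print(f"after rewrite: granted={ok}\n  " + "\n  ".join(trail))
```

Run it with python3 and it prints the evaluation trail for both cases. The simulation is deliberately non-interactive: where the real engine would pop a password dialog for a 'user' rule, this one just fails the rule, which is exactly what a sudo'd script that cannot answer a prompt gets.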
If, however, you do not want to change the authorization database, you can instead use the command line to enter the password (instead of a pop-up dialog) using the security tool's 'authorize' verb, chained with its 'execute-with-privileges' verb to run a command with the obtained right. I have an example of that code here: