Modifying CCC's Security Configuration

This documentation is for an older version of CCC. You can find the latest version here.
Last updated on 22 febbraio 2022

Rather than requiring you to enter admin credentials every time you want to run a task or make changes to a task, CCC only requires users with administrative privileges to authenticate once when CCC is initially installed. While this configuration is easier to use, there are situations where this configuration is not appropriate. If you leave your system unattended with an admin user logged in, someone with physical access to your system can modify or run your CCC backup tasks. If you cannot rely upon the physical security of your Mac to prevent someone from using your Mac, you can use the information below to apply a stricter security policy to CCC.

Require administrator authorization to make changes to tasks and to run or stop tasks

CCC identifies a subset of activity that causes changes to CCC tasks and preferences or that require access to privileged data (e.g. CCC's private keychain). Performing these tasks requires that the user is authorized for the "com.bombich.ccc.helper" privilege. The default rules for this privilege require that the requesting user is either an admin user, or can provide administrator credentials. Once the authorization is obtained, the user is allowed to perform the privileged tasks without additional authorization until the login session ends.

You can modify these rules in several ways. Most commonly, you may want to require the logged-in user to explicitly provide admin credentials to gain this authorization (vs. having the privileged granted simply because the user is an administrator). Additionally, you may want this authorization to expire after a specific amount of time, e.g. 5 minutes (vs. "when the user logs out"). To apply these stricter rules, paste the following into the Terminal application:

security authorizationdb read com.bombich.ccc.helper > /tmp/ccc.plist
defaults delete /tmp/ccc "authenticate-user"
defaults write /tmp/ccc "authenticate-admin" -bool YES
defaults write /tmp/ccc timeout -int 300
defaults write /tmp/ccc shared -bool NO
plutil -convert xml1 /tmp/ccc.plist
security authorizationdb write com.bombich.ccc.helper < /tmp/ccc.plist
security authorize -ud com.bombich.ccc.helper

Immediately revoking authorization to modify CCC tasks

If you have decided to apply a liberal timeout value to the "com.bombich.ccc.helper" privilege, you may occasionally want to revoke that authorization immediately. To immediately revoke that authorization, paste the following line into the Terminal application:

security authorize -ud com.bombich.ccc.helper

Resetting CCC's authorization rules back to default values

To reset CCC's authorization rules back to the default values, paste the following into the Terminal application:

security authorizationdb remove com.bombich.ccc.helper
security authorize -ud com.bombich.ccc.helper

The next time you attempt to modify or run a CCC backup task, CCC will re--apply its default rule set in macOS's Authorization database.