Clone programs such as SuperDuper and Carbon Copy Cloner need to run with heightened (root) privileges because they need to copy "everything," and some items on a startup disk have restricted permissions such that a normal admin account can't access them. So it's normal for such backup programs to require password authentication to gain "root" privileges. Carbon Copy Cloner asks you for your admin password each time you run it; SuperDuper offers an option to "remember" the authentication between runs via "opening the padlock".
I had assumed that SuperDuper does this by storing the password somewhere, which would raise security concerns, but I then found this interesting thread in the SuperDuper support forum. Dave Nanian is the developer of SuperDuper. The thread is several years old, but is likely still valid. Here are its contents:
------------------
Timmy
10-16-2006, 07:01 AM
Where/how does SD! store our admin password when we have the 'padlock' unlocked?
I had assumed that it was kept in the Keychain, but I was surprised to see that SD! stays unlocked no matter which account we are logged in to.
dnanian
10-16-2006, 10:36 AM
We authenticate our copying tool the same way the system does (with "suid").
Timmy
10-16-2006, 10:50 AM
I have no idea what that means Dave.
I guess I will re-lock the padlock and hope that my admin password wasn't ever written to disk...
dnanian
10-16-2006, 10:54 AM
Your password was not written to disk, nor was it ever recorded or seen by SuperDuper!, actually.
Instead, a single application on the drive was given System permissions. Your password is only used to *authorize* this action: it's just like unlocking a preference pane (like Sharing).
Timmy
10-16-2006, 11:17 AM
I wasn't really worried that SD! was stealing my admin password, just that by leaving the padlock open that SD! might be tossing my password around in clear text.
After some googling, I think I understand the suid concept...
Thanks.
dnanian
10-16-2006, 11:21 AM
No, we definitely aren't. As I said, we never even really know what it is, since it's all handled by the authentication framework in OSX itself.
---------------
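
The "suid" mechanism mentioned in the thread is visible on disk as a mode bit on an executable, so it can be audited without knowing any password. The following Python script is an added example, not code from the thread or from SuperDuper: it lists setuid files under a directory and notes which are root-owned or loosely permissioned. The function names and the default `/Applications` path are assumptions chosen for illustration.

```python
import os
import stat
import sys

def classify(mode, uid, parent_mode):
    """Return None for files without the setuid bit, else a list of findings."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    findings = []
    if uid == 0:
        # setuid + owner root: the program runs as root whoever launches it
        findings.append("runs as root for any user who executes it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        # others could rename or replace entries in this directory
        findings.append("parent directory is world-writable without sticky bit")
    return findings

def audit(root):
    """Walk root and return (path, owner uid, mode string, findings) per setuid file."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent_mode = os.lstat(dirpath).st_mode
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            findings = classify(st.st_mode, st.st_uid, parent_mode)
            if findings is not None:
                results.append((path, st.st_uid, stat.filemode(st.st_mode), findings))
    return results

if __name__ == "__main__":
    # Default path is an assumption; pass the app bundle or volume to inspect.
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for path, uid, mode, findings in audit(root):
        print(f"{mode} uid={uid} {path}")
        for finding in findings:
            print(f"    - {finding}")
```

A setuid helper shows an `s` in the owner-execute position of its mode string (for example `-rwsr-xr-x`), which is the on-disk form of the "System permissions" described in the thread.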