Access to a keychain item for process running as root

I would like to be able to store a secret in the keychain and make it accessible to a process running as root without any prompting of the user. So far I've only got this working if I opt for "Allow all applications to access this item." But if I do that, any process whether root or not has access to the item.

On the other hand, if I choose "confirm before allowing access," the user is prompted for a root password. Unfortunately, "Always allow access by these applications" isn't an option because I need the secret in the context of an Authorization Plugin and so it's not a "normal" application that I can list.

I'm wondering if maybe there's a way to set some sort of ACL from the command line. I've looked at the man page for security and not seen any obvious solution.

My goal is to have my Authorization Plugin process "authenticate" itself to an XPC Service using a shared secret that both read from the keychain. If I can't get the keychain to work, I may do the same thing by using a shared secret in a file readable only by root.

Any suggestions welcome.

Thanks, Francis

My goal is to have my Authorization Plugin process "authenticate" itself to an XPC Service using a shared secret that both read from the keychain.

Thanks for including this. It always speeds things when I don’t have to ask “What are you really trying to do?”

The keychain isn’t really intended to be used for this task, and you’ll definitely run into issues trying to use it for that. A better option would be for your XPC service to authenticate the code at the other end of the connection. See this post.

The wrinkle here being that your auth plug-in is being hosted by a system process and macOS enforces permissions based on process boundaries. So, your service won’t be able to distinguish your requests from requests made by other auth plug-ins. However, that probably doesn’t change things. If an attacker has managed to load a malicious auth plug-in then the game is basically over. And the other approaches you mentioned, the keychain and a root-readable file, won’t protect you from that either.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
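An added example of the approach Quinn recommends (verifying the code on the other end of an XPC connection); this is not code from the thread or from Apple's referenced post. It uses the public NSXPCConnection.setCodeSigningRequirement(_:) API (macOS 13 and later) so the service only talks to peers whose code signature satisfies a designated-requirement string. The identifier, team ID and Mach service name are placeholders. As Quinn notes, an auth plug-in runs inside a system host process, so in Francis's situation the requirement has to match that host's signature rather than the plug-in itself; the pattern cannot single out one plug-in among several loaded into the same host.

```swift
import Foundation

// Added example (not from the thread): an NSXPCListener delegate that
// accepts a connection only if the peer's code satisfies a code-signing
// requirement. All identifiers below are placeholders.

@objc protocol SharedSecretService {
    func performPrivilegedWork(withReply reply: @escaping (Bool) -> Void)
}

final class ServiceImplementation: NSObject, SharedSecretService {
    func performPrivilegedWork(withReply reply: @escaping (Bool) -> Void) {
        // Real work would go here; the peer was vetted by the listener delegate.
        reply(true)
    }
}

final class ServiceDelegate: NSObject, NSXPCListenerDelegate {
    // Designated-requirement style string. Replace the identifier and the
    // team ID with the values of the code you actually expect to connect
    // (for a plug-in hosted by a system process, that is the host's identity).
    private let peerRequirement =
        "anchor apple generic and identifier \"com.example.placeholder-client\" " +
        "and certificate leaf[subject.OU] = \"PLACEHOLDERTEAMID\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // The system tears the connection down unless the peer's code
            // satisfies the requirement, so messages from a non-matching
            // peer never reach the exported object.
            newConnection.setCodeSigningRequirement(peerRequirement)
        } else {
            // No public per-connection requirement API before macOS 13.
            // Refuse rather than fall back to a PID-based lookup, which is
            // racy because a PID can be reused after it was checked.
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: SharedSecretService.self)
        newConnection.exportedObject = ServiceImplementation()
        newConnection.resume()
        return true
    }
}

// Entry point for a launchd-registered Mach service (name is a placeholder).
// The delegate is held in a global because NSXPCListener keeps only a weak
// reference to it.
let delegate = ServiceDelegate()
let listener = NSXPCListener(machServiceName: "com.example.placeholder.xpcservice")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The requirement check replaces the shared-secret idea entirely: nothing is read from the keychain or a root-only file, and the decision rests on the peer's code signature as evaluated by the system rather than on a value the peer presents.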

Thanks a lot for the quick response! I will follow up using the guidelines in that post.
