I would like to be able to store a secret in the keychain and make it accessible to a process running as root without any prompting of the user. So far I've only got this working if I opt for "Allow all applications to access this item." But if I do that, any process, whether root or not, has access to the item.
On the other hand, if I choose "confirm before allowing access," the user is prompted for a root password. Unfortunately, "Always allow access by these applications" isn't an option because I need the secret in the context of an Authorization Plugin and so it's not a "normal" application that I can list.
I'm wondering if maybe there's a way to set some sort of ACL from the command line. I've looked at the man page for security and not seen any obvious solution.
My goal is to have my Authorization Plugin process "authenticate" itself to an XPC Service using a shared secret that both read from the keychain. If I can't get the keychain to work, I may do the same thing by using a shared secret in a file readable only by root.
Any suggestions welcome.
Thanks, Francis