Hello Jens, and thanks. 

I doubt all Apple preinstalled applications have free access to any keychain 
content (passwords), or else any Apple application would serve as a potential 
vulnerability and the whole point of encrypted key-chains wouldn’t be worth much. 
I think there is some kind of trust, but it is not based on signature. Maybe it 
is the same “trust” normal apps can get when the user presses “Allow” or “Always 
allow”, only certain applications get this trust “preinstalled”?

Or else, maybe all these apps use NSURLSession, which defers networking tasks 
to an external process that may have this specific trust (as a specific 
entitlement)?

All my app does is use Keychain APIs to read the proxy user/password. I believe the 
securityd agent/daemon is the one to prompt user for permission. It runs under 
user ‘root’ - much like my own daemon. 
        * How does it gain access to my Login keychain? How does it determine 
which keychain to consult for a specific connection? Does it somehow 
impersonate my user (and call the key-chain APIs)?
        * If the user allows permanent permission for specific app to the 
user’s keychain (pressing “Always allow”) - how is this trust persisted, and 
where? 

Have you any idea?

I verified that indeed setting the proxy from one user (my normal admin user) 
affects all other users on the machine - my code returns the same proxies. Also 
when opening system preferences/network/ethernet/proxies panel - I can see the 
same proxy settings. Hence - I’m quite sure they are stored system wide. 

Not so for the credentials...

> On 5 Sep 2016, at 22:10, Jens Alfke <j...@mooseyard.com> wrote:
> 
> 
>> On Sep 5, 2016, at 6:51 AM, Motti Shneor <motti.shn...@me.com 
>> <mailto:motti.shn...@me.com>> wrote:
>> 
>> 1. Why don’t Safari, Mail, Photos, and other standard apps trigger such 
>> dialog when they clearly use proxy settings (including credentials) to go to 
>> the internet? Is this behavior acceptable, and how is it done?
> 
> Those apps are signed by Apple, so they’re automatically trusted.
> 
> Note that the Keychain permission alert only appears _once_ for any app. You 
> may be seeing it every time you run your code, but that’s because every time 
> you change the code, it makes the app look different to the system. (You can 
> get around this by signing the app; then the signature remains the same 
> between launches.)
> 
>> 2. All proxy settings seem to be system-wide. Why do the credentials reside 
>> in the active user’s Login keychain, instead of the “System” keychain? Is 
>> there at all a way (except for manually editing the keychains) to set-up 
>> proxies for ALL users, including credentials?
> 
> Have you verified that different users inherit the same proxy settings? If 
> so, I agree that it’s odd that the credentials would be in the Login keychain.
> 
>> 3. Could I, at the time of installation of my product, ask once for this 
>> access, and have this “trust” saved for my installed daemon? That will be 
>> acceptable, as IT install our tool, and have rights for this. If this is 
>> possible - where and how could I do it?
> 
> I don’t know. It may be related to the way that app helper processes are 
> authenticated, i.e. being signed with related certs. But this isn’t something 
> I’ve ever done.
> 
> One other possibility is:
> * Installer gets the proxy settings, including getting user permission to 
> access credentials
> * Installer saves the settings & credentials into a file only accessible to 
> root
> * Daemon reads the settings from that file
> 
Can’t believe this is true, because when proxy settings change - who will 
synchronize?


>> 4. Could I avoid the whole proxy-authentication protocol, and use some OS-X 
>> API that would do it for me (in the likes of NSURLSession)? Is there some 
>> official lower-level API to do this? Otherwise I need to implement all kinds 
>> of authentication schemes (kerberos, NTLM, digest etc.), which seems silly 
>> on an OS that already knows how to do it? Clearly OS implementation will be 
>> superior to mine...
> 
> I think NSURLSession is the only API that includes proxy support. For some 
> reason CFStream doesn’t, even though it can do HTTP requests.

I think I once tested CFNetwork’s CFHTTPStream/CFHTTPMessage and they did proxy 
authentication too. (There’s that CFHTTPAuthentication object) - but I’m not 
sure. What I know for sure, you can’t use only their proxy and authentication, 
then get control over the connection and stream. You must be HTTP all the way, 
and use CFHTTPMessage APIs. 

> 
> —Jens

_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)