tags:
views: 192
answers: 2

In a normal Cocoa application it's typical to store any saved passwords in the Keychain and thus avoid many pitfalls. Now I'm writing a launchd daemon that needs to store a password and will run before any user has logged in. This means I cannot use the keychain like I normally do.

I see in Keychain Access there is a "system" keychain, but I have been unable to find any documentation whatsoever on how to use it (or if this is the correct use for it).

What is the best practice for storing passwords used by launchd daemons?

+1  A: 

Keychains are tightly tied to the concept of user context. Therefore, if you need a background process that deals with a user's keychain, then you should be using the UserAgent model. Because daemons are typically (if not always) root:wheel privileged, a typical scenario where a daemon would require some kind of credentials would be covered by Kerberos (file sharing on a web server, XGrid agents, things like this). By no means should a root:wheel daemon be using the credentials of a user.

kent
It specifically does not care at all about users, but it still needs to store a credential. In this case, a secret API passcode for a remote web service. The process needs to have this credential even when you're at the login screen, before any user has signed in.
Ian Levesque
If you have a look in /private/etc you will find that many of the daemons running on your machine refer to .conf files in that folder, however on a read-only basis AFAIK. Maybe you can have your installer place a .conf file there and MD5 your creds into it or so...
kent
+3  A: 

You can create your own Keychains and use them willy-nilly. For example, you could have one inside your app bundle, if you have an app bundle.

Or you could run the daemon as a particular user (the guy who installed it) and put the key in his keychain, then just reach into his home folder when you need it.

Or you could run the daemon as root and put your key in the System keychain.

-Wil

Wil Shipley
Any idea where the System keychain is documented? I was unable to find out how to put something in the System keychain.
Ian Levesque
You can use the open keychain function (don't know it offhand) and just pass in the path to the system keychain. Done and done.
Wil Shipley
Sounds good, I'll give it a shot.
Ian Levesque
This works. I used SecKeychainOpen("/Library/Keychains/System.keychain") from my daemon running as root. The big caveat is that you MUST use code signing or any code change will make it impossible to read your stored password(s).
Ian Levesque
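The approach settled on above (SecKeychainOpen on /Library/Keychains/System.keychain from a daemon running as root), written out as an added example; this is not code from the original thread or from either answerer. The same signed binary stores the secret once at install time (`store` mode) and reads it back at daemon startup, so the keychain item's access control list only ever needs to trust one code identity. The service name, account name and the `store` argument are hypothetical. Plain C against the Security framework, so it compiles as either C or Objective-C with `clang -framework Security -framework CoreFoundation`.

```objective-c
#define __STDC_WANT_LIB_EXT1__ 1   /* for memset_s */
#include <Security/Security.h>
#include <CoreFoundation/CoreFoundation.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical identifiers for this example; use your own daemon's names. */
#define SYSTEM_KEYCHAIN_PATH "/Library/Keychains/System.keychain"
#define SERVICE_NAME         "com.example.mydaemon.api-passcode"
#define ACCOUNT_NAME         "remote-web-service"

/* Print a human-readable Security framework error to stderr. */
static void report(const char *what, OSStatus status) {
    char buf[256] = "unknown error";
    CFStringRef msg = SecCopyErrorMessageString(status, NULL);
    if (msg) {
        CFStringGetCString(msg, buf, sizeof buf, kCFStringEncodingUTF8);
        CFRelease(msg);
    }
    fprintf(stderr, "%s failed: %d (%s)\n", what, (int)status, buf);
}

/* Install step: add the generic-password item to the System keychain.
 * The item's ACL will trust the calling (signed) binary, so run this from
 * the daemon executable itself, not from a separate installer tool. */
static OSStatus store_passcode(SecKeychainRef keychain, const char *secret) {
    return SecKeychainAddGenericPassword(keychain,
        (UInt32)strlen(SERVICE_NAME), SERVICE_NAME,
        (UInt32)strlen(ACCOUNT_NAME), ACCOUNT_NAME,
        (UInt32)strlen(secret), secret, NULL);
}

/* Startup step: read the secret back. Returns a malloc'd NUL-terminated
 * copy, or NULL on failure. No user is logged in, so any ACL prompt the
 * keychain would normally show becomes a plain error here. */
static char *fetch_passcode(SecKeychainRef keychain) {
    UInt32 len = 0;
    void *data = NULL;
    OSStatus status = SecKeychainFindGenericPassword(keychain,
        (UInt32)strlen(SERVICE_NAME), SERVICE_NAME,
        (UInt32)strlen(ACCOUNT_NAME), ACCOUNT_NAME,
        &len, &data, NULL);
    if (status != errSecSuccess) {
        report("SecKeychainFindGenericPassword", status);
        return NULL;
    }
    char *out = malloc((size_t)len + 1);
    if (out) {
        memcpy(out, data, len);
        out[len] = '\0';
    }
    SecKeychainItemFreeContent(NULL, data);   /* framework-owned buffer */
    return out;
}

int main(int argc, char **argv) {
    if (geteuid() != 0) {
        fputs("must run as root to use the System keychain\n", stderr);
        return 1;
    }
    SecKeychainRef keychain = NULL;
    OSStatus status = SecKeychainOpen(SYSTEM_KEYCHAIN_PATH, &keychain);
    if (status != errSecSuccess) {
        report("SecKeychainOpen", status);
        return 1;
    }

    int rc = 0;
    if (argc == 3 && strcmp(argv[1], "store") == 0) {
        /* e.g.  sudo ./mydaemon store 's3cr3t-api-passcode'  at install time */
        status = store_passcode(keychain, argv[2]);
        if (status == errSecDuplicateItem) {
            fputs("item already exists; delete it first to rotate\n", stderr);
            rc = 1;
        } else if (status != errSecSuccess) {
            report("SecKeychainAddGenericPassword", status);
            rc = 1;
        }
    } else {
        /* Normal daemon start: fetch, use, then wipe the copy from memory. */
        char *secret = fetch_passcode(keychain);
        if (!secret) {
            rc = 1;
        } else {
            printf("loaded %zu-byte passcode for %s\n", strlen(secret), ACCOUNT_NAME);
            /* ... hand `secret` to the web-service client here ... */
            memset_s(secret, strlen(secret), 0, strlen(secret));
            free(secret);
        }
    }
    CFRelease(keychain);
    return rc;
}
```

Two caveats a practitioner would want alongside this. First, the code-signing point made above is what keeps the `fetch` step working across rebuilds: the item's ACL trusts the signing identity, so an unsigned daemon loses access as soon as its binary changes. Second, these SecKeychain* calls are the legacy file-based keychain API; they are the ones that operate on System.keychain, but Apple has marked them deprecated in current SDKs, so expect compiler warnings rather than errors.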