halo / macosvpn

:wrench: Create macOS VPNs programmatically (L2TP & Cisco)

Issue with Password and SharedSecretKey Store in SYSTEM Keychain #6

Closed malavagile closed 9 years ago

malavagile commented 9 years ago

Hello,

I am using your VPNKeychain class to store the password and shared secret key in the System keychain, but to store the password and shared secret key in the System keychain we need root access. Currently it's showing a "Write Permission Error" in my Mac application.

Can you guide me on how I can use your VPNKeychain class with root access?

halo commented 9 years ago

Well, first of all, you're not alone. Some people say that it's not possible at all to gain superuser privileges from a process which does not have these privileges already in itself.

The mostly useless documentation doesn't say anything at all about this very issue.

I have a vague memory that I could just run macosvpn in a terminal in Mountain Lion and it would ask me for the password and then create the VPNs. And I think it stopped working in Yosemite. But I could be wrong.

My best guess is that this list changed in Yosemite. Indeed, when I run

security dump-keychain -a /Library/Keychains/System.keychain

I can see these entries:

/usr/libexec/nehelper
/usr/libexec/nesessionmanager
/usr/libexec/neagent
/usr/sbin/racoon
/usr/sbin/pppd
/System/Library/PreferencePanes/Network.prefPane/Contents/XPCServices/com.apple.preference.network.remoteservice.xpc
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper

What's new is the nehelper etc. So maybe you need to add them. However, I believe the XPC service or the SCHelper to be the one to create the item and thus it should work as long as these are authorized. Indeed, there is hardly any documentation at all and the entire code I wrote was more of a trial and error :)

If worst comes to worst, you might have to create a separate HelperTool yourself (I did that before in another, unrelated project).

Let me know if updating the paths worked out for you. Also, do you have a Mountain Lion at hand to try to execute macosvpn without sudo? I'm just running macosvpn directly with sudo so I don't have that problem. But I can totally understand that you want it to work directly from some custom process.

You could also investigate what SecAccessCopyACLList is supposed to mean. I never really got a grip of that.
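The check halo describes above, looking at which applications the System keychain's ACL trusts for a VPN item, can be automated by parsing the text that `security dump-keychain -a` prints. The script below is an added example, not macosvpn code and not something either participant posted. The embedded dump is constructed to mimic the shape of that output (one `keychain:` block per item, `"svce"` attribute, `access:` entries with an `authorizations` line and an `applications` list); confirm the field names against a dump from your own machine before relying on it. The expected-helper list is the one halo pasted from Yosemite.

```python
"""Report which ACL-trusted applications a keychain item is missing.

Added example: parses the text format of `security dump-keychain -a` and
compares the applications allowed to *decrypt* each item against the
helper list posted in this thread.  Not part of macosvpn.
"""
import re
from typing import Dict, List

# Paths halo saw on the VPN items in a Yosemite System keychain (from the thread).
EXPECTED_TRUSTED_APPS = [
    "/usr/libexec/nehelper",
    "/usr/libexec/nesessionmanager",
    "/usr/libexec/neagent",
    "/usr/sbin/racoon",
    "/usr/sbin/pppd",
    "/System/Library/PreferencePanes/Network.prefPane/Contents/XPCServices/com.apple.preference.network.remoteservice.xpc",
    "/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper",
]

# Constructed sample dump (assumed format, not a captured dump).  The first
# item trusts only four helpers; the second trusts all seven.
SAMPLE_DUMP = """\
keychain: "/Library/Keychains/System.keychain"
version: 512
class: "genp"
attributes:
    "acct"<blob>="com.apple.ppp.l2tp.ExampleVPN"
    "desc"<blob>="VPN Password"
    "svce"<blob>="com.apple.ppp.l2tp.ExampleVPN"
access: 2 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        don't-require-password
        description: com.apple.ppp.l2tp.ExampleVPN
        applications (4):
            0: /usr/sbin/pppd (OK)
            1: /usr/sbin/racoon (OK)
            2: /usr/libexec/nehelper (OK)
            3: /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper (OK)
    entry 1:
        authorizations (1): encrypt
        don't-require-password
        description: com.apple.ppp.l2tp.ExampleVPN
        applications: <null>
keychain: "/Library/Keychains/System.keychain"
version: 512
class: "genp"
attributes:
    "acct"<blob>="com.apple.ppp.l2tp.ExampleVPN.SS"
    "desc"<blob>="IPSec Shared Secret"
    "svce"<blob>="com.apple.ppp.l2tp.ExampleVPN.SS"
access: 1 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        don't-require-password
        description: com.apple.ppp.l2tp.ExampleVPN.SS
        applications (7):
            0: /usr/libexec/nehelper (OK)
            1: /usr/libexec/nesessionmanager (OK)
            2: /usr/libexec/neagent (OK)
            3: /usr/sbin/racoon (OK)
            4: /usr/sbin/pppd (OK)
            5: /System/Library/PreferencePanes/Network.prefPane/Contents/XPCServices/com.apple.preference.network.remoteservice.xpc (OK)
            6: /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper (OK)
"""

_SVCE_RE = re.compile(r'"svce"<blob>="([^"]*)"')
_ENTRY_RE = re.compile(r"^\s*entry \d+:")
_AUTH_RE = re.compile(r"^\s*authorizations \(\d+\): (.*)$")
_NULL_APPS_RE = re.compile(r"^\s*applications: <null>")
_APP_RE = re.compile(r"^\s*\d+: (\S+) \((\w+)\)")


def parse_dump(text: str) -> Dict[str, List[str]]:
    """Map each item's service name to the application paths that may decrypt it.

    Only ACL entries whose authorizations include "decrypt" count; an
    encrypt-only entry with a <null> application list does not expose the
    secret.  A "*" in the list means a decrypt entry trusts every application.
    """
    items: Dict[str, List[str]] = {}
    service = None
    decrypt_apps: List[str] = []
    entry_decrypt = False
    for line in text.splitlines():
        if line.startswith("keychain: "):  # start of the next item
            if service is not None:
                items[service] = decrypt_apps
            service, decrypt_apps, entry_decrypt = None, [], False
            continue
        m = _SVCE_RE.search(line)
        if m:
            service = m.group(1)
            continue
        if _ENTRY_RE.match(line):
            entry_decrypt = False
            continue
        m = _AUTH_RE.match(line)
        if m:
            entry_decrypt = "decrypt" in m.group(1).split()
            continue
        if entry_decrypt and _NULL_APPS_RE.match(line):
            decrypt_apps.append("*")
            continue
        m = _APP_RE.match(line)
        if m and entry_decrypt:
            decrypt_apps.append(m.group(1))
    if service is not None:
        items[service] = decrypt_apps
    return items


def missing_trusted_apps(dump: str, service: str, expected=EXPECTED_TRUSTED_APPS) -> List[str]:
    """Return the expected helper paths that cannot decrypt `service`."""
    trusted = parse_dump(dump).get(service, [])
    if "*" in trusted:
        return []
    return [path for path in expected if path not in trusted]


if __name__ == "__main__":
    for svc in parse_dump(SAMPLE_DUMP):
        print(svc, "missing:", missing_trusted_apps(SAMPLE_DUMP, svc))
```

On a real machine, replace `SAMPLE_DUMP` with `subprocess.check_output(["security", "dump-keychain", "-a", "/Library/Keychains/System.keychain"], text=True)`; the dump of the System keychain is readable without root, so the check itself needs no privileges.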

malavagile commented 9 years ago

I used the EvenBetterAuthorizationSample code to use a helper tool, but the helper tool gives the authorization as NSData, and in the VPNKeychain class you used SecAccessRef for access. Can you tell me how I can use NSData instead of SecAccessRef in the VPNKeychain class? Thanks for the help.

halo commented 9 years ago

but helper tool gives authorization as NSData

Could you elaborate on what you mean?

This is how I think it should work:

  1. You have a Cocoa app and start it with normal privileges
  2. That Cocoa app authorizes the helper tool
  3. The helper tool gets installed by the operating system
  4. The Cocoa app makes an internal XPC call to the helper tool
  5. The operating system starts the helper tool with superuser privileges
  6. The helper tool executes whatever it wants, it has superpowers

The helper tool should be able to use the VPNKeychain class just as it is. I believe this to be so, because if I run sudo macosvpn it works as it is. I could be wrong, but I imagine a helper tool being executed in a conceptually similar way.

malavagile commented 9 years ago

Thanks for the reply. You were right, the VPNKeychain class works as it is. Right now I am facing an issue with helper tool installation. Whenever I try to install the helper using SMJobBless it always fails to install with error: CFErrorDomainLaunchd / 4. I have signed the application using my Developer ID. Do you have any idea what else could be the problem?

halo commented 9 years ago

Hard to debug without seeing your code.

I bet that the Bundle Identifier or the Developer ID do not match between your main application and the Helper Tool.

This in the main app has to match this in the Helper. And this in the Helper has to match this in the main app. Also the Developer ID needs to be identical (in my example it's called "halo").
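
The cross-check halo suggests (helper bundle identifier, launchd label and Developer ID all agreeing between the app and the helper) can be scripted instead of eyeballed. The following is an added example and is not code from macosvpn or from either participant. It assumes the standard SMJobBless layout: the app's Info.plist carries `SMPrivilegedExecutables`, the helper's Info.plist carries `SMAuthorizedClients`, and the helper's launchd.plist carries `Label`. The bundle identifiers `com.example.VPNApp` and `com.example.VPNApp.Helper` are made up; the Developer ID name "halo" is the one the thread mentions.

```python
"""Cross-check the plists an SMJobBless app/helper pair must agree on.

Added example (not macosvpn code).  Assumed layout:
  app Info.plist    -> CFBundleIdentifier, SMPrivilegedExecutables {helper id: requirement}
  helper Info.plist -> CFBundleIdentifier, SMAuthorizedClients [requirement, ...]
  helper launchd.plist -> Label
"""
import plistlib
import re
from typing import Dict, List, Tuple

_IDENT_RE = re.compile(r'identifier "([^"]+)"')
_CN_RE = re.compile(r'certificate leaf\[subject\.CN\] = "([^"]+)"')

# Constructed sample plists with hypothetical bundle identifiers.
_MAIN_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.VPNApp</string>
  <key>SMPrivilegedExecutables</key><dict>
    <key>com.example.VPNApp.Helper</key>
    <string>identifier "com.example.VPNApp.Helper" and anchor apple generic and certificate leaf[subject.CN] = "Developer ID Application: halo"</string>
  </dict>
</dict></plist>
"""
_HELPER_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.VPNApp.Helper</string>
  <key>SMAuthorizedClients</key><array>
    <string>identifier "com.example.VPNApp" and anchor apple generic and certificate leaf[subject.CN] = "Developer ID Application: halo"</string>
  </array>
</dict></plist>
"""
_HELPER_LAUNCHD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.VPNApp.Helper</string>
  <key>MachServices</key><dict><key>com.example.VPNApp.Helper</key><true/></dict>
</dict></plist>
"""


def load_samples() -> Tuple[Dict, Dict, Dict]:
    """Return (app Info, helper Info, helper launchd) dicts from the constructed plists."""
    return (plistlib.loads(_MAIN_INFO), plistlib.loads(_HELPER_INFO), plistlib.loads(_HELPER_LAUNCHD))


def check_smjobbless(main_info: Dict, helper_info: Dict, helper_launchd: Dict) -> List[str]:
    """Return a list of mismatches; an empty list means the three plists agree."""
    problems: List[str] = []
    main_id = main_info.get("CFBundleIdentifier")
    helper_id = helper_info.get("CFBundleIdentifier")
    privileged = main_info.get("SMPrivilegedExecutables", {})
    clients = helper_info.get("SMAuthorizedClients", [])

    # 1. The app must name the helper by its exact bundle identifier.
    if helper_id not in privileged:
        problems.append(f"app SMPrivilegedExecutables has no entry for helper {helper_id!r}")
        return problems  # nothing more to compare against
    helper_req = privileged[helper_id]

    # 2. launchd Label must be the same identifier (it is also the on-disk helper name).
    if helper_launchd.get("Label") != helper_id:
        problems.append(f"helper launchd Label {helper_launchd.get('Label')!r} != {helper_id!r}")

    # 3. The requirement the app places on the helper must name the helper.
    m = _IDENT_RE.search(helper_req)
    if not m or m.group(1) != helper_id:
        problems.append("app's requirement for the helper does not match the helper identifier")

    # 4. The helper must authorize the app by its identifier.
    if not any(_IDENT_RE.search(r) and _IDENT_RE.search(r).group(1) == main_id for r in clients):
        problems.append(f"helper SMAuthorizedClients does not name the app {main_id!r}")

    # 5. Both sides must pin the same Developer ID certificate name.
    cns = set()
    for req in [helper_req, *clients]:
        m = _CN_RE.search(req)
        if m:
            cns.add(m.group(1))
    if len(cns) != 1:
        problems.append(f"Developer ID names differ or are missing: {sorted(cns)}")
    return problems


if __name__ == "__main__":
    for p in check_smjobbless(*load_samples()) or ["all three plists agree"]:
        print(p)
```

To run it against a real build, load the three files with `plistlib.load()` from `Contents/Info.plist` of the app, and `Contents/Library/LaunchServices/<helper>` plus the helper's launchd plist (extracted from the helper binary's `__TEXT,__launchd_plist` section, e.g. with `otool -s`). The plist agreement is necessary but not sufficient: SMJobBless also requires both binaries to actually be signed with the pinned certificate, which `codesign -dvvv` will show.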

malavagile commented 9 years ago

Thanks for the reply. I checked both and both are correctly placed as per your code in Brick. It may be some other issue.

halo commented 9 years ago

Might seem obvious, but

Good luck. I will close this issue for now, feel free to ask if you run into problems.

malavagile commented 9 years ago

Ok. Thanks for your support.