Re: Programatically setting Allow all Applications to access this item

Yes, it's certainly possible. That's what the APIs in <Security/SecAccess.h> are for.


They are documented here: http://developer.apple.com/documentation/Security/Reference/keychainservices/index.html

With very few exceptions, the app creating the keychain item sets the access control list at the time of creation. (The exceptions are Keychain Access and SecurityAgent, which allow editing of ACLs on existing items.) There can be multiple access control lists on each keychain item, but the one you see and edit in Keychain Access is the ACL which lists the apps that are allowed to decrypt the item (and whether a confirmation dialog appears, and whether it additionally requires the keychain password to be entered).

By default, the access control list for decryption operations on the item has one application in the list: the app that created the item. Some apps may wish to remove themselves from the ACL to force confirmation, or create an item that both it and some trusted helper process(es) may access. Still other apps may want to allow "any" application to access an item. That is not usually recommended for security reasons (if some malware gets onto your machine, it would be able to silently retrieve that item).

The lower-level APIs to create keychain items have an optional SecAccessRef argument that lets you specify the access (e.g. see SecKeychainItemCreateFromContent). If an app wishes to change the access of an item later on, after the item has been created, then a dialog box will pop up to ask the user to confirm that change.

I'll try to get some sample code for you.

-ken


On Wednesday, November 17, 2004, at 09:03 AM, Garth Cummings wrote:

> Hi Paul,
>
> On Nov 16, 2004, at 10:03 PM, Paul Haddad wrote:
>
>> Is there any way to enable the Allow All Applications To Access this
>> Item setting for a KeyChain item?
>
> Can you please provide more context about what you're trying to accomplish?
>
> It seems to me that the access control lists on Keychain items are owned by the user/administrator and shouldn't be changed by random apps. The user/admin has, in theory at least, set the access to Keychain items based on their security policy.
>
> --gc
> __________________________________________________________________
> Garth Cummings
> Apple Developer Technical Support 	email@hidden
>
> http://developer.apple.com/technicalsupport
<smime.p7s> _______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
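
The approach the reply above describes (passing a SecAccessRef when the item is created), as an added example that is not part of the original thread and is not Apple's sample code: it creates a generic password whose ACL trusts only the calling app and one helper. The helper path, service name and account name are hypothetical, and the secret is a constructed sample value.

```objective-c
// Added example: create a generic password whose ACL trusts the calling app
// plus one helper binary, instead of allowing any application.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <string.h>

// Hypothetical helper path, service and account names; replace with your own.
static const char *kHelperPath = "/Applications/Example.app/Contents/MacOS/ExampleHelper";
static const char *kService = "com.example.sync";
static const char *kAccount = "demo-user";

static OSStatus CreateRestrictedItem(const char *secret, SecKeychainItemRef *outItem) {
    SecTrustedApplicationRef me = NULL, helper = NULL;
    SecAccessRef access = NULL;
    // A NULL path refers to the application making this call.
    OSStatus st = SecTrustedApplicationCreateFromPath(NULL, &me);
    if (st == errSecSuccess)
        st = SecTrustedApplicationCreateFromPath(kHelperPath, &helper);
    if (st == errSecSuccess) {
        // Explicit trusted list: only these two binaries are listed in the ACL.
        NSArray *trusted = @[(__bridge id)me, (__bridge id)helper];
        st = SecAccessCreate(CFSTR("Example sync credential"),
                             (__bridge CFArrayRef)trusted, &access);
    }
    if (st == errSecSuccess) {
        SecKeychainAttribute attrs[] = {
            { kSecServiceItemAttr, (UInt32)strlen(kService), (void *)kService },
            { kSecAccountItemAttr, (UInt32)strlen(kAccount), (void *)kAccount },
        };
        SecKeychainAttributeList list = { 2, attrs };
        // The access object is attached at creation via the initialAccess argument.
        st = SecKeychainItemCreateFromContent(kSecGenericPasswordItemClass, &list,
                                              (UInt32)strlen(secret), secret,
                                              NULL /* default keychain */,
                                              access, outItem);
    }
    if (access) CFRelease(access);
    if (helper) CFRelease(helper);
    if (me) CFRelease(me);
    return st;
}

int main(void) {
    @autoreleasepool {
        SecKeychainItemRef item = NULL;
        OSStatus st = CreateRestrictedItem("constructed-sample-secret", &item);
        NSLog(@"Keychain item creation status: %d", (int)st);
        if (item) CFRelease(item);
        return st == errSecSuccess ? 0 : 1;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security`; a non-zero status is printed if the helper path does not exist or the item is already present.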
