We write a system-level daemon that runs as root for security monitoring, maintained by launchd.
We use C++ boost asyncio for cross-platform networking (Win/Linux/OS-X). Hence, on OS-X, we can't use higher-level APIs (such as NSURLSession and friends). Also, we use a proprietary binary protocol to our server, but in certain client site deployments, we need to pass it through an HTTP proxy. We use the "HTTP Connect" command to create a secure tunnel through the proxy. This works fine when we provide proxy configuration of our own.
Now I'm trying to integrate with the OS-X system-configuration proxy settings. I found the great (if a little old) CFProxySupportTool code sample, read lots of documentation, and was able to neatly read and support HTTP, HTTPS, Auto-Configured and PAC-based settings.
This breaks when the proxy is authenticated, i.e. you must handshake using a username and password with the proxy.
The credential keys (username and password) received from CFNetworkCopyProxiesForURL() are normally empty, as they are stored in OS-X's secure storage - the KeyChain.
I wrote a simple tool to read the credentials using KeyChain APIs, and found the following:
1. The credentials are stored in the current user's login keychain (the user who set the credentials in the system-preferences network panel).
2. Calling key-chain APIs in the test tool triggers a dialog, asking the user for permission to allow it access to the key-chain. Expected for an App, not so much for a system-level daemon.
3. When the tool is run as root, it finds nothing - because it doesn’t reach the user’s Login keychain.
My questions:
1. How do other system daemons connect to network web servers silently, using authenticated proxy settings? I never got any dialog for them, asking permission to read the keychain… Also, what keychain do they use? Not the System keychain? And when I set authentication parameters for, say, the admin user - how do they read it? Via some kind of impersonation?
2. How do preinstalled Safari, Mail, Photos, and other apps connect silently to the web, and avoid triggering the key-chain access permission dialog? They clearly use proxy settings (including credentials) to go to the internet, and run under the current user. If such behavior is acceptable - how is it done?
3. All proxy settings seem to be system-wide (actually per network-interface). Why do the credentials reside in the active user's Login keychain, instead of the "System" keychain? Is there a way at all (except for manually editing the keychains) to set up proxies for ALL users, including credentials?
4. Could I, at the time of installation of my product, ask once for this access, and have this "trust" saved for my installed daemon? That will be acceptable, as IT installs our tool on all users' machines, and has rights for this. If this is possible - where and how could I do it?
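
The authenticated "HTTP Connect" handshake the post refers to, as an added example that is not the poster's code: it builds the CONNECT request (with an optional Basic credential) and reads the proxy's reply to tell an established tunnel (200) from an authentication challenge (407). The names `base64`, `build_connect`, `parse_reply`, `ProxyReply` and the host `srv.example.test` are hypothetical, and the credentials are constructed samples.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Base64 (RFC 4648) for the Basic credential "user:password".
std::string base64(const std::string& in) {
    static const char t[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    for (size_t i = 0; i < in.size(); i += 3) {
        size_t n = in.size() - i < 3 ? in.size() - i : 3;  // bytes in this group
        unsigned v = 0;
        for (size_t k = 0; k < 3; ++k) v = v << 8 | (k < n ? (unsigned char)in[i + k] : 0);
        out += t[v >> 18];
        out += t[(v >> 12) & 63];
        out += n > 1 ? t[(v >> 6) & 63] : '=';
        out += n > 2 ? t[v & 63] : '=';
    }
    return out;
}

// CONNECT request; credentials are optional and supplied by the caller.
std::string build_connect(const std::string& host, unsigned port,
                          const std::string& user = "", const std::string& pass = "") {
    std::string target = host + ":" + std::to_string(port);
    std::string req = "CONNECT " + target + " HTTP/1.1\r\nHost: " + target + "\r\n";
    if (!user.empty()) req += "Proxy-Authorization: Basic " + base64(user + ":" + pass) + "\r\n";
    return req + "\r\n";
}

struct ProxyReply { int status = 0; std::vector<std::string> schemes; };

// Parse the proxy's response head: status code plus the auth schemes it offers.
ProxyReply parse_reply(const std::string& head) {
    ProxyReply r;
    std::istringstream in(head);
    std::string line, key = "proxy-authenticate:";
    if (std::getline(in, line) && line.compare(0, 5, "HTTP/") == 0 && line.find(' ') != std::string::npos)
        r.status = std::atoi(line.c_str() + line.find(' ') + 1);
    while (std::getline(in, line) && !line.empty() && line != "\r") {
        std::string name = line.substr(0, key.size()), scheme;
        for (char& c : name) c = (char)std::tolower((unsigned char)c);  // header names are case-insensitive
        std::istringstream value(line.substr(name.size()));
        if (name == key && value >> scheme) r.schemes.push_back(scheme);
    }
    return r;
}

int main() { std::cout << build_connect("srv.example.test", 443, "user", "pass"); }
```

Basic only encodes the credential, so it crosses the link to the proxy in recoverable form; a proxy that offers only Negotiate or NTLM in its 407 needs a multi-step exchange that this sketch does not cover.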