Re: Proxy credentials usage from my root daemon.
- Subject: Re: Proxy credentials usage from my root daemon.
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Tue, 20 Sep 2016 09:05:30 +0100
On 20 Sep 2016, at 07:45, Motti Shneor <email@hidden> wrote:
> 1. How do other system daemons connect to network web servers silently, using authenticated proxy settings?
If they use NSURL{Session,Connection} then the proxy ‘heavy lifting’ is done by another daemon, `networkd`, that contains a bunch of smarts.
> Also, what keychain do they use? Not the System keychain?
Credentials like this are usually stored in the System keychain, although that’s clearly not the case here. Beyond that, I haven’t looked at how proxies work at this level in a while.
> And when I set authentication parameters for, say, the admin user - how do they read it? Via some kind of impersonation?
That won’t work because, when a user logs out, their keychain is locked and no one, not even root, can unlock it.
This is in stark contrast to the System keychain, which can be unlocked by any root process.
> 2. How do preinstalled Safari, Mail, Photos, and other apps connect silently to the web, and avoid triggering the key-chain access permission dialog?
These apps use NSURLSession and, as such, the proxy work goes via `networkd`.
> 3. All proxy settings seem to be system-wide (actually per network-interface). Why do the credentials reside in the active user’s Login keychain, instead of the “System” keychain?
It’s hard to answer “why” questions.
> Is there at all a way (except for manually editing the keychains) to set-up proxies for ALL users, including credentials?
>
> 4. Could I, at the time of installation of my product, ask once for this access, and have this “trust” saved for my installed daemon? That will be acceptable, as IT installs our [tool] on all users' machines, and has rights for this. If this is possible - where and how could I do it?
If you’re deploying to managed environments then you need to look at configuration profiles.
> If the wonderful code within NSURLSession and CFNetwork that negotiates proxies would be exposed via proper APIs - that would be a real blessing.
You should file an enhancement request that describes what you’d like to see here.
<https://developer.apple.com/bug-reporting/>
Please post your bug number, just for the record.
Share and Enjoy
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware