Secure password storage for launchd daemon

In a typical Cocoa application, the usual practice is to store any saved passwords in the Keychain, which avoids many errors. Now I am writing a launchd daemon, which must store a password and run before any user logs in. This means that I cannot use the keychain as usual.

I see that there is a "System" keychain in Keychain Access, but I have not been able to find any documentation on how to use it (or whether it is right for this).

What is the best practice for storing passwords used by launchd daemons?

+4

2 answers

You can create your own keychains and use them willy-nilly. For example, you could have one inside your application bundle, if you have an application bundle.

Or you can run the daemon as a specific user (the one who installed it) and put the key in that user's keychain, and then just get to their home folder when you need it.

Or you can run the daemon as root and put your key in the system keychain.

-Wil

+5
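The third option above (root daemon, System keychain) in code, as an added example that is not part of the answer: a headless daemon opening /Library/Keychains/System.keychain with the legacy SecKeychain C API and reading one generic-password item. The service name, account name and daemon path are placeholders, and the item is assumed to have been provisioned at install time with the `security` command shown in the comment.

```objc
// Added example (not from the answer). Build on macOS with:
//   clang -framework Security -framework CoreFoundation -o mydaemon daemon_secret.c
#include <Security/Security.h>
#include <stdio.h>
#include <string.h>

// Assumed provisioning step, run once as root by the installer (placeholder values).
// The -T flag grants this daemon binary access to the item without a UI prompt:
//   sudo security add-generic-password -s com.example.mydaemon -a svc \
//        -w '<PLACEHOLDER-SECRET>' -T /usr/local/libexec/mydaemon \
//        /Library/Keychains/System.keychain
static const char *kService = "com.example.mydaemon";   // placeholder
static const char *kAccount = "svc";                    // placeholder
static const char *kSystemKeychain = "/Library/Keychains/System.keychain";

// Copies the secret into `out` as a NUL-terminated string. Returns 0 on success,
// an OSStatus error code on keychain failure, or -1 if the buffer is too small.
int read_daemon_secret(char *out, size_t outlen) {
    SecKeychainRef sys = NULL;
    OSStatus st = SecKeychainOpen(kSystemKeychain, &sys);
    if (st != errSecSuccess) return (int)st;

    // A launchd daemon has no user session to show an access prompt in:
    // fail fast (errSecInteractionNotAllowed) instead of blocking forever.
    SecKeychainSetUserInteractionAllowed(false);

    UInt32 len = 0;
    void *data = NULL;
    st = SecKeychainFindGenericPassword(sys,
                                        (UInt32)strlen(kService), kService,
                                        (UInt32)strlen(kAccount), kAccount,
                                        &len, &data, NULL);
    if (st != errSecSuccess) { CFRelease(sys); return (int)st; }

    int rc = 0;
    if (len < outlen) {
        memcpy(out, data, len);
        out[len] = '\0';
    } else {
        rc = -1;  // caller's buffer cannot hold the secret
    }
    SecKeychainItemFreeContent(NULL, data);  // release the keychain-owned buffer
    CFRelease(sys);
    return rc;
}

int main(void) {
    char secret[256];
    int rc = read_daemon_secret(secret, sizeof secret);
    if (rc != 0) { fprintf(stderr, "keychain lookup failed: %d\n", rc); return 1; }
    // ... use `secret` to authenticate, then scrub it from memory ...
    memset_s(secret, sizeof secret, 0, sizeof secret);
    return 0;
}
```

If the daemon binary was not listed with -T when the item was created, the lookup returns an error rather than prompting, which is the expected failure mode when run from launchd.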

Keychains are closely tied to the concept of a user context. Therefore, if you need a background process associated with a user's keychain, you should use the User Agent model. Because a daemon usually (if not always) runs root:wheel privileged, a typical scenario in which daemons need some credentials will be covered by Kerberos (file sharing on a web server, Xgrid agents, things like that). In no case would I have a root:wheel daemon use user credentials.

+1
