MacOS – Add command to sudo in OS X – or how to fix a major security inconsistency in OS X

Tags: keychain, macos, security, terminal

OS X provides Keychain Access, which is a great way to save passwords of varying apps and websites. When you want to view a password via the Keychain Access GUI, you are asked the admin password. However, OS X also provides a command to export all Keychain Access passwords to a text file, unencrypted:

security dump-keychain -d login.keychain > keychain.txt

This command does not require sudo privileges.

So I have two questions:

  • How can I add the sudo privilege requirement to the security command?
  • Is this behaviour intended, or is it a major inconsistency with regard to security concerns at Apple?

Best Answer

The security command is working as expected, and is following the same keychain access policies that any other program would follow.

  • Accessing a user's keychain is not an admin function -- the user's keychain belongs to them, so admin access is irrelevant. On the other hand, the System keychain (/Library/Keychains/System.keychain) is "owned by" the system, so admin access might be needed for it and/or its items.

  • To gain access to the user's keychain, it must first be unlocked. login.keychain is normally encrypted with the user's login password, and is automatically unlocked when they log in. If it weren't already unlocked, security would trigger a prompt for the password to unlock it.

  • Each item in the keychain has its own access policy. You can see these in the Keychain Access utility by double-clicking the keychain item, then selecting the Access Control tab. security obeys these access controls: if it's set to "Allow all applications to access this item", security will dump the item without prompting for anything; if it's set to "Confirm before allowing access" (and security isn't in the "Always allow..." list), security will trigger a prompt for access to the item (and if "Ask for keychain password" is selected as well, the prompt will require the keychain password).

It might be possible to require admin rights to run security, but I wouldn't recommend it. Firstly, it might break any parts of the OS that depend on running security (though I don't know of any), and secondly it wouldn't prevent any other program from dumping out the keychain, since other programs are subject to the same access policies.
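The answer's second point is the practical lever a defender actually has: security only dumps item data from a keychain that is already unlocked, and otherwise prompts for the keychain password. The script below is an added example, not part of the original question or answer; it audits whether the login keychain is set to lock on sleep and after an inactivity timeout, and can apply that setting with security's set-keychain-settings subcommand. It assumes the output shape of `security show-keychain-info` (a single line ending in either `lock-on-sleep timeout=NNNs` or `no-timeout`, printed to stderr) and a maximum acceptable timeout of 300 seconds; both are this example's assumptions, so check them against your own macOS version.

```shell
#!/bin/sh
# Added example (not the original poster's or Apple's code). Assumes macOS
# security(1) with `show-keychain-info` and `set-keychain-settings`, and the
# output format reproduced in the comment below. The parser itself is plain
# POSIX shell and runs anywhere; only the audit/harden helpers need macOS.

# Longest idle period (seconds) we are willing to leave the keychain unlocked.
MAX_TIMEOUT=${MAX_TIMEOUT:-300}

# keychain_autolock_ok "<show-keychain-info line>"
# Returns 0 when the line reports lock-on-sleep AND a timeout <= MAX_TIMEOUT,
# 1 otherwise. Expected (assumed) formats:
#   Keychain "login.keychain-db" lock-on-sleep timeout=300s
#   Keychain "login.keychain-db" no-timeout
keychain_autolock_ok() {
  info="$1"
  case "$info" in
    *lock-on-sleep*) ;;          # must lock when the machine sleeps
    *) return 1 ;;
  esac
  # Extract the numeric timeout; an absent timeout means "stays unlocked".
  timeout=$(printf '%s\n' "$info" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
  [ -n "$timeout" ] || return 1
  [ "$timeout" -le "$MAX_TIMEOUT" ]
}

# Report the current setting of the login keychain (macOS only).
# Exit status: 0 = hardened, 1 = weak, 2 = security(1) unavailable.
audit_login_keychain() {
  command -v security >/dev/null 2>&1 || {
    echo "security(1) not found; this audit only runs on macOS" >&2
    return 2
  }
  # show-keychain-info writes its summary to stderr, hence 2>&1.
  info=$(security show-keychain-info login.keychain 2>&1)
  if keychain_autolock_ok "$info"; then
    echo "OK:   $info"
  else
    echo "WEAK: $info (dump-keychain -d would not prompt for a password)"
    return 1
  fi
}

# Apply the setting: -l lock on sleep, -u use a timeout, -t seconds (macOS only).
# After this, an unattended Mac reverts to prompting for the keychain password.
harden_login_keychain() {
  security set-keychain-settings -l -u -t "$MAX_TIMEOUT" login.keychain
}

if [ "${1:-}" = "--audit" ]; then
  audit_login_keychain
elif [ "${1:-}" = "--harden" ]; then
  harden_login_keychain && audit_login_keychain
fi
```

Run it as `sh keychain-lock.sh --audit` to see the current state and `--harden` to set the lock policy. This does not change what the answer describes, since a user who has just typed the keychain password is still shown their own secrets; it only shortens the window during which a dump runs without any prompt.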