How to modify system settings with Obj C (without code signing)?

My project (github.com/spieglt/flyingcarpet) is written in Go, is cross-platform (Mac/Win/Linux), and uses cgo/Objective-C for certain network functions on macOS. It needs to perform 3 privileged actions: Add a wireless network to the top of the preferred networks list, later remove that network from the preferred networks list, and remove that network's password from all Keychains. I wouldn't need to touch the Keychain at all except that CWInterface's associateToNetwork method adds Keychain entries automatically, but let me know if there's a way to prevent this.


For the preferred network operations, I can use SFAuthorization's obtainWithRight method, which leads to my first question: What are the possible values for obtainWithRight's rightNames parameter, and where are they documented? rightNames' type is AuthorizationString, which is just an alias for a UTF-8 char pointer, and I know that "system.preferences" is a valid value. But I don't know how to find what others might be, and my search of Apple's docs has turned up nothing.


My second question: How is one supposed to remove a wireless network password from all Keychains? There is a CWKeychainDeleteWiFiPassword function in CoreWLAN, but it can't remove a password from the System Keychain unless running as root, and I don't want or need to run my whole application as root. I see many people use AuthorizationExecuteWithPrivileges for this purpose, but this has been deprecated since 10.7. Apple seems to only recommend SMJobBless as its replacement, but it requires code signing, which I can't use because this is a Go project (thus not compiled with Xcode). I don't want to pay for an Apple Developer ID just to change a setting anyway, and this method also requires a privileged helper daemon (which I wouldn't want as my program is intended to be a standalone utility, not an installed application).


To summarize, I need to prompt the user for their password a maximum of one time, and use that authorization to perform the three privileged actions I mentioned at the top. Thanks to anyone who can help!


Functions mentioned:

https://developer.apple.com/documentation/corewlan/cwinterface/1426455-associatetonetwork?language=objc

https://developer.apple.com/documentation/securityfoundation/sfauthorization/1417652-obtainwithright

https://developer.apple.com/documentation/corewlan/1512242-cwkeychaindeletewifipassword?language=objc

https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg

https://developer.apple.com/library/content/samplecode/SMJobBless/Introduction/Intro.html

Replies

I've somewhat answered my first question. It seems that the magic "system.preferences" string comes from the Policy Database. According to the only doc from Apple I could find on the subject (https://developer.apple.com/library/content/technotes/tn2095/_index.html#//apple_ref/doc/uid/DTS10003110-CH1-SECTION5), it used to be a plist file located at /etc/authorization. It seems it's now a SQLite database at /var/db/auth.db.


Still no leads on how to remove an Airport network password from all keychains, however. I thought of just making a menu option that the user could select manually that would just prompt them for their password, find the SSIDs I need to delete, and run `networksetup -removepreferredwirelessnetwork` for each. That will not work because by this point, the SSID has already left the preferred networks list, it's just stuck in the Keychains.
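
One way to see what the policy database holds for a given right name, as an added example that is not part of the original posts: it uses AuthorizationRightGet from the Security framework, which the thread does not mention. The file name rights.m and the helper RightDefinition are assumptions made for the example.

```objective-c
// Added example: print the policy-database entry for one or more right names.
// Build (assumed file name):
//   clang -fobjc-arc -framework Foundation -framework Security rights.m -o rights
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <Security/AuthorizationDB.h>

// Hypothetical helper: returns the entry for a right, or nil when the
// policy database has no entry under that name.
static NSDictionary *RightDefinition(NSString *rightName) {
    CFDictionaryRef def = NULL;
    OSStatus status = AuthorizationRightGet(rightName.UTF8String, &def);
    if (status != errAuthorizationSuccess || def == NULL) {
        return nil;
    }
    return CFBridgingRelease(def);  // hand ownership of the copy to ARC
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // "system.preferences" is the name from the post; any names given
        // on the command line are looked up as well.
        NSMutableArray<NSString *> *names =
            [NSMutableArray arrayWithObject:@"system.preferences"];
        for (int i = 1; i < argc; i++) {
            [names addObject:[NSString stringWithUTF8String:argv[i]]];
        }
        // Keys as they appear in policy-database entries; absent keys are skipped.
        NSArray<NSString *> *keys =
            @[@"class", @"rule", @"group", @"shared", @"timeout", @"comment"];
        for (NSString *name in names) {
            NSDictionary *def = RightDefinition(name);
            if (def == nil) {
                printf("%s: no entry in the policy database\n", name.UTF8String);
                continue;
            }
            printf("%s\n", name.UTF8String);
            for (NSString *key in keys) {
                id value = def[key];
                if (value != nil) {
                    printf("  %s = %s\n", key.UTF8String,
                           [[value description] UTF8String]);
                }
            }
        }
    }
    return 0;
}
```

Reading an entry this way needs no authorization prompt, so it can be run as a normal user to check a right name before passing it to obtainWithRight.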