security (1) BSD General Commands Manual security (1)
NAME
security — Command line interface to keychains and Security framework
SYNOPSIS
security [ −hilqv] [ −p prompt] [command] [command_options] [command_args]
DESCRIPTION
A simple command line interface which lets you administer keychains, manipulate keys and certificates, and
do just about anything the Security framework is capable of from the command line.
By default security will execute the command supplied and report if anything went wrong.
If the −i or −p options are provided, security will enter interactive mode and allow the user to enter
multiple commands on stdin. When EOF is read from stdin security will exit.
Here is a complete list of the options available:
−h If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each of the specified commands. This option is essentially the same as the help command.
−i Run security in interactive mode. A prompt (security> by default) will be displayed and the user will be able to type commands on stdin until an EOF is encountered.
−l Before security exits, run
/usr/bin/leaks -nocontext
on itself to see if the command(s) you executed had any leaks.
−p prompt
This option implies the −i option but changes the default prompt to the argument specified
instead.
−q Will make security less verbose.
−v Will make security more verbose.
SECURITY COMMAND SUMMARY
security provides a rich variety of commands (command in the SYNOPSIS), each of which often has a wealth of options, to allow access to the broad functionality provided by the Security framework. However, you don’t have to master every detail for security to be useful to you.
Here are brief descriptions of all the security commands:
help Show all commands, or show usage for a command.
list-keychains Display or manipulate the keychain search list.
default-keychain Display or set the default keychain.
login-keychain Display or set the login keychain.
create-keychain Create keychains.
delete-keychain Delete keychains and remove them from the search list.
lock-keychain Lock the specified keychain.
unlock-keychain Unlock the specified keychain.
set-keychain-settings Set settings for a keychain.
set-keychain-password Set password for a keychain.
show-keychain-info Show the settings for keychain.
dump-keychain Dump the contents of one or more keychains.
Darwin March 1, 2012 1
create-keypair Create an asymmetric key pair.
add-generic-password Add a generic password item.
add-internet-password Add an internet password item.
add-certificates Add certificates to a keychain.
find-generic-password Find a generic password item.
delete-generic-password Delete a generic password item.
find-internet-password Find an internet password item.
delete-internet-password Delete an internet password item.
find-certificate Find a certificate item.
find-identity Find an identity (certificate + private key).
delete-certificate Delete a certificate from a keychain.
set-identity-preference Set the preferred identity to use for a service.
get-identity-preference Get the preferred identity to use for a service.
create-db Create a db using the DL.
export Export items from a keychain.
import Import items into a keychain.
cms Encode or decode CMS messages.
install-mds Install (or re-install) the MDS database.
add-trusted-cert Add trusted certificate(s).
remove-trusted-cert Remove trusted certificate(s).
dump-trust-settings Display contents of trust settings.
user-trust-settings-enable Display or manipulate user-level trust settings.
trust-settings-export Export trust settings.
trust-settings-import Import trust settings.
verify-cert Verify certificate(s).
authorize Perform authorization operations.
authorizationdb Make changes to the authorization policy database.
execute-with-privileges Execute tool with privileges.
leaks Run /usr/bin/leaks on this process.
error Display a descriptive message for the given error code(s).
COMMON COMMAND OPTIONS
This section describes the command_options that are available across all security commands.
−h Show a usage message for the specified command. This option is essentially the same as the
help command.
SECURITY COMMANDS
Here (finally) are details on all the security commands and the options each accepts.
help [ −h]
Show all commands, or show usage for a command.
list-keychains [ −h] [ −d user|system|common|dynamic] [ −s [keychain...]]
Display or manipulate the keychain search list.
−d user|system|common|dynamic
Use the specified preference domain.
−s Set the search list to the specified keychains.
default-keychain [ −h] [ −d user|system|common|dynamic] [ −s [keychain]]
Display or set the default keychain.
−d user|system|common|dynamic
Use the specified preference domain.
−s Set the default keychain to the specified keychain. Unset it if no keychain is specified.
login-keychain [ −h] [ −d user|system|common|dynamic] [ −s [keychain]]
Display or set the login keychain.
−d user|system|common|dynamic
Use the specified preference domain.
−s Set the login keychain to the specified keychain. Unset it if no keychain is specified.
create-keychain [ −hP] [ −p password] [keychain...]
Create keychains.
−P Prompt the user for a password using the SecurityAgent.
−p password Use password as the password for the keychains being created.
If neither −P nor −p password is specified, the user is prompted for a password on the command line.
delete-keychain [ −h] [keychain...]
Delete keychains and remove them from the search list.
lock-keychain [ −h] [ −a|keychain]
Lock keychain, or the default keychain if none is specified. If the −a option is specified, all
keychains are locked.
unlock-keychain [ −hu] [ −p password] [keychain]
Unlock keychain, or the default keychain if none is specified.
set-keychain-settings [ −hlu] [ −t timeout] [keychain]
Set settings for keychain, or the default keychain if none is specified.
−l Lock keychain when the system sleeps.
−u Lock keychain after timeout interval.
−t timeout Specify timeout interval in seconds (omitting this option specifies "no timeout").
set-keychain-password [ −h] [ −o oldPassword] [ −p newPassword] [keychain]
Set password for keychain, or the default keychain if none is specified.
−o oldPassword
Old keychain password (if not provided, will prompt)
−p newPassword
New keychain password (if not provided, will prompt)
show-keychain-info [ −h] [keychain]
Show the settings for keychain.
dump-keychain [ −adhir]
Dump the contents of one or more keychains.
−a Dump access control list of items
−d Dump (decrypted) data of items
−i Interactive access control list editing mode
−r Dump raw (encrypted) data of items
create-keypair [ −h] [ −a alg] [ −s size] [ −f date] [ −t date] [ −d days] [ −k keychain] [ −A| −T appPath] [name]
Create an asymmetric key pair.
−a alg Use alg as the algorithm, can be rsa, dh, dsa or fee (default rsa)
−s size Specify the keysize in bits (default 512)
−f date Make a key valid from the specified date
−t date Make a key valid to the specified date
−d days Make a key valid for the number of days specified from today
−k keychain Use the specified keychain rather than the default
−A Allow any application to access this key without warning (insecure, not recommended!)
−T appPath Specify an application which may access this key (multiple −T options are
allowed)
add-generic-password [ −h] [ −a account] [ −s service] [ −w password]
[options...] [keychain]
Add a generic password item.
−a account Specify account name (required)
−c creator Specify item creator (optional four-character code)
−C type Specify item type (optional four-character code)
−D kind Specify kind (default is "application password")
−G value Specify generic attribute value (optional)
−j comment Specify comment string (optional)
−l label Specify label (if omitted, service name is used as default label)
−s service Specify service name (required)
−p password Specify password to be added (legacy option, equivalent to −w)
−w password Specify password to be added
−A Allow any application to access this item without warning (insecure, not recommended!)
−T appPath Specify an application which may access this item (multiple −T options are allowed)
−U Update item if it already exists (if omitted, the item cannot already exist)
By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname: −T "". If no keychain is specified, the password is added to the default keychain.
add-internet-password [ −h] [ −a account] [ −s server] [ −w password]
[options...] [keychain]
Add an internet password item.
−a account Specify account name (required)
−c creator Specify item creator (optional four-character code)
−C type Specify item type (optional four-character code)
−d domain Specify security domain string (optional)
−D kind Specify kind (default is "application password")
−j comment Specify comment string (optional)
−l label Specify label (if omitted, service name is used as default label)
−p path Specify path string (optional)
−P port Specify port number (optional)
−r protocol Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp")
−s server Specify server name (required)
−t authenticationType
Specify authentication type (as a four-character SecAuthenticationType,
default is "dflt")
−w password Specify password to be added
−A Allow any application to access this item without warning (insecure, not recommended!)
−T appPath Specify an application which may access this item (multiple −T options are allowed)
−U Update item if it already exists (if omitted, the item cannot already exist)
By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname: −T "". If no keychain is specified, the password is added to the default keychain.
add-certificates [ −h] [ −k keychain] file...
Add certificates contained in the specified files to the default keychain. The files must contain one DER encoded X509 certificate each.
−k keychain Use keychain rather than the default keychain.
find-generic-password [ −h] [ −a account] [ −s service] [options...] [ −g] [keychain...]
Find a generic password item.
−a account Match account string
−c creator Match creator (four-character code)
−C type Match type (four-character code)
−D kind Match kind string
−G value Match value string (generic attribute)
−j comment Match comment string
−l label Match label string
−s service Match service string
−g Display the password for the item found
−w Display the password (only) for the item found
delete-generic-password [ −h] [ −a account] [ −s service] [options...] [keychain...]
Delete a generic password item.
−a account Match account string
−c creator Match creator (four-character code)
−C type Match type (four-character code)
−D kind Match kind string
−G value Match value string (generic attribute)
−j comment Match comment string
−l label Match label string
−s service Match service string
delete-internet-password [ −h] [ −a account] [ −s server] [options...]
[keychain...]
Delete an internet password item.
−a account Match account string
−c creator Match creator (four-character code)
−C type Match type (four-character code)
−d securityDomain
Match securityDomain string
−D kind Match kind string
−j comment Match comment string
−l label Match label string
−p path Match path string
−P port Match port number
−r protocol Match protocol (four-character code)
−s server Match server string
−t authenticationType
Match authenticationType (four-character code)
find-internet-password [ −h] [ −a account] [ −s server] [options...] [ −g]
[keychain...]
Find an internet password item.
−a account Match account string
−c creator Match creator (four-character code)
−C type Match type (four-character code)
−d securityDomain
Match securityDomain string
−D kind Match kind string
−j comment Match comment string
−l label Match label string
−p path Match path string
−P port Match port number
−r protocol Match protocol (four-character code)
−s server Match server string
−t authenticationType
Match authenticationType (four-character code)
−g Display the password for the item found
−w Display the password (only) for the item found
find-certificate [ −h] [ −a] [ −c name] [ −e emailAddress] [ −m] [ −p] [ −Z]
[keychain...]
Find a certificate item. If no keychain arguments are provided, the default search list is used.
Options:
−a Find all matching certificates, not just the first one
−c name Match on name when searching (optional)
−e emailAddress
Match on emailAddress when searching (optional)
−m Show the email addresses in the certificate
−p Output certificate in pem format. Default is to dump the attributes and keychain the cert is in.
−Z Print SHA-1 hash of the certificate
Examples
security> find-certificate -a -p > allcerts.pem
Exports all certificates from all keychains into a pem file called allcerts.pem.
security> find-certificate -a -e me@foo.com -p > certs.pem
Exports all certificates from all keychains with the email address me@foo.com into a
pem file called certs.pem.
security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-1
Print the SHA-1 hash of every certificate in ’login.keychain’ whose common name includes ’MyName’.
find-identity [ −h] [ −p policy] [ −s string] [ −v] [keychain...]
Find an identity (certificate + private key) satisfying a given policy. If no policy arguments are
provided, the X.509 basic policy is assumed. If no keychain arguments are provided, the default
search list is used.
Options:
−p policy Specify policy to evaluate (multiple -p options are allowed). Supported
policies: basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning,
sys-default, sys-kerberos-kdc
−s string Specify optional policy-specific string (e.g. a DNS hostname for SSL, or
RFC822 email address for S/MIME)
−v Show valid identities only (default is to show all identities)
Examples
security> find-identity -v -p ssl-client
Display valid identities that can be used for SSL client authentication
security> find-identity -p ssl-server -s www.domain.com
Display identities for a SSL server running on the host ’www.domain.com’
security> find-identity -p smime -s user@domain.com
Display identities that can be used to sign a message from ’user@domain.com’
delete-certificate [ −h] [ −c name] [ −Z hash] [ −t] [keychain...]
Delete a certificate from a keychain. If no keychain arguments are provided, the default search
list is used.
−c name Specify certificate to delete by its common name
−Z hash Specify certificate to delete by its SHA-1 hash
−t Also delete user trust settings for this certificate
The certificate to be deleted must be uniquely specified either by a string found in its common
name, or by its SHA-1 hash.
set-identity-preference [ −h] [ −n] [ −c identity] [ −s service] [ −u keyUsage]
[ −Z hash] [keychain...]
Set the preferred identity to use for a service.
−n Specify no identity (clears existing preference for the given service)
−c identity Specify identity by common name of the certificate
−s service Specify service (may be a URL, RFC822 email address, DNS host, or other
name) for which this identity is to be preferred
−u keyUsage Specify key usage (optional)
−Z hash Specify identity by SHA-1 hash of certificate (optional)
The identity is located by searching the specified keychain(s) for a certificate whose common
name contains the given identity string. If no keychains are specified to search, the default search
list is used. Different identity preferences can be set for individual key usages. You can differentiate between two identities which contain the same string by providing a SHA-1 hash of the certificate (in addition to, or instead of, the name.)
PARTIAL PATHS AND WILDCARDS
Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The URL being visited had to match the service name exactly for the preference to be in effect.
In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using a service name with a partial path URL to match more specific paths on the same server. For example, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect for "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must end with a trailing slash character.
Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wildcard character ’*’ as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".
KEY USAGE CODES
0 - preference is in effect for all possible key usages (default)
1 - encryption only
2 - decryption only
4 - signing only
8 - signature verification only
16 - signing with message recovery only
32 - signature verification with message recovery only
64 - key wrapping only
128 - key unwrapping only
256 - key derivation only
To specify more than one usage, add values together.
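Worked illustration of the service-matching rules (exact, partial path, wildcard) and the key usage codes above. This is an added example, not code from the man page or from Apple; the precedence between overlapping preferences, the usage-mask check, and the identity names are assumptions.

```python
"""Identity-preference matching rules and key-usage codes from security(1)
set-identity-preference. Added illustration, not Apple's implementation:
the exact / partial-path / wildcard rules follow the man page text, while
precedence between overlapping preferences and the usage-mask check are
assumptions made here."""
from urllib.parse import urlsplit

# KEY USAGE CODES table from the man page; add values to combine usages.
KEY_USAGE_CODES = {
    "all": 0,
    "encrypt": 1,
    "decrypt": 2,
    "sign": 4,
    "verify": 8,
    "sign_recover": 16,
    "verify_recover": 32,
    "wrap": 64,
    "unwrap": 128,
    "derive": 256,
}


def key_usage(*names):
    """Combine named usages into the integer given to -u keyUsage."""
    value = 0
    for name in names:
        value |= KEY_USAGE_CODES[name]
    return value


def _hostname(name):
    """Host part of a URL, or the name itself when it is a bare DNS name."""
    return urlsplit(name).hostname if "://" in name else name


def preference_matches(service, requested):
    """Does a preference stored under `service` apply to `requested`?

    Three rules from the man page:
      * exact match of the service name;
      * per-server partial path URL ending in '/' (10.5.4+), which covers
        more specific paths on the same scheme and host;
      * per-domain wildcard '*' as leftmost component (10.6+), which, unlike
        an SSL wildcard, may span several subdomains. Assumed here: it does
        not cover the bare domain itself.
    """
    if service == requested:
        return True
    if service.startswith("*."):
        suffix = service[1:]                 # "*.army.mil" -> ".army.mil"
        host = _hostname(requested) or ""
        return host != suffix[1:] and host.endswith(suffix)
    if "://" in service and service.endswith("/"):
        s, r = urlsplit(service), urlsplit(requested)
        same_server = (s.scheme, s.netloc) == (r.scheme, r.netloc)
        return same_server and r.path.startswith(s.path)
    return False  # a URL without a trailing slash only matches exactly


def select_preference(preferences, requested, usage=0):
    """Pick the identity for `requested` from (service, usage_mask, identity).

    Assumptions (the man page does not define precedence): a stored mask of
    0 applies to any usage, otherwise every requested bit must be in the
    mask; exact beats partial path beats wildcard; longer service wins ties.
    """
    def rank(service):
        if service == requested:
            return 3
        if "://" in service:
            return 2
        return 1

    candidates = [
        p for p in preferences
        if preference_matches(p[0], requested)
        and (p[1] == 0 or (usage & p[1]) == usage)
    ]
    if not candidates:
        return None
    best = max(candidates, key=lambda p: (rank(p[0]), len(p[0])))
    return best[2]


if __name__ == "__main__":
    # Constructed sample preferences; the identity names are placeholders.
    prefs = [
        ("*.mil", 0, "generic-mil-client"),
        ("*.army.mil", 0, "army-client"),
        ("https://www.apache-ssl.org/", key_usage("sign"), "apache-signing"),
    ]
    for svc in ("server1.subdomain1.army.mil", "server.navy.mil",
                "https://www.apache-ssl.org/cgi/cert-export"):
        print(svc, "->", select_preference(prefs, svc, key_usage("sign")))
```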
get-identity-preference [ −h] [ −s service] [ −u keyUsage] [ −p] [ −c] [ −Z]
Get the preferred identity to use for a service.
−s service Specify service (may be a URL, RFC822 email address, DNS host, or other
name)
−u keyUsage Specify key usage (optional)
−p Output identity certificate in pem format
−c Print common name of the preferred identity certificate
−Z Print SHA-1 hash of the preferred identity certificate
create-db [ −aho0] [ −g dl|cspdl] [ −m mode] [name]
Create a db using the DL. If name isn’t provided security will prompt the user to type a
name.
Options:
−a Turn off autocommit
−g dl|cspdl Use the AppleDL (default) or AppleCspDL
−m mode Set the file permissions to mode.
−o Force using openparams argument
−0 Force using version 0 openparams
Examples
security> create-db -m 0644 test.db
security> create-db -g cspdl -a test2.db
export [ −k keychain] [ −t type] [ −f format] [ −w] [ −p format] [ −P passphrase]
[ −o outfile]
Export one or more items from a keychain to one of a number of external representations. If
keychain isn’t provided, items will be exported from the user’s default keychain.
Options:
−k keychain Specify keychain from which item(s) will be exported.
−t type Specify the type of items to export. Possible types are certs, allKeys, pubKeys, privKeys, identities, and all. The default is all. An identity consists of both a certificate and the corresponding private key.
−f format Specify the format of the exported data. Possible formats are openssl, bsafe,
pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is
pemseq if more than one item is being exported. The default is openssl if
one key is being exported. The default is x509 if one certificate is being
exported.
−w Specifies that private keys are to be wrapped on export.
−p Specifies that PEM armour is to be applied to the output data.
−P passphrase Specify the wrapping passphrase immediately. The default is to obtain a
secure passphrase via GUI.
−o outfile Write the output data to outfile. Default is to write data to stdout.
Examples
security> export -k login.keychain -t certs -o /tmp/certs.pem
security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12
import inputfile [ −k keychain] [ −t type] [ −f format] [ −w] [ −P passphrase]
[options...]
Import one or more items from inputfile into a keychain. If keychain isn’t provided, items
will be imported into the user’s default keychain.
Options:
−k keychain Specify keychain into which item(s) will be imported.
−t type Specify the type of items to import. Possible types are cert, pub, priv, session, and agg. Pub, priv, and session refer to keys; agg is one of the aggregate types (pkcs12 and PEM sequence). The command can often figure out what item_type an item contains based on the filename and/or item_format.
−f format Specify the format of the imported data. Possible formats are openssl, bsafe, raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can often figure out what format an item is in based on the filename and/or item_type.
−w Specify that private keys are wrapped and must be unwrapped on import.
−x Specify that private keys are non-extractable after being imported.
−P passphrase Specify the unwrapping passphrase immediately. The default is to obtain a
secure passphrase via GUI.
−a attrName attrValue
Specify optional extended attribute name and value. Can be used multiple
times. This is only valid when importing keys.
−A Allow any application to access the imported key without warning (insecure, not recommended!)
−T appPath Specify an application which may access the imported key (multiple −T options are allowed)
Examples
security> import /tmp/certs.pem -k
security> import /tmp/mycerts.p12 -t agg -k newcert.keychain
security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain
cms [ −C| −D| −E| −S] [options...]
Encode or decode CMS messages.
−C create a CMS encrypted message
−D decode a CMS message
−E create a CMS enveloped message
−S create a CMS signed message
Decoding options:
−c content use this detached content file
−h level generate email headers with info about CMS message (output level >= 0)
−n suppress output of content
Encoding options:
−r id,... create envelope for comma-delimited list of recipients, where id can be a
certificate nickname or email address
−G include a signing time attribute
−H hash hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1)
−N nick use certificate named "nick" for signing
−P include a SMIMECapabilities attribute
−T do not include content in CMS message
−Y nick include an EncryptionKeyPreference attribute with certificate (use "NONE"
to omit)
−Z hash find a certificate by subject key ID
Common options:
−e envelope specify envelope file (valid with −D or −E)
−k keychain specify keychain to use
−i infile use infile as source of data (default: stdin)
−o outfile use outfile as destination of data (default: stdout)
−p password use password as key db password (default: prompt)
−s pass data a single byte at a time to CMS
−u certusage set type of certificate usage (default: certUsageEmailSigner)
−v print debugging information
Cert usage codes:
0 - certUsageSSLClient
1 - certUsageSSLServer
2 - certUsageSSLServerWithStepUp
3 - certUsageSSLCA
4 - certUsageEmailSigner
5 - certUsageEmailRecipient
6 - certUsageObjectSigner
7 - certUsageUserCertImport
8 - certUsageVerifyCA
9 - certUsageProtectedObjectSigner
10 - certUsageStatusResponder
11 - certUsageAnyCA
install-mds
Install (or re-install) the Module Directory Services (MDS) database. This is a system tool which
is not normally used by users. There are no options.
add-trusted-cert [ −d] [ −r resultType] [ −p policy] [ −a appPath] [ −s policyString] [ −e allowedError] [ −u keyUsage] [ −k keychain] [ −i settingsFileIn] [ −o settingsFileOut] [ −D] certFile
Add certificate (in DER or PEM format) from certFile to per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
Options:
−d Add to admin cert store; default is user.
−r resultType resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot.
−p policy Specify policy constraint (ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap).
−a appPath Specify application constraint.
−s policyString
Specify policy-specific string.
−e allowedError
Specify allowed error (an integer value, or one of: certExpired, hostnameMismatch)
−u keyUsage Specify key usage, an integer.
−k keychain Specify keychain to which cert is added.
−i settingsFileIn
Input trust settings file; default is user domain.
−o settingsFileOut
Output trust settings file; default is user domain.
−D Add default setting instead of per-cert setting. No certFile is specified when using this option.
Examples
security> add-trusted-cert /tmp/cert.der
security> add-trusted-cert -d /tmp/cert.der
remove-trusted-cert [ −d] [ −D] certFile
Remove certificate (in DER or PEM format) in certFile from per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
Options:
−d Remove from admin cert store; default is user.
−D Remove Default Root Cert setting instead of an actual cert setting. No certFile is specified when using this option.
dump-trust-settings [ −s] [ −d]
Display Trust Settings.
Options:
−s Display trusted system certs; default is user.
−d Display trusted admin certs; default is user.
user-trust-settings-enable [ −d] [ −e]
Display or manipulate user-level Trust Settings. With no arguments, shows the current state of the
user-level Trust Settings enable. Otherwise enables or disables user-level Trust Settings.
Options:
−d Disable user-level Trust Settings.
−e Enable user-level Trust Settings.
trust-settings-export [ −s] [ −d] settings_file
Export Trust Settings to the specified file.
Options:
−s Export system Trust Settings; default is user.
−d Export admin Trust Settings; default is user.
trust-settings-import [ −d] settings_file
Import Trust Settings from the specified file. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
Options:
−d Import admin Trust Settings; default is user.
verify-cert [ −c certFile] [ −r rootCertFile] [ −p policy] [ −k keychain] [ −n]
[ −L] [ −l] [ −e emailAddress] [ −s sslHost] [ −q]
Verify one or more certificates.
Options:
−c certFile Certificate to verify, in DER or PEM format. Can be specified more than
once; leaf certificate has to be specified first.
−r rootCertFile
Root certificate, in DER or PEM format. Can be specified more than once. If
not specified, the system anchor certificates are used. If one root certificate is
specified, and zero (non-root) certificates are specified, the root certificate is
verified against itself.
−p policy Specify verification policy (ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap, appleID, macappstore, timestamping). Default is basic.
−k keychain Keychain to search for intermediate certs. Can be specified multiple times.
Default is the current user’s keychain search list.
−n Avoid searching any keychains.
−L Use local certificates only. If an issuing CA certificate is missing, this option
will avoid accessing the network to fetch it.
−l Specifies that the leaf certificate is a CA cert. By default, a leaf certificate
with a Basic Constraints extension with the CA bit set fails verification.
−e emailAddress
Specify email address for the smime policy.
−s sslHost Specify SSL host name for the ssl policy.
−q Quiet, no stdout or stderr.
Examples
security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -s store.apple.com
security> verify-cert -r serverbasic.crt
authorize [ −updPiew] [right...]
Authorize requested right(s). The extend-rights flag will be passed by default.
Options:
−u Allow user interaction.
−p Allow returning partial rights.
−d Destroy acquired rights.
−P Pre-authorize rights only.
−l Operate authorization in least privileged mode.
−i Internalize authref passed on stdin.
−e Externalize authref to stdout
−w Wait while holding AuthorizationRef until stdout is closed. This will allow
client to read externalized AuthorizationRef from pipe.
Examples
security> security authorize -ud my-right
Basic authorization of my-right.
security> security -q authorize -uew my-right | security -q authorize -i my-right
Authorizing a right and passing it to another command as a way to add authorization to
shell scripts.
authorizationdb read <right-name>
authorizationdb write <right-name> [allow|deny|<rulename>]
authorizationdb remove <right-name>
Read or modify the authorization policy database. Without a rulename, write will read a dictionary as a plist from stdin.
Examples
security> security authorizationdb read system.privilege.admin > /tmp/aewp-def
Read definition of system.privilege.admin right.
security> security authorizationdb write system.preferences < /tmp/aewp-def
Set system.preferences to definition of system.privilege.admin right.
security> security authorizationdb write system.preferences authenticate-admin
Every change to preferences requires an Admin user to authenticate.
execute-with-privileges <program> [args...]
Execute tool with privileges. On success stdin will be read and forwarded to the tool.
leaks [ −h] [ −cycles] [ −nocontext] [ −nostacks] [ −exclude symbol]
Run /usr/bin/leaks on this process. This can help find memory leaks after running certain
commands.
Options:
−cycles Use a stricter algorithm (See leaks(1) for details).
−nocontext Withhold the hex dumps of the leaked memory.
−nostacks Don’t show stack traces of leaked memory.
−exclude symbol
Ignore leaks called from symbol.
error [ −h] [<error code(s)...>]
Display an error string for the given security-related error code. The error can be in decimal or hex,
e.g. 1234 or 0x1234. Multiple errors can be separated by spaces.
ENVIRONMENT
MallocStackLogging
When using the leaks command or the −l option it’s probably a good idea to set this environment variable before security is started. Doing so will allow leaks to display symbolic backtraces.
FILES
~/Library/Preferences/com.apple.security.plist
Property list file containing the current user’s default keychain and keychain search list.
/Library/Preferences/com.apple.security.plist
Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.
/Library/Preferences/com.apple.security-common.plist
Property list file containing the common keychain search list, which is appended to every user’s
search list and to the system search list.
SEE ALSO
certtool(1), leaks(1)
HISTORY
security was first introduced in Mac OS X version 10.3.
BUGS
security still needs more commands before it can be considered complete. In particular, it should someday supersede both the certtool and systemkeychain commands.
Darwin March 1, 2012 14
Command Line Interface for macOS Security Framework

  • 1. security (1) BSD General Commands Manual security (1) NAME security — Command line interface to keychains and Security framework SYNOPSIS security [ −hilqv] [ −p prompt] [command] [command_options] [command_args] DESCRIPTION A simple command line interface which lets you administer keychains, manipulate keys and certificates, and do just about anything the Security framework is capable of from the command line. By default security will execute the command supplied and report if anything went wrong. If the −i or −p options are provided, security will enter interactive mode and allow the user to enter multiple commands on stdin. When EOF is read from stdin security will exit. Here is a complete list of the options available: −h If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each the specified commands. This option is essentially the same as the help com- mand. −i Run security in interactive mode. A prompt ( security> by default ) will be displayed and the user will be able to type commands on stdin until an EOF is encountered. −l Before security exits, run /usr/bin/leaks -nocontext on itself to see if the command(s) you executed had any leaks. −p prompt This option implies the −i option but changes the default prompt to the argument specified instead. −q Will make security less verbose. −v Will make security more verbose. SECURITY COMMAND SUMMARY security provides a rich variety of commands ( command in the SYNOPSIS ) , each of which often has a wealth of options, to allow access to the broad functionality provided by the Security framework. However, you don’t have to master every detail for security to be useful to you. Here are brief descriptions of all the security commands: help Show all commands, or show usage for a command. list-keychains Display or manipulate the keychain search list. default-keychain Display or set the default keychain. login-keychain Display or set the login keychain. 
create-keychain Create keychains. delete-keychain Delete keychains and remove them from the search list. lock-keychain Lock the specified keychain. unlock-keychain Unlock the specified keychain. set-keychain-settings Set settings for a keychain. set-keychain-password Set password for a keychain. show-keychain-info Show the settings for keychain. dump-keychain Dump the contents of one or more keychains. Darwin March 1, 2012 1
  • 2. security (1) BSD General Commands Manual security (1) create-keypair Create an asymmetric key pair. add-generic-password Add a generic password item. add-internet-password Add an internet password item. add-certificates Add certificates to a keychain. find-generic-password Find a generic password item. delete-generic-password Delete a generic password item. find-internet-password Find an internet password item. delete-internet-password Delete an internet password item. find-certificate Find a certificate item. find-identity Find an identity (certificate + private key). delete-certificate Delete a certificate from a keychain. set-identity-preference Set the preferred identity to use for a service. get-identity-preference Get the preferred identity to use for a service. create-db Create a db using the DL. export Export items from a keychain. import Import items into a keychain. cms Encode or decode CMS messages. install-mds Install (or re-install) the MDS database. add-trusted-cert Add trusted certificate(s). remove-trusted-cert Remove trusted certificate(s). dump-trust-settings Display contents of trust settings. user-trust-settings-enable Display or manipulate user-level trust settings. trust-settings-export Export trust settings. trust-settings-import Import trust settings. verify-cert Verify certificate(s). authorize Perform authorization operations. authorizationdb Make changes to the authorization policy database. execute-with-privileges Execute tool with privileges. leaks Run /usr/bin/leaks on this process. error Display a descriptive message for the given error code(s). COMMON COMMAND OPTIONS This section describes the command_options that are available across all security commands. −h Show a usage message for the specified command. This option is essentially the same as the help command. SECURITY COMMANDS Here (finally) are details on all the security commands and the options each accepts. help [ −h] Show all commands, or show usage for a command. 
list-keychains [ −h] [ −d user|system|common|dynamic] [ −s [keychain...]] Display or manipulate the keychain search list. −d user|system|common|dynamic Use the specified preference domain. −s Set the search list to the specified keychains. default-keychain [ −h] [ −d user|system|common|dynamic] [ −s [keychain]] Display or set the default keychain. Darwin March 1, 2012 2
  • 3. security (1) BSD General Commands Manual security (1) −d user|system|common|dynamic Use the specified preference domain. −s Set the default keychain to the specified keychain. Unset it if no keychain is speci- fied. login-keychain [ −h] [ −d user|system|common|dynamic] [ −s [keychain]] Display or set the login keychain. −d user|system|common|dynamic Use the specified preference domain. −s Set the login keychain to the specified keychain. Unset it if no keychain is speci- fied. create-keychain [ −hP] [ −p password] [keychain...] Create keychains. −P Prompt the user for a password using the SecurityAgent. −p password Use password as the password for the keychains being created. If neither −P or −p password are specified, the user is prompted for a password on the com- mand line. delete-keychain [ −h] [keychain...] Delete keychains and remove them from the search list. lock-keychain [ −h] [ −a|keychain] Lock keychain, or the default keychain if none is specified. If the −a option is specified, all keychains are locked. unlock-keychain [ −hu] [ −p password] [keychain] Unlock keychain, or the default keychain if none is specified. set-keychain-settings [ −hlu] [ −t timeout] [keychain] Set settings for keychain, or the default keychain if none is specified. −l Lock keychain when the system sleeps. −u Lock keychain after timeout interval. −t timeout Specify timeout interval in seconds (omitting this option specifies "no timeout"). set-keychain-password [ −h] [ −o oldPassword] [ −p newPassword] [keychain] Set password for keychain, or the default keychain if none is specified. −o oldPassword Old keychain password (if not provided, will prompt) −p newPassword New keychain password (if not provided, will prompt) show-keychain-info [ −h] [keychain] Show the settings for keychain. dump-keychain [ −adhir] Dump the contents of one or more keychains. 
−a Dump access control list of items −d Dump (decrypted) data of items −i Interactive access control list editing mode Darwin March 1, 2012 3
  • 4. security (1) BSD General Commands Manual security (1) −r Dump raw (encrypted) data of items create-keypair [ −h] [ −a alg] [ −s size] [ −f date] [ −t date] [ −d days] [ −k keychain] [ −A| −T appPath] [name] Create an asymmetric key pair. −a alg Use alg as the algorithm, can be rsa, dh, dsa or fee (default rsa) −s size Specify the keysize in bits (default 512) −f date Make a key valid from the specified date −t date Make a key valid to the specified date −d days Make a key valid for the number of days specified from today −k keychain Use the specified keychain rather than the default −A Allow any application to access this key without warning (insecure, not rec- ommended!) −T appPath Specify an application which may access this key (multiple −T options are allowed) add-generic-password [ −h] [ −a account] [ −s service] [ −w password] [options...] [keychain] Add a generic password item. −a account Specify account name (required) −c creator Specify item creator (optional four-character code) −C type Specify item type (optional four-character code) −D kind Specify kind (default is "application password") −G value Specify generic attribute value (optional) −j comment Specify comment string (optional) −l label Specify label (if omitted, service name is used as default label) −s service Specify service name (required) −p password Specify password to be added (legacy option, equivalent to −w) −w password Specify password to be added −A Allow any application to access this item without warning (insecure, not recommended!) −T appPath Specify an application which may access this item (multiple −T options are allowed) −U Update item if it already exists (if omitted, the item cannot already exist) By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname: −T "". If no key- chain is specified, the password is added to the default keychain. 
add-internet-password [ −h] [ −a account] [ −s server] [ −w password] [options...] [keychain] Add an internet password item. −a account Specify account name (required) −c creator Specify item creator (optional four-character code) −C type Specify item type (optional four-character code) −d domain Specify security domain string (optional) −D kind Specify kind (default is "application password") −j comment Specify comment string (optional) −l label Specify label (if omitted, service name is used as default label) −p path Specify path string (optional) Darwin March 1, 2012 4
  • 5. security (1) BSD General Commands Manual security (1) −P port Specify port number (optional) −r protocol Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ") −s server Specify server name (required) −t authenticationType Specify authentication type (as a four-character SecAuthenticationType, default is "dflt") −w password Specify password to be added −A Allow any application to access this item without warning (insecure, not recommended!) −T appPath Specify an application which may access this item (multiple −T options are allowed) −U Update item if it already exists (if omitted, the item cannot already exist) By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname: −T "". If no key- chain is specified, the password is added to the default keychain. add-certificates [ −h] [ −k keychain] file... Add certficates contained in the specified files to the default keychain. The files must contain one DER encoded X509 certificate each. −k keychain Use keychain rather than the default keychain. find-generic-password [ −h] [ −a account] [ −s service] [ −options...] [ −g] [ −keychain...] Find a generic password item. −a account Match account string −c creator Match creator (four-character code) −C type Match type (four-character code) −D kind Match kind string −G value Match value string (generic attribute) −j comment Match comment string −l label Match label string −s service Match service string −g Display the password for the item found −w Display the password(only) for the item found delete-generic-password [ −h] [ −a account] [ −s service] [ −options...] [ −keychain...] Delete a generic password item. 
−a account Match account string −c creator Match creator (four-character code) −C type Match type (four-character code) −D kind Match kind string −G value Match value string (generic attribute) −j comment Match comment string −l label Match label string −s service Match service string delete-internet-password [ −h] [ −a account] [ −s server] [options...] [keychain...] Delete an internet password item. Darwin March 1, 2012 5
  • 6. security (1) BSD General Commands Manual security (1) −a account Match account string −c creator Match creator (four-character code) −C type Match type (four-character code) −d securityDomain Match securityDomain string −D kind Match kind string −j comment Match comment string −l label Match label string −p path Match path string −P port Match port number −r protocol Match protocol (four-character code) −s server Match server string −t authenticationType Match authenticationType (four-character code) find-internet-password [ −h] [ −a account] [ −s server] [options...] [ −g] [keychain...] Find an internet password item. −a account Match account string −c creator Match creator (four-character code) −C type Match type (four-character code) −d securityDomain Match securityDomain string −D kind Match kind string −j comment Match comment string −l label Match label string −p path Match path string −P port Match port number −r protocol Match protocol (four-character code) −s server Match server string −t authenticationType Match authenticationType (four-character code) −g Display the password for the item found −w Display the password(only) for the item found find-certificate [ −h] [ −a] [ −c name] [ −e emailAddress] [ −m] [ −p] [ −Z] [keychain...] Find a certificate item. If no keychain arguments are provided, the default search list is used. Options: −a Find all matching certificates, not just the first one −c name Match on name when searching (optional) −e emailAddress Match on emailAddress when searching (optional) −m Show the email addresses in the certificate −p Output certificate in pem format. Default is to dump the attributes and key- chain the cert is in. −Z Print SHA-1 hash of the certificate Examples security> find-certificate -a -p > allcerts.pem Exports all certificates from all keychains into a pem file called allcerts.pem. Darwin March 1, 2012 6
  • 7. security (1) BSD General Commands Manual security (1) security> find-certificate -a -e me@foo.com -p > certs.pem Exports all certificates from all keychains with the email address me@foo.com into a pem file called certs.pem. security> find-certificate -a -c MyName -Z login.keychain | grep ˆSHA-1 Print the SHA-1 hash of every certificate in ’login.keychain’ whose common name includes ’MyName’ find-identity [ −h] [ −p policy] [ −s string] [ −v] [keychain...] Find an identity (certificate + private key) satisfying a given policy. If no policy arguments are provided, the X.509 basic policy is assumed. If no keychain arguments are provided, the default search list is used. Options: −p policy Specify policy to evaluate (multiple -p options are allowed). Supported policies: basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning, sys-default, sys-kerberos-kdc −s string Specify optional policy-specific string (e.g. a DNS hostname for SSL, or RFC822 email address for S/MIME) −v Show valid identities only (default is to show all identities) Examples security> find-identity -v -p ssl-client Display valid identities that can be used for SSL client authentication security> find-identity -p ssl-server -s www.domain.com Display identities for a SSL server running on the host ’www.domain.com’ security> find-identity -p smime -s user@domain.com Display identities that can be used to sign a message from ’user@domain.com’ delete-certificate [ −h] [ −c name] [ −Z hash] [ −t] [keychain...] Delete a certificate from a keychain. If no keychain arguments are provided, the default search list is used. −c name Specify certificate to delete by its common name −Z hash Specify certificate to delete by its SHA-1 hash −t Also delete user trust settings for this certificate The certificate to be deleted must be uniquely specified either by a string found in its common name, or by its SHA-1 hash. 
set-identity-preference [ −h] [ −n] [ −c identity] [ −s service] [ −u keyUsage] [ −Z hash] [keychain...]
        Set the preferred identity to use for a service.
        −n      Specify no identity (clears existing preference for the given service)
        −c identity
                Specify identity by common name of the certificate
        −s service
                Specify service (may be a URL, RFC822 email address, DNS host, or other name) for which this identity is to be preferred
        −u keyUsage
                Specify key usage (optional)
        −Z hash Specify identity by SHA-1 hash of certificate (optional)
        The identity is located by searching the specified keychain(s) for a certificate whose common name contains the given identity string. If no keychains are specified to search, the default search list is used. Different identity preferences can be set for individual key usages. You can differentiate between two identities which contain the same string by providing a SHA-1 hash of the certificate (in addition to, or instead of, the name.)

        PARTIAL PATHS AND WILDCARDS
        Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The URL being visited had to match the service name exactly for the preference to be in effect.
        In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using a service name with a partial path URL to match more specific paths on the same server. For example, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect for "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must end with a trailing slash character.
        Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wildcard character '*' as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".

        KEY USAGE CODES
        0   - preference is in effect for all possible key usages (default)
        1   - encryption only
        2   - decryption only
        4   - signing only
        8   - signature verification only
        16  - signing with message recovery only
        32  - signature verification with message recovery only
        64  - key wrapping only
        128 - key unwrapping only
        256 - key derivation only
        To specify more than one usage, add values together.

get-identity-preference [ −h] [ −s service] [ −u keyUsage] [ −p] [ −c] [ −Z]
        Get the preferred identity to use for a service.
        −s service
                Specify service (may be a URL, RFC822 email address, DNS host, or other name)
        −u keyUsage
                Specify key usage (optional)
        −p      Output identity certificate in PEM format
        −c      Print common name of the preferred identity certificate
        −Z      Print SHA-1 hash of the preferred identity certificate

create-db [ −aho0] [ −g dl|cspdl] [ −m mode] [name]
        Create a db using the DL. If name isn't provided security will prompt the user to type a name.
        Options:
        −a      Turn off autocommit
        −g dl|cspdl
                Use the AppleDL (default) or AppleCspDL
        −m mode Set the file permissions to mode.
        −o      Force using openparams argument
        −0      Force using version 0 openparams
        Examples
        security> create-db -m 0644 test.db
        security> create-db -g cspdl -a test2.db

export [ −k keychain] [ −t type] [ −f format] [ −w] [ −p format] [ −P passphrase] [ −o outfile]
        Export one or more items from a keychain to one of a number of external representations. If keychain isn't provided, items will be exported from the user's default keychain.
        Options:
        −k keychain
                Specify keychain from which item(s) will be exported.
        −t type Specify the type of items to export. Possible types are certs, allKeys, pubKeys, privKeys, identities, and all. The default is all. An identity consists of both a certificate and the corresponding private key.
        −f format
                Specify the format of the exported data. Possible formats are openssl, bsafe, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is pemseq if more than one item is being exported. The default is openssl if one key is being exported. The default is x509 if one certificate is being exported.
        −w      Specifies that private keys are to be wrapped on export.
        −p      Specifies that PEM armour is to be applied to the output data.
        −P passphrase
                Specify the wrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.
        −o outfile
                Write the output data to outfile. Default is to write data to stdout.
        Examples
        security> export -k login.keychain -t certs -o /tmp/certs.pem
        security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12

import inputfile [ −k keychain] [ −t type] [ −f format] [ −w] [ −P passphrase] [options...]
        Import one or more items from inputfile into a keychain. If keychain isn't provided, items will be imported into the user's default keychain.
        Options:
        −k keychain
                Specify keychain into which item(s) will be imported.
        −t type Specify the type of items to import. Possible types are cert, pub, priv, session, and agg.
                Pub, priv, and session refer to keys; agg is one of the aggregate types (pkcs12 and PEM sequence). The command can often figure out what item_type an item contains based on the filename and/or item_format.
        −f format
                Specify the format of the imported data. Possible formats are openssl, bsafe, raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can often figure out what format an item is in based on the filename and/or item_type.
        −w      Specify that private keys are wrapped and must be unwrapped on import.
        −x      Specify that private keys are non-extractable after being imported.
        −P passphrase
                Specify the unwrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.
        −a attrName attrValue
                Specify optional extended attribute name and value. Can be used multiple times. This is only valid when importing keys.
        −A      Allow any application to access the imported key without warning (insecure, not recommended!)
        −T appPath
                Specify an application which may access the imported key (multiple −T options are allowed)
        Examples
        security> import /tmp/certs.pem -k
        security> import /tmp/mycerts.p12 -t agg -k newcert.keychain
        security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain

cms [ −C| −D| −E| −S] [options...]
        Encode or decode CMS messages.
        −C      create a CMS encrypted message
        −D      decode a CMS message
        −E      create a CMS enveloped message
        −S      create a CMS signed message
        Decoding options:
        −c content
                use this detached content file
        −h level
                generate email headers with info about CMS message (output level >= 0)
        −n      suppress output of content
        Encoding options:
        −r id,...
                create envelope for comma-delimited list of recipients, where id can be a certificate nickname or email address
        −G      include a signing time attribute
        −H hash hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1)
        −N nick use certificate named "nick" for signing
        −P      include a SMIMECapabilities attribute
        −T      do not include content in CMS message
        −Y nick include an EncryptionKeyPreference attribute with certificate (use "NONE" to omit)
        −Z hash find a certificate by subject key ID
        Common options:
        −e envelope
                specify envelope file (valid with −D or −E)
        −k keychain
                specify keychain to use
        −i infile
                use infile as source of data (default: stdin)
        −o outfile
                use outfile as destination of data (default: stdout)
        −p password
                use password as key db password (default: prompt)
        −s      pass data a single byte at a time to CMS
        −u certusage
                set type of certificate usage (default: certUsageEmailSigner)
        −v      print debugging information
        Cert usage codes:
        0  - certUsageSSLClient
        1  - certUsageSSLServer
        2  - certUsageSSLServerWithStepUp
        3  - certUsageSSLCA
        4  - certUsageEmailSigner
        5  - certUsageEmailRecipient
        6  - certUsageObjectSigner
        7  - certUsageUserCertImport
        8  - certUsageVerifyCA
        9  - certUsageProtectedObjectSigner
        10 - certUsageStatusResponder
        11 - certUsageAnyCA

install-mds
        Install (or re-install) the Module Directory Services (MDS) database. This is a system tool which is not normally used by users. There are no options.

add-trusted-cert [ −d] [ −r resultType] [ −p policy] [ −a appPath] [ −s policyString] [ −e allowedError] [ −u keyUsage] [ −k keychain] [ −i settingsFileIn] [ −o settingsFileOut] [ −D] certFile
        Add certificate (in DER or PEM format) from certFile to per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
        Options:
        −d      Add to admin cert store; default is user.
        −r resultType
                resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot.
        −p policy
                Specify policy constraint (ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap).
        −a appPath
                Specify application constraint.
        −s policyString
                Specify policy-specific string.
        −e allowedError
                Specify allowed error (an integer value, or one of: certExpired, hostnameMismatch)
        −u keyUsage
                Specify key usage, an integer.
        −k keychain
                Specify keychain to which cert is added.
        −i settingsFileIn
                Input trust settings file; default is user domain.
        −o settingsFileOut
                Output trust settings file; default is user domain.
        −D      Add default setting instead of per-cert setting. No certFile is specified when using this option.
        Examples
        security> add-trusted-cert /tmp/cert.der
        security> add-trusted-cert -d /tmp/cert.der

remove-trusted-cert [ −d] [ −D] certFile
        Remove certificate (in DER or PEM format) in certFile from per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
        Options:
        −d      Remove from admin cert store; default is user.
        −D      Remove Default Root Cert setting instead of an actual cert setting. No certFile is specified when using this option.

dump-trust-settings [ −s] [ −d]
        Display Trust Settings.
        Options:
        −s      Display trusted system certs; default is user.
        −d      Display trusted admin certs; default is user.

user-trust-settings-enable [ −d] [ −e]
        Display or manipulate user-level Trust Settings. With no arguments, shows the current state of the user-level Trust Settings enable. Otherwise enables or disables user-level Trust Settings.
        Options:
        −d      Disable user-level Trust Settings.
        −e      Enable user-level Trust Settings.

trust-settings-export [ −s] [ −d] settings_file
        Export Trust Settings to the specified file.
        Options:
        −s      Export system Trust Settings; default is user.
        −d      Export admin Trust Settings; default is user.

trust-settings-import [ −d] settings_file
        Import Trust Settings from the specified file. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
        Options:
        −d      Import admin Trust Settings; default is user.

verify-cert [ −c certFile] [ −r rootCertFile] [ −p policy] [ −k keychain] [ −n] [ −L] [ −l] [ −e emailAddress] [ −s sslHost] [ −q]
        Verify one or more certificates.
        Options:
        −c certFile
                Certificate to verify, in DER or PEM format. Can be specified more than once; leaf certificate has to be specified first.
        −r rootCertFile
                Root certificate, in DER or PEM format. Can be specified more than once. If not specified, the system anchor certificates are used. If one root certificate is specified, and zero (non-root) certificates are specified, the root certificate is verified against itself.
        −p policy
                Specify verification policy (ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap, appleID, macappstore, timestamping). Default is basic.
        −k keychain
                Keychain to search for intermediate certs. Can be specified multiple times. Default is the current user's keychain search list.
        −n      Avoid searching any keychains.
        −L      Use local certificates only. If an issuing CA certificate is missing, this option will avoid accessing the network to fetch it.
        −l      Specifies that the leaf certificate is a CA cert. By default, a leaf certificate with a Basic Constraints extension with the CA bit set fails verification.
        −e emailAddress
                Specify email address for the smime policy.
        −s sslHost
                Specify SSL host name for the ssl policy.
        −q      Quiet, no stdout or stderr.
        Examples
        security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -s store.apple.com
        security> verify-cert -r serverbasic.crt

authorize [ −updPiew] [right...]
        Authorize requested right(s). The extend-rights flag will be passed by default.
        Options:
        −u      Allow user interaction.
        −p      Allow returning partial rights.
        −d      Destroy acquired rights.
        −P      Pre-authorize rights only.
        −l      Operate authorization in least privileged mode.
        −i      Internalize authref passed on stdin.
        −e      Externalize authref to stdout.
        −w      Wait while holding AuthorizationRef until stdout is closed. This will allow client to read externalized AuthorizationRef from pipe.
        Examples
        security> security authorize -ud my-right
                Basic authorization of my-right.
        security> security -q authorize -uew my-right | security -q authorize -i my-right
                Authorizing a right and passing it to another command as a way to add authorization to shell scripts.

authorizationdb read <right-name>
authorizationdb write <right-name> [allow|deny|<rulename>]
authorizationdb remove <right-name>
        Read/Modify authorization policy database. Without a rulename write will read a dictionary as a plist from stdin.
        Examples
        security> security authorizationdb read system.privilege.admin > /tmp/aewp-def
                Read definition of system.privilege.admin right.
        security> security authorizationdb write system.preferences < /tmp/aewp-def
                Set system.preferences to definition of system.privilege.admin right.
        security> security authorizationdb write system.preferences authenticate-admin
                Every change to preferences requires an Admin user to authenticate.

execute-with-privileges <program> [args...]
        Execute tool with privileges. On success stdin will be read and forwarded to the tool.
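        The service-name matching rules (exact match, partial-path URL with a trailing slash, leading '*' wildcard) and the additive key usage codes documented under set-identity-preference above, as an added Python model; this is not Apple's implementation, the preference names in it are constructed, and applying the wildcard rule to a host inside a URL is an assumption.

```python
"""Model of the identity-preference matching rules documented for
set-identity-preference, plus the -u key usage arithmetic.

Added example, not Apple's code: it encodes only the rules as the man page
states them (exact match; partial-path URL ending in '/' covering deeper
paths on the same server; a leading '*' label matching any number of
subdomain labels). Every preference name used with it is constructed."""
from urllib.parse import urlsplit

# Codes from the KEY USAGE CODES table; 0 means the preference covers every usage.
KEY_USAGE = {
    "encrypt": 1, "decrypt": 2, "sign": 4, "verify": 8,
    "sign_recover": 16, "verify_recover": 32,
    "wrap": 64, "unwrap": 128, "derive": 256,
}

def key_usage_code(*usages):
    """Combine named usages into the integer given to -u (codes are added)."""
    return sum(KEY_USAGE[u] for u in usages)

def decode_key_usage(code):
    """Inverse of key_usage_code: usage names whose bit is set, lowest code first."""
    if code == 0:
        return ["all"]
    return [n for n, v in sorted(KEY_USAGE.items(), key=lambda kv: kv[1])
            if code & v]

def _host_matches(pattern, host):
    """'*.mil' covers server.army.mil and server.navy.mil: unlike a TLS
    wildcard, '*' may span several labels. The bare suffix ('mil') is not
    covered, and comparison is case-insensitive (assumption)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def preference_applies(service_name, requested):
    """True if a preference stored under service_name covers `requested`."""
    if service_name == requested:
        return True  # exact match, the only rule before 10.5.4
    svc, req = urlsplit(service_name), urlsplit(requested)
    if svc.scheme and req.scheme:  # both sides are URLs
        if not service_name.endswith("/"):
            return False  # a partial-path URL must end with a slash
        return (svc.scheme == req.scheme
                and _host_matches(svc.hostname or "", req.hostname or "")
                and (req.path or "/").startswith(svc.path))
    if not svc.scheme and not req.scheme:  # host names, email addresses
        return _host_matches(service_name, requested)
    return False  # a URL preference never covers a bare name, or vice versa
```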
leaks [ −h] [ −cycles] [ −nocontext] [ −nostacks] [ −exclude symbol]
        Run /usr/bin/leaks on this process. This can help find memory leaks after running certain commands.
        Options:
        −cycles Use a stricter algorithm (See leaks(1) for details).
        −nocontext
                Withhold the hex dumps of the leaked memory.
        −nostacks
                Don't show stack traces of leaked memory.
        −exclude symbol
                Ignore leaks called from symbol.

error [ −h] [<error code(s)...>]
        Display an error string for the given security-related error code. The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple errors can be separated by spaces.

ENVIRONMENT
MallocStackLogging
        When using the leaks command or the −l option it's probably a good idea to set this environment variable before security is started. Doing so will allow leaks to display symbolic backtraces.

FILES
~/Library/Preferences/com.apple.security.plist
        Property list file containing the current user's default keychain and keychain search list.
/Library/Preferences/com.apple.security.plist
        Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.
/Library/Preferences/com.apple.security-common.plist
        Property list file containing the common keychain search list, which is appended to every user's search list and to the system search list.

SEE ALSO
certtool(1), leaks(1)

HISTORY
security was first introduced in Mac OS X version 10.3.

BUGS
security still needs more commands before it can be considered complete. In particular, it should someday supersede both the certtool and systemkeychain commands.

Darwin                                                  March 1, 2012