Revoke an application's access to keychain passwords

I granted an application 'always allow' access to my keychain. I no longer want to have this application set to this. Is there a central place where I can see which applications are allowed to access items / passwords in the keychain and then remove them as wanted?


You can use Keychain Access to modify the access control lists on any keychain item that have them. (Most, but not all, keychain items do. For example, the public portion of my S/MIME certificate does not have one, presumably since it is a public key and thus does not need to be protected—but the corresponding key, available under Keys, does.)

Simply find the keychain item in question and press command-I (or select Get Info from the File menu). A dialog similar to this will appear:

[Screenshot: Get Info dialog on an example IRC password created by Adium]

From this dialog, you can manipulate the access control list on the keychain item as you see fit.


security is a command-line program which can access/manipulate the keychains. The following command will output a long stream of text, but it contains the info you're looking for. You just need to know how to look for it.

security dump-keychain -a login.keychain

This is an example of a keychain entry without any specific access controls:

access: 2 entries
    entry 0:
        authorizations (1): any
        don't-require-password
        description: <NULL>
        applications: <null>
    entry 1:
        authorizations (1): change_acl
        don't-require-password
        description: <NULL>
        applications: <null>

This is an example of an item that only iChat has permission to access:

access: 3 entries
    entry 0:
        authorizations (1): encrypt
        don't-require-password
        description: <key>
        applications: <null>
    entry 1:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        don't-require-password
        description: <key>
        applications (1):
            0: /Applications/iChat.app (OK)
    entry 2:
        authorizations (1): change_acl
        don't-require-password
        description: <key>
        applications (0):

If you only want to search for a specific application, then it is probably easiest to just send the output of the above command to a file, and read through it manually to search for your application string to find out what items it has permission to use.
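Added example, not part of either answer above: a small Python parser that reads the security dump-keychain -a output and lists, per application path, the keychain items whose access entries name that application, instead of searching the dump by hand. The function name trusted_apps, the sample item labels, and the keychain: / 0x00000007 header lines in the sample are assumptions; only the access-entry layout is taken from the output quoted above.

```python
import re
import sys
from collections import defaultdict

# Constructed sample. The ACL lines follow the layout quoted above; the
# 'keychain:' and 0x00000007 label header lines are an assumption.
SAMPLE = """\
keychain: "/Users/me/Library/Keychains/login.keychain"
    0x00000007 <blob>="Example open item"
access: 1 entries
    entry 0:
        authorizations (1): any
        applications: <null>
keychain: "/Users/me/Library/Keychains/login.keychain"
    0x00000007 <blob>="Example chat key"
access: 2 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications (1):
            0: /Applications/iChat.app (OK)
    entry 1:
        authorizations (1): change_acl
        applications (0):
"""

def trusted_apps(dump):
    """Map application path -> list of (item label, authorizations)."""
    grants = defaultdict(list)
    label, auths = "<unlabelled>", ""
    for line in dump.splitlines():
        text = line.strip()
        if text.startswith("keychain:"):          # a new item begins
            label, auths = "<unlabelled>", ""
        elif m := re.match(r'0x00000007 <blob>="(.*)"$', text):
            label = m.group(1)
        elif m := re.match(r"authorizations \(\d+\): (.*)$", text):
            auths = m.group(1)                     # applies to this ACL entry
        elif m := re.match(r"\d+: (/.*?)(?: \([^()]*\))?$", text):
            grants[m.group(1)].append((label, auths))
    return dict(grants)

if __name__ == "__main__":
    # Usage: security dump-keychain -a login.keychain | python3 this_script.py
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for app, items in sorted(trusted_apps(dump).items()):
        for label, auths in items:
            print(f"{app}\t{label}\t{auths}")
```

Entries with applications: <null> name no application and are skipped, so only items with an explicit per-application grant are listed; those items can then be opened in Keychain Access with Get Info to change the access control list.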