Saturday, October 31, 2009

Serious Security Vulnerability in Mac OS X?

My 14-year-old son pointed this one out and I was shocked when I saw him do this on the Mac. We both have user accounts on the same machine (both with admin privileges), which is a MacBook Pro running version 10.5.8 with all the latest updates. With my account logged in, I shut the lid and put the Mac to sleep.

He then said, "Dad, let me show you something". He opened the lid and it showed the login screen with my name and an empty password field. On that same login dialog box he changed the user name to his name and entered his password. The expected result should be that it logs him into his own account, right? The actual result is that the Mac lets him unlock the screen using his password and use my account as if it were me who had entered my own password!

This is obviously a huge security flaw. A user of a machine can access another user's account on the same machine and have full control over applications and files and impersonate that user any time.

Has anyone else seen this? I am amazed that Apple has not come across this before and has not fixed this. Can anyone else verify that they can do this on their Mac? Does anyone know whether this was fixed in Snow Leopard?

3 comments:

  1. Don't think so. UNIX allows the super user to "su" to any account and pretend to be that person; this is done using the super user's password. I'm a number of years removed, but since your son is an admin, he can impersonate anyone he wants, including you.

    I am not real familiar with the Apple implementation, but why are you both admins? In unix worlds, users is users and admins is admins and never shall the two get confused. Your "user" accounts should drop the admin rights and you should use root for admin stuff.

    -Joe Nord

  2. While I can't comment on Mac OS X, I know some older versions of Windows allowed the current user or a system administrator to unlock a locked screen.

    I don't know exactly how the OSX screen unlock works.

    On Unix systems, if you have access to the root account (or sudo), you can "become" any other user.

  3. He is an admin because Facebook would not even let him log in unless he was. Not sure why Facebook behaved this way, but making him an admin fixed that. Neither of us is root. That's a separate account on the machine.

    I did confirm that a non-admin user cannot do what my son was able to do. Still this seems like the wrong behavior. I can envision a machine that needs to have multiple accounts, each with the ability to install and administer certain things but not the root password. In that case, these users should not be able to unlock each other's accounts.

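The comments above point at the practical mitigation: keep everyday accounts out of the admin group, since on this 10.5.8 machine any admin could unlock another admin's locked session. The following script is an added example, not code from the post or its commenters; it lists who is in the local admin group on a Mac (via `dscl`, which does exist on macOS) and flags the multi-admin situation described above. On a non-Mac it falls back to a constructed sample so it still runs.

```shell
#!/bin/sh
# Added example: audit membership of the macOS "admin" group.
# Every non-root member could unlock the others' locked sessions under the
# 10.5.8 behaviour described in the post, so the owner should know who they are.

# Parse the output of `dscl . -read /Groups/admin GroupMembership`, which looks like
#   GroupMembership: root alice bob
# and print one member name per line.
parse_admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Count admin members other than root (root is always present and is expected).
count_non_root_admins() {
    parse_admin_members "$1" | grep -vc '^root$' || true
}

# Read the real group on a Mac; elsewhere use a constructed sample (not real data).
get_admin_membership() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership
    else
        echo 'GroupMembership: root dad son'   # constructed sample for illustration
    fi
}

audit_admins() {
    membership=$(get_admin_membership)
    echo "Members of the admin group:"
    parse_admin_members "$membership" | sed 's/^/  /'
    n=$(count_non_root_admins "$membership")
    echo "Non-root admins: $n"
    if [ "$n" -gt 1 ]; then
        echo "More than one admin account: each can unlock the others' locked sessions."
        echo "To demote a user on macOS: sudo dseditgroup -o edit -d <user> -t user admin"
    fi
}

audit_admins
```

The `dseditgroup` line is printed as a hint rather than executed, so running the script changes nothing; demoting an account is a deliberate step for the machine owner.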