Continued: security risks of MAC lions

With the release of Mac OS X 10.7.4, Apple corrected the security risks described earlier in this upgrade. This is good news and a good start for Apple to quickly correct bugs. It also officially acknowledges the existence of this hidden danger. For details, see: OS
X lion v10.7.3: user account passwords appear in log files for legacy filevault, and/or network home directories.

In fact, as Apple said, this hidden risk only appears when dealing with older versions of filevault and network users, or when it is used, technicians in the industry are still exploring and discussing their own solutions, such as how to solve this problem without installing an upgraded version, in particular, when the 10.7.4 system does not declare or instruct the system, some system settings, such as the background of the logon interface, cannot be changed using methods earlier than 10.7.3, this is troublesome for many enterprise users because many of them use their own customized background images, such as system information and enterprise information. At least this is a good means for enterprise users to display, this is why many administrators complain that Apple ignores/ignores enterprise users.

At least, some people have discovered this hidden danger so far. using one of the following methods may prevent the system from recording the user password:

Per olofsson method:

xport TARGET="/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism"   sudo cp "$TARGET" "$TARGET.bak"   sudo perl -p -i -e 's/passwordAsUTF8String = %s/passwordAsUTF8String = %p/g' "$TARGET"   sudo perl -p -i -e 's/password = %s/password = %p/g' "$TARGET"

Brian warsing:

#!/usr/bin/ruby# This code comes with no guarantees and it is not a "fix", just a workaround.# It would be trivial to replace the patched file and restore these debugging messages.# Also, this script modifies a Mac OS X System file, so...require 'etc'require 'fileutils'require 'syslog'@log          = Syslog.open('patchhomedirmech')@target       = '/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism'@backup_file  = '/private/var/root/HomeDirMechanism.backup'@newfile_path = '/private/var/root/HomeDirMechanism.new'def our_rescue(msg)  @log.notice(msg)  @log.close  exit 1end###################################################################### => MAIN###################################################################### Check UID (must be root)unless Process.euid == 0  raise "You must be root to execute this script."endbegin  @log.notice("Backing up file: #{@target}")  FileUtils.cp(@target, @backup_file)rescue => e  our_rescue("Error backing up file: #{e.message}")end @debug_strings = `/usr/bin/strings #{@target} | /usr/bin/grep "password.* = %s" 2> /dev/null`if @debug_strings  @debug_strings = @debug_strings.split("\n")else  our_rescue("Nothing to patch: target does not contain any relevant debugging strings")endbegin  @file    = File.read(@target)  @newfile = File.new(@newfile_path, 'w')rescue => e  our_rescue("Error loading file: #{e.message}")end    begin  @log.notice("Patching file: #{@newfile_path}")  @debug_strings.each do |string|    len = string.length    replacement = ''    len.times { replacement << "\000" }    @file.gsub!(string, replacement)  end  @newfile << @file  @newfile.flush  @newfile.closerescue => e  our_rescue("Error patching file: #{e.message}")endbegin  @log.notice("Replacing file: #{@target}")  FileUtils.rm_rf(@target)  FileUtils.move(@newfile_path, @target)rescue => e  our_rescue("Error replacing file: #{e.message}")endbegin  @log.notice("Nullfying security logs...")  raise unless system("cat /dev/null > /var/log/secure.log")  @log.notice("Removing archived security logs...")  logs = Dir.glob("/private/var/log/secure*.bz2")  logs.each { |log| FileUtils.rm(log) }rescue => e  our_rescue("Error deleting log(s): #{e.message}")end@log.notice("Done.")@log.closeexit 0