Mac OS X Lion System Security Risks

Source: Internet
Author: User

Recently, a security risk in Apple's system was exposed.


Security risks

In Mac OS X 10.7.3, it has been found that in some special cases the system records the user name and password in the system's security log, with the password in clear text.

See https://discussions.apple.com/thread/3715366

The log content is similar to the following:

DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call _premountHomedir. url=afp://server.com/Users, userPathComponent = pft, userID = 1-31, name = pft, passwordAsUTF8String = xxxxxxxxxxxxxx


Recording the user name and password in the system log is unacceptable and is a serious security risk. This is especially true in an enterprise environment, where each user's information must be protected; administrators take this into account when designing their system environments. Yet OS X easily undoes the administrator's careful design, which is annoying.


Confusing

This user uses Open Directory authentication against several Snow Leopard 10.6 servers. Currently, only a few system administrators have confirmed this problem; the vast majority of others have not found it on the systems they manage.

No one has found a pattern in its appearance: for example, in which versions of Lion the system records the user password, and under what circumstances. As far as we know, it may occur only during LDAP server communication, when the server is accessed to reach shared resources. Three cases have been confirmed so far. The administrators are investigating the cause, and they have confirmed that there are no problems in the following two respects:

1. The system authorization file has not been modified.
2. The default debugging option is in use, that is, only error information is recorded in system logs.

However, they all seem to have deployed user-level login scripts to support their system management and user configuration. In addition, one administrator has confirmed that the build versions of the affected Lion systems are 11d50b and 11d50.


Because no pattern has been found, it cannot be determined whether the problem is caused by the system or by other factors: for example, whether the administrators' scripts are at fault, whether server settings cause client configuration problems, or even whether a virus infection is involved.

Other cases

In another case the system also records the user name and password in the security log. In Lion, when a user opens an old-version FileVault (usually called FileVault 1, because FileVault was upgraded in Lion to what is called FileVault 2), the user name and password are recorded in the security log after system authentication succeeds. So what security is left for files that were encrypted for security's sake?


The following is an example of the log content:

Apr 11 19:39:35 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.username/username.sparsebundle, password = password-here-in-plain-text, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/username

Temporary fix

As a temporary workaround, you can prevent the system from recording any security logs, for example:

f=/var/log/secure.log && sudo rm $f && sudo ln -s /dev/null $f

Or regularly delete all security records.

Or delete records with known passwords.
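
The last option, carried out as a filter instead of deleting whole records (an added example, not part of the original article): it blanks only the password value in the two DEBUGLOG formats quoted on this page. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: redact the password value in the two DEBUGLOG record
# formats quoted in this article. Function names are hypothetical.

# Read log text on stdin, write it to stdout with passwords blanked.
# Format 1 ends the line with "passwordAsUTF8String = <pw>".
# Format 2 has ", password = <pw>, mountPointParent = ..."; the greedy
# match runs to the last ", mountPointParent = " so a password that
# itself contains commas is still fully removed.
redact_passwords() {
    sed -E \
        -e 's/(passwordAsUTF8String = ).*$/\1[REDACTED]/' \
        -e 's/(, password = ).*(, mountPointParent = )/\1[REDACTED]\2/'
}

# Count DEBUGLOG records on stdin that still carry a password value.
count_leaks() {
    grep -E 'DEBUGLOG \|.*(passwordAsUTF8String|password) = ' |
        grep -v -c -F '= [REDACTED]' || true
}

# Constructed sample input (not real log data).
sample_log() {
    cat <<'EOF'
Apr 11 19:39:35 host authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call _premountHomedir. url=afp://server.example/Users, userPathComponent = alice, userID = 1031, name = alice, passwordAsUTF8String = Constructed-Pw1
Apr 11 19:40:02 host authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.alice/alice.sparsebundle, password = constructed,pw 2, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/alice
Apr 11 19:41:10 host sshd[1301]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
EOF
}

# Typical use on the log named in the article, writing to a new file:
#   redact_passwords < /var/log/secure.log > secure.log.redacted
echo "records with passwords before: $(sample_log | count_leaks)"
echo "records with passwords after:  $(sample_log | redact_passwords | count_leaks)"
```

Redaction only cleans the file; a password that has already been written to the log should be changed.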

