Be aware of a multiple-user screen lock issue (System)
I noticed a possible bug when two users are logged in at the same time with the "fast user switch" option.

Assume I have two users, both with admin privileges -- user A and user B -- and both are logged in. Currently user A is working. The security preferences are set to ask for password if the screensaver or screen dimming goes on.

If you let the screensaver start, once you resume work, you get the login window asking for password. It will show the username of A and ask for the password, as that was the user working. However, if you change the username to user B and use that password, that will unlock the computer, but you will be logged in as A. So you can get access to all of user A's system by logging in as user B.

[robg adds: I tested this, and it's definitely true. However, given that both accounts are admin accounts, I'm not sure if it's a bug or simply unexpected behavior. As an admin user, user B could change user A's password at any time they wished, and then login to the account. I also tried unlocking the screensaver as a non-admin user, and thankfully, that did not work.

Update: Please read the comments for more details on how/why this works, and that it is indeed a feature and not a bug. While I understand that admins need control over the computer, it still doesn't seem quite right to me that a locked screen for a given account can be unlocked by any other admin account. I'm not sure what the right behavior might be, though. Perhaps asking the user to provide the user/pass of the logged-in account, or offering the option to start a new session via fast user switching?]

Comments (16)
10.5: Be aware of a multiple user screen lock issue
Authored by: stewarsh on Dec 26, '07 07:55:58AM

I think you hit the nail-on-the-head, RobG. Any admin user can unlock the screen saver and resume whatever session is active. That is the way it is supposed to work. Every UNIX/X11 desktop I've ever worked with also works the same way.

In order to change users, I suspect that you must click the "Switch User" button on the login window.



10.5: Be aware of a multiple user screen lock issue
Authored by: network23 on Dec 26, '07 08:00:17AM

True, but the BIG difference here is that as an admin, you can change the password and gain access to the other user's system, and the other user will know about the access, as the password has changed. In the above situation, the admin has access to the other user's system without the other user's knowledge.

---
Live and Direct, only from
Network 23



10.5: Be aware of a multiple user screen lock issue
Authored by: mantrid on Dec 26, '07 08:34:41AM

It is not difficult for an admin to change a user's password to log in to an account, then change it back, without the other user knowing about it. The exception is a FileVault-protected account, but even they can be accessed if they are already logged in and the session is just suspended.



10.5: Be aware of a multiple user screen lock issue
Authored by: stewarsh on Dec 27, '07 09:53:47AM

Why change the password at all? As an admin I can have full access to any file you own.

Also with a single command I can become that user without having to know that user's password. Now since OS X is not X11, I'm not certain I can start a GUI session, but I can do anything else I want.

Remember that an admin (aka root-like) on a UNIX machine can pretty much do anything they want.



10.5: Be aware of a multiple user screen lock issue
Authored by: stewarsh on Dec 27, '07 10:00:20AM

Please note that the above does not apply to a FileVault account, since the data there is kept in an encrypted DMG file and cannot be mounted without the right key.



10.5: Be aware of a multiple user screen lock issue
Authored by: wgscott on Dec 26, '07 08:05:54AM

I discovered this a couple of weeks ago too, and was told it was a "feature" of an administrative user.



10.5: Be aware of a multiple user screen lock issue
Authored by: lpbagley on Dec 26, '07 08:10:30AM

This is normal behavior and follows the "rules" for an admin account.

Since at least 10.3 I've used this very "feature" to install various updates for my kids' computers. They are logged in on their admin account on a machine where I also have an admin account. I can then "authorize" installations by substituting my username & password. And yes, it's also always worked to wake the computer from a locked screensaver into their account -- whether or not you use fast user switch or have multiple people logged in.



10.5: Be aware of a multiple user screen lock issue
Authored by: locklin on Dec 26, '07 09:00:37AM

It works in non-admin accounts also if you use your admin username and password.



10.5: Be aware of a multiple user screen lock issue
Authored by: rhowell on Dec 26, '07 09:15:08AM
"As an admin user, user B could change user A's password at any time they wished, and then login to the account."


Ah, but with this "feature" user B can also change user A's KEYCHAIN password, which is a whole different ball game.

10.5: Be aware of a multiple user screen lock issue
Authored by: earthsaver on Dec 26, '07 09:53:30AM

Doesn't changing a password require knowledge of the original password? How could admin user B change user A's password without knowing user A's password?

---
- Ben Rosenthal
PBG4 1.25 - Leopard



10.5: Be aware of a multiple user screen lock issue
Authored by: stevanreese on Dec 26, '07 11:14:10AM

A user either IS an admin, or IS NOT an admin.
If both admin users are logged in then one admin cannot change the other's password. (tested with 10.4.11, 10.5.1)

As for the question about the Keychain.
If admin A changes the password for admin B, then the Keychain password is not changed.
If admin A now logs in as admin B and changes the password, the System Preferences pane reports that the password will be changed; however, it is not, because admin B's original password did not match. Note the fine print. (again tested with 10.4.11, 10.5.1) However, I'm not sure this has always worked.

The dialog presented when you change your password indicates that the Keychain password may not be the same as the account password.
The fine print: "If your Keychain is locked, you will be asked for your current Keychain password before your password can be changed"



10.5: Be aware of a multiple user screen lock issue
Authored by: leamanc on Dec 26, '07 11:40:10AM

This is neither a 10.5-specific nor a Fast User Switching-specific issue. I work at a place with 300+ Macs, and most users don't have admin privileges. I have been able to unlock screensavers with an admin username/password since at least 10.2.



10.5: Be aware of a multiple user screen lock issue
Authored by: Billieh on Dec 26, '07 07:02:42PM
This applies to almost every modern OS with User and Admin functions. An Admin, by default, has the ability to log in over any 'user' account because they are the admin. Admin rights dictate that they should have authority over user accounts. Some differences come in when dealing with multiple level users (super user, user, guest.. etc), but the concept is almost always the same. An Administrator will always have the highest level of power over the computer, regardless of the other users below it. Windows (2000, XPPro, Server), Linux, Novell - they all function this way.

---
-Meep


Normal Behavior
Authored by: gerritdewitt on Dec 26, '07 08:03:46PM

As others have noted, this is normal behavior. If the Security system preference's "require password to wake" box is checked, this causes the loginwindow process to require that the system.login.screensaver authorization right be satisfied.

By default, satisfying that right requires that the rule "authenticate-session-owner-or-admin" be true.

The system's list of rights and rules is defined in the /etc/authorization file, which defines which users or groups are authorized to perform specific tasks (which may or may not be filesystem operations).

You can change this behavior with Property List Editor (part of the Developer Tools or Server Admin Tools).

1. First make a copy of the authorization file in /etc. Place the copy on your desktop (for example), and make changes to that file.

2. Then change the behavior as desired:

a. If you prefer that only the current user (called the session owner) be able to unlock his/her screen, make this change:

Expand the rights dictionary, and look for the system.login.screensaver right. Expand that dictionary, and change the value of the rule string from authenticate-session-owner-or-admin to authenticate-session-owner.

b. If you want the current user and members of a particular group other than admin to be able to wake/unlock the screen, make these changes:

i. You need to make a new group. We'll use "screengroup" for the short name. You can do this via dscl or the Accounts preference pane. This is the group that will be the "screen admins" - any member can unlock any user's screen.

ii. You need to make a new rule. Pick a name for your new rule; we'll use "authenticate-session-owner-or-screengroup". Open /etc/authorization, expand and select the rules dictionary, and click New Child. Name the child "authenticate-session-owner-or-screengroup," and change its type to Dictionary. Then expand the "authenticate-session-owner-or-screengroup" dictionary, highlight it, and add six new children (via New Child button).

The new children should be:

"allow-root" of type boolean (choose yes or no) No disables root's ability to unlock the screen.

"class" of type string should be "user"

"comment" of type string can be your notes

"group" of type string is the short name of the group whose members can unlock the screen. This example uses "screengroup" for the group name.

"session-owner" of type boolean should be Yes

"shared" of type boolean should be No

iii. Modify the system.login.screensaver right to use the new rule. As with (a), expand the rights and system.login.screensaver dictionaries. Change the value of the rule string to "authenticate-session-owner-or-screengroup"

3. Save changes to the desktop copy of authorization. Then use Terminal to move the existing authorization file:

sudo mv /etc/authorization /etc/authorization.apple

4. Copy the edited (desktop copy) of authorization to /etc. You can do this with Terminal or the Finder - use Go to Folder to navigate to /etc, which is hidden.

5. Ensure that the POSIX owner and group for /etc/authorization are correct:

sudo chown root:admin /etc/authorization

(Since you made a copy of the original /etc/authorization, the POSIX permission bits are preserved - they are 0644.)

6. Reboot.

7. To undo your changes, simply switch out the authorization files and reboot:

sudo mv /etc/authorization /etc/authorization.mychanges
sudo mv /etc/authorization.apple /etc/authorization

--Gerrit



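As an added illustration of the edit Gerrit describes above (this is not code from his comment or from Apple), the following Python script makes the same two changes with plistlib instead of Property List Editor, and then checks, with a small model of how a "user"-class rule is evaluated, who can unlock the screen before and after. It works on a constructed in-memory stand-in for the relevant entries of /etc/authorization rather than the real file; the exact key set of the stock rules and the group name "screengroup" are assumptions taken from the comment.

```python
"""Rewrite the system.login.screensaver right in a 10.5-style
/etc/authorization plist so that only the session owner, or the owner
plus one chosen group, can unlock the screen.

Added example, not from the original hint.  STOCK_AUTHORIZATION is a
constructed stand-in for the two rights/rules that matter here; the
real file contains many more entries and is loaded with plistlib.load.
"""
import copy
import plistlib

SCREENSAVER_RIGHT = "system.login.screensaver"

# Constructed stand-in for the shipped file (assumed key set).
STOCK_AUTHORIZATION = {
    "rights": {
        SCREENSAVER_RIGHT: {
            "class": "rule",
            "comment": "Owner or any administrator may unlock the screensaver.",
            "rule": "authenticate-session-owner-or-admin",
        },
    },
    "rules": {
        "authenticate-session-owner-or-admin": {
            "allow-root": False,
            "class": "user",
            "comment": "Authenticate as the session owner or as an admin.",
            "group": "admin",
            "session-owner": True,
            "shared": False,
        },
        "authenticate-session-owner": {
            "allow-root": False,
            "class": "user",
            "comment": "Authenticate as the session owner only.",
            "session-owner": True,
            "shared": False,
        },
    },
}


def restrict_to_session_owner(auth):
    """Step 2a: point the right at the existing owner-only rule."""
    new = copy.deepcopy(auth)
    new["rights"][SCREENSAVER_RIGHT]["rule"] = "authenticate-session-owner"
    return new


def add_group_rule(auth, group, rule_name=None, allow_root=False):
    """Step 2b: add a 'user' rule with the six keys the comment lists
    and point the right at it.  Group name is the caller's choice."""
    rule_name = rule_name or "authenticate-session-owner-or-" + group
    new = copy.deepcopy(auth)
    new["rules"][rule_name] = {
        "allow-root": allow_root,
        "class": "user",
        "comment": "Session owner or any member of '%s' may unlock." % group,
        "group": group,
        "session-owner": True,
        "shared": False,
    }
    new["rights"][SCREENSAVER_RIGHT]["rule"] = rule_name
    return new


def may_unlock(auth, requester, session_owner, groups_of, is_root=False):
    """Simplified model of evaluating a 'user' class rule: root is
    accepted only if allow-root is set, the session owner only if
    session-owner is set, anyone else only via the rule's group.
    groups_of maps a user name to the groups that user belongs to."""
    rule_name = auth["rights"][SCREENSAVER_RIGHT]["rule"]
    rule = auth["rules"][rule_name]
    if is_root:
        return bool(rule.get("allow-root", False))
    if rule.get("session-owner", False) and requester == session_owner:
        return True
    group = rule.get("group")
    return group is not None and group in groups_of.get(requester, ())


def to_plist_bytes(auth):
    """Serialise as the XML plist format /etc/authorization uses."""
    return plistlib.dumps(auth)


def round_trip(auth):
    """Serialise and parse again; proves the edit survives as a plist."""
    return plistlib.loads(to_plist_bytes(auth))


if __name__ == "__main__":
    groups = {"userB": ("admin",), "userC": ("screengroup",)}
    hardened = add_group_rule(STOCK_AUTHORIZATION, "screengroup")
    print("admin userB unlocks userA's screen (stock):",
          may_unlock(STOCK_AUTHORIZATION, "userB", "userA", groups))
    print("admin userB unlocks userA's screen (hardened):",
          may_unlock(hardened, "userB", "userA", groups))
    print(to_plist_bytes(hardened).decode())
```

To apply this to a real Leopard machine, load the step 1 copy with `plistlib.load(open(path, "rb"))`, write `to_plist_bytes(...)` back to that copy, and then continue with steps 3 to 6 above. Two checks are worth doing before the reboot in step 6: run `plutil -lint` on the edited copy, because loginwindow evaluates the same file for every right including login itself (which is why the comment keeps the original as authorization.apple), and after the reboot confirm the active rule with `security authorizationdb read system.login.screensaver`.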
Normal Behavior
Authored by: coolsoldier on Dec 26, '07 11:59:11PM

*This* is the hint that needs to be on the front page.



Be aware of a multiple-user screen lock issue
Authored by: stewarsh on Dec 27, '07 09:57:30AM

I'd like to point out that one of the reasons for this function is to allow an admin to debug a problem a user might be having. Given how complex a user's environment (prefs, settings, variables, etc.) might be, it is far easier to "become" that user and figure out what's going on than to try to debug it on another account.


