Be aware of a multiple-user screen lock issue

Dec 26, '07 07:30:00AM

Contributed by: Anonymous

I noticed a possible bug when two users are logged in at the same time with the "fast user switch" option.

Assume I have two users, both with admin privileges -- user A and user B -- and both are logged in. Currently user A is working. The security preferences are set to ask for a password if the screensaver or screen dimming goes on.

If you let the screensaver start, once you resume work, you get the login window asking for the password. It will show the username of A and ask for the password, as that was the user working. However, if you change the username to user B and use that password, that will unlock the computer, but you will be logged in as A. So you can get access to all of user A's system by logging in as user B.

[robg adds: I tested this, and it's definitely true. However, given that both accounts are admin accounts, I'm not sure if it's a bug or simply unexpected behavior. As an admin user, user B could change user A's password at any time they wished, and then log in to the account. I also tried unlocking the screensaver as a non-admin user, and thankfully, that did not work.

Update: Please read the comments for more details on how/why this works, and that it is indeed a feature and not a bug. While I understand that admins need control over the computer, it still doesn't seem quite right to me that a locked screen for a given account can be unlocked by any other admin account. I'm not sure what the right behavior might be, though. Perhaps asking the user to provide the user/pass of the logged-in account, or offering the option to start a new session via fast user switching?]
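
An added example, not part of the original hint or of robg's note: a Python check for the policy behind the behavior described above. It assumes the screen lock is governed by the `system.login.screensaver` right of the macOS authorization database, exported as a plist (for instance with `security authorizationdb read system.login.screensaver`, or taken from a legacy `/etc/authorization` file); the rule names are assumptions not stated on the page, and the sample plists are constructed.

```python
import plistlib

# Rule names assumed for the screen-lock right (not named on the page).
OWNER_ONLY = "authenticate-session-owner"
OWNER_OR_ADMIN = "authenticate-session-owner-or-admin"
RIGHT = "system.login.screensaver"


def screensaver_rules(plist_bytes):
    """Return the rule names attached to the screen-lock right."""
    data = plistlib.loads(plist_bytes)
    # A whole legacy authorization file nests every right under "rights";
    # a single exported right is the definition itself.
    if "rights" in data:
        data = data["rights"].get(RIGHT, {})
    rule = data.get("rule", [])
    # The rule may be stored as one string or as an array of strings.
    return [rule] if isinstance(rule, str) else list(rule)


def classify(plist_bytes):
    """Say who may unlock a locked session under this definition."""
    rules = screensaver_rules(plist_bytes)
    if OWNER_OR_ADMIN in rules:
        return "any-admin"    # the behavior the hint describes
    if rules == [OWNER_ONLY]:
        return "owner-only"   # only the session owner's password unlocks
    return "review"           # missing or unrecognized rule: inspect by hand


def sample_right(rule):
    """Constructed single-right export, rule stored as an array."""
    return plistlib.dumps({"class": "rule", "rule": [rule]})


def sample_legacy_file(rule):
    """Constructed legacy-style file, rule stored as a string."""
    return plistlib.dumps({"rights": {RIGHT: {"class": "rule", "rule": rule}}})


if __name__ == "__main__":
    for name, blob in [
        ("exported right, owner-or-admin", sample_right(OWNER_OR_ADMIN)),
        ("exported right, owner only", sample_right(OWNER_ONLY)),
        ("legacy file, owner-or-admin", sample_legacy_file(OWNER_OR_ADMIN)),
    ]:
        print(f"{name}: {classify(blob)}")
```

A result of `any-admin` matches what the hint reports: user B's admin credentials unlock user A's session.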

Mac OS X Hints
http://hints.macworld.com/article.php?story=20071214140616291