Apparently OS X Lion does a pretty lousy job securing passwords. So much for the whole “king of the jungle, protecting the pride” metaphor.
In earlier versions OS X encrypted passwords and stored them in “shadow files” placed in a secure location on the user’s hard disk. The files—while still editable—can only be changed by the user or an Admin with proper authentication. However, it has come to light that in OS X Lion these security features are missing.
The security structure in OS X Lion allows any user on the system to modify their passwords or the passwords of other local accounts without too much effort. Viewing the shadow files discussed earlier usually requires direct access to them; however, this is bypassed “because the system holds the password hashes in the systems directory services.” The problem? Every user has access to the directory services.
Even worse, those with the most basic understanding of Terminal (i.e., who know how to launch it) can directly change any user’s password, including admins’, with the simple command “dscl localhost -passwd /Search/Users/USERNAME”. When run, an error will appear, but if you enter the same newly minted password at all password prompts it will work. Obviously this is huge, as someone could change the Admin’s password and gain full access to any system.
There are a few limitations for this exploit, the most notable being the need for local access to the system. The person trying to change the passwords must have physical access to the computer and its accounts. It could be done remotely via SSH, but the hacker would need to know usernames and passwords beforehand to do this.
Second, the hacker needs to have directory service access. Even if the hacker can log into a system, without access to the directory setup they’ll be dead in the water and unable to change account information. Below are a few steps CNET recommends users take until Apple releases a security update:
- Disable automatic log-in
OS X has the option to automatically log in to a system. While this is convenient, it is also a security risk (especially for administrator accounts). By disabling automatic log-in in Lion you can prevent your account from being accessed merely by restarting it, and thereby prevent access to the Terminal and other utilities that can allow access to the directory services. Note that if you have FileVault 2 enabled, then automatic log-in will not be enabled.
- Enable sleep and screensaver passwords
Since this problem can be taken advantage of by anyone with physical access to an unlocked account, if you leave your system in a public area then someone can sit down at your account and invoke this hack. Therefore, enable a password both for waking from sleep and for when the screensaver starts, to prevent unauthorized access if you step away.
- Disable Guest accounts
If you have the Guest account enabled on your system, disable it in the Users & Groups section of System Preferences. Furthermore, only keep accounts active that are regularly used by people you know, and delete those that are no longer in use.
- Manage users on the system
It may seem easy to just set up all accounts with administrative privileges, but this setup is not a secure way to run the system, especially given this latest security issue. In OS X you can set up one admin user and then set all other users to be managed accounts. This will allow you to govern whether they have access to tools that could modify the directory services. For instance, since the Terminal allows for this you can disable access to that program for all accounts on the system except for the Admin account. If you enable the "Limit Applications" feature for an account in the system's Parental Controls, the Terminal and other similar utilities will be disabled by default for that user.
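The four steps above can be checked from a shell. The script below is an added example, not code from CNET or from this article. It assumes the `autoLoginUser` and `GuestEnabled` keys in the login window preferences, the per-user `askForPassword` screensaver key, and the local `admin` group hold these settings on the system being audited; the finding labels are names made up for this example.

```shell
#!/bin/sh
# Added example: audit the hardening steps listed above.
# audit_findings works on raw values so the logic can be checked offline:
#   $1 autoLoginUser value ("" when the key is absent, i.e. auto log-in is off)
#   $2 GuestEnabled value (0/1, "" when absent)
#   $3 askForPassword value (0/1, "" when absent)
#   $4 space-separated members of the local admin group
audit_findings() {
    auto_user=$1 guest=$2 ask_pw=$3 admin_list=$4
    findings=""
    if [ -n "$auto_user" ]; then findings="$findings AUTOLOGIN"; fi
    case "$guest" in
        1|true|YES) findings="$findings GUEST" ;;
    esac
    case "$ask_pw" in
        1|true|YES) ;;                       # password required on wake
        *) findings="$findings NO_LOCK_PASSWORD" ;;
    esac
    # The article suggests a single admin user; root is not counted.
    n=0
    for u in $admin_list; do
        if [ "$u" != "root" ]; then n=$((n + 1)); fi
    done
    if [ "$n" -gt 1 ]; then findings="$findings MULTIPLE_ADMINS"; fi
    echo "${findings# }"
}

# Read one preference key; print nothing when the key does not exist.
read_pref() { defaults read "$1" "$2" 2>/dev/null || true; }

# Collect live values only where the OS X tools are present.
if command -v defaults >/dev/null 2>&1; then
    lw=/Library/Preferences/com.apple.loginwindow
    admins=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        sed 's/^GroupMembership: *//')
    result=$(audit_findings "$(read_pref "$lw" autoLoginUser)" \
        "$(read_pref "$lw" GuestEnabled)" \
        "$(read_pref com.apple.screensaver askForPassword)" "$admins")
    echo "findings: ${result:-none}"
fi
```

The screensaver key is read from the preferences of the user who runs the script, so run it once per account that needs checking.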