AppStore Preferences lock is a lie
Originator: | eholtam | ||
Number: | rdar://36350507 | Date Originated: | 08-Jan-2018 11:15 AM |
Status: | Open | Resolved: | |
Product: | macOS + SDK | Product Version: | 10.13.2 17C88 |
Classification: | Security | Reproducible: | Always |
Summary: The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password. Steps to Reproduce: 1) Log in as a local admin 2) Open App Store Prefpane from the System Preferences 3) Lock the padlock if it is already unlocked 4) Click the lock to unlock it 5) Enter any bogus password Expected Results: The authorization to fail. Actual Results: Authorization succeeds and grants access to change the AppStore preferences. Version: 10.13.2 17C88 Notes: This only appears to be when logged in as a local admin. Tested with a non-admin account and I cannot unlock the prefpane with incorrect credentials.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!
Audit logs
In case it provides insight, here are the audit logs related to this bug. I entered a bogus password then collected the below event logs:
<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:53 2018" msec=" + 970 msec" >
<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />
<text>com.apple.SoftwareUpdate.modify-settings</text>
<text>mechanism builtin:entitled,privileged</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:53 2018" msec=" + 980 msec" >
<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />
<text>com.apple.SoftwareUpdate.modify-settings</text>
<text>mechanism builtin:entitled,privileged</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:54 2018" msec=" + 62 msec" >
<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />
<text>com.apple.SoftwareUpdate.modify-settings</text>
<text>mechanism builtin:entitled,privileged</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:55 2018" msec=" + 979 msec" >
<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />
<text>com.apple.SoftwareUpdate.modify-settings</text>
<text>mechanism builtin:entitled,privileged</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:06:05 2018" msec=" + 618 msec" >
<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />
<text>com.apple.SoftwareUpdate.modify-settings</text>
<text>mechanism builtin:entitled,privileged</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:06:06 2018" msec=" + 181 msec" >
<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />
<text>com.apple.SoftwareUpdate.modify-settings</text>
<text>mechanism builtin:entitled,privileged</text>
<return errval="success" retval="0" />
</record>
We need more bugs!
Also there is another bug with these lock/unlock elements in macOS High Sierra 10.13.2. Steps to reproduce: 1) Log in as a local admin 2) Open Security&Privacy pane from the System Preferences 3) Lock the padlock if it is already unlocked 4) Click the lock to unlock it 5) Enter your password 6) Change user name to ANY. 7) Click to password field to apply changes to user name (one more little buggy) 8) Press Unlock
Tested on earlier version
Not reproducible on 10.13.1
seems to be a new one ;)
"Preferences lock is a lie" ???
Can we put on our grown-up pants and call a bug a 'bug'?