TS4272: OS X Lion v10.7.3: User account passwords appear in log files for Legacy FileVault, and/or network home directories
May 10, 2012 7:42 PM (in response to llee)
Per the first sentence, this impacts users who either use Legacy FileVault or have home folders mounted via NFS, AFP, or SMB. If you don't fall in either category, no issue.
Per the second sentence, the logs these plain-text passwords are stored in may have been copied to backups (not Time Machine) or to syslog servers.
Link to TS4272 to save readers the trouble of finding it.
May 10, 2012 8:11 PM (in response to Llessur999)
I didn't use FileVault, but my home folder was mounted by myself through AFP using other Macs on my network. Should I interpret the article to mean that the password may be stored in plain text on the Mac that hosted the home folder through AFP, or that the password may be stored in plain text in log files of any of the Macs that were used to access the home folder through AFP, or that the password might appear in clear text in the log files of any of those computers, whether hosting or accessing the home folder through AFP?
May 11, 2012 2:45 AM (in response to llee)
* the first item describes the Login Window issue, with reference to CVE-2012-0652.
From Apple's document — and from seeing the symptom of the bug on (just one) computer where FileVault 1 was used — my understanding is that:
* simply making an AFP connection from a 10.7.3 client, to a server, does not cause the password to be saved in plain text
* the issue may affect a 10.7.3 client that uses a server for both (a) login window authentication and (b) automatic mounting of the client's home directory.
Hint: at a 10.7.3 client, in the Users & Groups pane of System Preferences, click Login Options. If any network account server is listed, then you may find that the password of a network account user is saved in plain text at that client computer.