Previous 1 2 Next 20 Replies Latest reply: Nov 26, 2009 7:16 AM by JiminSF
JiminSF Level 1 (0 points)
I just logged in to my system after restarting and immediately, before opening anything (other than Finder obviously), was presented with a request for the admin credentials (I was logged in to a user account), I think saying something about a change to my login preferences and/or login window, which didn't make a lot of sense to me.

Any idea what would cause this, or how to make sense of the logs to see what exactly prompted the request?

I installed Flash and Adium on this new machine this morning - would this have anything to do with it? I'm unaccustomed to getting the security prompt at unexpected times and now very nervous about whether this was malware, etc.

iMac 27 i7, Mac OS X (10.6.2), 16GB/2TB Model
  • dbsneddon Level 4 (1,525 points)
    I think saying something about a change to my login preferences and/or login window


    If you post the exact message you will have more chance of getting help.

    Dave
  • JiminSF Level 1 (0 points)
    Unfortunately I don't have the exact message - it was a security prompt and I didn't write it down, thus the question about whether the system logs would contain any useful info that I could use to find what caused this. Any ideas?
  • dbsneddon Level 4 (1,525 points)
    Can you not reproduce the sequence, restart then login, and see if
    it happens again?

    Dave
  • dbsneddon Level 4 (1,525 points)
    Another thought, do you have any Login items for the account you
    were using? One that may have wanted the authentication for some
    reason?

    Dave
  • JiminSF Level 1 (0 points)
    I tried plugging in and unplugging the external USB drive, etc., to see if I could reproduce (which would have been reassuring), but no luck.
  • dbsneddon Level 4 (1,525 points)
    Your original post said...

    I just logged in to my system after restarting and...


    Have you retried that sequence?

    Dave
  • JiminSF Level 1 (0 points)
    The only login item is iTunesHelper, which I imagine is enabled by default...? (And thanks for the help & attention, BTW.)

    I'm guessing that actions requiring an admin authentication are logged, but I just can't find it in the Console.
  • JiminSF Level 1 (0 points)
    Yes, I've restarted several times since then. No repeat.
  • dbsneddon Level 4 (1,525 points)
    Did this happen the first time you restarted after installing
    Flash and Adium? If so, it may have been something left over
    from the installation. I don't think it would have been related
    to Flash (although I wouldn't bet my life on it) since I have
    not encountered any similar incident. Don't know anything about
    Adium since I don't use it...

    Dave
  • JiminSF Level 1 (0 points)
    Yes, it was the first restart after the installs. Just seems weird though - what would it need admin credentials for, and does this not appear in the logs somewhere...?
  • dbsneddon Level 4 (1,525 points)
    I suspect it needed to setup something that requires privileges and
    the first login after the restart would have been the first chance
    for it to do that, maybe setting up some daemon or the like.

    The log that you should look in is /var/log/secure.log

    Dave
  • JiminSF Level 1 (0 points)
    Hmmmm. It shows the following interesting entries:

    Nov 25 17:14:05 X-iMac com.apple.SecurityServer[25]: UID 503 authenticated as user XXX (UID 501) for right 'system.preferences'
    Nov 25 17:14:05 X-iMac com.apple.SecurityServer[25]: Succeeded authorizing right 'system.preferences' by client '/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/ SCHelper' for authorization created by '/System/Library/CoreServices/loginwindow.app'

    So again, it looks like my system preferences were being edited by the login window. What would prompt this?
  • dbsneddon Level 4 (1,525 points)
    What does the following command in terminal reveal?

    id 503


    Dave
  • JiminSF Level 1 (0 points)
    The output is:

    uid=503(userid) gid=20(staff) groups=20(staff),402(com.apple.sharepoint.group.1),61(localaccounts),12(everyon e),404(com.apple.sharepoint.group.3),403(com.apple.sharepoint.group.2)
Previous 1 2 Next