Request for Admin UID/PW Immediately After Login?

Question

Level 1

4 points

Request for Admin UID/PW Immediately After Login?

I just logged in to my system after restarting and immediately, before opening anything (other than Finder obviously), was presented with a request for the admin credentials (I was logged in to a user account), I think saying something about a change to my login preferences and/or login window, which didn't make a lot of sense to me.

Any idea what would cause this, or how to make sense of the logs to see what exactly prompted the request?

I installed Flash and Adium on this new machine this morning - would this have anything to do with it? I'm unaccustomed to getting the security prompt at unexpected times and now very nervous about whether this was malware, etc.

iMac 27 i7, Mac OS X (10.6.2), 16GB/2TB Model

Posted on Nov 25, 2009 6:04 PM

Reply

Answer 1

dbsneddon

Level 4

1,530 points

Nov 25, 2009 6:10 PM in response to JiminSF

I think saying something about a change to my login preferences and/or login window

If you post the exact message you will have more chance of getting help.

Dave

Reply

Answer 2

JiminSF Author

Level 1

4 points

Nov 25, 2009 6:13 PM in response to dbsneddon

Unfortunately I don't have the exact message - it was a security prompt and I didn't write it down, thus the question about whether the system logs would contain any useful info that I could use to find what caused this. Any ideas?

Reply

Answer 3

dbsneddon

Level 4

1,530 points

Nov 25, 2009 6:19 PM in response to JiminSF

Can you not reproduce the sequence, restart then login, and see if
it happens again?

Dave

Reply

Answer 4

dbsneddon

Level 4

1,530 points

Nov 25, 2009 6:20 PM in response to JiminSF

Another thought, do you have any Login items for the account you
were using? One that may have wanted the authentication for some
reason?

Dave

Reply

Answer 5

JiminSF Author

Level 1

4 points

Nov 25, 2009 6:24 PM in response to dbsneddon

I tried plugging in and unplugging the external USB drive, etc., to see if I could reproduce (which would have been reassuring), but no luck.

Reply

Answer 6

dbsneddon

Level 4

1,530 points

Nov 25, 2009 6:27 PM in response to JiminSF

Your original post said...

I just logged in to my system after restarting and...

Have you retried that sequence?

Dave

Reply

Answer 7

JiminSF Author

Level 1

4 points

Nov 25, 2009 6:29 PM in response to dbsneddon

The only login item is iTunesHelper, which I imagine is enabled by default...? (And thanks for the help & attention, BTW.)

I'm guessing that actions requiring an admin authentication are logged, but I just can't find it in the Console.

Reply

Answer 8

JiminSF Author

Level 1

4 points

Nov 25, 2009 6:29 PM in response to dbsneddon

Yes, I've restarted several times since then. No repeat.

Reply

Answer 9

dbsneddon

Level 4

1,530 points

Nov 25, 2009 6:33 PM in response to JiminSF

Did this happen the first time you restarted after installing
Flash and Adium? If so, it may have been something left over
from the installation. I don't think it would have been related
to Flash (although I wouldn't bet my life on it) since I have
not encountered any similar incident. Don't know anything about
Adium since I don't use it...

Dave

Reply

Answer 10

JiminSF Author

Level 1

4 points

Nov 25, 2009 6:35 PM in response to dbsneddon

Yes, it was the first restart after the installs. Just seems weird though - what would it need admin credentials for, and does this not appear in the logs somewhere...?

Reply

Answer 11

dbsneddon

Level 4

1,530 points

Nov 25, 2009 6:38 PM in response to JiminSF

I suspect it needed to setup something that requires privileges and
the first login after the restart would have been the first chance
for it to do that, maybe setting up some daemon or the like.

The log that you should look in is /var/log/secure.log

Dave

Reply

Answer 12

JiminSF Author

Level 1

4 points

Nov 25, 2009 7:06 PM in response to dbsneddon

Hmmmm. It shows the following interesting entries:

Nov 25 17:14:05 X-iMac com.apple.SecurityServer[25]: UID 503 authenticated as user XXX (UID 501) for right 'system.preferences'
Nov 25 17:14:05 X-iMac com.apple.SecurityServer[25]: Succeeded authorizing right 'system.preferences' by client '/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/ SCHelper' for authorization created by '/System/Library/CoreServices/loginwindow.app'

So again, it looks like my system preferences were being edited by the login window. What would prompt this?

Reply

Answer 13

dbsneddon

Level 4

1,530 points

Nov 25, 2009 7:11 PM in response to JiminSF

What does the following command in terminal reveal?

id 503

Dave

Reply

Answer 14

JiminSF Author

Level 1

4 points

Nov 25, 2009 7:24 PM in response to dbsneddon

The output is:

uid=503(userid) gid=20(staff) groups=20(staff),402(com.apple.sharepoint.group.1),61(localaccounts),12(everyon e),404(com.apple.sharepoint.group.3),403(com.apple.sharepoint.group.2)

Reply

Answer 15

dbsneddon

Level 4

1,530 points

Nov 25, 2009 7:26 PM in response to JiminSF

Is the "userid" the name of a user on the machine?

Dave

Reply