7 Replies Latest reply: May 11, 2012 3:51 AM by maiux
jlbmacuser Level 1

The following describes a serious Lion security flaw & asks how to make Apple aware of it...


When Lion mounts a legacy FileVault sparse bundle at user login, the system logs the following to /var/log/secure.log (hostname and actual password changed for security reasons):


Apr 11 19:39:35 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.username/username.sparsebundle, password = password-here-in-plain-text, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/username


Lion should not be writing the username and password to disk! This is a serious security problem that renders an encrypted legacy FileVault useless because it makes the password available to anyone who can read the secure.log file.


How does one write a problem ticket to Apple to make them aware of this?

Lion OS, Mac OS X (10.7.3)
Solved by maiux on May 11, 2012 3:51 AM

Update applied, it fixes the problem. But you have to clean secure.log manually.
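A small detection and cleanup helper for the log line quoted in the original post and for the manual secure.log cleanup maiux mentions, added here as an example (it is not code from the thread or from Apple). It assumes the leaking lines keep the exact "password = ..., mountPointParent = " layout shown above; the sample log is constructed, with placeholder host, user and password.

```python
import re
import sys

# Constructed sample modelled on the DEBUGLOG line quoted in the thread
# (hostname, username and password are placeholders, not real values).
SAMPLE_LOG = """\
Apr 11 19:39:30 hostname loginwindow[1201]: Login Window Application Started
Apr 11 19:39:35 hostname authorizationhost[1240]: DEBUGLOG | -[HomeDirMounter mountEncryptedHomeWithURL:attributes:dirPath:username:] | about to call DIHLFVMount. urlAttribute = /Users/.alice/alice.sparsebundle, password = s3cret, pa55, mountPointParent = /Users, homeDirPath going to the DIHLFVMount call = /Users/alice
"""

# The password is everything between "password = " and the following
# ", mountPointParent = ".  Non-greedy matching means a password that itself
# contains ", " (as in the sample) is still captured whole.
LEAK_RE = re.compile(
    r"(?P<prefix>\bHomeDirMounter mountEncryptedHomeWithURL:.*?"
    r"urlAttribute = /Users/\.(?P<user>[^/\s]+)/.*?password = )"
    r"(?P<password>.*?)"
    r"(?P<suffix>, mountPointParent = )"
)


def find_leaks(log_text):
    """Return one (line_number, username, password_length) tuple per leaking line.

    The password itself is deliberately not returned: the goal is to locate the
    leaks and learn which accounts must change their FileVault password."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LEAK_RE.search(line)
        if m:
            hits.append((n, m.group("user"), len(m.group("password"))))
    return hits


def redact(log_text):
    """Return the log text with every leaked password replaced by [REDACTED]."""
    out = [LEAK_RE.sub(r"\g<prefix>[REDACTED]\g<suffix>", line)
           for line in log_text.splitlines()]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: scan_secure_log.py [copy-of-secure.log] [redacted-output-path]
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for n, user, plen in find_leaks(text):
        print(f"line {n}: plaintext FileVault password ({plen} chars) for user {user!r}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as f:
            f.write(redact(text))
```

Run it against a copy of /var/log/secure.log; if the log has already been rotated, the older rotated copies and any backups that include them need the same treatment, and every account it reports should change its FileVault password.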

Reply by Ashka on Apr 12, 2012 5:27 PM Helpful
Reply by easelpad on May 10, 2012 2:53 PM Helpful

Mac OS X 10.7.4 has been released, which fixes this issue. It is recommended for all users of Lion and is available via Software Update.


More info: http://support.apple.com/kb/HT5167
