9 Replies Latest reply: Jun 23, 2013 8:34 PM by Topher Kessler
jayv. Level 4 Level 4 (1,230 points)

Howdy,

 

I am looking into encryption methods for OS X (previous post here: https://discussions.apple.com/message/22321009#22321009) and in playing around with it i found the following:

 

If i have an encrypted drive or partition mounted on my desktop i can not secure it by simply unmounting, logging out or starting a password protected screensaver. Another user can sign in through 1. fast user switching, 2. the main login window after i have logged out and 3. by using the 'Switch User' button at the bottom of the screensaver when it asks for a password. As soon as the other user logs in, there are my encrypted drives or partitions, no password asked!

 

The only way to secure an encrypted drive is to 1. Restart the Mac, 2. Turn off the Mac or 3. in the case of an external device, physically disconnect it.

 

Am i overreacting or is this a huge security concern/flaw and more importantly, are there ways to plug these holes if multiple users have to have an account on the same system?

 

I have read something similar a few months ago that mentioned simply unmounting a drive was not secure but it did not cover other users or offer a solution (can't find the article anymore).

 

Jay


Mac Pro, OS X Mountain Lion (10.8.3), 12-Core 3.06, 64GB RAM, SSD & 12TB
  • 1. Re: Encrypted drives accessible by other users
    Linc Davis Level 10 Level 10 (117,935 points)

    I'm going to answer this because if I don't, there's a good chance you'll be given false information.

     

    Permissions are what protect data on an encrypted volume from other users. If you enable FileVault, make yourself the only administrative user and also the only user who can unlock the volume. Your home folder (which contains all your personal files) is protected from access by other users who can log in to the system by its permissions, which allow only you to read below the top level.

     

    If someone logs in to another account, which is not an administrator account, the encrypted volume is still mounted, but your personal files are inaccessible. That inaccessibility is enforced by the kernel and is no less secure than the encryption itself.

     

    If someone tries to reboot the system insecurely or mount the volume in target disk mode, he'll be confronted with the password dialog. Without the password, that's as far as he'll get.

     

    This security model will fail if you do either of the following:

     

    • Allow another user to unlock the volume; i.e., log in at startup.
    • Give another user administrator privileges.
  • 2. Re: Encrypted drives accessible by other users
    jayv. Level 4 Level 4 (1,230 points)

    Ugh, had not even thought about permissions, thanks. The only way i know how to change permissions per drive/partition is through Get Info > Sharing & Permissions. Btw i am talking about drives and partitions that are not considered the 'boot volume' that is covered by FileVault.

     

    I am not able to add a user to the privileges list and set that (non-admin) user to have 'No Access'. The only options available are Read Only, Read & Write and Write Only (Drop Box). The only group i can set the 'No Access' privilege for is 'everyone'. When i do this i assume it means everyone but those authorized to have read or write access has no access and should not be able to see the contents of the disk.

     

    I set it, switched to the other standard user account and was able to see the drive, it's contents and folder contents, unrestricted. I went back and even used 'apply to enclosed items' but it did not change anything.

     

    Any thoughts?

  • 3. Re: Encrypted drives accessible by other users
    Linc Davis Level 10 Level 10 (117,935 points)

    Select the volume icon in the Finder and open the Info window. Click the padlock icon in the lower right corner of the window and enter your administrator password when prompted. Uncheck the box at the bottom marked

    Ignore ownership on this volume

    Give yourself read & write access and "Everyone" no access. Delete any other entries in the access list. Apply to enclosed items. Close the Info window.

  • 4. Re: Encrypted drives accessible by other users
    jayv. Level 4 Level 4 (1,230 points)

    Thank you Linc, that did it. It falls apart if i leave the 'staff' user in the list, which has Read & Write privileges by default. Any potential issues i can run in to by removing the staff user from that list?

  • 5. Re: Encrypted drives accessible by other users
    Topher Kessler Level 6 Level 6 (9,340 points)

    This is how mounting volumes works in OS X. Once mounted, a drive is available systemwide, and not restricted to a specific user. The encryption that OS X sets up on a drive is per-volume only, and not intended to protect the data from other users on the system. Instead, its intent is to prevent someone from finding your drive and plugging it into another system to overcome security and access your files.

     

    Ultimately the mode for securing files from other users of the same system is to not rely on encrypted volumes. If mounted, the unencrypted drive will remain unlocked and re-mountable. The only way to secure it again is to fully detach or eject it from the system.

     

    However, overall it is not really a security flaw in the system. While intuitively it may seem the system ought to lock the drive again once ejected, this behavior still falls in line with how the system already handles local drives, where any volume (encrypted or not) is viewable accessible by other user accounts.

     

    The way you can prevent another user from accessing the mounted volume is to get information on the volume, and then click the lock at the bottom to authenticate for changes, and then uncheck the box to ignore ownership on the volume. This will have the system observe permissions restrictions for files on the drive, but keep in mind this will only be restrictive to non-administrative accounts, as any admin can re-check the box and have full access to the drive again.

     

    An alternative option is to use an encrypted disk image to secure files. Unlike encrypted drives, the system should fully eject an encrypted disk image when you eject it, requiring its password to be entered when mounting the image again. Unfortunately as with other mounted volumes, if you mount the disk image in your account and keep it mounted, then another user that logs in at the same time will be able to access this volume.

  • 6. Re: Encrypted drives accessible by other users
    jayv. Level 4 Level 4 (1,230 points)

    Thanks guys! This is because of guys like you, much appreciated.

  • 7. Re: Encrypted drives accessible by other users
    Topher Kessler Level 6 Level 6 (9,340 points)

    Cool! Thanks!

  • 8. Re: Encrypted drives accessible by other users
    Linc Davis Level 10 Level 10 (117,935 points)

    Any potential issues i can run in to by removing the staff user from that list?

     

    No.

  • 9. Re: Encrypted drives accessible by other users
    Topher Kessler Level 6 Level 6 (9,340 points)

    You can set the permissions of an external drive (or any other custom, isolated folder on your system) to whatever you want without hurting a thing (beyond adjusting who gets access to it, including yourself).

     

    By removing the staff group, you will simply keep everyone who is a member of that group from getting a permissions setting for that drive, which will by default deny access to that group.

     

    The "Staff" group in OS X is the default group for any local user, so settings for this group will adjust access for non-admin users.

     

    As a result, if removed, then only the remaining users listed (e.g., your user name) will be granted access to the drive. This is ultimately a more secure setup (mainly from a user-error standpoint, where you might inadvertently grant access with a permissions change to this group), but you can do the same by keeping the group and setting its permissions to "deny."