houltmac.net


10.5 Share point access

I am a big fan of OS X Server. I use it all the time at work and am considering using it at home also. I use many of its features on a daily basis including AFP, DHCP, DNS, iChat, NFS, Open Directory, SMB, Software Update, VPN, and Web services. It's pretty cool.

Today I was working on a permissions issue on our RAID when I attempted to log in as myself from another machine (where my password isn't pulled from the keychain). The authentication was successful, but then something struck me - that wasn't my password. I had typed another password I use regularly, but not my own Open Directory user's password. Worrying. To be sure, I logged out and did it again - it still worked.

I checked a little known setting in Server Admin under AFP>Settings>Access called "Enable administrator to masquerade as any registered user". It's a bit of a mouthful, but it does exactly that. If you know the password for any local user (on the server, as in created in System Preferences on the server) with Admin privileges, you can use that password with any other user's username to gain access to their AFP share points. In my case I was using my own OD username with the password of the main admin account on the server, and it was working.

Sadly that wasn't the end of the story, as the checkbox to allow this behaviour was not checked. The situation was the same on both 10.5 servers we have in house. I tried a few things, narrowed it down and was stumped. In the end I turned the option on, saved, turned it back off and saved again. Now I had no access in this way. In short, the UI was not showing the status of the setting correctly, and it had happened on both servers. I logged this with Apple and have moved on.

If, however, you are running an OS X server, I guess it'd be worth checking from time to time whether this option is actually turned on. It can be handy as an administrator (SysAdmin) to be able to log in as someone (even if it's just for AFP file sharing) from time to time, but it can also be dangerous. The passwords used for regular admin access to many servers are weak, and worse still, often something everyone knows; a standard company password. If this is the case and you have proper naming conventions for users, then it's pretty easy to gain access to the accounts department's share for those who shouldn't have it, since all those enterprising people would need to do is figure out the username of someone in the accounts group.
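Since the checkbox in Server Admin can't be trusted to show the real state, the check is better done against the service configuration itself. The script below is an added example, not part of the original post: it parses the `key = value` lines that `serveradmin settings afp` prints and reports whether a given option is on. The serveradmin key name for the masquerade option is a placeholder (an assumption, since the post only gives the checkbox label), and the sample settings text is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: audit an AFP setting from the command line instead of
# trusting the Server Admin checkbox.
# ASSUMPTION: the real serveradmin key for "Enable administrator to
# masquerade as any registered user" is not given in the post; this is a
# placeholder. Confirm it with `sudo serveradmin settings afp` on your server.
MASQUERADE_KEY="afp:MASQUERADE_KEY_PLACEHOLDER"

# Constructed sample of `serveradmin settings afp` output (not real server
# output), so the parser can run offline.
SAMPLE_SETTINGS='afp:guestAccess = yes
afp:maxConnections = -1
afp:MASQUERADE_KEY_PLACEHOLDER = yes
afp:loginGreeting = "Welcome"'

# afp_setting_state KEY SETTINGS_TEXT
# Prints the value recorded for KEY ("yes", "no", a number, ...) or
# "unknown" when the key is not present in the settings text.
afp_setting_state() {
    key="$1"
    settings="$2"
    printf '%s\n' "$settings" | awk -v k="$key" '
        $1 == k && $2 == "=" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# On a live server, feed the real output instead of the sample:
#   state=$(afp_setting_state "$MASQUERADE_KEY" "$(sudo serveradmin settings afp)")
# To force the stored value to "no" regardless of what the UI shows:
#   sudo serveradmin settings "$MASQUERADE_KEY" = no
state=$(afp_setting_state "$MASQUERADE_KEY" "$SAMPLE_SETTINGS")
case "$state" in
    yes) echo "WARNING: admin masquerade is ENABLED on the AFP service" ;;
    no)  echo "OK: admin masquerade is disabled" ;;
    *)   echo "Could not find $MASQUERADE_KEY in serveradmin output" ;;
esac
```

Run it as a periodic cron job on each server and alert when the result is anything other than "disabled".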

This could then be a pretty serious little flaw, so keep an eye out admins.
