Apple Bug – Standard User to Root

I was asked to assist my Apple sysadmin with troubleshooting a problem with mobile accounts. One of the options in trying to resolve this was to choose a specific attribute for Directory Utility to use when creating the mobile account. I need to preface this with a clarification that this should not be an issue unless the system administrator did not test the configuration; for that reason, though the bug shows a serious flaw in some of Apple's code, it is not critical in my opinion.

Here are the details as I reported to Apple:

25-Feb-2009 07:27 AM Charles Profitt:
With some specific attributes from Active Directory used for generating a UID, standard users are granted 'root' upon login.

Steps to Reproduce:

1. open Directory Utility
2. Show Advanced
3. Select Mappings
4. Check 'Map UID to attribute' and use any of the following:
a. sAMAccountName
b. userPrincipalName
c. cn
5. Complete the remaining binding tasks
6. Log in as an Active Directory user (who is not a Domain Admin and has no other rights granted to them)
7. The user will have ‘root’

Expected Results:
Users will be logged in and have non-root rights

Actual Results:
Users are logged in and have ‘root’ rights
—–
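The three attributes listed in step 4 (sAMAccountName, userPrincipalName, cn) hold strings, while the UID mapping expects an attribute that holds an integer, such as uidNumber from the RFC 2307 schema; the "Unable to translate ... to a UID/GID" lines in the log quoted further down are what it looks like when such a string value reaches chmod. The script below is an added example, not code from the original post or from Apple: it audits the mapping settings before any user logs in, and it also covers the two GID mappings, which the post does not mention but which have the same integer-attribute requirement. It assumes that `dsconfigad -show` on a bound Mac prints lines of the form `Mapping UID to attribute = <attribute or "not set">`; a constructed sample in that layout is embedded so the script runs offline, and the allow-list of numeric attributes is an assumption you should extend for your own schema.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Active Directory
# plug-in's UID/GID attribute mappings and flag a mapping to a string
# attribute such as sAMAccountName, userPrincipalName or cn.
# Assumption: `dsconfigad -show` prints lines of the form
#   Mapping UID to attribute       = <attribute or "not set">
# The samples below are constructed in that layout for offline runs.

# Attributes that hold an integer and are safe to map (assumed allow-list;
# extend it for your own schema).
NUMERIC_ATTRS="uidNumber gidNumber msSFU30UidNumber msSFU30GidNumber"

# mapping_value "<dsconfigad -show output>" "<mapping label>"
# Prints the attribute configured for that mapping, or nothing if absent.
mapping_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' |
        head -n 1
}

# is_numeric_attr "<attribute>" -> exit 0 if the attribute is on the allow-list
is_numeric_attr() {
    for ok in $NUMERIC_ATTRS; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# audit_mappings "<dsconfigad -show output>"
# Prints one verdict per mapping; exit status 1 if any mapping points at a
# non-integer attribute (the configuration that produced root logins above).
audit_mappings() {
    status=0
    for label in "Mapping UID to attribute" \
                 "Mapping user GID to attribute" \
                 "Mapping group GID to attribute"; do
        attr=$(mapping_value "$1" "$label")
        case "$attr" in
            ""|"not set")
                echo "OK   $label: not set (plug-in generates the ID itself)" ;;
            *)
                if is_numeric_attr "$attr"; then
                    echo "OK   $label: $attr"
                else
                    echo "BAD  $label: '$attr' is not an integer attribute"
                    status=1
                fi ;;
        esac
    done
    return $status
}

# Constructed sample: the misconfiguration described in the bug report.
SAMPLE_BAD=$(cat <<'EOF'
Active Directory Domain          = example.com
Advanced Options - Mappings
  Mapping UID to attribute       = sAMAccountName
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
EOF
)

# Constructed sample: mappings that point at integer attributes.
SAMPLE_OK=$(cat <<'EOF'
Active Directory Domain          = example.com
Advanced Options - Mappings
  Mapping UID to attribute       = uidNumber
  Mapping user GID to attribute  = gidNumber
  Mapping group GID to attribute = gidNumber
EOF
)

# On a Mac with dsconfigad, audit the live binding; elsewhere run the samples.
if command -v dsconfigad >/dev/null 2>&1; then
    audit_mappings "$(dsconfigad -show 2>/dev/null)" || true
else
    echo "# sample: misconfigured";        audit_mappings "$SAMPLE_BAD" || true
    echo "# sample: integer attributes";   audit_mappings "$SAMPLE_OK"
fi
```

Run it as part of the binding checklist, before step 5 of the report, and treat any BAD line as a blocker; a non-zero exit status makes it usable from a deployment script as well.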

The details of the initial issue with the mobile account creation as reported to Apple:

25-Feb-2009 07:37 AM Charles Profitt:
Summary:
When using the Active Directory plug-in in Directory Utility and selecting 'Create mobile account at login', some users will fail to be created.

Steps to Reproduce:

1. open Directory Utility
2. Show Advanced
3. Select User Experience and check the following:
A. Create mobile account at login
B. Force local home directory on startup disk
C. Use UNC path from Active Directory to derive network home location and select SMB as the Network protocol to be used
4. Uncheck Require confirmation before creating a mobile account
5. Complete remaining binding tasks
6. Log in as several users

Expected Results:
All users will login and have a mobile account created.

Actual Results:
In an inconsistent manner, users are unable to log in and the log files indicate a failure to generate the UID. The problem happens on multiple systems: on one system a user will work, and that same user will fail on another system.

— LOG OUTPUT —
2/23/09 3:18:05 PM com.apple.loginwindow[512] chmod: Unable to translate 'cool' to a UID/GID
2/23/09 3:18:05 PM com.apple.loginwindow[512] 2009-02-23 15:18:05.933 DirectoryTools[550:10b] chmod +a failed with 1
2/23/09 3:18:15 PM com.apple.loginwindow[512] AuthorizationRef returned an error (-60006), with username = cool joe
2/23/09 3:18:15 PM com.apple.loginwindow[512] This indicates that a SecurityAgent plugin has returned something other than errAuthorizationDenied (usually cancelled) after the auth record is set up.
2/23/09 3:18:15 PM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[523]) Exited: Terminated

and

2/23/09 3:18:39 PM com.apple.loginwindow[580] chmod: Unable to translate 'snoopy' to a UID/GID
2/23/09 3:18:39 PM com.apple.loginwindow[580] 2009-02-23 15:18:39.979 DirectoryTools[607:10b] chmod +a failed with 1
2/23/09 3:18:49 PM com.apple.loginwindow[580] AuthorizationRef returned an error (-60006), with username = snoopy mr
2/23/09 3:18:49 PM com.apple.loginwindow[580] This indicates that a SecurityAgent plugin has returned something other than errAuthorizationDenied (usually cancelled) after the auth record is set up.
—–
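The two failures above share one shape: loginwindow's chmod cannot turn the account name into a numeric UID, and ten seconds later the same loginwindow PID reports AuthorizationRef error -60006 for that user. The script below is an added example, not code from the original post or from Apple, that triages a system.log excerpt by tying those two events together per PID so each failed login comes out as one line. It assumes the name is wrapped in straight quotes (WordPress rendered the excerpt with curly quotes) and the "date time process[pid] message" layout of the 10.5-era log; the embedded sample is the excerpt above with straight quotes.

```shell
#!/bin/sh
# Added example (not from the original post): triage a loginwindow log for the
# failure signature quoted above. The loginwindow PID ties the chmod
# "Unable to translate ... to a UID/GID" line to the AuthorizationRef -60006
# that follows in the same session.
# Assumptions: straight quotes around the account name and the 10.5-era
# "date time process[pid] message" line layout.

# Sample copied from the excerpt above (straight quotes substituted).
SAMPLE_LOG=$(cat <<'EOF'
2/23/09 3:18:05 PM com.apple.loginwindow[512] chmod: Unable to translate 'cool' to a UID/GID
2/23/09 3:18:05 PM com.apple.loginwindow[512] 2009-02-23 15:18:05.933 DirectoryTools[550:10b] chmod +a failed with 1
2/23/09 3:18:15 PM com.apple.loginwindow[512] AuthorizationRef returned an error (-60006), with username = cool joe
2/23/09 3:18:15 PM com.apple.loginwindow[512] This indicates that a SecurityAgent plugin has returned something other than errAuthorizationDenied (usually cancelled) after the auth record is set up.
2/23/09 3:18:15 PM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[523]) Exited: Terminated
2/23/09 3:18:39 PM com.apple.loginwindow[580] chmod: Unable to translate 'snoopy' to a UID/GID
2/23/09 3:18:39 PM com.apple.loginwindow[580] 2009-02-23 15:18:39.979 DirectoryTools[607:10b] chmod +a failed with 1
2/23/09 3:18:49 PM com.apple.loginwindow[580] AuthorizationRef returned an error (-60006), with username = snoopy mr
2/23/09 3:18:49 PM com.apple.loginwindow[580] This indicates that a SecurityAgent plugin has returned something other than errAuthorizationDenied (usually cancelled) after the auth record is set up.
EOF
)

# triage_loginwindow_log "<log text>"
# Output, one line per loginwindow session that hit the signature:
#   pid=<pid> untranslatable=<name> auth_error=<-60006 (username) | none>
triage_loginwindow_log() {
    printf '%s\n' "$1" | awk '
        # remember the loginwindow PID so later lines can be tied to it
        match($0, /com\.apple\.loginwindow\[[0-9]+\]/) {
            pid = substr($0, RSTART + 22, RLENGTH - 23)
        }
        # chmod could not turn the mapped attribute value into a numeric UID
        /Unable to translate .* to a UID\/GID/ {
            name = $0
            sub(/.*Unable to translate ./, "", name)
            sub(/. to a UID\/GID.*/, "", name)
            if (!(pid in failed)) order[++n] = pid
            failed[pid] = name
        }
        # the same session then failed authorization with -60006
        /AuthorizationRef returned an error \(-60006\)/ {
            user = $0
            sub(/.*with username = /, "", user)
            denied[pid] = user
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "pid=%s untranslatable=%s auth_error=%s\n", p, failed[p],
                       (p in denied) ? "-60006 (" denied[p] ")" : "none"
            }
            # a -60006 with no preceding translation failure is a different problem
            for (p in denied)
                if (!(p in failed))
                    printf "pid=%s untranslatable=none auth_error=-60006 (%s)\n", p, denied[p]
        }'
}

triage_loginwindow_log "$SAMPLE_LOG"
```

On an affected machine, feed it the real log with `triage_loginwindow_log "$(grep loginwindow /var/log/system.log)"`; a session that shows untranslatable=none with a -60006 did not hit this bug and needs separate investigation.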

I found a workaround for the sysadmin by meeting his needs with some AppleScript and bash, so he is happy, but I was very surprised to see that a possible, reasonable configuration of Directory Utility would lead to end users getting root access to their managed Macs.


3 Responses to Apple Bug – Standard User to Root

  1. Pingback: OS X Grants Root to Active Directory Users by Mistake | The Mac Sucks!

  2. RaiulBaztepo says:

    Hello!
    Very Interesting post! Thank you for such interesting resource!
    PS: Sorry for my bad English, I've just started to learn this language😉
    See you!
    Your, Raiul Baztepo

  3. ls says:

    I need help. I am trying to create a new admin user account because I forgot my old password. I've tried every reboot code that was given, and when I put in my new information, the message I get is, "unable to create standard user". Can someone help?
