Formerly “theelmerguy”
Join Date: Aug 2005
Location: Irvine, California
|
Here goes:
We have two Macs, 12" iBook G4 1.33GHz and 20" iMac Core 2 Duo 2.0GHz, both running 10.5.2.
From the iBook:
File Sharing: I see the iMac in the sidebar in Finder. It automatically connects as "Guest." Only the public folder is accessible (I set it as read only for Guests). If I want write access to the entire iMac hard drive, I click "Connect As" and it prompts me to connect as a Guest (which I already am) or as a Registered User. I connect with the iMac's admin account and I can read and write to the entire iMac hard drive. If, at the prompt, I connect as Guest or click "Cancel", it will connect me as a Guest again. If, while connected as the admin, I click "Disconnect", it will automatically reconnect as Guest once again.
Screen Sharing: I need to enter the iMac's admin account user name and password every time. This is how it should be.
From the iMac:
File Sharing: I see the iBook in the sidebar. It does not connect me as guest but automatically as the iBook's admin with full access to the iBook's hard drive. I click "Disconnect"; it disconnects but does not reconnect me as a Guest and displays "Connection Failed." I then click "Connect As" and the prompt is different from the one above: it does not give an option to connect as Guest but only blanks for a Registered User name and password. If I fill it in with the appropriate values, I connect as the iBook's admin. Here's where it gets weird: if, at the prompt, I click "Cancel," it does not go back to "Connection Failed," but it connects me as the iBook's admin, giving full access to the iBook's hard drive!
Screen Sharing: It automatically connects to the iBook every time with no prompt for password. This is obviously a security problem.
*Note that I had to enter the iBook's admin account name and password once (the first time) for screen sharing and I specifically recall leaving "Remember this password in my keychain" unchecked. I never had to do this for File Sharing as it automatically connected me as the iBook's admin. (I accessed screen sharing before file sharing.)
I found this thread at macrumors.com documenting the screen sharing part of my problem, but it was never solved: http://forums.macrumors.com/showthread.php?t=407574
I really hope you geniuses can help me with this issue. Thanks.
Formerly “theelmerguy”
Join Date: Aug 2005
Location: Irvine, California
|
Anybody have a clue? I'd really appreciate some help.
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
I have an idea I'll try tonight and share the details.
Formerly “theelmerguy”
Join Date: Aug 2005
Location: Irvine, California
|
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Wow. That's crazy. I have the same issue where it auto-logins when I connect to the other Mac. I'll try narrowing down a cause and hopefully find a logical explanation.
The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Question: do you have FileVault enabled on either of your Macs? Edit: Never mind, that doesn't seem to make a difference.
Also, initial tests show that this is looking really, really bad.
Less than Stellar Member
|
I get the same thing without the "connection failed" part. It does auto-connect me, so it makes sense that canceling the prompt would just connect me as my previous user.
What user are you connected as? I've got .mac, so I use my .mac email to connect so "Back to my mac" works. How about this: launch Screen Sharing (the app, not from the button in the Finder). In the application window, what do you see?
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Some initial frightening findings:
It seems for me that once I connect from Mac A to Mac B with credentials for an admin user on Mac B, those credentials are preserved until I reboot Mac A. In this setup, Mac B has "Allow guests to connect to shared folders" and only "File Sharing" enabled. Both Macs are running 10.5.2. No Keychain entries exist on either Mac for the other. Simple steps to reproduce:
WTF. Only after rebooting Mac A does it lose the automatic admin login for Mac B. This is somewhat baffling, but I'll continue to test and document my findings and try to find a way to clear the credentials without a full reboot of the client computer.
Veteran Member
Join Date: Jul 2007
Location: St. Louis, MO
|
Seems (from reading this thread) to be some sort of cached authentication token. The question I have is: where is the token cached, in RAM or on disk? I would be interested in seeing what would happen if sharing were just turned off then back on, but I've only got a single Mac.
real hackers don't use sigs
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Turning sharing off on Mac B and back on makes no difference; Mac A still authenticates automatically.
Changing the user's password on Mac B also makes no difference; Mac A still authenticates automatically.
Veteran Member
Join Date: Jul 2007
Location: St. Louis, MO
|
So... the client seems to be caching the token, I'm guessing the cache manager... Do you actually have the rights? If you touch a file, are you the admin? I'm wondering if it's just the view that's cached or are you actually connected...
Less than Stellar Member
|
I'm missing the big picture here. What's the problem with Mac A holding on to login info until it's rebooted? Mac B has nothing to do with it.
Here's an example: Does Safari (Mac A) care if AppleNova's server's (Mac B) been rebooted since I last visited? Should it make me re-login if I click on a thread after AN's server reboot? No, and it shouldn't. So, what's the big deal?
Veteran Member
Join Date: Jun 2006
Location: Florida
|
Quote:
Should I give login information to someone else for whatever reason, then they disconnect and I change my password, I should think that my system would now be safe... but it isn't so long as they don't reboot their system. Not that I'd give someone admin access to my system, but it doesn't seem right regardless.
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Quote:
What is especially worrisome here is that it seems almost *impossible* to truly disconnect from a server in the Finder if you have authenticated just once. To draw upon the AppleNova analogy that you mentioned, say you're logged into AppleNova and you click "Log Out". Does it seem sane for Safari to automatically log you back in to the forums as soon as you visit any page on AppleNova again, without any login prompt or confirmation at all?
Less than Stellar Member
|
Ok. I just tried it again, clearing out my MBP's keychain of all passwords related to my iMac. Connected as an admin to my iMac. Disconnected. Navigated elsewhere in the Finder. Tried to connect again, and I was only connected as a guest.
So, it seems fine here.
Veteran Member
Join Date: Jul 2007
Location: St. Louis, MO
|
But, are you seeing a cached image (for want of a better term) or are you actually reconnecting and getting the admin account authorization on the mounted volume?
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Veteran Member
Join Date: May 2004
Location: Ottawa, ON
|
I wonder if this is a 10.4 issue as well.
In any event, I certainly agree that it is just wrong in principle for an explicitly disconnected user to be able to connect again without authentication and also wrong as a matter of practical security. I do share user accounts with the kids in our family, but they do not have access to the admin side of things. If I am file sharing one machine and disconnect and leave the machine, I do not expect them to be able to get into the account without authentication. It's not an actual issue with my usage, since I never file share on the admin accounts, but it could very well be for others. I also wonder how much further the hole might be exploited.
When there's an eel in the lake that's as long as a snake that's a moray.
Less than Stellar Member
|
Brad,
What happens if you turn sharing off entirely on Mac B, try to connect with Mac A and then turn it back on Mac B?
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
I don't believe so. I only have one machine still running 10.4, but I'll give it a try later anyhow.
Not sure. I'll try that later too.
Formerly “theelmerguy”
Join Date: Aug 2005
Location: Irvine, California
|
Brad, thanks for looking into this. "Glad" to see I'm not the only one with the problem.
The funny thing is it's one way for me. The iMac unwantedly "stores" the login info for the iBook, but the iBook always asks for the iMac's login info just like it should. With your setup, does Mac B have the same issues connecting to Mac A? Also, did you try the Screen Sharing issue? It's basically the same security flaw, but just wondering if you experienced it too. Do you think Apple knows about this? Is there a way to let them know?