Admin user can operate as any logged-in user.

MrP
Contributor III

I noticed below today. I'm guessing this has been this way for a long time, and the community just accepts it? Does anyone know of a way to mitigate this?

If a user has the screen locked, any admin account can unlock the screen and have full access to the desktop/applications/network under the identity of the originally logged-in user. This is a huge security issue. NO ONE should be able to operate as another user like that, with the exception of explicitly granted sudo privileges in a shell.

Noticed on 10.13.6, confirmed still present on 10.14.1.


Taylor_Armstron
Valued Contributor

Then disable it?

What baseline are you running? CIS? DISA?

This has been true of OS X basically... since OS X started.

Section 5.16 of the CIS 10.13 baseline addresses the issue, FWIW.

Here's some discussion here in Jamf Nation on how to disable.

https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver

ifbell
Contributor

You can try the following:

/etc/authorization

Change "authenticate-session-owner-or-admin" to "authenticate-session-owner" in the "system.login.screensaver" key.
Save the file.

MrP
Contributor III

From:
https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver

The command we are using to prevent users other than the logged-in user from unlocking their screen is:

security authorizationdb write system.login.screensaver authenticate-session-user
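The two fixes above (editing the "system.login.screensaver" right, and the security authorizationdb write command) are the same change expressed two ways: on OS X 10.9 and later the authorization rules live in the authorization database (/var/db/auth.db) rather than the /etc/authorization file, so the security(1) command is the supported way to change them. The script below is an added example, not code from any of the posters; it reads the right's current rule out of the plist that security authorizationdb read prints, only writes authenticate-session-user when the right is not already restricted to the session owner, and re-reads the right afterwards to confirm the change. The sample plists embedded in it are constructed to match the shape of that output, not captured from a real machine, and the --apply flag and function names are this example's own. The write needs root, so in a Jamf policy it runs as root already; run it by hand with sudo.

```shell
#!/bin/sh
# Restrict the screen-saver unlock right to the session owner.
# Added example (not the posters' code). Assumes macOS 10.9+ where the
# authorization db is managed with `security authorizationdb`.
set -eu

RIGHT="system.login.screensaver"

# Print the rule name(s) of a right, one per line, given the XML plist that
# `security authorizationdb read <right>` writes to stdout. Handles both the
# <array> form and the single <string> form of the "rule" key.
rule_strings() {
    awk '
        /<key>rule<\/key>/ { inrule = 1; next }
        !inrule            { next }
        /<array>/ && !inarr { inarr = 1; next }
        /<\/array>/        { exit }
        /<string>/ {
            v = $0
            sub(/.*<string>/, "", v)
            sub(/<\/string>.*/, "", v)
            print v
            if (!inarr) exit
        }
    '
}

# Succeed (0) only if every rule name in $1 (newline separated) restricts the
# right to the session owner. Either spelling is accepted: the posters use
# authenticate-session-owner and authenticate-session-user interchangeably.
rule_is_owner_only() {
    [ -n "$1" ] || return 1
    if printf '%s\n' "$1" | grep -qvx -e authenticate-session-owner -e authenticate-session-user; then
        return 1
    fi
    return 0
}

# Live path: read, write only if needed, then verify. Needs root for the write.
apply_fix() {
    current=$(security authorizationdb read "$RIGHT" 2>/dev/null | rule_strings)
    if rule_is_owner_only "$current"; then
        echo "$RIGHT already restricted to the session owner ($current)"
        return 0
    fi
    echo "$RIGHT currently: ${current:-<unreadable>}; restricting to session owner"
    security authorizationdb write "$RIGHT" authenticate-session-user
    after=$(security authorizationdb read "$RIGHT" 2>/dev/null | rule_strings)
    rule_is_owner_only "$after"   # non-zero exit if the write did not take
}

# Constructed sample output (shape only) for offline checks of the parser.
SAMPLE_ADMIN_OR_OWNER='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>rule</key>
	<array>
		<string>authenticate-session-owner-or-admin</string>
	</array>
</dict>
</plist>'

SAMPLE_OWNER_ONLY='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>rule</key>
	<string>authenticate-session-user</string>
</dict>
</plist>'

# Only touch the real authorization db when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo $0 --apply)" >&2; exit 1; }
    apply_fix
fi
```

Two caveats worth keeping in mind when you deploy this. It narrows one right only: an administrator can still get a session as that user by other routes (logging in at the login window after a forced logout, ssh, or a root shell via sudo), so it removes the convenience path, not admin authority. And because `security authorizationdb write` replaces the whole rule for the right, re-read it after each macOS upgrade, since installers have been known to reset rights in the database.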