Authorization plugin strange behavior with FileVault login

Hi all,

I'm experiencing strange behavior with an authorization plugin we inserted into the authorizationdb. The plugin works great when we log out and log in regularly from macOS.

The strange behavior starts when we log in directly from the FileVault login (and auto-login is enabled). If the user cancels our plugin (our plugin shows a UI view as part of the login after he enters user+password) and the user is back at the password entry screen, he can enter any password he wants, and the system will save this password as the new password for this user (replacing the old password) and then trigger our plugin again, instead of the regular flow of entering the password and continuing to our plugin. I've never seen this behavior where the user enters a password as part of the login and the system just saves whatever he enters as the new password (a security vulnerability?). This is our mechanism chain:

    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:reset-password,privileged</string>
    <string>loginwindow:FDESupport,privileged</string>
    <string>builtin:forward-login,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>PKINITMechanism:auth,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:success</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>CryptoTokenKit:login</string>
    <string>our-auth:prepare,privileged</string>
    <string>our-auth:main</string>
    <string>our-auth:cleanup,privileged</string>
    <string>loginwindow:done</string>

So, a summary of the flow:

  1. User powers on the Mac and enters the FileVault password.
  2. After the decryption process is done, our plugin triggers.
  3. The user cancels our plugin in the view, hence the view is removed and the user is back at the password entry screen.
  4. User can enter ANY password he wants (it does not tell him that he is changing or has changed the password).
  5. Our plugin triggers again as part of the chain.
  6. User approves our plugin and is logged in.
  7. Trying to use the old password does not work. Only the new password works from that moment on.

I must say that it only happens if the user cancels our plugin on the first try. If he does not cancel the plugin, it continues with the current password.

Can someone help me understand why this is happening?
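When a third-party mechanism is inserted into `system.login.console`, the first thing worth verifying is that the right still contains the stock chain in its stock order, with the same `privileged` flags, and that the custom mechanisms sit where they were intended. The script below is an added example, not code from the original post or from its author; it parses the XML plist that `security authorizationdb read system.login.console` prints on macOS and audits the mechanism list against a baseline. The baseline is the chain quoted in the post with the `our-auth` entries removed, and the placement rules (custom mechanisms after `builtin:authenticate` and before `loginwindow:done`) are assumptions about this deployment's convention, not a rule of the authorization framework. The sample right is constructed inline with `plistlib` so the script runs offline.

```python
"""Audit the mechanism chain of an authorizationdb right (added example)."""
import plistlib
import sys
from typing import List

# Assumed baseline: the stock mechanisms of system.login.console exactly as
# they appear in the post, without the custom our-auth entries.
STOCK_CHAIN = [
    "builtin:policy-banner",
    "loginwindow:login",
    "builtin:login-begin",
    "builtin:reset-password,privileged",
    "loginwindow:FDESupport,privileged",
    "builtin:forward-login,privileged",
    "builtin:auto-login,privileged",
    "builtin:authenticate,privileged",
    "PKINITMechanism:auth,privileged",
    "builtin:login-success",
    "loginwindow:success",
    "HomeDirMechanism:login,privileged",
    "HomeDirMechanism:status",
    "MCXMechanism:login",
    "CryptoTokenKit:login",
    "loginwindow:done",
]

# Prefix of the third-party mechanisms, taken from the post.
CUSTOM_PREFIX = "our-auth:"

# The full chain from the post: custom mechanisms inserted before loginwindow:done.
POST_CHAIN = STOCK_CHAIN[:-1] + [
    "our-auth:prepare,privileged",
    "our-auth:main",
    "our-auth:cleanup,privileged",
    "loginwindow:done",
]


def build_right(mechanisms: List[str]) -> bytes:
    """Constructed sample in the XML plist shape `security authorizationdb read` prints."""
    return plistlib.dumps({"class": "evaluate-mechanisms", "mechanisms": mechanisms, "shared": True})


SAMPLE_RIGHT = build_right(POST_CHAIN)


def parse_mechanisms(plist_bytes: bytes) -> List[str]:
    """Return the mechanism list of an evaluate-mechanisms right."""
    right = plistlib.loads(plist_bytes)
    if right.get("class") != "evaluate-mechanisms":
        raise ValueError(f"right class is {right.get('class')!r}, expected evaluate-mechanisms")
    return list(right["mechanisms"])


def base_name(mech: str) -> str:
    """Strip the ',privileged' flag: 'builtin:authenticate,privileged' -> 'builtin:authenticate'."""
    return mech.split(",", 1)[0]


def audit_chain(mechs: List[str], stock: List[str] = STOCK_CHAIN, custom_prefix: str = CUSTOM_PREFIX) -> List[str]:
    """Return a list of findings; an empty list means the chain matches expectations."""
    findings: List[str] = []
    names = [base_name(m) for m in mechs]
    stock_names = [base_name(m) for m in stock]

    # 1. Every stock mechanism is still present, and those present keep their stock order.
    for n in stock_names:
        if n not in names:
            findings.append(f"stock mechanism missing: {n}")
    if [n for n in names if n in stock_names] != [n for n in stock_names if n in names]:
        findings.append("stock mechanisms are not in their original order")

    # 2. The privileged flag of each stock mechanism is unchanged.
    stock_priv = {base_name(m): m.endswith(",privileged") for m in stock}
    for m in mechs:
        n = base_name(m)
        if n in stock_priv and stock_priv[n] != m.endswith(",privileged"):
            findings.append(f"privileged flag changed on {n}")

    # 3. Nothing other than stock and our own mechanisms is in the chain.
    for n in names:
        if n not in stock_names and not n.startswith(custom_prefix):
            findings.append(f"unexpected mechanism: {n}")

    # 4. Assumed placement convention: custom mechanisms run only after the
    #    password has been verified and before loginwindow:done.
    if "builtin:authenticate" in names:
        auth_idx = names.index("builtin:authenticate")
        findings += [f"{n} runs before builtin:authenticate" for i, n in enumerate(names)
                     if n.startswith(custom_prefix) and i < auth_idx]
    if "loginwindow:done" in names:
        done_idx = names.index("loginwindow:done")
        findings += [f"{n} runs after loginwindow:done" for i, n in enumerate(names)
                     if n.startswith(custom_prefix) and i > done_idx]

    # 5. No mechanism appears twice.
    seen = set()
    for n in names:
        if n in seen:
            findings.append(f"duplicate mechanism: {n}")
        seen.add(n)
    return findings


if __name__ == "__main__":
    # Pipe real output in: security authorizationdb read system.login.console | python3 audit.py
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_RIGHT
    for finding in audit_chain(parse_mechanisms(data)) or ["chain matches baseline"]:
        print(finding)
```

Running it against the chain from the post reports no findings; it is meant as a regression check after each `security authorizationdb write`, so that a mechanism that was dropped, reordered or stripped of `privileged` during installation is caught before the login flow is debugged by hand.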