Authorization Plugin not invoked for Fast User Switching (FUS) on Ventura

The user interface for Fast User Switching on macOS Ventura appears to have changed and our authorization plugin is not being invoked.

Previously FUS (system.login.fus in auth.db) would show our authorization plugin dialog with a “Switch User” button in the surrounding SFAuthorizationPluginView. In Ventura it first shows the login screen with the row of user avatars and then an animation appears as if the corresponding user from the FUS menu has been selected with a password input field. It looks like a normal login but it doesn’t invoke our authorization plugin like logging out and logging back in does.

The other use cases for our authorization plugin continue to work as expected in macOS Ventura:

  • system.login.console
  • system.login.screensaver
  • authenticate

Is there a work around we can use?

I submitted feedback using Apple's Feedback Assistant (FB11705643) a week ago but have yet to receive any response. I believe this is a security issue Apple may want to fix in a software update.

Up vote post of peter_at_trusona Down vote post of peter_at_trusona
692 views
Posted by
peter_at_trusona
Reply
Add a Comment

Replies

Is this new in the macOS 13.0 final? Or did it show up in one of the betas?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

I noticed it in the Release Candidate last week but suspect it was present in earlier betas.

Posted by
peter_at_trusona
Up vote reply of peter_at_trusona Down vote reply of peter_at_trusona
Add a Comment

but suspect it was present in earlier betas.

I need to be clear about something here: The authorisation plug-ins mechanism is super brittle. If you’re relying on it, you really (really really!) need to test with new betas as we seed them. This is especially important for major OS releases, but it applies even for software updates.

As to your current issue, I’ve no idea what’s going on there. If you open a DTS tech support incident, I’ll take a proper look at this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks! I think I have some idea what's happening. My bigger concern is making Apple aware and whether a fix can be expected. Can open a DTS incident if it helps.

Posted by
peter_at_trusona
Up vote reply of peter_at_trusona Down vote reply of peter_at_trusona
Add a Comment

My bigger concern is making Apple aware

For that, file a bug report.

Please post your bug number, just for the record

whether a fix can be expected.

I’m not able to offer concrete information about timelines, either here or one-on-one in a DTS incident.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks for the quick response. I really appreciate the way you monitor the forums. Bug number is FB11705643 filed 2022-10-19. Best regards, - Peter (K1AV)

Posted by
peter_at_trusona
Up vote reply of peter_at_trusona Down vote reply of peter_at_trusona
Add a Comment

Looking at your bug report, it seems that system.login.fus is no longer a thing. Rather, the system switches to the new session and invokes system.login.console in that context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

It does look like that except that our authorization plugin is successfully intercepting login requests by modifying the auth.db entry for system.login.console as follows: Replace: loginwindow:login With: TrusonaAuthorizationPlugin:trusonaLogin

I suspect the bug is that the FUS code path is no longer using the system.login.console entry in auth.db. Somehow it is going directly to the login window bypassing the auth.db list of mechanisms for system.login.console. It might be interesting to test with your modified system.login.console.plist and corresponding plugins GUIAuthPlugin.bundle and LoggingAuthPlugin.bundle .

Kind regards, - Peter

Posted by
peter_at_trusona
Up vote reply of peter_at_trusona Down vote reply of peter_at_trusona
Add a Comment