netkas.org

FileVault 2 is pointless sometimes

Imagine this:
1) You have a Mac with Lion installed, and you have administrative rights on it.
2) You want other people (coworkers, roommates, etc.) to be able to use the computer sometimes, but never to be able to access your files, so you create a non-administrative account for them.
3) You enable FileVault 2 to protect your files from being accessed by strangers (in the office, for example).
4) The user with the account created in point 2 and its password does this: reboots the Mac, holds down Command+S on startup, enters the password of his non-administrative account, and boots into single-user mode with root access. Game over: he has full access to all your files and can even change your password.

Isn't it a sick, mindless design?

Comments

  1. anders
    November 25th, 2011 | 11:20 am

Except it doesn’t work like that: you have to enable boot access for accounts, and it’s not enabled for anyone.

  2. Mike
    November 25th, 2011 | 11:53 am

    Enable Firmware Password.

  3. digital_dreamer
    November 25th, 2011 | 12:06 pm

    Booting into Single-User mode and entering your password for your non-administrative account gives you root access to another account “secured” via Filevault 2?
    Mind boggling.

    MAJ

  4. synko
    November 25th, 2011 | 1:30 pm

    I haven’t tried it for a while, but on a similar note you can reboot a Linux machine, edit the GRUB boot line and set init to /bin/bash, and boot directly into bash with root privileges, no account or password needed.

    The rule of thumb always was that once someone has physical access to the computer it’s game over as far as security is concerned (unless we’re talking about encryption...).

    syn

  5. netkas
    November 25th, 2011 | 5:16 pm

    And here we are talking about encryption.

    It wasn’t possible to do this trick with the first FileVault.

  6. netkas
    November 25th, 2011 | 5:17 pm

    Resettable

  7. Crazor
    November 26th, 2011 | 11:22 am

    How do I enable or disable boot access for a user? I’ve added an unprivileged test account (FV2 was already enabled) and it automatically got boot access.
    I couldn’t enter single-user mode, though, because of the firmware password. But as netkas said, those are (were?) resettable. One method I remember is to change the RAM configuration of the machine. I’ll see if this still works with my 2008 MacBook later today.

  8. November 26th, 2011 | 5:30 pm

    This won’t work because of two things:
    1) You did not enable the other account to unlock the disk.
    2) Single user mode is only entered after having unlocked the disk.

    //another account without admin privileges, enabled to boot the Mac, can boot into single-user mode; I checked it myself.

  9. Fulvius
    November 27th, 2011 | 8:17 pm

    As far as I know, the files are encrypted with _your_ password, so even if a user is given root access, he will be able to delete/copy them but not read them, as they will still be encrypted with your key.
    I think this is what FileVault is all about: even if your content is stolen, thieves won’t be able to access it.

    //it was so with FileVault 1, not FileVault 2

  10. November 28th, 2011 | 2:12 pm

    […] Just made a fix for the FileVault 2 issue I described earlier. […]

  11. ppl
    December 18th, 2011 | 12:49 am

    When you enable FV2 it shows a screen where you can add or remove existing (!!!) user accounts for unlocking the disk. After you’ve set up FV2, it enables every user to do this in order to allow them to boot up the machine, which makes perfect sense.

    When booting into single-user mode, the logged-in user can indeed access quite a lot of things, but this is not something FV2 is trying to stop. FV2 is about whole-disk encryption, not preventing access to other people’s home dirs or stopping them from booting into single-user mode. There are other mechanisms for that. For the first you have the standard UNIX permissions as well as ACLs. For the second you simply set the firmware password.

    In short: for your use case you need to do 3 things:
    1. Make sure users can’t view other users’ home dirs at all (currently it does prevent you from running things like passwd or editing files with tools like vim because of insufficient rights; you may have set up an admin user).
    2. Prevent users from interacting with the EFI, so they can’t boot into single-user mode, reset the SMC, reset NVRAM/PRAM, etc., by setting the firmware password.
    3. Enable FileVault for whole-disk encryption so other people who do not know the accounts/passwords are not able to read the contents of the drive.

    This is a big difference from how it worked previously. FileVault 1 was meant to encrypt a user’s home dir only. FileVault 2 is meant to encrypt the entire disk, including all of the home dirs, system files, etc. So simply put, you’ve failed to understand what FV2 does. The problem is point number 2 in your post: FV2 does not do this and is meant to do this.
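An audit script for the three settings listed above, added here as an example and not part of the original post or comments. It assumes macOS 10.10 or later for fdesetup and firmwarepasswd (neither command exists on Lion, the version the post is about), and the two helper functions take their input as arguments so they can be checked against constructed data without a Mac.

```shell
#!/bin/sh
# Audit the three things the comment lists: which accounts can unlock the
# FileVault 2 volume, whether a firmware password is set, and whether home
# directories are readable by other local users.
# Assumes macOS 10.10+ for `fdesetup list` and `firmwarepasswd -check`.

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Print every user on that list who is NOT in the admin group: these are the
# non-admin accounts that can unlock the disk and reach single-user mode.
fv_enabled_non_admins() {
    fv_list="$1"   # output of: fdesetup list
    admins="$2"    # space-separated admin short names (from dscl)
    printf '%s\n' "$fv_list" | while IFS=, read -r user _uuid; do
        [ -n "$user" ] || continue
        case " $admins " in
            *" $user "*) ;;             # admin: expected to unlock
            *) printf '%s\n' "$user" ;; # non-admin able to unlock
        esac
    done
}

# Return 0 if an `ls -ld` mode string (e.g. drwxr-xr-x, drwxr-xr-x+) grants
# read permission to "other", i.e. any local user can list the directory.
world_readable() {
    case "$1" in
        d??????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live audit; needs root for firmwarepasswd. Run as: sh audit.sh run
audit() {
    fv="$(fdesetup list 2>/dev/null)"
    admins="$(dscl . -read /Groups/admin GroupMembership 2>/dev/null \
              | sed 's/^GroupMembership: //')"
    echo "Non-admin accounts able to unlock the FileVault volume:"
    fv_enabled_non_admins "$fv" "$admins"
    echo "Firmware password: $(firmwarepasswd -check 2>/dev/null \
              || echo 'unknown (needs root and OS X 10.10+)')"
    for d in /Users/*/; do
        m="$(ls -ld "$d" | cut -d' ' -f1)"
        world_readable "$m" && echo "home dir readable by others: $d ($m)"
    done
}

case "${1:-}" in run) audit ;; esac
```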

  12. ppl
    December 18th, 2011 | 1:04 am

    Err I meant “The problem is point number 2 in your post, FV2 does not do this and is NOT meant to do this.”

    Just an addition: in OS X you can enable a guest account if somebody wants to use your computer for a bit. It will create the user upon login and delete everything upon logout. No need for a password. A nice, safe option if you do not want to let them work under your account and access everything in it. But this causes problems when you use FV2; it would simply render it pointless, as you could log in without a password, unlock the drive and then access everything on it. Apple thought of that and partially disables the guest account when you enable FV2. It only allows guests to connect to shared folders; it does not allow guests to log in locally.

  13. February 12th, 2012 | 6:08 am

    Yes, I just confirmed this gaping hole, too! Thanks for the info!
