AppStore Preferences lock is a lie

Originator: eholtam
Number: rdar://36350507
Date Originated: 08-Jan-2018 11:15 AM
Status: Open
Resolved:
Product: macOS + SDK
Product Version: 10.13.2 17C88
Classification: Security
Reproducible: Always
 
Summary:
The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password.  

Steps to Reproduce:
1) Log in as a local admin
2) Open App Store Prefpane from the System Preferences
3) Lock the padlock if it is already unlocked
4) Click the lock to unlock it
5) Enter any bogus password

Expected Results:
The authorization to fail.

Actual Results:
Authorization succeeds and grants access to change the AppStore preferences.

Version:
10.13.2 17C88

Notes:
This only appears to be when logged in as a local admin. 
Tested with a non-admin account and I cannot unlock the prefpane with incorrect credentials.

Comments

Audit logs

In case it provides insight, here are the audit logs related to this bug. I entered a bogus password then collected the below event logs:

<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:53 2018" msec=" + 970 msec" >

<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />

<text>com.apple.SoftwareUpdate.modify-settings</text>

<text>mechanism builtin:entitled,privileged</text>

<return errval="success" retval="0" />

</record>

<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:53 2018" msec=" + 980 msec" >

<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />

<text>com.apple.SoftwareUpdate.modify-settings</text>

<text>mechanism builtin:entitled,privileged</text>

<return errval="success" retval="0" />

</record>

<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:54 2018" msec=" + 62 msec" >

<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />

<text>com.apple.SoftwareUpdate.modify-settings</text>

<text>mechanism builtin:entitled,privileged</text>

<return errval="success" retval="0" />

</record>

<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:05:55 2018" msec=" + 979 msec" >

<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />

<text>com.apple.SoftwareUpdate.modify-settings</text>

<text>mechanism builtin:entitled,privileged</text>

<return errval="success" retval="0" />

</record>

<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:06:05 2018" msec=" + 618 msec" >

<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />

<text>com.apple.SoftwareUpdate.modify-settings</text>

<text>mechanism builtin:entitled,privileged</text>

<return errval="success" retval="0" />

</record>

<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="Mon Jan 15 10:06:06 2018" msec=" + 181 msec" >

<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />

<text>com.apple.SoftwareUpdate.modify-settings</text>

<text>mechanism builtin:entitled,privileged</text>

<return errval="success" retval="0" />

</record>
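
A triage sketch for records of the shape pasted above, added here as an example and not part of the original comment or any Apple tooling: it parses the `<record>` elements and tallies `SecSrvr AuthMechanism` outcomes per process and mechanism for one right. The sample input is constructed from the fields shown above; the function names and the synthetic `<audit>` wrapper root are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the records above (placeholder user, two events).
_REC = '''<record version="11" event="SecSrvr AuthMechanism" modifier="0" time="{t}" msec=" + {ms} msec" >
<subject audit-uid="MYUSERNAME" uid="MYUSERNAME" gid="staff" ruid="MYUSERNAME" rgid="staff" pid="61483" sid="100007" tid="61484 0.0.0.0" />
<text>com.apple.SoftwareUpdate.modify-settings</text>
<text>mechanism builtin:entitled,privileged</text>
<return errval="success" retval="0" />
</record>
'''
SAMPLE = _REC.format(t="Mon Jan 15 10:05:53 2018", ms=970) + _REC.format(t="Mon Jan 15 10:06:05 2018", ms=618)

def parse_records(xml_text):
    """Parse pasted <record> elements (which have no root element) into dicts."""
    root = ET.fromstring("<audit>" + xml_text + "</audit>")  # synthetic wrapper root
    records = []
    for rec in root.iter("record"):
        texts = [(t.text or "").strip() for t in rec.findall("text")]
        mech = [t.split(" ", 1)[1] for t in texts if t.startswith("mechanism ")]
        right = [t for t in texts if not t.startswith("mechanism ")]
        ms = int(re.search(r"\d+", rec.get("msec", "0")).group())  # " + 970 msec" -> 970
        when = datetime.strptime(rec.get("time"), "%a %b %d %H:%M:%S %Y")
        subj, ret = rec.find("subject"), rec.find("return")
        records.append({
            "event": rec.get("event"),
            "time": when + timedelta(milliseconds=ms),
            "right": right[0] if right else None,
            "mechanism": mech[0] if mech else None,
            "pid": subj.get("pid") if subj is not None else None,
            "ok": ret is not None and ret.get("retval") == "0",
        })
    return records

def summarize(records, right):
    """Count AuthMechanism outcomes for one right, keyed by (pid, mechanism)."""
    out = defaultdict(lambda: {"success": 0, "failure": 0, "first": None, "last": None})
    for r in sorted(records, key=lambda r: r["time"]):
        if r["event"] != "SecSrvr AuthMechanism" or r["right"] != right:
            continue
        g = out[(r["pid"], r["mechanism"])]
        g["success" if r["ok"] else "failure"] += 1
        g["first"] = g["first"] or r["time"]  # keep the earliest timestamp
        g["last"] = r["time"]
    return dict(out)
```

Comparing the tally for a right against the times at which a password prompt was actually answered shows which mechanism evaluations returned success during that window.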

We need more bugs!

Also there is another bug with these lock/unlock elements in macOS High Sierra 10.13.2. Steps to reproduce:
1) Log in as a local admin
2) Open Security & Privacy pane from the System Preferences
3) Lock the padlock if it is already unlocked
4) Click the lock to unlock it
5) Enter your password
6) Change user name to ANY.
7) Click to password field to apply changes to user name (one more little buggy)
8) Press Unlock

By Thuzerland at Jan. 12, 2018, 12:10 p.m.

Tested on earlier version

Not reproducible on 10.13.1

seems to be a new one ;)

By VoelinMail at Jan. 11, 2018, 9:31 a.m.

"Preferences lock is a lie" ???

Can we put on our grown-up pants and call a bug a 'bug'?

By bhagmeister at Jan. 10, 2018, 5:11 p.m.
