10.8's fdesetup can be used with non-enabled admin accounts on Yosemite to enable users for FileVault 2

Originator:rtrouton
Number:rdar://18985048 Date Originated:11-14-2014
Status:Open Resolved:
Product:OS X Product Version:10.10.0, build 14A389
Classification:Security Reproducible:Always
 
Summary:

As part of a discussion about how different versions of fdesetup handle enabling users for FileVault 2, it was discovered that 10.8's version of the fdesetup tool (extracted from a 10.8.5 Mac) can be copied to a Mac running Yosemite and used by a user account with admin privileges to enable user accounts for FileVault 2. 

Description:

As part of a discussion about how different versions of fdesetup handle enabling users for FileVault 2, it was discovered that 10.8's version of the fdesetup tool (extracted from a 10.8.5 Mac) can be copied to a Mac running Yosemite and used by a user account with admin privileges to enable user accounts for FileVault 2. 

The admin user can authorize the enabling of other accounts even if the admin account wasn’t enabled. An admin account can also enable itself using this process, by being both the authorizing admin account and the account being enabled.


Steps to reproduce:

Pre-requisites:

A copy of the fdesetup binary from a Mac running 10.8.x

1. Copy the 10.8 fdesetup binary to a Mac running Yosemite.
2. Set up a new user account (with admin privileges) and make sure it is not enabled for FileVault 2. 

Note: For this example, I'm using "new_admin_username_here" when referring to the new user account with admin privileges

3. Log in to the new user account
4. Open Terminal and run the following command with root privileges:

sudo /path/to/10_8_fdesetup add -usertoadd new_admin_username_here

Expected results:

1. You should be prompted for the username of the primary user. Put in new_admin_username_here
2. You should next be prompted for the password of the primary user. Put in new_admin_username_here's password here.
3. You should next be prompted for the password of the user you want to add. Put in new_admin_username_here's password here.

After providing the password in step three, I should receive an authentication error since the user is not enabled for FileVault 2.

Actual Results:

1. You should be prompted for the username of the primary user. Put in new_admin_username_here
2. You should next be prompted for the password of the primary user. Put in new_admin_username_here's password here.
3. You should next be prompted for the password of the user you want to add. Put in new_admin_username_here's password here.

After providing the password in step three, the "new_admin_username_here" account is enabled for FileVault 2.

OS X Version/Build:

OS X 10.10.0, build 14A389

Additional Notes:

I put up a blog post with my findings here:

http://derflounder.wordpress.com/2014/11/14/using-os-x-10-8s-fdesetup-tool-and-non-enabled-admin-accounts-to-enable-users-for-filevault-2-on-mavericks-and-yosemite/

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!