sysadminctl -secureTokenStatus allows null password

Originator:broccardo
Number:rdar://36163828 Date Originated:12/20/2017
Status:Closed as Dupe Resolved:
Product:Mac Product Version:10.13.2/10.13.3b2
Classification:Bug Reproducible:Always
 
Summary:
sysadminctl allows passing null/garbage entry for admin password when using sysadminctl -secureToken Status

Steps to Reproduce:
1. On a Mac running 10.13.2 or 10.13.3b2 launch Terminal.app
2. Get elevated privileges with sudo -s
3. Enter the following command:
sysadminctl -adminUser [admin] -adminPassword [value that is not admin's password] -secureTokenStatus [username for user being checked]

Expected Results:
Would expect that system would reject command outright because the admin's password is incorrect.

Actual Results:
The system returns an error, but then still processes the command and returns a result. 
e.g. 

bash-3.2# sysadminctl -adminUser admin -adminPassword null -secureTokenStatus otheruser
2017-12-20 15:12:22.163 sysadminctl[505:3977] ### Error:-14090 File:/BuildRoot/Library/Caches/com.apple.xbs/Sources/Admin/Admin-674/DSAuthenticator.m Line:94
2017-12-20 15:12:22.214 sysadminctl[505:3977] Secure token is ENABLED for user otheruser

Please note that other sysadminctl commands such as sysadminctl -secureTokenOff properly fail with incorrect admin user password. 

Version/Build:
10.13.2 (17C88)
10.13.3 Beta 2 (17D25b)

Comments

Closed as duplicate of 35079899

By broccardo at Dec. 21, 2017, 3 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!