Can you confirm a security hole in file sharing?

I have found a very annoying security hole, and I wonder if it is unique to my setup. I have my mini set up with file sharing turned on. It has 5 accounts, one administrator, the rest ordinary users. My login for the administrative user on my laptop is the same as on the mini. I have not turned on "Back to my Mac."
From my laptop I navigate to the mini using either (a) the network panel in Finder, (b) the local IP (afp://192.168.0.xxx), or (c) the global IP (afp://64.xxx.xxx.xxx). (My router is set up to forward the appropriate ports to the mini's local IP.) I mount the administrative user's home directory under Apple File Sharing. Now I have full access to these files. I DO NOT SAVE THE PASSWORD IN KEYCHAIN. All this is as it should be.
Now I eject the administrator disk.
From now on (until I reboot my laptop), I can mount that same disk without a password!
Can someone confirm?

William Lloyd wrote: "This is not a security hole."
While I can understand that some may consider Kerberos automagically creating what is essentially a keychain without the user's express knowledge or consent a "feature", I definitely consider it a bug and a huge security hole.
The Kerberos ticket should not live longer than the user is actually connected to the machine. Currently, if the user clicks the Disconnect button the Kerberos ticket lives on and any future connections to that server will use that ticket. This is not what users (especially novice to intermediate) would expect. If the user clicks the Disconnect button, then they would expect that they are completely disconnected and any further connections to that server would require authentication. Otherwise they leave their machine wide open, hence the security hole.
The other thing that makes this so nasty is that if the OS decides not to use kerberos, for whatever reason, the behavior is different. It behaves as the user would expect. Clicking Disconnect does completely disconnect you from the server and any future connections will require authentication. So at a minimum there is a dangerous inconsistency in behavior between when the OS uses Kerberos and when it doesn't. That, at a minimum, should be fixed.
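
A way to check for the condition described in the reply above, as an added example that is not part of either post: it looks for AFP service tickets still sitting in the Kerberos credential cache when no AFP volume is mounted. The function names, the `afpserver/` principal prefix, the `afpfs` mount marker and the sample `klist` text are assumptions or constructed values, not output taken from the poster's machine.

```shell
#!/bin/sh
# Added example: detect AFP Kerberos tickets that outlive the mounted share.
# Assumptions: AFP service principals start with "afpserver/", the service
# principal is the last field of each klist ticket line, and mounted AFP
# volumes show "afpfs" in `mount` output.

# Constructed klist-style listing (placeholder realm, not real output).
SAMPLE_KLIST='Default principal: admin@LKDC:SHA1.EXAMPLE

Valid Starting     Expires            Service Principal
02/01/08 10:00:00  02/01/08 20:00:00  krbtgt/LKDC:SHA1.EXAMPLE@LKDC:SHA1.EXAMPLE
02/01/08 10:00:05  02/01/08 20:00:00  afpserver/LKDC:SHA1.EXAMPLE@LKDC:SHA1.EXAMPLE'

# Read klist text on stdin, print each cached AFP service principal.
afp_tickets() {
    awk '$NF ~ /^afpserver\// { print $NF }'
}

# $1 = klist text, $2 = mount text. Prints one of:
#   clean   no AFP ticket cached
#   in-use  AFP ticket cached and an AFP volume is mounted
#   stale   AFP ticket cached but nothing is mounted (reconnect needs no password)
ticket_state() {
    tickets=$(printf '%s\n' "$1" | afp_tickets)
    if [ -z "$tickets" ]; then
        echo "clean"
    elif printf '%s\n' "$2" | grep -q 'afpfs'; then
        echo "in-use"
    else
        echo "stale"
    fi
}

# On a machine with the Kerberos tools installed: report the state, and
# destroy the cache only when the script is run with --destroy.
if command -v klist >/dev/null 2>&1; then
    state=$(ticket_state "$(klist 2>/dev/null)" "$(mount 2>/dev/null)")
    echo "AFP ticket state: $state"
    if [ "$state" = "stale" ] && [ "${1:-}" = "--destroy" ]; then
        # kdestroy removes the whole default cache, including the TGT.
        kdestroy && echo "credential cache destroyed"
    fi
fi
```

Running it after ejecting the share and seeing `stale` matches the behaviour the thread describes; with `--destroy` the next connection has to authenticate again.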

Similar Messages

  • How can you reset your security questions??

    how can you reset your security questions if you forgot them???????????

    You can go to appleid.apple.com, sign in, click on password and security and if you have a rescue email on file you can select to send an email to reset them. If the option is not there you will need to visit expresslane.apple.com to request to have them reset.

  • How can you change your security question for I tunes?

    How can you change your security question for I tunes?

    If you have a rescue email address (which is not the same thing as an alternate email address) set up on your account then the steps half-way down this page give you a reset link on your account : http://support.apple.com/kb/HT5312
    If you don't have a rescue email address (you won't be able to add one until you can answer 2 of your questions) then you will need to contact iTunes Support / Apple to get the questions reset.
    Contacting Apple about account security : http://support.apple.com/kb/HT5699
    When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down the HT5312 link above to add a rescue email address for potential future use

  • HT1918 How can you change your security questions?

    How can you change your security questions?

    1. See my User Tip for some help: Some Solutions for Resetting Forgotten Security Questions: Apple Support Communities.
    2. Here are two different but direct methods:
        a. Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
        b. Call Apple Support in your country: Customer Service: Contacting Apple for support
            and service.
    3. For other queries about Apple ID see Frequently asked questions about Apple ID.
    4. Rescue email address and how to reset Apple ID security questions

  • How can you change your security questions if you for got them

    how can you change your security questions if you for got them

    Welcome to the Apple Community.
    Start here, and reset your security questions, you will receive an email to your rescue address, use the link in the email and reset your security questions.
    If that doesn't help or you don't have a rescue address, you might try contacting Apple through iTunes Store Support

  • How can you change your security questions!! i got a new iphone 5 and i forgot them!!

    How can you change your security questions?! I got the iphone 5 and i forgot them and it wont let me buy songs!!!!

    Click here and request assistance.
    (72909)

  • Please can you tell me the default maximum file size for an attachment in Case Management v12 ?

    Hi,
    Please can you tell me the default maximum file size for an attachment in Case Management v12+? I am able to define a maximum attachment size but I am not able to see what the default is set to.
    Thank you
    Regards,
    Anthony

    Hi,
    The default max attachment size is 8MB.
    Regards.
    Mike

  • Can you still access Adobe PDF SAVED FILES WHEN YOU GET A NEW COMPUTER

    Can you still access Adobe PDF SAVED FILES WHEN YOU GET A NEW COMPUTER ? Do you lose the files you have saved on your old computer when you get another computer?

    I may not be clear on what you are asking here but I'll try an answer anyway since that's the type of guy I am.
    If you have PDF files on your old computer, you will need to transfer them to your new computer. You can use a flash drive or CD if needed.
    But again, I think I'm not getting what you are really wanting to know. If I'm not, can you give us some more details?

  • Can you organize your "links" panel by FILE TYPE ?

    Can you organize your "links" panel by FILE TYPE ?
    Or can you somehow export to somewhere and accomplish this?

    Yes.
    Choose Panel Options from the Links panel menu and tick the checkbox next to Format under Show Column:
    Then, click the Format column-head button to sort...click again to toggle ascending / descending...

  • Can you add the security patch to iphone 5 without updating to ios7? i want to keep ios6

    can you add the security patch to iphone 5 without updating to ios7? i want to keep ios6

    Updating the iOS will Install the most current Version.
    Suggest you use iTunes on your Computer to Update from 6 to 7.
    See the Using iTunes Section Here...
    How to update your iPhone, iPad, or iPod touch

  • Can you open an FCP 6.0 file in 5.0?

    Well, that's my question: Can you open an FCP 6.0 file in 5.0? The machine with 5.0 is NOT a Duo Core system.
    Any help is greatly appreciated.
    ~R
    Message was edited by: reicko

    Rats, I wished I would have thought about that before leaving the office. I'm really not familiar with XML files. Good info that will have to be used next time.
    Gracias
    ~R

  • Please, can you confirm that after erase the phone using the find my iphone all my personal data will be unavailable? Someone stole my iphone 6  on the street

    Please, can you confirm that after erase the phone using the find my iphone option,  all my personal data will be completely unavailable? Someone stole my iphone 6 +  on the street. I have already received a mail from apple confirming that is erased. Can I trust on this message? It really works? my 3G connection was working properly.
    Thank you very much

    Hey Joangil,
    Yes! If you have received an email from Apple stating and confirming that it is erased then you should trust this message. It would have all been removed.
    Sorry to hear that your iPhone has been stolen,
    Zach

  • HT4990 how can you reset your security questions if you have forgot them

    How can you reset your security questions if you have forgot them.?

    You may find solutions if you look under More Like This at the right of this page. If not, this forum is for questions from those managing sites on iTunes U, Apple's service for colleges and universities to post educational material in the iTunes Store and hence not the best place to get assistance with this problem. You'll be most likely to get additional help with this issue if you ask in the general iTunes forums where this question has been asked and answered in a number of other threads.
    Regards.
    Message was edited by: varjak paw

  • Patches to enable  XML Publisher on NetApp - can you confirm?

    Customer has version 11.5.9 of NetApp. He understood that a patch or several patches would be required to enable XML Publisher.
    Can you confirm and if so, what are the patches (any metalink notes)?
    Thanks in advance
    Steve flournoy

    Hi
    We do not provide a VBA or .NET wrapper for the java APIs we provide. However, it's not a huge task to call java from VBA. Just google, 'calling java from VBA'.
    you can then have the java API libraries sitting on the local machine and just call the one you need.
    tim

  • HT201363 How can you reset your security questions if you can't remember the answers?

    Hello! my question is how can you reset your security questions if you don't remember the answers?

    You need to ask Apple to reset your security questions; this can be done by phoning AppleCare and asking for the Account Security team, or clicking here and picking a method, or if your country isn't listed in either article, filling out and submitting this form.
    They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
    (106484)
