Quick Fix to Prevent dscl Unauthorized Password Changes in OS X Lion
We recently wrote about the dscl utility and how it allows a Mac OS X Lion user to change a password without knowing the existing password. The lack of required admin authentication has since been widely reported as a bug, and a small Security Update will likely be issued by Apple sometime in the near future. Nonetheless, if you’re paranoid about someone getting ahold of your Mac and changing the user password without authorization, you can manually change the permissions of the dscl utility yourself, forcing it to require administrative privileges in order to be run.
- Launch Terminal (located at /Applications/Utilities/)
- Type the following command and hit return:
sudo chmod 100 /usr/bin/dscl
- You will be asked for the current administrative password to confirm the permissions change; enter it and hit return
This is a simple permissions fix that likely mimics what an official security update will do. Using sudo chmod 100 sets the file so that only its owner (root) is able to execute the dscl command, which effectively prevents other non-admin users from running the directory services utility unless they go through sudo, and therefore supply the administrator password.
There may be some unintended consequences of changing those permissions, but it’s unlikely to affect most users. If you do encounter problems you can always change the permissions back, which appear to be 755 by default.
A big thanks to “Tjb” who left this tip in the comments!
Update: Jim T left the following recommendation in the comments, suggesting another chmod command to change the permissions:
Instead, do this:
sudo chmod go-x /usr/bin/dscl
That will -only- remove the execute permission on group and other, leaving the other permissions (read & write, and root’s full permissions) completely as they were before the change. To reverse, do:
sudo chmod go+x /usr/bin/dscl
Only touch the stuff you need to touch!
His reasoning is that chmod 100 is too restrictive: it leaves the file execute-only for root, whereas before the change the root user could read, write, and execute it.
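To see the difference between the two commands concretely, here is an added example (not from the original post or its comments) that applies each chmod form to a scratch file starting at the 755 mode the post reports as dscl's default, and checks whether group or other can still execute it. The scratch file is an assumption standing in for /usr/bin/dscl so nothing on the system is modified.

```shell
#!/bin/sh
# Added example: compare "chmod 100" with "chmod go-x" on a file that starts
# out as 755, using a temporary file instead of the real /usr/bin/dscl.

# Print the 10-character ls-style mode string of a file, e.g. "-rwxr-xr-x".
# (cut drops any trailing "@", "+" or "." marker some ls versions append.)
mode_string() {
    ls -l "$1" | cut -c1-10
}

# Create a scratch file, set it to 755, apply the given chmod argument
# (octal or symbolic), and print the resulting mode string.
mode_after_chmod() {
    scratch=$(mktemp) || return 1
    chmod 755 "$scratch"
    chmod "$1" "$scratch"
    result=$(mode_string "$scratch")
    rm -f "$scratch"
    printf '%s\n' "$result"
}

# Exit 0 if the group or other execute bit is set in an ls-style mode string
# (position 7 is group x, position 10 is other x; s/t cover setuid/sticky
# variants), 1 otherwise. This is the condition the post wants removed.
others_can_execute() {
    case "$1" in
        ??????[xs]*|?????????[xt]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration when run directly: both forms stop group/other execution, but
# only go-x keeps root's read and write bits (755 -> 744 instead of 755 -> 100).
for arg in 100 go-x; do
    mode=$(mode_after_chmod "$arg")
    if others_can_execute "$mode"; then
        echo "chmod $arg -> $mode (group/other can still execute)"
    else
        echo "chmod $arg -> $mode (group/other execute removed)"
    fi
done

# Report the live mode of dscl if the path exists on this machine.
[ -e /usr/bin/dscl ] && echo "/usr/bin/dscl is currently $(mode_string /usr/bin/dscl)"
```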