Puppet / PUP-10246

Cannot set/change password of a user resource on macOS 10.15


    Details

    • Template:
      PUP Bug Template
    • Team:
      Night's Watch
    • Story Points:
      5
    • Sprint:
      NW - 2020-02-05
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Due to Apple changing user management in macOS 10.15, Puppet could no longer manage user passwords on that version. Puppet now uses the `dsimport` utility to manage passwords on macOS 10.15 or higher.
    • QA Risk Assessment:
      Needs Assessment

      Description

      It looks like direct access to binary plists under /var/db/dslocal/nodes/Default/ has been blocked beginning with macOS 10.15 (even with Full Disk Access activated), so we can no longer overwrite that file to set/change the password of a macOS user.

          Error: Unable to write the file /var/db/dslocal/nodes/Default/users/testuser.plist. #<IOError: File /var/db/dslocal/nodes/Default/users/testuser.plist not writable!>

      There's still a way to circumvent this and still be able to modify passwords. It involves the use of the dsimport command to indirectly manipulate the contents of the binary user plist.

      For this, we need to have the ShadowHashData (which we previously wrote to the plist) in binary format, then converted to base64.

      Here is some ancient dsimport documentation (Apple seems to have removed all mentions of this tool since, but it still works): http://web.archive.org/web/20090106120111/http://support.apple.com/kb/TA21305?viewlocale=en_US

      Basically the steps would be to:
      1. If the user exists, remove the existing ShadowHashData (with dscl delete).
         dscl -plist . read /Users/testuser
         should show no ShadowHashData.
      2. Import the file with the base64-converted hash using dsimport:
         dsimport /file/to/import /Local/Default M
         dscl -plist . read /Users/testuser
         should show the new ShadowHashData.

      The challenge that remains is to correctly build the ShadowHashData plist, convert it to binary and then to base64, then build the dsimport file.

      As per the documentation above, this is a file that changes the hashed password of an existing account:

          0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData
          testuser:<base64 string>
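      As an added example (not part of this ticket and not Puppet's own provider code), the Python script below carries those steps through end to end: it builds the SALTED-SHA512-PBKDF2 ShadowHashData dictionary, serializes it as a binary plist with the standard-library plistlib (Puppet itself uses a different plist library), base64-encodes it and renders the two-line dsimport file in the format quoted above, then decodes the file back and verifies the password against the stored entropy, which is the check worth running before handing the file to dsimport. The user name, password, salt length, iteration count and file path are assumptions; the dscl/dsimport command strings mirror the steps in this ticket and are not executed by the script.

```python
"""Build and check a dsimport file that sets a macOS user's ShadowHashData.

Assumptions (not from the ticket): hash type SALTED-SHA512-PBKDF2 with a
32-byte salt, 128-byte entropy and the iteration count below; the user name,
password and output path are placeholders.
"""
import base64
import hashlib
import hmac
import os
import plistlib
from typing import Dict, List, Optional, Tuple

# Record description line from the Apple article quoted in the ticket:
# end-of-record 0x0A (\n), escape 0x5C (\), field separator 0x3A (:),
# value separator 0x2C (,), record type, attribute count, attribute names.
DSIMPORT_HEADER = (
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 "
    "dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData"
)
HASH_TYPE = "SALTED-SHA512-PBKDF2"
ITERATIONS = 25000      # assumption; pick a cost comparable to what macOS uses
SALT_LEN = 32           # assumption: salt length stored by OpenDirectory
ENTROPY_LEN = 128       # assumption: PBKDF2 output length stored by OpenDirectory


def shadow_hash_data(password: str, salt: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> bytes:
    """Return ShadowHashData as a binary plist (the form stored in the user plist)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, dklen=ENTROPY_LEN)
    payload = {HASH_TYPE: {"entropy": entropy, "salt": salt,
                           "iterations": iterations}}
    return plistlib.dumps(payload, fmt=plistlib.FMT_BINARY)


def dsimport_file(username: str, shadow_hash: bytes) -> str:
    """Render the two-line dsimport file for an existing account."""
    if ":" in username or "\\" in username:
        # ':' is the field separator and '\' the escape character in this header.
        raise ValueError("record name contains a dsimport delimiter")
    b64 = base64.b64encode(shadow_hash).decode("ascii")  # one line, no wrapping
    return f"{DSIMPORT_HEADER}\n{username}:{b64}\n"


def parse_dsimport_file(text: str) -> Tuple[str, Dict]:
    """Reverse the encoding: recover the record name and decoded ShadowHashData."""
    lines = text.rstrip("\n").split("\n")
    if len(lines) != 2 or lines[0] != DSIMPORT_HEADER:
        raise ValueError("not a single-record ShadowHashData dsimport file")
    username, b64 = lines[1].split(":", 1)
    return username, plistlib.loads(base64.b64decode(b64))


def check_password(shadow: Dict, password: str) -> bool:
    """Verify a candidate password against a decoded ShadowHashData dict."""
    entry = shadow[HASH_TYPE]
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    entry["salt"], entry["iterations"],
                                    dklen=len(entry["entropy"]))
    return hmac.compare_digest(candidate, entry["entropy"])


def commands(username: str, path: str) -> List[str]:
    """The dscl/dsimport sequence from the ticket, as shell command strings."""
    return [
        f"dscl . delete /Users/{username} ShadowHashData",
        f"dsimport {path} /Local/Default M",
        f"dscl -plist . read /Users/{username} ShadowHashData",
    ]


if __name__ == "__main__":
    data = shadow_hash_data("correct horse battery staple")   # placeholder password
    text = dsimport_file("testuser", data)
    name, shadow = parse_dsimport_file(text)
    assert check_password(shadow, "correct horse battery staple")
    out = "/tmp/testuser.dsimport"                             # placeholder path
    with open(out, "w") as fh:
        fh.write(text)
    print("\n".join(commands(name, out)))
```

      The round trip through parse_dsimport_file and check_password confirms that the bytes dsimport will write are the same binary plist dscl later reads back, so a bad base64 line or a mis-keyed dictionary is caught before the account is touched.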

            People

            Assignee: Gabriel Nagy (gabriel.nagy)
            Reporter: Gabriel Nagy (gabriel.nagy)