OS X Lion v10.7.3: User account passwords appear in log files for Legacy FileVault, and/or network home directories

Symptoms

In OS X Lion v10.7.3, user account passwords for Legacy FileVault and/or home folders mounted via NFS, AFP, or SMB are stored as plain text in log files.

System backups and syslog servers may also have the user account passwords stored as plain text.

Note: Time Machine backups are not affected—Time Machine does not back up the log files in which user account passwords are stored in plain text.

Resolution

Note: Except for changing your password, these steps require an administrator account. If you do not have administrator privileges on your workstation, consult someone who does.

  1. Download and install OS X Lion v10.7.4 or later.
  2. Change the password for all affected user accounts using the Users & Groups System Preference.
    • Note: You may see an alert that the password could not be changed and to disable FileVault. If you see this, click "Change Password" again.
    • Note: If you are unable to change your network account password in Users & Groups for any reason, ask a network administrator to assist you.
    • Important: Change the password on unaffected systems that used the same password.
  3. In Finder, choose Go > Go To Folder… (⇧⌘G). Enter "/var/log/" (without quotes) and click Go.
  4. Drag the following files to the Trash:
    • All files that start with "secure.log" including the ones that end in ".bz2". Enter an admin name and password if prompted.
    • Open the "asl" folder found in /var/log/ and delete all files that end with ".U0.G80.asl". Enter admin name and password if prompted.
  5. In Finder, choose Finder > Secure Empty Trash… then click "Secure Empty Trash". Important: This will permanently delete the log files as well as any other items that are in your Trash.
  6. Open Disk Utility.
  7. Select your OS X Lion volume on the left.
  8. Click "Erase Free Space…".
  9. Select the Erase Free Space Option you want and click "Erase Free Space". Enter admin name and password if prompted.
  10. After the erase is complete, log out and then log back in.
    • If prompted for the previous password, enter it. The Mac will then set the password for the FileVault disk image to the new user account password entered in step 2.

Additional Information

Advanced solution

For advanced users and system administrators only, there are Terminal commands you can run while logged in as an administrator to delete the affected log files and erase free space.

After updating to OS X Lion v10.7.4 or later, use the Users & Groups System Preference to change the user account passwords.

Important: Because the following sudo commands require an initial authentication, if you use copy/paste to execute these commands, copy/paste each line individually.

Note: srm will warn "unable to stat" for files that don't exist. This message can be safely ignored.

  • To delete affected log files:
sudo srm --force --simple /var/log/secure.log
sudo srm --force --simple /var/log/secure.log.{0,1,2,3,4,5}.bz2
find -xX /var/log/asl | grep ".U0.G80" | xargs sudo srm --force --simple

  • To erase free space:
sudo diskutil secureErase freespace 0 /

Important: The above commands perform single-pass zero-fill erasure. Your work environment guidelines may require other degrees of erasure. See the man pages for srm and diskutil for available values.

Log out and then log back in. If prompted for the old password, enter it. The Mac will then set the password for the FileVault disk image to the new user account password entered.
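As an added verification aid that is not part of Apple's article: the shell functions below inventory the log files named above under a log root and check that the installed OS version carries the fix, so an administrator can confirm a machine is updated and clean before and after running the srm commands. The function names, the optional log-root parameter (used here so the check can be exercised against a scratch directory) and the return codes are assumptions made for this example.

```shell
# Added audit helpers for the TS4272 clean-up; not Apple's own tooling.
# Assumed layout under LOG_ROOT (default /var/log): secure.log,
# secure.log.N.bz2, and asl/*.U0.G80.asl, as listed in the article.
# Print every affected log file under LOG_ROOT, one per line.
affected_log_files() {
    root="${1:-/var/log}"
    for f in "$root"/secure.log "$root"/secure.log.*.bz2; do
        [ -e "$f" ] && printf '%s\n' "$f"   # skips unmatched globs
    done
    if [ -d "$root/asl" ]; then
        find "$root/asl" -type f -name '*.U0.G80.asl'
    fi
    return 0
}
# Number of affected files still present under LOG_ROOT.
affected_log_count() {
    affected_log_files "$1" | wc -l | tr -d ' '
}
# Return 0 when VERSION (as printed by `sw_vers -productVersion`) is
# 10.7.4 or later, the release that stops logging the passwords.
os_has_fix() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 10 ] && return 0
    [ "$major" -lt 10 ] && return 1
    [ "$minor" -gt 7 ] && return 0
    [ "$minor" -lt 7 ] && return 1
    [ "$patch" -ge 4 ] && return 0
    return 1
}
# Audit one machine: 0 = fixed and clean, 1 = still on a vulnerable OS,
# 2 = OS updated but affected log files remain (run the srm steps above).
ts4272_audit() {
    ver="$1"; root="${2:-/var/log}"
    if ! os_has_fix "$ver"; then
        echo "OS X $ver predates 10.7.4: update before cleaning logs"
        return 1
    fi
    n=$(affected_log_count "$root")
    if [ "$n" -gt 0 ]; then
        echo "$n affected log file(s) still present under $root:"
        affected_log_files "$root"
        return 2
    fi
    echo "no affected log files under $root"
    return 0
}
# On the Mac being checked: ts4272_audit "$(sw_vers -productVersion)"
```

Run the audit with sudo so that find can read /var/log/asl; a return code of 2 after the srm commands means a rotated copy was missed.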

Last Modified: May 10, 2012
  • Article: TS4272