续：Mac狮子系统又暴安全隐患

随着Mac OS X 10.7.4版本的发布，苹果在这个升级版中更正了前文中所述的安全隐患。这是一个好消息，也是苹果比较快地修正bugs的一个好的开端。而且也是它正式承认该隐患的存在，详见：OS X Lion v10.7.3: User account passwords appear in log files for Legacy FileVault, and/or network home directories。

其实，至于该隐患是不是如Apple自己所说的，只有在处理老版本FileVault和网络用户时才出现，或者是其它时候也会，业界的技术员们还在进行深入探讨，而且也在讨论自己的解决方案，比如在不安装升级版本的情况下如何解决这个隐患，特别是10.7.4系统在没有声明或者指示的情况下，变更了一些系统的设置，比如登录界面的背景，目前就无法使用10.7.3以前的方法变更，这个给好多企业用户带来了麻烦，因为他们很多，使用自己定制的背景图，无论是显示系统信息，还是企业信息等，至少这是一个很好企业用户展示的手段，这也是好多管理员抱怨的，Apple不理会／忽略企业用户的一个原因。

至少，目前为止，已经有人发现了一点该隐患的端倪，使用下面的方法之一，可能会避免系统记录用户密码：

Per Olofsson的方法：

xport TARGET="/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism"   sudo cp "$TARGET" "$TARGET.bak"   sudo perl -p -i -e 's/passwordAsUTF8String = %s/passwordAsUTF8String = %p/g' "$TARGET"   sudo perl -p -i -e 's/password = %s/password = %p/g' "$TARGET"

Brian Warsing 的方法：

#!/usr/bin/ruby# This code comes with no guarantees and it is not a "fix", just a workaround.# It would be trivial to replace the patched file and restore these debugging messages.# Also, this script modifies a Mac OS X System file, so...require 'etc'require 'fileutils'require 'syslog'@log          = Syslog.open('patchhomedirmech')@target       = '/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism'@backup_file  = '/private/var/root/HomeDirMechanism.backup'@newfile_path = '/private/var/root/HomeDirMechanism.new'def our_rescue(msg)  @log.notice(msg)  @log.close  exit 1end###################################################################### => MAIN###################################################################### Check UID (must be root)unless Process.euid == 0  raise "You must be root to execute this script."endbegin  @log.notice("Backing up file: #{@target}")  FileUtils.cp(@target, @backup_file)rescue => e  our_rescue("Error backing up file: #{e.message}")end @debug_strings = `/usr/bin/strings #{@target} | /usr/bin/grep "password.* = %s" 2> /dev/null`if @debug_strings  @debug_strings = @debug_strings.split("\n")else  our_rescue("Nothing to patch: target does not contain any relevant debugging strings")endbegin  @file    = File.read(@target)  @newfile = File.new(@newfile_path, 'w')rescue => e  our_rescue("Error loading file: #{e.message}")end    begin  @log.notice("Patching file: #{@newfile_path}")  @debug_strings.each do |string|    len = string.length    replacement = ''    len.times { replacement << "\000" }    @file.gsub!(string, replacement)  end  @newfile << @file  @newfile.flush  @newfile.closerescue => e  our_rescue("Error patching file: #{e.message}")endbegin  @log.notice("Replacing file: #{@target}")  FileUtils.rm_rf(@target)  FileUtils.move(@newfile_path, @target)rescue => e  our_rescue("Error replacing file: #{e.message}")endbegin  @log.notice("Nullfying security logs...")  raise unless system("cat /dev/null > /var/log/secure.log")  @log.notice("Removing archived security logs...")  logs = Dir.glob("/private/var/log/secure*.bz2")  logs.each { |log| FileUtils.rm(log) }rescue => e  our_rescue("Error deleting log(s): #{e.message}")end@log.notice("Done.")@log.closeexit 0