tables: implement password_policy table for macOS #7594
Conversation
@@ -0,0 +1,11 @@ | |||
table_name("password_policy") |
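Review bot: the table name alone does not tell a reader which scope a row represents, and the thread right after this hunk asks exactly that (global vs. per-user policies). Add a description to the spec stating that the table returns macOS account policies, which scopes are covered, and which column (for example a uid) distinguishes a per-user row from a global one.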
At least on my mac, this is documented both as having global policies, as well as per-user policies. Any thoughts about how to handle that?
Yes, the reason I used the ODNodeCopyAccountPolicies API call is to get both global and per-user policies. I am not sure on other platforms, but Windows has NetUserModalsGet in its Win32 API; from their description:
The NetUserModalsGet function retrieves global information for all users and global groups in the security database, which is the security accounts manager (SAM) database or, in the case of domain controllers, the Active Directory.
I am guessing that should cover it? I am not sure on Linux.
My Windows internals knowledge is lacking, but based on the above it seems we can continue with password_policy as the table name.
If there is both a global and a per-user policy, how is that reflected in this schema? Can users have different policies? How is that represented?
On macOS, the concept of user policies and global policies has been deprecated for a while now. From the man page:
Account Policies
Account policies are the replacement for the deprecated legacy global and user policies. Account policies are specified as a dictionary containing three keys, one key for each policy category. Note that the dictionary is not required to contain all of the policy categories.
The policy_identifier is something that a user can set (either manually or via MDM). Apple-supplied policies have identifiers that start with com.apple., and currently Apple only supplies one policy by default -- where if FileVault gets enabled, the password has to be 4 characters or more.
For other platforms, if there is a clear user/global distinction, I guess one can use the extended schema for the table.
Added one more column to make it easy to show the relevant data:
Final review @directionless?
Hey @directionless, did a little bit more digging and testing: there is another obscure-ish API to grab account policies for the user, in case there is a per-user policy. I have implemented that too, and I added a
In the example above, I created a new user and set that user's account policy to require a minimum password length of 12 characters.
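An added example (not osquery's code and not the PR author's) that flattens the account-policy dictionary described above into rows of the kind a password_policy table would return, then reports the strictest minimum length in force so an auditor can compare it against a baseline. It assumes the plist layout that `pwpolicy -getaccountpolicies` prints (one array of policy dicts per category key) and constructs its own sample data: Apple's default FileVault policy beside a per-user policy with minimum length 12, with a made-up identifier for the latter.

```python
import plistlib

# Constructed sample in the shape `pwpolicy -getaccountpolicies` prints
# (an assumption): Apple's default FileVault policy (minimum length 4)
# alongside a per-user policy raising the minimum to 12, as in the thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>policyCategoryPasswordContent</key><array>
  <dict><key>policyContent</key>
   <string>policyAttributePassword matches '.{4,}+'</string>
   <key>policyIdentifier</key><string>com.apple.defaultpasswordpolicy.fde</string>
   <key>policyParameters</key><dict><key>minimumLength</key><integer>4</integer></dict>
  </dict>
  <dict><key>policyContent</key>
   <string>policyAttributePassword matches '.{12,}+'</string>
   <key>policyIdentifier</key><string>com.example.user.minlength</string>
   <key>policyParameters</key><dict><key>minimumLength</key><integer>12</integer></dict>
  </dict>
 </array>
</dict></plist>"""

# The three policy categories the man page describes; any may be absent.
CATEGORIES = ("policyCategoryAuthentication",
              "policyCategoryPasswordContent",
              "policyCategoryPasswordChange")


def flatten_policies(plist_bytes, uid=None):
    """One row per policy; uid is None for global policies, else the user's uid."""
    policies = plistlib.loads(plist_bytes)
    rows = []
    for category in CATEGORIES:
        for policy in policies.get(category, []):
            rows.append({
                "uid": uid,
                "policy_category": category,
                "policy_identifier": policy.get("policyIdentifier", ""),
                "policy_content": policy.get("policyContent", ""),
                "policy_parameters": dict(policy.get("policyParameters", {})),
            })
    return rows


def effective_minimum_length(rows):
    """Strictest minimumLength among password-content policies (0 if none)."""
    lengths = [r["policy_parameters"].get("minimumLength", 0) for r in rows
               if r["policy_category"] == "policyCategoryPasswordContent"]
    return max(lengths, default=0)
```

Feeding the real command's output instead of the sample (and passing the user's uid for a per-user query) yields rows that can be diffed against an expected baseline.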
LGTM unless those objects do need to be released.
Sweet!
Uses OpenDirectory and output is similar to Apple's built-in pwpolicy command. This covers the default policy (com.apple.defaultpasswordpolicy.fde in the example above) as well as ones pushed by MDM profiles.