
Single user mode and open firmware passwords System
Call me paranoid, but I try to keep my iBook as secure as possible, so if it's ever lost or stolen, the culprit will have a lot of hard work to do before getting to my files.

One of the things I've done is set up the Open Firmware password to prevent the machine from being booted from anything but its internal hard drive. It also prevents the machine from going into Target Disk mode, and it also prevents booting to single user mode (command-S at startup). The machine will always boot to the login window.

This presented a problem for a while, because I couldn't figure out how to fsck my disk when I suspected problems. But there is a way ... rather than booting directly into single user mode, we're going to go further than that and then go backwards to it. It's like going two steps forward and one step back. Here's how:
  1. Boot the machine to the login window
  2. Login as >console
  3. From the console, login as an administrator
  4. Then type 'sudo shutdown now'
  5. Supply your admin password
The computer will then shut down to single user mode and once there you can run "fsck -y" to verify the drive. When you're all done, I recommend you do a full reboot by typing "reboot".

You need more security...
Authored by: Paul Burney on Jul 25, '02 09:04:03AM

If you are really worried about your files' security, you should put the sensitive ones in an encrypted disk image. Open Disk Copy, Create a New Image and choose the AES-128 Encryption. To get access to the image you will need to enter a password (don't have the keychain remember it, duh!). CAUTION: If you forget the password, your files remain random bits forever.

BTW, it is fairly easy to remove a hard drive from a machine and place it in another to get the files off of it. Actually, if you've got the machine, you can just remove the Open Firmware password by removing one of the DIMMS (or adding one if you only have one) and zapping the PRAM a few times.



[ Reply to This | # ]
You need more security...
Authored by: chabig on Jul 25, '02 09:53:30AM

Of course you are right. There are ways around the open firmware password, and someone could always take the hard drive to another computer (not easy on the iBook, BTW). I am not after foolproof security. If someone steals my iBook someday, I just want to make life harder for them. Or if I misplace the computer, I don't want nosy people browsing around before they call me to return it.

The encrypted disk image works great for more security, though.



[ Reply to This | # ]
Question:
Authored by: iMMersE on Jul 25, '02 10:24:33AM

Thanks for that information, very interesting ... However ... ;)

On three occasions I've needed to boot straight into single user mode, or boot from the install CD, to recover my system after I've messed it up. This tip would stop me doing it. Can anyone comment on whether this is a good thing to do if you are regularly experimenting with the system? Although I don't really treat this machine as a production machine, I still want to limit its use to anyone who might get their hands on it.

Note: I'm not saying this is a bad thing to do, but if like me, you like messing with config files and installing new versions of software, it might cause problems recovering from any serious errors ...



[ Reply to This | # ]
Question:
Authored by: bakaDeshi on Jul 25, '02 02:06:04PM

Hold down the option key when booting. It will ask you for your password (Open Firmware). You will then be able to select another disk (cd). You can also use the same app to turn off the security, it isn't permanent.



[ Reply to This | # ]
single-user mode with OF password
Authored by: donvy on Jul 25, '02 10:59:00AM

You can, in fact, still boot into single-user mode even when Open Firmware Password is set to on. Problem is, you will ALWAYS have to boot into single-user mode.

From the "nvram" man page:
EXAMPLES
example% nvram boot-args="-s rd=*hd:10"

Set the boot-args variable to "-s rd=*hd:10". This would
specify single user mode with the root device in hard
drive partition 10.

For my setup, I just entered:
nvram boot-args="-s"
and I always boot into single-user mode after going through the Open Firmware password login.



[ Reply to This | # ]
single-user mode with OF password
Authored by: Anonymous on Jul 30, '02 01:57:52AM

Hrmm... I bet you can do this from within Open Firmware itself (cmd-option-O-F), if you can get the syntax right; OF's command parser is really ugly. e.g., set boot-args 's' said unknown word: set, but boot-args 's' said unknown word: s. shrug, i'll cruise the kbase I guess.



[ Reply to This | # ]
single-user mode with OF password
Authored by: Anonymous on Sep 14, '07 10:06:05AM
Lose the quotes:
sudo nvram boot-args=-s
And it's "setenv" in OF:
setenv boot-args -s


[ Reply to This | # ]
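A persistent `boot-args` value like the one discussed in this thread is easy to forget about, so it is worth checking from a script. The following is an added example, not code from any commenter; it assumes `nvram -p` prints one name<TAB>value pair per line, and the sample dump and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the persistent boot-args NVRAM variable.
# Assumption: `nvram -p` prints one "name<TAB>value" pair per line.

# Constructed sample of `nvram -p` output, not captured from a real machine.
SAMPLE_NVRAM=$(printf 'auto-boot?\ttrue\nsecurity-mode\tcommand\nboot-args\t-s rd=*hd:10\n')

# Read nvram -p style text on stdin and print the boot-args value (may be empty).
get_boot_args() {
    awk -F'\t' '$1 == "boot-args" { print $2; exit }'
}

# Classify a boot-args string as single-user, verbose or normal.
classify_boot_args() {
    mode=normal
    set -f                      # keep "*" in rd=*hd:10 from globbing
    for tok in $1; do
        case "$tok" in
            -s) mode=single-user ;;
            -v) if [ "$mode" = normal ]; then mode=verbose; fi ;;
        esac
    done
    set +f
    printf '%s\n' "$mode"
}

# Report on stdin's nvram dump; return 1 when every boot drops to single-user.
audit_nvram() {
    args=$(get_boot_args)
    mode=$(classify_boot_args "$args")
    if [ "$mode" = single-user ]; then
        echo "WARN: boot-args='$args' forces single-user mode on every boot"
        echo "      clear it with: sudo nvram -d boot-args"
        return 1
    fi
    echo "OK: boot-args='$args' ($mode boot)"
}

# Run against the constructed sample; on a real Mac use: nvram -p | audit_nvram
printf '%s\n' "$SAMPLE_NVRAM" | audit_nvram || true
```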
Here's a thought
Authored by: leenoble_uk on Jul 25, '02 12:07:09PM

I too have the OF password installed and am fairly secure in the knowledge that a thief wouldn't get to my stuff without pulling out the HD or at least opening it up.

But this presents me with one problem.

If that's all they can do then they'll probably have to do it.

Would it be a better idea to have a non-password account on the computer with limited privileges (you could even go in to the terminal and nail permissions specifically) so that the thief can at least carry on using the computer and not break it in frustration?
This would also aid recovery if you have any IP tracing software running intermittently from a hidden user account.
Thoughts?



[ Reply to This | # ]
Here's a thought
Authored by: chabig on Jul 25, '02 12:26:13PM

That's a great idea!

Let's also assume that there are a few honest people in the world, and you happen (by accident) to lose your precious iBook. If you set the login screen to show the list of users and one of them happens to be named Guest, for example, the person who finds your iBook could log in and you could have the desktop picture display your ownership information, and maybe even a reward offer.

Chris



[ Reply to This | # ]
Close your apps before shutdown
Authored by: Steff-X on Jul 25, '02 06:09:30PM

Be warned that the shutdown command kills all open applications without any notification. As a consequence, you may lose modifications in your unsaved documents. So remember to manually close all your running applications before using shutdown.



[ Reply to This | # ]
Close your apps before shutdown
Authored by: chabig on Jul 26, '02 03:27:04AM

Good idea. But remember, we are logged into the console, so there is no GUI, and no GUI apps are running when you shutdown.

Chris



[ Reply to This | # ]
Lockdown
Authored by: leenoble_uk on Jul 26, '02 04:08:01AM

You could meticulously scour the fake user's library and lock any preferences as root to stop things being tampered with. Set the login items to start stickies. Or write an applescript which displays an alert on bootup about the computer being in the wrong hands.
What would you do with Terminal.app? Stick it on an encrypted disk image?
Or how about writing a shell script for the fake user and setting it up as the first thing to do when a terminal window is opened; "exit".
Or do you think the warning thing will just encourage them to wipe the drive?
If we combine a bunch of tips together...
Use NetInfo manager to hide your regular account at the login screen.
Only have the fake user and "Other" as accounts on that screen.
Set up your account with crons running at various times running traceroutes and suchlike and emailing them to yourself [admittedly I haven't looked into this very far yet and I've never got sendmail working yet, presumably because I don't have DNS although I've downloaded a tutorial on DNS setting up and will do this after Jagwire has been installed].
Severely limit the fake user's account so they have no access to folders you don't want them to.
{what's the deal here, can you set up a new group to block access to things like the /Users folder or something? Ideally we don't want them even knowing there are other accounts on the machine. Would chmod o-x stop them opening the /Users folder?
Let them have free rein to connect to the internet. Help them by having a network location which is a dialup account useable from anywhere (and label it clearly)
You could even stick aliases on the desktop for Mail and Explorer or whatever and stick like a tutorial background picture pointing to things to encourage their use (or am I taking it too far now).
Configure their preferences how YOU want them and lock any changes out.
Set the terminal to logout every time [if it's possible] using one of the .files in the home directory.
Stop them seeing other accounts if possible.

Any other ideas?



[ Reply to This | # ]
Lockdown
Authored by: Hes Nikke on Jul 26, '02 07:37:15AM
i wrote a simple C++ program and set my locked down account to use that for its shell :D here is the source code:
#include using namespace std; int main () { cout << "i'm sorry, you don't have shell access. Have a Nice Day" << endl; return 0; }


[ Reply to This | # ]
Lockdown
Authored by: Hes Nikke on Jul 26, '02 07:40:05AM
the HTML deleted the include tag... here it is fixed:
#include <iostream>
using namespace std;

int main () {
    cout << "i'm sorry, you don't have shell access. have a nice day." << endl;
    return 0;
}


[ Reply to This | # ]