
MSEC Single User patch and problems in 10.2.1
I installed the MSEC Single User Patch that prevents single user mode (Command-S at startup) from being used. I installed this patch after upgrading to 10.2.1 (other versions may be affected), and things got screwed up. All my users except root cannot log in. All the passwords for my users seem to have been modified somehow. I tried resetting the passwords with the account manager in System Preferences, and it said it changed it, but nothing really happened. I attempted to reset the password from Terminal (% passwd user); this also did not work. I even tried the boot CD reset tool, and that did not work.

Somehow the file in /sbin/mach_init was modified in a way that would not allow the users to log in. I replaced this file with one from another machine that was identical to the problem machine, and everything was back to normal. I suggest that no one install this!

[Editor's note: I'd never heard of this patch, but a quick search showed it to be published by msec.net, which I cannot seem to access. I did find a slightly ominous warning in securemac.com's write-up on the program: "The patch disables this by installing a modified version of /sbin/mach_init. The patch does NOT backup the insecure version of /sbin/mach_init so if for some strange reason you want to revert to the insecure copy of mach_init you must restore that file from your own backups."]

Dumb idea!
Authored by: professor on Sep 23, '02 03:15:07PM
Disable booting into single user mode? That doesn't sound like a very bright idea.
How do you expect to be able to do any disaster recovery if you can't boot single user?
A more sensible approach is to password-protect single-user mode by inserting a password-checking routine into /var/root/.profile. (In single-user mode, root's shell is /bin/sh.)
A favourite one from old NeXT days was a little C program called pw_check. So you'd put
    /usr/local/bin/pw_check root
in /var/root/.profile and make sure that root's password is in /etc/passwd (since NetInfo isn't running in single-user mode).

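An added sketch of the .profile guard the comment above describes (not part of the original hint or comment, and not the pw_check program itself): it wraps the checker so that keyboard signals are ignored while it runs and a failed check ends in a chosen action instead of a root prompt. The function name `single_user_gate`, the retry count and the `/sbin/reboot` failure action are assumptions; only the `/usr/local/bin/pw_check root` call comes from the comment.

```shell
# Added example for /var/root/.profile, written for /bin/sh.
# Assumption: the checker (e.g. pw_check) exits 0 only when the password
# it prompted for matches the named user's entry in /etc/passwd.

# single_user_gate CHECKER USER MAX_TRIES ON_FAIL
#   Runs "CHECKER USER" up to MAX_TRIES times.
#   Returns 0 on the first success.
#   After the last failure it runs ON_FAIL and returns 1.
single_user_gate() {
    checker=$1 user=$2 max_tries=$3 on_fail=$4

    # Ignore keyboard signals so the profile runs to completion and the
    # check is not skipped by interrupting it at the console.
    trap '' INT QUIT TSTP

    tries=0
    while [ "$tries" -lt "$max_tries" ]; do
        # A missing or broken checker exits non-zero, so it is counted
        # as a failed attempt (fail closed) rather than letting root in.
        if "$checker" "$user"; then
            trap - INT QUIT TSTP    # restore default signal handling
            return 0
        fi
        tries=$((tries + 1))
        echo "Authentication failed ($tries/$max_tries)" >&2
    done

    # Signals stay ignored on this path; ON_FAIL decides what happens next.
    $on_fail
    return 1
}

# Hypothetical call as it would appear in /var/root/.profile:
#   single_user_gate /usr/local/bin/pw_check root 3 /sbin/reboot
```

Because the guard fails closed, a damaged or missing checker binary also blocks single-user access, so recovery in that case has to come from other boot media.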