
Completely disable single user mode System
A very simple way to disable single-user mode is to edit /etc/rc.boot (as root or with sudo) and in the section that prints "file system mounted read-only", simply add a line that says reboot. Now, anytime the computer is booted in single-user mode, it simply reboots itself. This is totally non-bypassable because Apple disables any usable keys in the beginning of the rc files.

I have mine set to do fsck;fsck;reboot because the only reason I boot single-user is to do fsck, and it also keeps the system secure.
If you're confused about what I mean, then you probably shouldn't use this hint.

[Editor's note: Although I haven't tested this hint, I looked through rc.boot, and it appears the section of the file you need to change actually reads ConsoleMessage "Root device is mounted read-only", and then there are a couple more lines of ConsoleMessage output, then an "else." You should insert the "reboot" before the "else," I believe (someone please correct me if I'm wrong).]
Secure?
Authored by: jwigdahl on Nov 11, '02 10:42:18AM

If you put other interruptible commands in there before the reboot, wouldn't it be possible to ctrl-C those and be dropped into a shell? Even a well placed ctrl-C might drop them into a shell whether there's an fsck in the script or not. Not that automating your fsck is a bad idea, I just don't think people should be given the idea that doing this is necessarily 'secure' if it's possible to easily bypass.



[ Reply to This | # ]
Secure?
Authored by: GaelicWizard on Nov 12, '02 04:38:28AM
In the beginning of all the rc files in /etc, Apple disables all keys like control-C:
stty intr undef
etc...

[ Reply to This | # ]
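A static check for the two conditions argued over in the hint and the replies above: that the read-only branch contains a reboot, and that stty intr undef runs before it. This is an added example, not part of the hint or of any comment; the sample rc fragment and its root_is_read_only condition are constructed placeholders, not Apple's rc.boot.

```shell
#!/bin/sh
# Added example: static audit of an rc.boot-style script. Verdicts:
#   no-reboot      read-only (single-user) branch contains no reboot
#   intr-enabled   branch reboots, but no "stty intr undef" ran before it
#   intr-disabled  "stty intr undef" runs first, then the branch reboots
# Limitation: a nested "fi" inside the branch ends the scan of that branch.
audit_rc_boot() {
    awk '
        /^[ \t]*#/ { next }                                # comment lines
        /stty/ && /intr/ && /undef/ && !seen_ro { intr_off = 1 }
        /Root device is mounted read-only/ { seen_ro = 1; in_ro = 1; next }
        in_ro && /ConsoleMessage/ { next }                 # message text only
        in_ro && /^[ \t]*(else|fi)([ \t;]|$)/ { in_ro = 0 }
        in_ro && /(^|[ \t;])reboot([ \t;]|$)/ { reboot = 1 }
        END {
            if (!reboot)        print "no-reboot"
            else if (!intr_off) print "intr-enabled"
            else                print "intr-disabled"
        }
    ' "$1"
}

# Constructed sample, modelled only on what the page describes: the
# read-only ConsoleMessage, more ConsoleMessage lines, then "else".
# $1 = line placed at the top of the script, $2 = line added to the branch.
sample_rc() {
    cat <<EOF
#!/bin/sh
$1
if root_is_read_only; then
    ConsoleMessage "Root device is mounted read-only"
    ConsoleMessage "(further single-user notices)"
    $2
else
    ConsoleMessage "(normal boot continues)"
fi
EOF
}

tmp=$(mktemp -d)
sample_rc "stty intr undef" ""                   > "$tmp/stock"
sample_rc "stty intr undef" "fsck; fsck; reboot" > "$tmp/hinted"
sample_rc ""                "reboot"             > "$tmp/no_stty"
for f in stock hinted no_stty; do
    printf '%-8s %s\n' "$f" "$(audit_rc_boot "$tmp/$f")"
done
rm -rf "$tmp"
```

The verdict describes the script text only; it says nothing about booting from other media or about firmware settings, which the later comments discuss.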
RE: Disabling Single User Mode
Authored by: Anonymous on Nov 11, '02 10:42:24AM

While this may seem like a nice hint, there's no mention as to the ramifications of this hint. What happens when you really need to get into single user mode. Say for instance the netinfo db becomes corrupted and you need to restore them. You may not be able to login successfully and may be forced to boot into single user mode to correct the problem, but if you followed this hint, you're out of luck. Better hope you've got a bootable cd or firewire drive.



[ Reply to This | # ]
What a stupid thing to do
Authored by: porkchop_d_clown on Nov 11, '02 11:30:26AM

Single user mode is there for a reason - it's often your last chance to save your machine before you have to reinstall.

Given the # of times I used it for that purpose, I wouldn't recommend this tip to my worst enemy.



[ Reply to This | # ]
What a stupid thing to do
Authored by: aaronfaby on Nov 11, '02 11:43:29AM

Agreed....

This is the worst "tip" I have ever seen on this website. Honestly, if someone has access to your machine in which they can reboot it into single-user mode, you're pretty much screwed anyways.



[ Reply to This | # ]
My objective with macosxhints is...
Authored by: robg on Nov 11, '02 12:42:52PM

... to publish information about OS X. I don't view my job as trying to decide whether a hint is stupid or smart (I'm too stupid about too many things to make judgements on such things), although I will occasionally comment with my opinion on a given hint.

What I do try to do is to determine which hints others might find interesting and publish them. In addition, I try to verify that every hint published here will, in fact, work as described. Finally, I try not to publish things which are blatantly illegal. So if a hint is interesting, looks like it should work, and it's not illegal, then it gets published.

I'll leave the judgement decisions on stupid vs. smart up to the general readership here; I can only imagine failing miserably if I were to try to judge the 'stupidity level' of every submitted hint in addition to trying to decide if it looked interesting or not. But that's what the comment system is for, and I'm glad to see people using it as intended!

And finally, regarding this particular hint, if you actually do this to your system and want to undo it, it's incredibly trivial -- reboot the machine as normal, login, edit the file, remove the reboot code, and then boot into single user mode! This hack hardly makes single user mode inaccessible forever. I'd actually be much more afraid of forgetting my open firmware password than I would be of forgetting how to edit a file, but maybe that's just me.

-rob.



[ Reply to This | # ]
My objective with macosxhints is...
Authored by: rand on Nov 11, '02 01:53:36PM

open firmware password is not all it's cracked up to be either rob. 10 seconds (at most) is all it takes to fix it so that the machine will boot without requiring you to put the pass in.

i think the moral of this story is : the best security is keeping your powerbook with you, or having your machine in a safe place. even stopping the mac from being booted into single user mode, if someone is in front of the computer, a system cd (9 or X) is all it takes to get into your machine (even with OF password in place).



[ Reply to This | # ]
To rand...
Authored by: thatch on Nov 11, '02 02:29:55PM

To the first part of your message, yes, but you must have the password to do what you suggest.

To the second part of your message, no, wrong, you cannot boot an open firmware password protected computer with any CD unless you have the password.



[ Reply to This | # ]
To rand...
Authored by: rand on Nov 13, '02 05:02:41PM

thatch, nope, you can disable the password, so that when you boot the machine it does _not_ ask for it anymore. after this you can boot from whatever you wish to boot from (as long as it boots the machine of course:)

i'm not sure if this information is available to non apple (employees/etc) so that was why i didn't post it, but search on apple's TIL/KBase and it will tell you how to. if not then it is 'restricted' info. that is where i read about how it is done.



[ Reply to This | # ]
My objective with macosxhints is...
Authored by: aaronfaby on Nov 11, '02 04:11:40PM

Hello Rob,

I certainly understand your point of view, and I respect it. And, I am certainly grateful for the service you provide. However, I'm sure there are many OS X users out there who may try to implement this without fully understanding the ramifications.

There are many cases where this is bad. You are right, you can change this if you boot normally and edit the file. But what if the system won't boot normally? This can be caused by many things. A damaged filesystem, or possibly even a bad startup script (this has happened to me many times). In these situations it is not possible to boot into multi-user mode, and if the user has disabled single-user mode then they can't boot into that either. They could boot into a Mac OS CD, but what if they don't have one handy?

As a long time unix user and system administrator, I cannot think of one single reason why this should be done. However, I can think of many reasons why it shouldn't.

Regards,
Aaron



[ Reply to This | # ]
My objective with macosxhints is...
Authored by: babbage on Nov 12, '02 02:12:01AM

Saying that crippling single user mode is an easy change to reverse is like telling someone that it's no big deal to put a first aid kit in your parachute pack, because if you decide later that you'd rather have the parachute in there it's easy enough to repack it.

That is, by the time you're in a situation where you'd care, it's too late.

At first glance, this does look like an interesting suggestion, but the other posters are right: this suggestion is paranoid to a fault, and so only suitable for certain kinds of highly locked down environments where you absolutely cannot have anyone messing with your computer and would rather lose everything on it than let someone break in.

If you're the sort of person that would burn down your own home before allowing a burglar to steal anything in it, then this hint is for you. If you're willing to cut your losses & collect on the insurance instead [or as the case may be, you've backed everything up and can clean up as necessary], then this hint is going to do *way* more harm than good for a lot of people.

Please make that risk clear, Rob.



[ Reply to This | # ]
Use firmware password instead
Authored by: jonesy on Nov 11, '02 11:39:54AM

Agreed, though this might be an idea on an "imaged" machine.

Better to enable the firmware password (on those machines that support it) and lock the machine physically.



[ Reply to This | # ]
Ummm...
Authored by: sharumpe on Nov 11, '02 11:47:57AM
Please don't take this the wrong way, but there should be a great big red "DO NOT EVER DO THIS" message above this hint. It's great that you can do this, but locking yourself out of single-user mode is like filling your machine with spray-foam and fusing it shut. Eliminating single-user mode may make your machine a little more tamper-proof, but if something goes wrong, you're screwed. Single-user mode is your last recourse against problems.

Mr. Sharumpe

[ Reply to This | # ]
No worries...
Authored by: robg on Nov 11, '02 12:46:37PM

See my response above -- this only locks out single user mode when you try to boot with Command-S held down. So how do you fix it? Just reboot as normal, login, remove the 'reboot' from rc.boot, and then boot into single user mode.

If the system is so hosed that it won't even boot, then fsck -y probably wouldn't help the problem anyway. Even then, you could boot off an external drive or another internal drive or in OS 9, edit the file, and reboot into single user mode.

In short, this hint is not something that I intend to do to my machine, but I don't think it's quite as bad as others seem to think it is ... but that's just my opinion!

-rob.



[ Reply to This | # ]
No worries...
Authored by: dr_turgeon on Nov 11, '02 02:52:31PM
..for me. I like these kinds of hints, too. I don't believe this hint was *all* about security either. What can be done with rc at boot and various ramifications can be good discussion. People, let's not freak when you can take out the reboot instruction and make this a "run fsck automatically on single-user" hint... and FUD to those who "Wouldn't recommend this to their worst enemies." Smart folks will simply see this hint as a starting point--not a final set of instructions.

[ Reply to This | # ]
Re: No worries...
Authored by: sharumpe on Nov 12, '02 06:54:57PM
> See my response above -- this only locks out single user mode when you try to boot with Command-S held down. So how do you fix it? Just reboot as normal, login, remove the 'reboot' from rc.boot, and then boot into single user mode.

Unless something goes wrong that won't allow the normal startup process to complete.

> If the system is so hosed that it won't even boot, then fsck -y probably wouldn't help the problem anyway. Even then, you could boot off an external drive or another internal drive or in OS 9, edit the file, and reboot into single user mode.

No, but there are other things you can do in single-user mode, like fixing config files that you have hosed, copying files if your system software is irreparably damaged, etc.

> In short, this hint is not something that I intend to do to my machine, but I don't think it's quite as bad as others seem to think it is ... but that's just my opinion!

I don't really think it is anything to overreact about, either. I certainly didn't intend my message to proclaim that the "sky is falling" or anything of the sort. I just know a few people that would take something like this, try to implement it, and hose their rc.boot file in the process. Natural selection, I guess. :)

Perhaps a good idea for a new icon, though? In addition to the "Unix" icon, maybe a "Advanced Unix" icon for hints like these, to give the extra indicator that the hint is potentially damaging to your system setup?

Mr. Sharumpe

[ Reply to This | # ]
You seem so simple-minded
Authored by: englabenny on Nov 11, '02 12:13:28PM

I thought it was a great hint, I've often pondered how to do this.
Not that I will do this to my system, but it sure is a good hint...



[ Reply to This | # ]
Problem is... you don't know when you might need single user mode...
Authored by: cparker on Nov 11, '02 04:11:01PM

And when you do, if your computer is so screwed up you can't even login, then you have been hosed. I put a one line file in a directory, and it made all my logins stop working. I had to go into single user mode and fix it. All I can say is "THANK GOD FOR SINGLE USER MODE!"

That said, It's cool to know where that stuff is and how to change it.



[ Reply to This | # ]
Well...
Authored by: Ezekiel on Nov 11, '02 07:17:37PM

What everyone who's commented so far and thought this was a stupid hint has completely ignored, are those who admin computers in public places, like in schools and libraries, and so on. Or perhaps in net cafes. You don't want anyone poking around the system in those situations, and it's better to leave out the option of using single user mode to save from reinstallation, than having to reinstall all the time anyway because stupid people who have access to the computer might enter single user mode and mess around with the system.

I think this was a great hint. I won't be using it myself, since I don't have the need for it, but were I the computer "janitor" of, say, a school, then I'd thank my lucky star for hints like these.



[ Reply to This | # ]
Useful for Open Labs, NetCafé's, etc.
Authored by: osxpounder on May 30, '03 11:55:06AM

I'm grateful for this hint, and I intend to share it with those colleagues of mine who administer rooms full of Macs--they would surely want to prevent a visitor from booting into single-user mode, and they use disk images to set up the Macs in the first place, so a hosed system isn't the same sort of problem for them that it would be for me, an ordinary desktop user.

Glad to see it here!

---
--
osxpounder



[ Reply to This | # ]
Great Thread, Kudos
Authored by: greggo on Nov 11, '02 09:36:31PM

This is why I come to OS X Hints...

Kudos

greggo



[ Reply to This | # ]
WOW!!!
Authored by: GaelicWizard on Nov 12, '02 04:50:03AM

as stated in other comments, this is prob not for most (all) people. I always have a complete backup of my system, so i would restore from a working backup if my comp wasn't bootable in the normal way anyway.
I lend my comp to my buds at PCC anyway so i'd rather that they can't go anywhere w/o permission than save the last day's worth of dloaded porno when restoring from backup. And when at home, my mom (yes, i still live with my mom. I'm only 18!!) has a habit of using my computer whenever I'm not here. If she EVER got into single user mode I'd be trying to fix my open-firmware AND system. This is prob most useful to people who run kiosks and the such.

I'm actually amazed and flattered that there's been so much outcry at my hint. actually I'm amazed my hint got published. Thanx robg!



[ Reply to This | # ]
WOW!!!
Authored by: effir on Nov 14, '02 11:03:38AM

Don't worry GaelicWizard, they didn't see the interest to disable the single user mode. In a school where lots of students go on the same mac there is an interest. I don't want to see students hacking and changing the password of my G4, so like that i'm quiet, they can't be root. For my part i made an image of my G4 so even if my os is destroyed i can restore my mac in 10 mn with all applications (3 partitions: 1 with the os, another for the applications and another for users).

it's a good tip, that's all; it depends on which use.

sorry for my poor English



[ Reply to This | # ]
Tiger 10.4 support
Authored by: ohly on Sep 20, '05 06:04:57PM

Does anyone know if this would work in Tiger, as there is no rc.boot file? Maybe using one of the other RC files?



[ Reply to This | # ]
AMAZING!!!
Authored by: weee on Sep 14, '04 01:28:33AM

I think this tip is amazing!!! I am for sure gonna use it. I manage cafe computers and public ppcs, and not a month goes by without someone messing with the system thanks to single user mode. I can only lock the system down so much, and single user mode has been my achilles heel for some time now. I understand many people wouldn't want to use it in case they need it if their system gets fried, but i just reinstall my main image via firewire, taking up only 10 minutes of my time. This should save me a lot of time from having to reimage systems cuz some noob decided to hose my system for sh*ts and giggles. Thank you so much for this hint!!!



[ Reply to This | # ]
Completely disable single user mode
Authored by: kaega2 on Oct 27, '11 05:50:28PM
I see a lot of people (most at first) talking about how stupid this tip is. Your last chance to fix a problem? This guy clearly gave an example of what he would use this for, a business environment. Why am I going to waste time in single user mode trying to rename the right file to fix my system, when I can take two minutes and start it on a reformat.

Single user mode logs you in as root.

I'm not even going to bother expanding on that.

[ Reply to This | # ]