Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Shut down, sleep, or restart from login window System 10.4
First, I must give credit to my colleague for finding this today...

How do you shut down or restart your Mac when you are at the login screen and the Restart and Shut Down buttons are disabled? It's simple; just type >shutdown or >restart as the user name, then click the Log In button. As far as I can tell, this only works in Tiger.

[robg adds: While testing this one, I found you can also use >sleep to enter sleep mode...

Some may claim this is a security hole of sorts; I don't believe it is, as being able to shut down or restart from the login screen implies that you can actually reach that screen in the first place. If this is a public kiosk machine, the login screen will be unreachable. If this is a home machine, more than likely the power button on the CPU will be reachable, which would let one do the same thing (without being at the login screen, for that matter). I just think this seems like a very handy timesaver -- note that you must have the "Display login window as" area of the Login Options section of the Accounts preferences pane set to "Name and password" for this to work. And, obviously, you must have unchecked the "Show the Restart, Sleep, and Shut Down buttons" option in that same area.]
    •    
  • Currently 2.80 / 5
  You rated: 5 / 5 (5 votes cast)
 
[24,529 views]  

Shut down, sleep, or restart from login window | 24 comments | Create New Account
Click here to return to the 'Shut down, sleep, or restart from login window' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.4: Shut down, sleep, or restart from login window
Authored by: u2mr2os2 on Jun 20, '05 11:21:24AM

You don't have to set the login window to "name and password". You just have to press option+return if you use the user pictures list. However, on my system (10.3.9), I have to type the first letter of an existing user to highlight (don't press enter or click on it) it before option+return works to show the username and password login.



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: qwerty denzel on Jun 21, '05 02:16:42AM

Ditto (10.3.9)



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: Shawn Parr on Jun 20, '05 11:47:16AM

You can also hit Cntl-Eject (or the power button on older keyboards/powerbooks) to get the Sleep - Shutdown - Restart dialog box.

From that box R restarts, S sleeps, Enter does shutdown, and esc cancels.

Fewer keys to type if you want quick and easy.



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: PatentBoy on Jun 20, '05 01:25:26PM

To me, the security risk is there.

If, for example, someone has set up the computer to auto-log a specific User and then selects the Login Window... (set to not show the restart button) in the fast user switching menu prior to going to lunch, then someone could restart the computer with >restart while the User is away and the computer would boot right into the User account, gaining access to the computer to the extent the User has access.

PatentBoy



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: pwagenet on Jun 20, '05 01:39:32PM

The security risk there is in the fact that you set auto user login. Anyone who wants a secure system should not enable this.

---
-Peter



[ Reply to This | # ]
Wrong; no additional risk
Authored by: daveschroeder on Jun 20, '05 01:43:08PM

In order for someone to somehow gain access to the login window (e.g., via FUS) and the type ">restart", they need physical access to the machine. If they have physical access to the machine, they already can reboot it.

Even though I'm sure people will try to claim so, this does NOT represent a "security risk" above and beyond any access you already have by virtue of having physical access.



[ Reply to This | # ]
Wrong; no additional risk
Authored by: PatentBoy on Jun 20, '05 03:06:24PM

There is no risk if the computer always boots into the login window.

But, in my opinion, if the computer boots into a User account and that User (who is logged in) selects the login window, while going to lunch for example, another could reboot his machine and the machine would then boot into the User account automatically giving the other user access to the computer.

Am I missing something? perhaps I do not understand the complete situation.

PatentBoy



[ Reply to This | # ]
Wrong; no additional risk
Authored by: PatentBoy on Jun 20, '05 03:11:24PM

I finally figured it out...

If someone is logged onto the machine, it will not be able to be restarted unless an admin password is provided to safeguard the current users un-saved work, etc.

sorry for the confusion...



[ Reply to This | # ]
Wrong; no additional risk
Authored by: Shawn Parr on Jun 20, '05 03:52:09PM

No problem. Hold the power button down for a few seconds. The machine turns off.

Turn machine on and have access to any personal files for an auto login user...



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: thombo on Jun 20, '05 01:46:08PM

If this is the case then what is the point of having the ability to disable the buttons to perform the corresponding actions? So that only semi-educated users can perform them? Am I missing something here?

thombo



[ Reply to This | # ]
Yes
Authored by: daveschroeder on Jun 20, '05 01:58:27PM

It's to prevent clutter at the login window and to prevent casual users from randomly clicking on restart and shut down; nothing more.



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: GlowingApple on Jun 20, '05 02:37:09PM

I have a slightly unrelated question. I can't get Tiger to work with >console anymore. Is anyone else having this problem? I'm wondering since they added these options if maybe there are other options out there that use the redirection operator and maybe another option that replaced the >console.

---
Jayson --When Microsoft asks you, "Where do you want to go today?" tell them "Apple."



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: simonpie on Jun 20, '05 03:52:23PM
Works fine for me. I can use >console on a fresh install of tiger.

[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: errolbert on Jul 07, '06 08:21:23AM

If you switched to the login window by fast user switching console will not work.



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: thornrag on Jun 20, '05 04:11:54PM

There is *always* some risk associated with allowing a machine to shut down or reboot.

Previous security guidelines advised against enabling these buttons, as a small measure of defense against two general scenarios: in one, the attacker has modified binary code on the system by remote means (buffer overflow, filesystem tricks, etc.), and needs to reboot to apply the changes; in the other, the attacker wants access to protected data on the machine and intends to reboot from a custom hard disk or CD (think: Knoppix), or put the machine in TDM mode with their laptop.

Of course, this is a very small measure of defense. An Open Firmware password is much stronger against this kind of attack. But it's easier now, say, to pull an alley-oop, in which the attacker might install malicious code remotely using a nonauthenticated exploit, and then convince an unauthorized employee over the phone to reboot the server using one of these methods.

Regardless, this is pretty minor with regard to security. I only point these things out because I feel it's somewhat irresponsible *ever* to say "Wrong; there is no risk."

Make no mistake. There is always risk.



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: TvE on Jun 20, '05 05:08:54PM

Physical access to a computer equals a risk no matter what!

Open Firmware pswd's are easaly disabled via a couple of reboots and removal of RAM



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: pub3abn on Jun 21, '05 11:50:09AM

With a tower case, you can padlock the box so people can't get in and remove RAM, etc. But of course few people do. Securing a laptop is harder.



[ Reply to This | # ]
Works in 10.3
Authored by: giskard22 on Jun 20, '05 06:38:54PM

I've got several labs of computers running 10.3.7. This trick works on them.



[ Reply to This | # ]
Display as "Name and password" unnecessary
Authored by: wka on Jun 20, '05 08:17:21PM

To get this to work from the Login Window when it displays the List of users w/icons, instead of the Name and password inputs do the following:

1) Select any user using the up/down arrows (Do not click a user -- that will bring up the password input field)

2) Hit control-shift-return (works under 10.4. I recall a different key combination under Panther... maybe option-shift-return?)

The Login window will change to display name and password fields. Proceed as described in the hint.



[ Reply to This | # ]
Display as "Name and password" unnecessary
Authored by: qwerty denzel on Jun 21, '05 02:25:57AM

Please read all of the comments, including the first one, before commenting.



[ Reply to This | # ]
Display as "Name and password" unnecessary
Authored by: wka on Jun 21, '05 02:56:59PM

Oops... sorry.



[ Reply to This | # ]
10.4: Shut down, sleep, or restart from login window
Authored by: finne on Jun 21, '05 02:58:34AM

A scenario where you have a kiosk to use for different users could need the login screen, without physical access to the CPU: just Keyboard, Mouse and Screen.
The login screen can be set to ignore >console logins; its a hidden loginwindow.plist setting somewhere. I think bombich.com has some documentation on this. Perhaps the >restart etc logins can also be disabled in this way.
However you will need a third-party security tool to disable the shutdown dialog you get at pressing control-eject (or one of the key combo's that enter sleep/restart/shutdown mode direct).
But I think >sleep etc are unnecessary because there are GUI buttons for this already and if you can use >console you can then use the terminal commands to achieve the same.



[ Reply to This | # ]
Security Risk?
Authored by: timcrawf on Jun 22, '05 10:12:18AM

As soon as I posted this "hint", I thought I should have posted it as a bug or security risk.
Let us assume this, a server in a locked rack, but I keep the keyboard outside the cage for easy access. Of course the server is at the login window during normal use. and of course the shutdown and restart buttons are disabled. now I can login if needed, and once logged in can restart if needed, but restart and shutdown are not available without password. The control-eject key combo does not work at the login screen and you don't have access to the computer to shut off the power.
Although you could cut the power form outside the building and wait for the UPS to run out of juice and then restor the power.



[ Reply to This | # ]
Shut down, sleep, or restart from login window
Authored by: Fairly on Sep 13, '07 12:01:57PM

Security hole or not it's a flaw. Otherwise there would be no point in removing the reboot/shutdown options in the first place. And for the record: being able to reboot as one wants can in fact be regarded as a security concern.



[ Reply to This | # ]