10.4: How to prevent single user mode logins
Tiger only hint

Ever since Tiger did away with running rc.boot at startup, many system administrators have wondered how to deny single user mode to their users. Anyone with enough motivation and physical access can still gain privilege on a machine (think install disk), but there is a real difference between a perfectly secure system and one that invites tinkering by letting anyone wandering through the office become root by holding down Command-S at boot.

One way to strike that balance is root's login script, /var/root/.profile. A login shell (one invoked as -sh) reads this file, and root gets a login shell in two common situations: when the system boots into single user mode, and when an administrator runs sudo -i from a Terminal window. Single user mode sets TERM to vt100, whereas a Terminal window under Aqua sets a different value (xterm-color by default), so the two are easy to tell apart. Create (as root, obviously) this one-line /var/root/.profile:
 # /var/root/.profile: single user mode sets TERM to vt100; reboot instead of handing out a root shell
 if [ "${TERM:-}" = vt100 ]; then /sbin/reboot; fi
With this in place, an unprivileged user who boots into single user mode gets an immediate reboot, while password-protected Terminal access as root is unaffected. The side effect is that a >console login followed by sudo -i triggers the check as well, because that is also a login shell on a vt100 console. su and sudo -s remain usable: both start non-login shells, and .profile is read only by login shells (this is true of sh and bash alike; a non-login bash reads .bashrc instead).

PLEASE NOTE: Only use this if you understand the consequences of denying single user login. If a bad crash leaves you needing single user mode, you will first have to boot from another volume or in Target Disk Mode and remove the line from /var/root/.profile to re-enable it.
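A more defensive form of the .profile check, as an added example that is not part of the original hint. It quotes TERM so an unset variable cannot turn into a syntax error, requires both signals the hint relies on (TERM=vt100 and a login shell whose controlling terminal is /dev/console) rather than TERM alone, and records the attempt before rebooting. The tty and reboot commands are passed in as parameters so the logic can be exercised without rebooting anything; the log path /var/log/singleuser.log is an assumption.

```shell
#!/bin/sh
# Added example, not the hint's own file: a defensive /var/root/.profile guard.
# Assumptions: single user mode gives root a login shell with TERM=vt100 on
# /dev/console (as the hint describes); Terminal.app sessions run on a pty
# such as /dev/ttyp0 with a different TERM. The log path is an assumption.

# is_single_user_console TERM TTY
# True (0) only when both the terminal type and the device look like the
# single-user console. Checking the device as well means a user-supplied
# TERM value alone is not enough to trigger or dodge the check.
is_single_user_console() {
    term="${1:-}"
    tty_dev="${2:-}"
    [ "$term" = vt100 ] && [ "$tty_dev" = /dev/console ]
}

# profile_guard TERM TTY REBOOT_CMD LOGFILE
# Prints "reboot" or "continue"; runs REBOOT_CMD only in the reboot case.
# The log write is best effort: in single user mode / is still mounted
# read-only, so it usually fails, and the reboot happens regardless.
profile_guard() {
    term="$1"; tty_dev="$2"; reboot_cmd="$3"; logfile="$4"
    if is_single_user_console "$term" "$tty_dev"; then
        printf '%s single-user login denied (TERM=%s tty=%s)\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$term" "$tty_dev" >>"$logfile" 2>/dev/null
        "$reboot_cmd"
        echo reboot
        return 0
    fi
    echo continue
    return 1
}

# In the real /var/root/.profile the guard would be invoked like this
# (commented out here so that sourcing this file never reboots a machine):
#   profile_guard "${TERM:-}" "$(/usr/bin/tty)" /sbin/reboot /var/log/singleuser.log

# Demonstration with constructed values; ':' stands in for /sbin/reboot.
demo() {
    log=$(mktemp)
    profile_guard xterm-color /dev/ttyp0 : "$log" || :   # Terminal.app + sudo -i: continue
    profile_guard vt100 /dev/console : "$log"            # single user mode: reboot
    cat "$log"
    rm -f "$log"
}
demo
```

This is still a tripwire against casual tinkering, not a security boundary: anyone who can boot from other media or reset the firmware bypasses /var/root/.profile entirely, and a check keyed on environment variables is only as trustworthy as the process that sets them, which is why the device test is added alongside TERM.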
3.33 / 5 (3 votes cast), 28,039 views

10.4: How to prevent single user mode logins | 17 comments
10.4: How to prevent single user mode logins
Authored by: syzygies on Feb 07, '06 07:11:22AM

I've done enough system hacking to be forced to learn my way around single user mode, to clean up ill-considered experiments. However, I also maintain several minimal emergency startup volumes, always available; these are typically where questionable experiments take place.

Recently I had a Homer Simpson "Doh!" moment, finding myself involuntarily in single user mode. I could go through the tedious steps of working there to fix the problem, or I could option-reboot, and log in as administrator to another emergency boot volume, and fix the problem from there using a 2006 GUI. The choice felt obvious.

If one takes this route (and disables autologin on all such volumes!), is there any reason to leave single-user mode accessible at all?

10.4: How to prevent single user mode logins
Authored by: simonpie on Feb 07, '06 07:27:42AM

I would simply protect using the firmware.

10.4: How to prevent single user mode logins
Authored by: paulsomm on Feb 08, '06 12:47:43PM

If you pop out a RAM chip and put it back, it resets the firmware (not a big problem for a lab of desktops, but it's trivial to do on an iBook or PowerBook).

Another downside of the Firmware route is that the machine doesn't boot at all until you've entered the password. If you have to reboot your mac remotely, it'll stay at the password prompt until you are physically available to type the password in.

Also, you cannot use Open Firmware passwords on Intel Macs (as they have no Open Firmware).

10.4: How to prevent single user mode logins
Authored by: xcgr on Feb 08, '06 06:44:52PM

Also, you cannot use Open Firmware passwords on Intel Macs (as they have no Open Firmware).

From Apple Support article #106482: "Intel-based Macintosh computers can be protected by firmware passwords as well. The firmware in an Intel-based computer uses Extended Firmware Interface (EFI) technology—Open Firmware is used in computers that use PowerPC processors."

10.4: How to prevent single user mode logins
Authored by: delight1 on Jun 18, '07 05:27:31PM

There are three options for the security on the firmware: none, command, and full.
Command is good enough for most things, and does not need a password to boot...

clarification re shell startup files
Authored by: hayne on Feb 07, '06 12:54:04PM
because all three of these use bash instead of sh by default, which reads the .bashrc file for configuration, and not .profile
A small point of clarification since the above is rather misleading. The difference is nothing to do with bash versus sh - it is to do with "login shells" versus "non-login shells". The file ".profile" is only read by "login shells" (in both bash and sh). See this Unix FAQ for details.

single-user startup
Authored by: sjk on Feb 07, '06 02:38:49PM
... by holding down command-option-S.

Command-S is sufficient; the option key is unnecessary.

10.4: How to prevent single user mode logins
Authored by: CoolerQ on Feb 07, '06 02:59:18PM

Isn't the recommended way to block single user mode to set an OpenFirmware password? That will also block boot discs, etc.

--Quentin

10.4: How to prevent single user mode logins
Authored by: klktrk on Feb 07, '06 03:22:17PM

Ah, but with physical access to the machine, there are ways of getting around this.

10.4: How to prevent single user mode logins
Authored by: g-man on Feb 07, '06 08:22:06PM

What are the ways to get around this? I thought that the machine was locked down if protected with an openfirmware password.

10.4: How to prevent single user mode logins
Authored by: kokaviel on Feb 08, '06 07:41:25AM

There are several ways to kill OF. One of which is changing the amount of RAM in the machine, another is to remove the battery and all power sources.

However, any computer that is locked down enough to require this kind of access is locked down enough to put a $2 masterlock on the back of the machine to prevent access to the internals.

10.4: How to prevent single user mode logins
Authored by: st3phen on Feb 08, '06 10:18:48AM

Sadly, this is not possible on illegitimately-accessed mobile computers.

10.4: How to prevent single user mode logins
Authored by: JKT on Feb 08, '06 07:42:23AM

AFAIK, removing RAM will cause the Open Firmware password to be reset.

However, it is sensible to have it active anyway as it will deter anyone who doesn't have the time or facilities to access the RAM.

---
PB G4, 1.5 GHz, 2x512MB RAM, 128MB VRAM, 80 GB 5400rpm HD, SuperDrive, MacOS X 10.4.3

Visit www.thelandgallery.com for nature-inspired British Art

10.4: How to prevent single user mode logins
Authored by: Eelco Vriezekolk on Feb 08, '06 10:20:51AM
Unix uses the /etc/ttys file to control which console and terminal lines will accept logins. See 'man ttys' (in the Terminal app) for details. At the top of the /etc/ttys file on my Panther machine it says:

[...]
# If the console is marked insecure, single-user requires
# the root password.
[...]
# Since DirectoryServices is not running by the time we enter
# single-user mode, init will ask for the non-shadow crypt
# password stored for root in /etc/master.passwd. If no such
# password exists, it will not be possible to enter single-user
# mode from a console marked insecure.
##
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure inoption="/usr/libexec/getty std.9600"
[...]

So, removing the word 'secure' on that line would cause the machine to ask for the root password just before entering single-user mode.

By default no password is set for root in /etc/master.passwd, disallowing login as root altogether. Using the Terminal, 'passwd' allows you to enter a root password:

passwd -i file root

then enter the new password twice.

I have tried this, and it works. The above is the normal way to secure a Unix workstation: protect the BIOS/firmware so that only booting from the internal hard disk is allowed, and require the root password before entering single user mode.

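Since the comment above describes the /etc/ttys mechanism, here is an added example (not the commenter's code) that audits a ttys-format file for the console entry's secure flag and produces the "insecure" rewrite the comment suggests. It works on constructed sample text modelled on the line quoted above, so it runs without touching /etc/ttys; as the next comment points out, Tiger ignores this flag, so treat it as a check for 10.3 and other BSD-derived systems.

```shell
#!/bin/sh
# Added example (not from the comment above): audit and rewrite the console
# entry of an /etc/ttys-format file. The sample text is constructed,
# modelled on the Panther line quoted in the comment.

SAMPLE_TTYS='# constructed /etc/ttys excerpt
# If the console is marked insecure, single-user requires
# the root password.
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure inoption="/usr/libexec/getty std.9600"
ttyp0 none network
ttyp1 none network'

# console_secure_flag FILE  (use - for stdin)
# Prints "secure" if the console line carries the secure flag, "insecure" if
# the line exists without it, and "absent" if there is no console line.
# Quoted fields are blanked first so a getty argument containing the word
# "secure" cannot be mistaken for the flag.
console_secure_flag() {
    grep -v '^[[:space:]]*#' "$1" |
    sed 's/"[^"]*"//g' |
    awk '
        $1 == "console" {
            found = 1
            for (i = 2; i <= NF; i++) if ($i == "secure") { print "secure"; exit }
            print "insecure"; exit
        }
        END { if (!found) print "absent" }'
}

# mark_console_insecure FILE
# Writes FILE to stdout with the secure flag removed from the console line,
# which (on systems that honour it) makes init ask for the root password
# before entering single user mode. Review the output before installing it
# over /etc/ttys.
mark_console_insecure() {
    sed -e '/^console[[:space:]]/s/\([[:space:]]\)secure[[:space:]]/\1/' \
        -e '/^console[[:space:]]/s/[[:space:]]secure$//' "$1"
}

# Demonstration on the constructed sample.
demo_ttys() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_TTYS" >"$f"
    console_secure_flag "$f"                            # secure
    mark_console_insecure "$f" | console_secure_flag -  # insecure
    rm -f "$f"
}
demo_ttys
```

To apply the change for real, run mark_console_insecure against /etc/ttys, inspect the result, and copy it into place as root; the flag only takes effect where init still consults /etc/ttys when entering single user mode, and it does nothing if no root password is stored in /etc/master.passwd, as the comment explains.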
10.4: How to prevent single user mode logins
Authored by: raveldcp on Feb 08, '06 03:51:08PM

The modification of ttys only works in 10.3, not 10.4. It is even noted in the ttys file:

# To secure single-user mode, enable Open Firmware password protection.
# http://www.apple.com/downloads/macosx/apple/openfirmwarepassword.html
# http://docs.info.apple.com/article.html?artnum=120095
#

10.4: How to prevent single user mode logins
Authored by: thogard on Feb 11, '06 03:53:24AM

There be dragons hiding here.

Long ago in a Unix far far away one could do this:
login: TERM=adm3 joecool
password: snoopyrules

Welcome to system foo2u
% echo $term
adm3
%

I tried this on OS X 10.4.4 and it didn't work by running /bin/login directly, but that doesn't mean the code isn't still in there hiding and waiting. It will take looking at the source to know for sure and I'm not going to do that.

My take on it is that you should check the run level if you care about the run level.

password protecting SingleUser mode in Tiger
Authored by: Hal Itosis on Feb 14, '06 11:00:43AM
Tiger solution to password protection posted here:

www.MacGeekery.com

-HI-
