Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the '10.4: How to prevent single user mode logins' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.4: How to prevent single user mode logins
Authored by: Eelco Vriezekolk on Feb 08, '06 10:20:51AM
Unix uses the /etc/ttys file to control which console and terminal lines will accept logins. See 'man ttys' (in the Terminal app) for details. At the top of the /etc/ttys file on my Panther machine it says:

[...]
# If the console is marked insecure, single-user requires
# the root password.
[...]
# Since DirectoryServices is not running by the time we enter
# single-user mode, init will ask for the non-shadow crypt
# password stored for root in /etc/master.passwd. If no such
# password exists, it will not be possible to enter single-user
# mode from a console marked insecure.
##
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure inoption="/usr/libexec/getty std.9600"
[...]

So, removing the word 'secure' on that line would cause the machine to ask for the root password just before entering single-user mode.

By default no password is set for root in /etc/master.passwd, disallowing login as root altogether. Using the Terminal, 'passwd' allows you to enter a root password:

passwd -i file root

then enter the new password twice.

I have tried this, and it works. The above is the normal way to secure a Unix workstation: protect the Bios/Firmware so that only booting from the internal hard disk is allowed, and require the root password before entering single user mode.

[ Reply to This | # ]

10.4: How to prevent single user mode logins
Authored by: raveldcp on Feb 08, '06 03:51:08PM

The modification of ttys only works in 10.3, not 10.4. It is even noted in the ttys file:

# To secure single-user mode, enable Open Firmware password protection.
# http://www.apple.com/downloads/macosx/apple/openfirmwarepassword.html
# http://docs.info.apple.com/article.html?artnum=120095
#



[ Reply to This | # ]