Locking Single User Mode

Booting into Single User Mode gives anyone with physical access a root shell, and with it unrestricted access to every file on the disk. From a security standpoint, this is a bad thing. The instructions below show how to secure Single User Mode so that a password is required before any file can be read or edited, on Mac OS X 10.2 through 10.6.

It should also be noted that from 10.4 on, Apple recommends using an Open Firmware password to lock Single User Mode. The method below is an alternative to that, so proceed at your own risk.

Locking SUM on 10.4 – 10.6
Because Single User Mode runs as the root user, we have to set a password for root. When root is enabled the normal way, the password is stored in the NetInfo database (on Leopard, in the local Directory Services node managed with dscl). Neither is loaded in Single User Mode, so the password must also be stored in a separate flat file. Open a Terminal window and type the following:

sudo passwd -i file root

Then type in the password you want to set. You need to do this even if you have already enabled root and set a password, because that password lives in the directory service rather than in the flat file. The two passwords can be the same or different. The flat-file password is only ever used in Single User Mode.

Next type,

sudo pico /var/root/.profile

Enter your local administrator password when prompted. This opens Pico, a Unix text editor, on the profile file that root's shell reads at login. The file usually does not exist until you create it with the command above. Its contents differ between 10.4 and 10.5/10.6, as described next, so make sure to type the version for your release exactly.

This is where 10.5 diverges from 10.4. Leopard changed two things that break the 10.4 method: the test the script uses to recognise Single User Mode no longer works, and Apple removed the "lock" Unix binary from 10.5, which the script depends on. Luckily you can still do it, but it involves obtaining a file.
You can download the binary here or copy it from a 10.4 system.
Download the zip file, decompress it, and put the binary back in its proper location, /usr/bin/. Make sure the file is executable; ownership matters less, because only root will ever run it. (You can get to the correct directory easily with the Finder's "Go to Folder" feature. Just type in /usr/bin/)

Next up is the script. Type in the version for your release exactly as shown.

For 10.4

if [ "$VerboseFlag" = "-v" ];
then
/usr/bin/lock -p -t 86343727;
fi

For 10.5-6

if [ "$TERM" = "vt100" ];
then
/usr/bin/lock -p -t 86343727;
fi

This does a couple of things. First, it checks whether the VerboseFlag variable is set to -v (10.4) or the TERM variable is set to vt100 (10.5-6). These conditions hold only when logging into Single User Mode, not when logging in as root normally, so an ordinary root shell is unaffected. Then it calls the lock utility with two flags and a time (in minutes). The first flag, -p, makes lock ask for the current user's password, i.e. the flat-file root password we set above. The second flag, -t, gives the time after which the session unlocks itself. It is needed because, for some reason, the -n flag that would lock the session permanently does not exist in OS X. The workaround is to ask for the session to unlock after a very long time, in this case 86343727 minutes, roughly 164 years.

Press Control and X to exit Pico; it will prompt you to save your changes.

Reboot the system. Single User Mode should now be locked for all intents and purposes: when you boot into it, you will be prompted to enter a "key", which is the password you specified earlier. You may have to enter the password twice.
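As an added example (not the original post's script), here is a single /var/root/.profile that covers both releases by checking the two Single User Mode indicators the post describes (VerboseFlag set to -v on 10.4, TERM set to vt100 on 10.5/10.6), ignores Control-C and Control-Z before handing the console to lock, as raised in the comments below, and fails loudly if /usr/bin/lock is missing rather than silently giving out a root shell. It assumes the flat-file root password has already been set with passwd -i file root.

```shell
# /var/root/.profile
# Added example, not the original post's script. Combines the 10.4 test
# (VerboseFlag) and the 10.5/10.6 test (TERM) so one profile works on either
# release, and blocks the interrupt keys before lock(1) asks for the key.

LOCK_BIN=/usr/bin/lock
LOCK_MINUTES=86343727   # about 164 years; lock(1) on OS X has no -n (never expire)

# Returns 0 (true) when the shell looks like the Single User Mode console.
#   $1 = VerboseFlag   (10.4 sets it to "-v" in Single User Mode)
#   $2 = TERM          (10.5/10.6 give the Single User Mode console "vt100")
# A root login in Terminal.app has neither, so it is left alone.
is_single_user_mode() {
    [ "$1" = "-v" ] || [ "$2" = "vt100" ]
}

# Hold the console until the key set with "passwd -i file root" is entered.
lock_console() {
    if [ -x "$LOCK_BIN" ]; then
        # -p: check against the current user's (root's) password
        # -t: timeout in minutes after which lock gives up
        "$LOCK_BIN" -p -t "$LOCK_MINUTES"
    else
        # 10.5 shipped without lock(1); fail loudly rather than silently open.
        echo "$LOCK_BIN is missing or not executable: Single User Mode is NOT locked" >&2
        return 1
    fi
}

if is_single_user_mode "${VerboseFlag-}" "${TERM-}"; then
    # Ignore SIGINT (2) and SIGTSTP (20) so the lock cannot be skipped with
    # Control-C or Control-Z before lock(1) takes over the terminal.
    trap '' INT TSTP
    lock_console
fi
```

The detection is deliberately an OR of the two conditions, so the same file can be copied between 10.4 and 10.5/10.6 machines; if lock exits for any reason the shell falls through to a root prompt, which is why the missing-binary case is reported rather than ignored.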

Locking SUM on 10.2-10.3
Securing Single User Mode in 10.2 and 10.3 is a little different; the steps are outlined below.

Load up the Terminal and type in

sudo cp /etc/ttys /etc/ttys.old

This creates a backup of the ttys file to fall back on if you make a mistake. Edit the file by typing

sudo pico /etc/ttys

Replace occurrences of the word "secure" with the word "insecure" on the configuration lines of the file. Any line that does not begin with a "#" is a configuration line; leave the comments alone, and replace only the whole word so that a line already marked "insecure" is not touched. With the console marked insecure, init asks for the root password before starting the Single User Mode shell. Exit Pico and save your changes by pressing Control and X.

Next, edit the master password file. This serves the same purpose as setting the flat-file root password in the 10.4 instructions above.

sudo pico /etc/master.passwd

Within the editor, find the line beginning with "root" and delete the asterisk that follows it (the asterisk is root's empty password field). Open a new Terminal window and issue the following command, replacing <xx> with two random characters (the salt) and <password> with an appropriate password:

openssl passwd -salt <xx> <password>

The command prints a crypt(3) hash of the password; note that with this hash format only the first eight characters of the password are significant. Type or paste the hash where the asterisk was deleted in /etc/master.passwd, keeping the colons on either side of it. Exit Pico, saving changes.
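As an added example (not the original post's commands), the two edits above as shell functions that rewrite ttys and master.passwd text from standard input, run here against constructed sample files rather than a real system. The hash shown is a hypothetical placeholder; on a real machine it would come from openssl passwd -salt xx <password> as described above.

```shell
#!/bin/sh
# Added example for the 10.2-10.3 procedure, not the original post's commands.
# Works on text from stdin so it can be checked against a backup copy before
# anything under /etc is overwritten.

# Change the word "secure" to "insecure" on configuration lines only.
# Lines starting with "#" are comments and are left untouched, and the match
# requires whitespace before "secure", so "insecure" is never rewritten again.
mark_ttys_insecure() {
    sed -e '/^#/!s/\([[:space:]]\)secure\([[:space:]]\)/\1insecure\2/g' \
        -e '/^#/!s/\([[:space:]]\)secure$/\1insecure/'
}

# Replace root's empty password field ("*") with the supplied crypt(3) hash.
#   $1 = hash as printed by "openssl passwd -salt xx <password>"
set_root_hash() {
    sed -e "s|^root:\*:|root:$1:|"
}

# Constructed sample input (not copied from any real machine).
SAMPLE_TTYS='# name getty type status comments
# A console line marked "secure" skips the root password prompt.
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure onoption="/usr/libexec/getty std.9600"
ttyp0 none network
tty00 "/usr/libexec/getty std.9600" unknown off secure'

SAMPLE_MASTER='nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh'

# Hypothetical 13-character DES crypt hash (2 salt characters + 11).
SAMPLE_HASH='xxPwA7xO9qZ.s'

# Demo run. To apply for real, work from the backups the post has you make:
#   sudo cp /etc/ttys /etc/ttys.old
#   mark_ttys_insecure < /etc/ttys.old | sudo tee /etc/ttys > /dev/null
#   HASH=$(openssl passwd -salt xx 'the-single-user-password')
#   set_root_hash "$HASH" < /etc/master.passwd.old | sudo tee /etc/master.passwd > /dev/null
printf '%s\n' "$SAMPLE_TTYS" | mark_ttys_insecure
printf '%s\n' "$SAMPLE_MASTER" | set_root_hash "$SAMPLE_HASH"
```

The ttys rewrite handles both placements that occur in the file: "secure" followed by more fields (the console line with onoption=) and "secure" at the end of a line. The master.passwd edit touches only the root entry, so other accounts keep their locked "*" field.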

4 Responses to Locking Single User Mode

  1. Larry says:

    Awesome!!

    We have had kid(s) hacking our Macs through single user sign on in remote areas of the school where there is no supervision. This will hopefully stop them from hacking.

    Thanks a bunch!

  2. Dan says:

    Unfortunately it may not stop the guy as all you’d have to do is ctl+c or ctl+z to get out of the script. Plus this will also not work on newer versions of OS X as you can enter the recovery mode by booting with the cmd+r keys. In this mode you can access the terminal.
    You could set a firmware password for the recovery mode too but unfortunately that can be bypassed if you remove the RAM and boot with cmd+alt+p+r and then replace the RAM.
    Hopefully the guy isn’t that savvy though :)

  3. Seth says:

    You won’t be able to escape the script, but the note about the Firmware password is sound. In 10.7 and above you can enable FileVault FDE which will also provide similar protection (and prevent booting from external media and resetting the password).

    That said, physical access will always win out over technical controls.

  4. Dan says:

    I thought you had to enter the:
    trap "" 2 20
    command into the beginning of the script to stop the use of exit keys?
