Disabling single user boot mode under Mac OS X
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
There is an article over at SecureMac.com that gives details on a patch that disables single user mode:
http://www.securemac.com/disablemacosxsingleboot.php
At the bottom there is a disabled link where a URL pointing to a patch used to be... Download: Not available.
Anybody know where I can get this patch? thx
Posting Junkie
Join Date: Dec 2000
|
Why modify a crucial system file just to do this?!
Just type the commands yourself in Open Firmware, or use the Open Firmware Password app that is on the OS X install CD.
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
What do you mean by type the commands in Open Firmware? I already have the open firmware password protection... this is after you choose a folder to boot to.
Clinically Insane
Join Date: Nov 1999
As SecureMac notes, this is not advisable.
If someone has physical access to your machine, then You Are Screwed. This is a fact. Whatever security measures you may put in place, The Bad Guy can bypass almost all of them simply by stealing the hard drive (and if he can get into your computer room, stealing the hard drive is unlikely to present any kind of obstacle) and putting it into his own Mac as a non-boot volume; at that point, the only security measure you can possibly implement which would still work is FileVault.
Meanwhile, Single-User Mode is one of those things which isn't needed often, but when you need it you really need it. Disabling it doesn't help matters, should one of those times come to pass.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Well, I found the patch...
http://www.msec.net/software/
I guess I will not be installing it... I really wish there was another way to solve this issue. 
Mac Elite
Join Date: Mar 2001
Originally posted by Tyler McAdams:
Well, I found the patch...
http://www.msec.net/software/
I guess I will not be installing it... I really wish there was another way to solve this issue.
Jesus, can you not read? Not only that, but you're ignoring numerous other ways to gain access to the machine locally.
Just enable an Open Firmware password using the Open Firmware Password utility. This disables:
- single user mode
- booting from CD
- target disk mode
- using the option key on boot without a password
Also, instead of replacing a CRITICAL OS COMPONENT, like init, you can simply make single user mode prompt for a root crypt-format password in /etc/master.passwd by removing the word 'secure' from the following line in /etc/ttys:
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure onoption="/usr/libexec/getty std.9600"
so that it appears as
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on onoption="/usr/libexec/getty std.9600"
But setting an Open Firmware password is the accepted, best practice way to do this, which the very second post in this thread told you.
Also, even though this was also said: IF SOMEONE HAS PHYSICAL ACCESS TO THE MACHINE, ALL BETS ARE OFF. Other than encrypted data, NOTHING is ever safe on any machine running any OS to which someone has physical access.
Originally posted by Tyler McAdams:
What do you mean by type the commands in Open Firmware? I already have the open firmware password protection... this is after you choose a folder to boot to.
"Type the commands in Open Firmware"??? No one ever said that.
What was said was to set an Open Firmware **PASSWORD**.
Using the OPEN FIRMWARE PASSWORD UTILITY:
http://docs.info.apple.com/article.html?artnum=120095
This BLOCKS single user mode, completely. You DO NOT have Open Firmware password protection enabled if you can still boot in single user mode.
*shakes head*
(Last edited by piracy; Jun 15, 2004 at 08:28 AM.)
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Can you read? Let me post it again for you piracy:
I guess I will not be installing it...
I already have the open firmware password protection...
----
"Type the commands in Open Firmware"??? No one ever said that.
CharlesS:
Just type the commands yourself in Open Firmware.
Calm down.
Posting Junkie
Join Date: Dec 2000
Originally posted by Tyler McAdams:
"Type the commands in Open Firmware"??? No one ever said that.
CharlesS:
Just type the commands yourself in Open Firmware.
No, what I said was: Just type the commands yourself in Open Firmware, ***or use the Open Firmware Password app that is on the OS X install CD.***
You see, the nice thing about an Open Firmware password is that not only does it disable single-user mode, but you can turn it off at the Open Firmware prompt if things get hosed and you need to boot in single-user mode.
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Originally posted by Tyler McAdams:
I already have the open firmware password protection...
So what is the problem? You already have it disabled.
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Right... there is no problem. I was just interested in the open firmware "Command" CharlesS was talking about. How exactly then do you turn it off so that you can boot into single user mode?
Mac Elite
Join Date: Mar 2001
Originally posted by Tyler McAdams:
Right... there is no problem. I was just interested in the open firmware "Command" CharlesS was talking about. How exactly then do you turn it off so that you can boot into single user mode?
You can type
setenv security-mode none
or
reset-nvram
and then enter the password, and then reboot with
reset-all
But you'll have to reset the Open Firmware password again after this, either with the graphical utility or from within Open Firmware.
Grizzled Veteran
Join Date: Mar 2004
Originally posted by Tyler McAdams:
How exactly then do you turn it off so that you can boot into single user mode?
setenv security-mode none
reset-all
Of course -- since you say OF password is already enabled -- that password will be requested, when the first command is entered.
(Last edited by Hal Itosis; Jun 15, 2004 at 07:43 PM.)
-HI-
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Ah! nice! That works perfectly. Now of course for the inevitable question... if you use the internal reset button or you take out the battery then that open firmware password would be bypassed anyway... is that right?
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Originally posted by Tyler McAdams:
Ah! nice! That works perfectly. Now of course for the inevitable question... if you use the internal reset button or you take out the battery then that open firmware password would be bypassed anyway... is that right?
Probably, yes, but as has been repeatedly said, if someone has unsupervised physical access to the machine then all bets are off anyway. So that's a non-issue.
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
I'm just wondering if there's more to it than a BIOS password. Not to start a flame here but I wish that there was at least something safer like this patch that would disable single user mode from the OS instead of the firmware. Everybody knows how easy it is to get around a PC BIOS password.
There is a program called Deep Freeze that will protect against some of the issues with taking out the drive and physical access.
http://www.faronics.com/html/DFMac.asp
Basically, I'm not worried about somebody stealing the computer or physical access to the machine... I'm worried about what is all too easy in the Windows world and that is for someone with physical access to the machine putting some type of software on the machine without approval... whatever the software... good or trojan, virus, keylogger... etc
The idea that you can break into the machine and make changes that can not be easily traced is my main issue. Just so you know where I'm going with this.
Mac Elite
Join Date: Mar 2001
Originally posted by Tyler McAdams:
Ah! nice! That works perfectly. Now of course for the inevitable question... if you use the internal reset button or you take out the battery then that open firmware password would be bypassed anyway... is that right?
Then lock the case.
(And actually, neither of the things you say will do it - it's changing the physical amount of RAM, and then zapping PRAM twice.)
I'm still not sure why you're worried about just single user mode. If someone bypasses the Open Firmware password, as you say, then they can also:
- Boot from a CD, and use the Password Reset utility to set or reset any password, including root
- Boot into target disk mode, and place any item anywhere on the drive, or alter the drive in any fashion
- Boot from another volume, and make changes to the boot drive
- Etc
And I already noted a method to disable single user boot, which is to remove the word 'secure' from the following line in /etc/ttys:
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure onoption="/usr/libexec/getty std.9600"
That alone essentially disables single user boot altogether, making it prompt for a root password (a crypt password set for root in /etc/master.passwd, to be exact). If you don't set one, you simply won't be able to use single user mode at all (until you yourself change /etc/ttys appropriately).
I'm still not sure why you're only concerned with single user mode, however, if you're making the assumption that someone will bypass the Open Firmware password. If you enable Open Firmware password and lock the case, that is simply the best way to go. Doing anything else to explicitly disable single user mode is worthless, as there are several methods other than single user mode to alter the contents of the drive (if you're assuming that someone will bypass or disable the Open Firmware password). And if someone cuts the lock on the case, or walks with the machine, you've got bigger issues...
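Added example, not part of any post in this thread: a read-only shell check for the /etc/ttys change described in the post above, reporting whether the console entry still carries the 'secure' flag. The function name console_status and the temporary sample files are assumptions made for illustration; the two console lines are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example: report how the console entry of a ttys(5) file is flagged.
# console_status is a hypothetical helper name. It prints one of:
#   secure      flag present: single user mode gives a root shell, no password
#   prompts     flag absent: the root password is requested first
#   no-console  no active (uncommented) console entry found
console_status() {
    awk '
        /^[ \t]*#/ { next }                 # ignore commented-out entries
        $1 == "console" {
            line = $0
            gsub(/"[^"]*"/, "", line)       # drop quoted commands and option values
            sub(/#.*$/, "", line)           # drop any trailing comment
            n = split(line, tok, /[ \t]+/)
            state = "prompts"
            for (i = 1; i <= n; i++)
                if (tok[i] == "secure") state = "secure"
            found = 1
        }
        END { print (found ? state : "no-console") }
    ' "$1"
}

# Constructed sample files holding the two console lines quoted in the thread.
cmd='"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"'
opt='onoption="/usr/libexec/getty std.9600"'
tmp=$(mktemp -d)
printf 'console %s vt100 on secure %s\n' "$cmd" "$opt" > "$tmp/ttys.before"
printf 'console %s vt100 on %s\n' "$cmd" "$opt" > "$tmp/ttys.after"
echo "before edit: $(console_status "$tmp/ttys.before")"
echo "after edit:  $(console_status "$tmp/ttys.after")"
rm -rf "$tmp"
```

On a live system the same function can be pointed at the real file with `console_status /etc/ttys`; it only reads the file and changes nothing.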
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Why am I worried? Let's just say I have some crazy friends. Most of them use Windows only which makes me glad I've got a Mac because they really don't know anything about it for the most part.
So you can't lose the password from taking the battery out... good.
I'll be using this technique you said to prompt for a password... thanks for the help!
As for the things you can do after you bypass open firmware, I'm wondering if this deep freeze program will account for it.
Why am I really worried? No, I'm just inquisitive on Mac security, that's all 
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Tyler,
I'm worried about what is all too easy in the Windows world and that is for someone with physical access to the machine putting some type of software on the machine without approval... whatever the software... good or trojan, virus, keylogger... etc
When the open firmware password is enabled, nobody will be able to do anything to your Mac. They won't be able to install software at all. The open firmware password can't be bypassed without making physical changes to your machine, as described by piracy.
The program Deep Freeze to which you referred does not protect you against the threats you mentioned. It is designed for labs--it lets the administrator return user accounts to a predefined state at predefined times. It does not protect admin accounts, nor does it protect the system files.
Chris
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Originally posted by Tyler McAdams:
Why am I worried? Let's just say I have some crazy friends.
Get some new friends. Or make it clear to them that if they do bad stuff, you will press for the strongest prosecution under the law. Accessing a computer system without authorisation is illegal.
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
lol I'm not that worried!!! If it was my work computer, yes I'd kill them, but hey otherwise it's just a funny game we play on each other... 