what do you guys think of this security vulnerability for OS X?

Clinically Insane
Join Date: Mar 2001
Location: yes

Posting Junkie
Join Date: Nov 2001
Location: Retired.

I guess it should be fixed is what I think...

Clinically Insane
Join Date: Mar 2001
Location: yes

Originally posted by gorickey:
I guess it should be fixed is what I think...
Does it work in 10.3 (it does in 10.2)? Does it require that the person enable the root account prior to performing these steps?
I.e. is this a real risk, or just a long shot?

Clinically Insane
Join Date: Mar 2001
Location: yes

Originally posted by besson3c:
Does it work in 10.3 (it does in 10.2)? Does it require that the person enable the root account prior to performing these steps?
I.e. is this a real risk, or just a long shot?
As it turns out, you can replace anybody's password just as you would if you were the root user (i.e. the person doesn't have to have the root password enabled).
I think Apple should require a password to drop down to Single User Mode or something, this is kind of crappy.

Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA

Originally posted by besson3c:
Does it work in 10.3 (it does in 10.2)? Does it require that the person enable the root account prior to performing these steps?
I.e. is this a real risk, or just a long shot?
The 'nidump passwd .' trick no longer works in Panther 10.3.4. Apple has finally gone with shadow passwords. It STILL works on Macs that have not yet been upgraded, of which there are quite a few.
One can set the OF password so that the system cannot be booted to single user mode or from a 'foreign' disk (CD, USB, FireWire). However...
To bypass the OF password one can fiddle the RAM (add or remove a module or change its slot). Or pop the PRAM battery. Both require internal access to the Mac. Most all Mac cases can be locked fairly well. A laptop cannot be locked at all. Contrary to popular opinion, physical access to a Mac does not mean that all bets are off regarding security of the system. We have hundreds of Macs in labs where the OF password is set, the case is locked, and the rooms that they are in have video surveillance and lab techs when the lab is open. If someone has private physical access to a Mac and enough privacy so that cutting off a lock will not draw any attention then, yes, they can bypass the OF password.
So... half of that vulnerability no longer exists in 10.3.4 and the other half is "fixable" if you can keep your system's case physically secure.

-DU-...etc...

Mac Elite
Join Date: Jul 2002
Location: Youngsville, NC

So you have to be sitting at the computer to reset the password, correct?

Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA

Originally posted by dampeoples:
So you have to be sitting at the computer to reset the password, correct?
Yes, for resetting the OF password you do.
No, for resetting the admin password you don't. If you already know the old admin password you can reset it with one of the netinfo tools remotely.

-DU-...etc...

Mac Elite
Join Date: Jul 2002
Location: Youngsville, NC

Originally posted by utidjian:
Yes, for resetting the OF password you do.
No, for resetting the admin password you don't. If you already know the old admin password you can reset it with one of the netinfo tools remotely.
Well, to me the first one isn't a problem at all. My computer is in my house, not a public terminal.
The second one, I dunno. If your password isn't written down, is sufficiently long, has letters and numbers, and isn't in the dictionary, it would take a wild guess to get in, same as any other machine, I suppose.

Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia

On one hand, it's not really that big a deal. If it is a shared server, and security is important, then it should be locked away physically, and inaccessible to restricted users. As they say, if you've got physical access to the machine, then all bets are off. If somebody can boot into single user mode, then they can boot off another CD. They can change the password either way. They can boot off another CD in many other Unix OSes too, and change the password... that's just life.
On the other hand, most other Unix OSes do NOT allow you to use single user mode without entering the password. This makes it very hard for the Mac to be taken seriously in a security-conscious enterprise. I would love to introduce Macs to the department where I work, but the Unix people would not take it seriously due to things like this.

Clinically Insane
Join Date: Mar 2001
Location: yes

Originally posted by Brass:
On one hand, it's not really that big a deal. If it is a shared server, and security is important, then it should be locked away physically, and inaccessible to restricted users. As they say, if you've got physical access to the machine, then all bets are off. If somebody can boot into single user mode, then they can boot off another CD. They can change the password either way. They can boot off another CD in many other Unix OSes too, and change the password... that's just life.
On the other hand, most other Unix OSes do NOT allow you to use single user mode without entering the password. This makes it very hard for the Mac to be taken seriously in a security-conscious enterprise. I would love to introduce Macs to the department where I work, but the Unix people would not take it seriously due to things like this.
What Unix OS would they take seriously?

Junior Member
Join Date: Feb 2003

Originally posted by Brass:
On the other hand, most other Unix OSes do NOT allow you to use single user mode without entering the password. This makes it very hard for the Mac to be taken seriously in a security-conscious enterprise. I would love to introduce Macs to the department where I work, but the Unix people would not take it seriously due to things like this.
I'm not sure that's really the case. Linux for example - it's not a great deal to get the boot manager to give you a single user root shell.
Basically, if you've gotten to the point that you're worried that someone will physically tamper with the machine to get around open firmware protection, your security is gone no matter what. The person can just as easily remove the hard drive and get at your data that way. Or, after resetting OF, use target disk mode. Or just steal the computer altogether.
This really doesn't seem to be anything in the way of a security hole. Single user mode is a useful and important feature. If your machine is physically accessible, the security is all but gone. That's what encrypted disk images (FileVault) or similar solutions are for...

Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia

Originally posted by sith33:
I'm not sure that's really the case. Linux for example - it's not a great deal to get the boot manager to give you a single user root shell.
Basically, if you've gotten to the point that you're worried that someone will physically tamper with the machine to get around open firmware protection, your security is gone no matter what. The person can just as easily remove the hard drive and get at your data that way. Or, after resetting OF, use target disk mode. Or just steal the computer altogether.
This really doesn't seem to be anything in the way of a security hole. Single user mode is a useful and important feature. If your machine is physically accessible, the security is all but gone. That's what encrypted disk images (filevault) or similar solutions are for...
Which is pretty much what I said in my first point. My second point was related to enterprises that use a Unix that doesn't allow single user mode login without entering a password. Linux may allow it, but Solaris (and many others) do not. For enterprises using systems, it would be considered a bad thing (even though, as you and I have both suggested, it really doesn't make that much difference to actual security).
By the way, Single user mode is NOT just limited to physical access to a machine.
I can access the console (and single user mode) on any of our Solaris machines here without going anywhere near them. I could do the same on Mac OS X (XServe, at least) if it were set up to do so (ie, have the console port attached to something useful on the network).

Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA

Originally posted by sith33:
I'm not sure that's really the case. Linux for example - it's not a great deal to get the boot manager to give you a single user root shell.
During a typical Linux (Fedora Core 2) install, as it has been for years, one is given the option of securing the bootloader with a password. See: http://www.gnu.org/software/grub/man....html#Security
The security for lilo (the older Linux bootloader) is similar.
With either system one can set it so it requires a password to boot to single user mode and/or any other mode.
Most PCs also have password protected BIOS so that one can not change the boot device order or options without a password. This can be cleared only if the attacker has access to the internals of the machine, as in Mac OS X.
This really doesn't seem to be anything in the way of a security hole. Single user mode is a useful and important feature. If your machine is physically accessible, the security is all but gone. That's what encrypted disk images (filevault) or similar solutions are for...
Most schools and colleges secure the case of Macs and PCs. They also set the OF, BIOS, and bootloader passwords... all standard procedure.
So when the case is locked and the passwords set... only if your machine is internally physically accessible, the security is all but gone.

-DU-...etc...

Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio

Originally posted by Brass:
On the other hand, most other Unix OSes do NOT allow you to use single user mode without entering the password. This makes it very hard for the Mac to be taken seriously in a security-conscious enterprise. I would love to introduce Macs to the department where I work, but the Unix people would not take it seriously due to things like this.
Just enable the open firmware password then. Once it is enabled, you can't boot into single user mode. That's about the same as requiring a password to get in. The Unix people couldn't argue with that.

Grizzled Veteran
Join Date: Apr 2001

Ask the Solaris people if they've ever heard of "Stop-A" and the damage that can be done with that.
Wade

Mac Elite
Join Date: Sep 2001
Location: Chile

this looks very insecure ... anyway, does it still work ? they talk of build 4K78 .. that's OS X 10.0 (cheetah) ...

:: frankenstein / lcd-less TiBook / 1GHz / radeon 9000 64MB / 1GB RAM / w/ext. 250GB fw drive / noname usb bluetooth dongle / d-link usb 2.0 pcmcia card / X.5.8
:: unibody macbook pro / 2.4 Ghz C2D / 6GB RAM / dell 2407wfp - X.6.3

Clinically Insane
Join Date: Mar 2001
Location: yes

Originally posted by Sarc:
this looks very insecure ... anyway, does it still work ? they talk of build 4K78 .. that's OS X 10.0 (cheetah) ...
It worked on the Jaguar build I tried it on... as somebody else said in here, the password dump thing was fixed in 10.3.4

Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA

Originally posted by besson3c:
It worked on the Jaguar build I tried it on... as somebody else said in here, the password dump thing was fixed in 10.3.4
Nope, it is not fixed in 10.3.4. I have seen three cases where one can still find the password in swap on machines running 10.3.4. All it takes is one case to show that it is still "broken".

-DU-...etc...

Mac Elite
Join Date: Mar 2001

Oh, man. I can't even believe I'm seeing this.
Please see this thread for details:
http://forums.macnn.com/showthread.p...hreadid=216692
I literally can't believe, after how many times single user mode has been brought up as a "security hole" (it isn't), and the numerous times several types of protections have been explained, that this STILL comes up.
Let's have a little remedial education:
- Having root access in single user mode is **NOT** a "security hole". When someone has physical access to a computer, all bets are off.
But, if you want to protect against this, you can do one of two things:
- Enable Open Firmware password protection. This disables single user mode boot (as well as target disk mode, booting from CD, and booting from external media).
- remove the word 'secure' from the following line in /etc/ttys:
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure onoption="/usr/libexec/getty std.9600"
This causes single user mode to prompt for a root password (in crypt format) in /etc/master.passwd
But enabling the Open Firmware password is more than enough, and is the exact remedy for this situation.
But what if someone has physical access to your computer?
The Open Firmware password can be disabled by someone opening the case, changing the physical amount of RAM, and zapping the PRAM three times.
So you can lock the case.
But the lock can be cut.
Do you see where this is going? When someone has physical access to your computer, they can pretty much MAKE themselves root, no matter what. This is true of Windows, Linux, and all other UNIXes, and is not a "security hole". It's the fundamental reality that someone physically sitting in front of a computer can do pretty much anything they want with it.
(Also, starting with 10.3.0, the crypt hash of passwords is NO LONGER AVAILABLE when you do an nidump passwd. The only reason someone will still have a crypt hash on 10.3.x is if they have upgraded from 10.2.x/10.1.x/10.0.x and haven't changed their password since upgrading. All new user accounts, or any password change, will result in a shadowhash password, not visible in nidump passwd.)
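The /etc/ttys change described in the post above, as an added example that is not part of the original post or of Apple's tooling: a Python script that parses a ttys(5) file, reports whether the console entry carries the `secure` flag (the flag that lets single-user mode drop straight into a root shell), writes the same line back without it, and checks the caveat the post's fix depends on. Once `secure` is gone, login(1) compares what is typed at the single-user prompt against root's crypt-format hash in /etc/master.passwd, so if that field is `*` nobody at all can get into single-user mode. The ttys and master.passwd contents below are constructed samples; the 13-character hash is a format placeholder, not a real credential.

```python
"""Audit and harden the console entry of a ttys(5) file.

Added example, not code from the thread. Run it against a copy of /etc/ttys
and /etc/master.passwd before touching the live files as root.
"""
import shlex

# The console line quoted in the post, plus a comment and a network tty
# (constructed sample file).
SAMPLE_TTYS = """\
# name  getty  type  status  comments
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure onoption="/usr/libexec/getty std.9600"
ttyp0   none   network
"""

# Constructed master.passwd lines (name:hash:uid:gid:class:change:expire:gecos:home:shell).
ROOT_DISABLED = "root:*:0:0::0:0:System Administrator:/var/root:/bin/sh"
ROOT_WITH_HASH = "root:AbCdEfGhIjKl0:0:0::0:0:System Administrator:/var/root:/bin/sh"

CRYPT_ALPHABET = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")


def _entries(ttys_text):
    """Yield (original_line, fields) for every non-comment ttys entry."""
    for line in ttys_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            # shlex copes with the quoted getty command and the onoption value.
            yield line, shlex.split(stripped)


def console_flags(ttys_text):
    """Status words of the console entry (everything after name, getty, type)."""
    for _, fields in _entries(ttys_text):
        if fields[0] == "console":
            return fields[3:]
    return None


def console_is_secure(ttys_text):
    """True when single-user mode hands out a root shell with no password."""
    flags = console_flags(ttys_text)
    return flags is not None and "secure" in flags


def _requote(token):
    """Write a parsed token back in ttys syntax, quoting values with spaces."""
    if not any(ch.isspace() for ch in token):
        return token
    key, eq, value = token.partition("=")
    if eq and not any(ch.isspace() for ch in key):
        return f'{key}="{value}"'   # e.g. onoption="/usr/libexec/getty std.9600"
    return f'"{token}"'


def harden_ttys(ttys_text):
    """Return ttys_text with `secure` dropped from the console entry only."""
    rewritten = {}
    for line, fields in _entries(ttys_text):
        if fields[0] == "console" and "secure" in fields[3:]:
            kept = fields[:3] + [f for f in fields[3:] if f != "secure"]
            rewritten[line] = " ".join(_requote(f) for f in kept)
    return "".join(rewritten.get(line, line) + "\n" for line in ttys_text.splitlines())


def is_crypt_hash(field):
    """Traditional DES crypt(3) hash: 13 characters from the crypt alphabet."""
    return len(field) == 13 and set(field) <= CRYPT_ALPHABET


def root_can_log_in_single_user(master_passwd_text):
    """With `secure` removed, login(1) checks root against master.passwd.

    A `*` or empty field can never match, so the box would have no working
    single-user mode at all. Check this before rebooting.
    """
    for line in master_passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root":
            return len(fields) > 1 and is_crypt_hash(fields[1])
    return False


if __name__ == "__main__":
    print("console is secure:", console_is_secure(SAMPLE_TTYS))
    print(harden_ttys(SAMPLE_TTYS), end="")
    print("root usable in single-user mode:", root_can_log_in_single_user(ROOT_DISABLED))
```

Keep a backup of /etc/ttys and confirm root's password works at an ordinary login prompt before relying on this change in single-user mode. It only governs the single-user shell; booting from a CD or into target disk mode is still covered only by the Open Firmware password the post describes.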

Mac Elite
Join Date: Mar 2001

Originally posted by utidjian:
Nope, it is not fixed in 10.3.4. I have seen three cases where one can still find the password in swap on machines running 10.3.4. All it takes is one case to show that it is still "broken".
Um, first of all, that is NOT what he was talking about. He was talking about "nidump passwd ." giving crypt hashes for passwords that could later be cracked, not the swapfile issue.
Second, Mac OS X stopped using crypt hashes by default in 10.3.0, so this has been fixed for a while. (Though if you upgraded from 10.2.x or earlier, you may still have a crypt hash. This can be fixed by changing your password).
And yes, the swapfile password recovery issue is not fixed in 10.3.4, but that's not even remotely what he, or this thread, was talking about.
It might be worth mentioning here that the swap password file recovery issue is **ONLY** an issue in two cases:
1. Some other malicious person is already root or a system administrator on your machine
2. Some other malicious person has physical access to your machine
And even in these cases, the only times the issue can amount to anything is:
- if you have critical confidential data on your machine THAT IS CURRENTLY ENCRYPTED by FileVault, because FileVault can be defeated
- a malicious person with root or physical access (e.g., already a trusted person, or a person with malicious intent) has a desire to recover your passwords, thereby possibly gaining access to other systems on which you have accounts without your knowledge
So yes, it should be addressed, but let's be realistic about the scope and impact of things.
(Last edited by piracy; Jul 15, 2004 at 08:59 AM.)
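An added example (not from the thread) for the point above about accounts carried over from 10.2: a Python audit of `nidump passwd .` output that sorts each account by what its password field reveals. On Panther a ShadowHash account shows `********` in that column, while an account upgraded from 10.2 or earlier whose password has not been changed still shows a 13-character crypt(3) hash that any local user can hand to a password cracker. The dump below is a constructed sample with placeholder hashes, and `nidump` itself only exists on NetInfo-era systems; pipe the real output into the script where it does.

```python
"""Flag accounts whose crypt hash is still exposed through `nidump passwd .`.

Added example, not code from the thread. Input is passwd-format text,
one account per line:
    name:password:uid:gid:class:change:expire:gecos:home:shell
"""
import sys

CRYPT_ALPHABET = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")

# Constructed sample dump. The hashes are format placeholders, not real ones.
SAMPLE_DUMP = """\
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
alice:********:501:501::0:0:Alice (created on 10.3):/Users/alice:/bin/bash
bob:QwErTyUiOpAs.:502:502::0:0:Bob (upgraded from 10.2):/Users/bob:/bin/tcsh
carol:ZxCvBnMaSdFg/:503:503::0:0:Carol (still on 10.2):/Users/carol:/bin/tcsh
guest::504:504::0:0:Guest (no password):/Users/guest:/bin/bash
"""


def classify_password_field(field):
    """Say what a passwd(5) password field gives away."""
    if field == "":
        return "empty"      # no password at all: anyone can log in
    if field == "*":
        return "disabled"   # can never match crypt(3); account is locked
    if field == "********":
        return "shadow"     # 10.3 ShadowHash marker: hash kept out of NetInfo
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return "crypt"      # traditional DES crypt hash, crackable offline
    return "unknown"


def audit_dump(dump_text):
    """Map each account name to the classification of its password field."""
    result = {}
    for line in dump_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue        # not a passwd-format line; skip it
        result[fields[0]] = classify_password_field(fields[1])
    return result


def needs_password_change(dump_text):
    """Accounts to fix now: exposed crypt hashes (a password change moves the
    account to ShadowHash on 10.3) and empty passwords, which are worse."""
    audit = audit_dump(dump_text)
    return sorted(name for name, kind in audit.items() if kind in ("crypt", "empty"))


if __name__ == "__main__":
    # Usage: nidump passwd . | python audit_nidump.py -
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_DUMP
    for name, kind in audit_dump(text).items():
        print(f"{name:12} {kind}")
    print("change password for:", ", ".join(needs_password_change(text)) or "nobody")
```

On a host that has never been upgraded this should report only `shadow` and `disabled` entries; any `crypt` entry is an account that still needs a password change, as piracy says above, and `empty` entries deserve attention regardless of OS version.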

Clinically Insane
Join Date: Nov 1999

I disagree, because I do not believe that this is a security hole at all.
Single-user mode can only be activated, for legitimate purposes or nefarious ones, by someone who has physical access to the machine, because it requires being able to use the actual keyboard attached to it. If a person has physical access, then every security measure which could possibly be put into place can be bypassed, and except for encryption they can all be trivially bypassed. That is a fact, and it is not one which can be changed. Taking out root access, therefore, does nothing but engender a false sense of security, while severely hindering a competent administrator's ability to repair a damaged system.
People are going to have to realize that in any system, no matter how secure, the user is the weakest link. Take responsibility for the security of your own machine, and you will become much more difficult to hack. Don't let someone touch your computer if you wouldn't trust them to not hack it.

You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!

Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland

This is a great example of how a little information is worse than no info at all.
tooki

Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA

Originally posted by piracy:
Um, first of all, that is NOT what he was talking about. He was talking about "nidump passwd ." giving crypt hashes for passwords that could later be cracked, not the swapfile issue.
Yeah sorry... crossing my threads and stripping my nuts (so to speak).
It might be worth mentioning here that the swap password file recovery issue is **ONLY** an issue in two cases:
1. Some other malicious person is already root or a system administrator on your machine
2. Some other malicious person has physical access to your machine
I would add a third:
3. Some malicious person can get access to your removable drive.
I have several colleagues that use a small portable firewire drive to keep all their data, apps, and a portable copy of their OS with them. They boot off of these drives in order to 'protect themselves'.

-DU-...etc...