Question
Hey! Great site man. Thanks.
Back in Jaguar and Panther we could hack /etc/ttys and /etc/master.passwd to force SingleUser mode to request a password before it would supply the user a # prompt. (This was done by changing ‘secure’ to ‘insecure’ in ttys, and adding a hashed password into root’s master.passwd entry using the openssl -salt XY command tool).
Worked fine in Jaguar and Panther. No such luck in Tiger. When I tried to set it up using the old method, I noticed that my BlueTooth networking stuff went south… and command-S still booted directly into SingleUser mode (sans password request).
I see Apple has changed the comments in Tiger’s ttys, and now explicitly advises us to go with Open Firmware password. Hmm, that’s all well and good… but, I really liked having SU mode ask for a password anyway.
Can it be done in Tiger, or is it impossible without messing things up?
TIA and have a nice day.
HI
Answer
They busted this in Tiger for various reasons, but there’re other ways around it. I C&Ped the previous article on the topic below, making changes as needed for Tiger.
Even if you have set the password for root before, you need to set the password for root using the below method before doing this.
Set the root password in /etc/passwd
By default, all password changes affect the NetInfo database and not the system flat files. When booting to SUM the NetInfo database is inaccessible, so the system looks for the data it needs in the flat files. We need to change the password there. Fortunately, the Mac OS X version of passwd has handlers for changing the password on all kinds of directory systems (manpage is the second one listed). Using this, we can change the version in the /etc/passwd file so that SUM can use it.
$ sudo passwd -i file root
Password:
Changing password for root.
New password:
Retype new password:
You cannot use an /etc/shadow file with this method. That leaves the password at a maximum of 8 characters and opens it to attack. The good news is this is separate from the “real” root account; as long as you don’t have “BSD” checked in Directory Access as an authentication source then this password will not grant you anything within the OS itself once it enters multi-user mode.
Detect and Lock SUM
Tiger gives us no method to lock the tty terminal, sadly, but there are other tricks. For instance, the environment variables in SUM are quite different from those in a normal shell:
FsckSlash=-F
TERM=vt100
NetBoot=
SafeBoot=
VerboseFlag=-v
PATH=/bin:/sbin:/usr/bin:/usr/sbin
PWD=/var/root
SHLVL=1
_=/usr/bin/printenv
OLDPWD=/
So all we do is drop in a little .profile script that the SUM shell will run that detects SUM and locks the terminal with the user’s password.
# VerboseFlag is only set by the single-user bootstrap; quote it so the
# test is still valid (just false) in a normal login shell where it is unset
if [ "$VerboseFlag" = "-v" ];
then
# lock the tty with the current user's password before the prompt appears
lock -p;
fi
And now when you boot to SUM you’ll get:
lock: /dev/ttyp1 on localhost. timeout in 15 minutes
time now is Tue Feb 14 00:00:55 CST 2006
Key:
And when you open Terminal and su to root, it will drop right in. Voila.
I tried it… it worked!!!
You are a UNIX god.
Thank you, thank you.
I read about something called an “S/Key challenge” in man lock, but OSX doesn’t have a man page for skey… so I guess that’s of no concern to us?
Anywho… thanks again.
-HI-
Hmmm, it auto-unlocks after 15 minutes.
That is most inadequate.
According to BSD Guides there is a -n option to lock the terminal forever.
Perhaps it works on OSX too. (Will have to test it out). Else, maybe something like -t 999999999 will work… “temporarily”.
-HI-
edit: Okay… no “-n” option with OSX. Finally settled on
/usr/bin/lock -p -t 7654321 ### over 14 years!
This sure has been fun and educational. Cheers all.
PPS: it might also be desirable to put quotes around that variable inside the test brackets [ ] ... i.e., "$VerboseFlag"
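A consolidated version of the .profile trick from the answer, as an added example that is not code from the answer or the comments: it recognises the single-user shell from the printenv listing above, quotes the variable as the PPS suggests, and uses the 7654321-minute timeout from the edit. Assumed (mine): VerboseFlag and FsckSlash are both set only by the single-user bootstrap, lock lives at /usr/bin/lock, and the root password has already been written to /etc/passwd with passwd -i file so that lock -p has something to check.

```shell
#!/bin/sh
# Added example, not code from the thread. Drop this into the root .profile.
# Assumptions (mine): the single-user bootstrap sets VerboseFlag=-v and
# FsckSlash=-F exactly as in the printenv listing, and lock is /usr/bin/lock.

# Timeout in minutes; 7654321 is the value settled on in the thread (>14 years).
SUM_LOCK_TIMEOUT=7654321

# True (exit 0) only when the shell was started by the single-user bootstrap.
# Every expansion is quoted: in a normal login shell both variables are unset,
# and the unquoted form  [ $VerboseFlag = "-v" ]  is a test syntax error rather
# than a "false" result, so the same .profile would complain on every login.
is_single_user_mode() {
    [ "${VerboseFlag:-}" = "-v" ] && [ "${FsckSlash:-}" = "-F" ]
}

# Lock the tty before the root prompt appears. In any other shell do nothing
# and return success, so sourcing this file never aborts an ordinary login.
# -p uses the current user's login password; -t sets the timeout in minutes.
sum_lock_if_needed() {
    if is_single_user_mode && [ -x /usr/bin/lock ]; then
        /usr/bin/lock -p -t "$SUM_LOCK_TIMEOUT"
    fi
    return 0
}

sum_lock_if_needed
```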