
Password-Protect Single-User Mode

If you can drop to single-user mode (SUM) then you can, with some effort, reset passwords and do bad, bad, evil things. If you trust that the one file that will never go bad on your disk is your /etc/passwd file, then you can tell the system to require the root password to enter SUM.


This does not work in Tiger or later. We talk about that in another article.

Even if you have set the password for root before, you need to set it again using the method below before changing /etc/ttys.

Set the root password in /etc/passwd

By default, all password changes affect the NetInfo database and not the system flat files. When booting to SUM the NetInfo database is inaccessible, so the system looks for the data it needs in the flat files. We need to change the password there. Fortunately, the Mac OS X version of passwd has handlers for changing the password on all kinds of directory systems (manpage is the second one listed). Using this, we can change the version in the /etc/passwd file so that SUM can use it.

$ sudo passwd -i file root
Password:
Changing password for root.
New password:
Retype new password:

You cannot use an /etc/shadow file with this method. That leaves the password at a maximum of 8 characters and opens it to attack. The good news is this is separate from the “real” root account; as long as you don’t have “BSD” checked in Directory Access as an authentication source then this password will not grant you anything within the OS itself once it enters multi-user mode.

Update /etc/ttys

On or about line 16 of /etc/ttys you will find the following line:

console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure onoption="/usr/libexec/getty std.9600"

Change the word secure to insecure so that you have:

console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on insecure onoption="/usr/libexec/getty std.9600"

You absolutely must ensure this remains one line.

Reboot into SUM and observe:

Root device is mounted read-only
If you want to make modifications to files
run '/sbin/fsck -y' first and then '/sbin/mount -uw /'
Enter root password or ^D to go multi-user
Password:
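
Both settings from this procedure can be checked before rebooting. The script below is an added example, not part of the original article: the function names and sample file contents are constructed, and the `split` result assumes the console entry looks like the one shown above.

```shell
#!/bin/sh
# Added example: read-only checks for the two settings in this article.
# File paths are arguments, so the checks can be run on copies as well.

# Print how the console entry of a ttys file is marked:
# secure, insecure, unmarked, split (entry wrapped onto a second line) or missing.
console_mode() {
    awk '$1 == "console" {
             seen = 1
             # Assumption: the entry carries onoption= as in the article.
             if ($0 !~ /onoption=/) { print "split"; exit }
             for (i = 2; i <= NF; i++)
                 if ($i == "secure" || $i == "insecure") { print $i; exit }
             print "unmarked"; exit
         }
         END { if (!seen) print "missing" }' "$1"
}

# Succeed if root's password field in a flat passwd-style file holds a hash,
# i.e. is neither empty nor a "*" / "!" no-login marker.
root_has_flat_password() {
    awk -F: '$1 == "root" { f = $2; seen = 1 }
             END { exit !(seen && f != "" && f !~ /^[*!]/) }' "$1"
}

# Succeed only when both halves of the procedure are in place.
sum_setup_complete() {
    [ "$(console_mode "$1")" = "insecure" ] && root_has_flat_password "$2"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/ttys" <<'EOF'
# constructed sample
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on insecure onoption="/usr/libexec/getty std.9600"
EOF
printf 'root:*:0:0:System Administrator:/var/root:/bin/sh\n' > "$demo_dir/passwd.unset"
printf 'root:CONSTRUCTEDHASH:0:0:System Administrator:/var/root:/bin/sh\n' > "$demo_dir/passwd.set"

for p in passwd.unset passwd.set; do
    if sum_setup_complete "$demo_dir/ttys" "$demo_dir/$p"; then
        echo "$p: complete"
    else
        echo "$p: incomplete, set root's flat-file password first"
    fi
done
```

Running the checks on a copy of the edited /etc/ttys catches a wrapped console line, which the article warns must stay on one line.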
About Adam Knight

Author Biography

Adam Knight is one of the founders of Mac Geekery and is a geek at heart. Programmer by day, hacker by night, his daily life revolves around the Macintosh platform, which he has been a user and programmer for since the early days of System 7 when his LCII replaced his Apple //c.

In-between tech jobs, he’s managed to learn the basics of any web hacker: PHP, MySQL, Perl, Apache, Linux, *BSD, and the intricacies of ./configure --prefix=~/bombshelter/. Today, codepoet is concentrating on blogging again, writing some software for the Mac by himself (including Notae) and for his company (such as Switchblade) and has a few other toys coming out soon.

Bug him over AIM or email [link fixed].

Hi Codepoet,

I am not very good with the Unix commands, and I want to secure my G4 Quicksilver OS X.3.9 from some very clever little folks who will be using my Mac. Your post is a little unclear to me and I found a document put out by the NSA that talks about securing SUM. It’s located at http://www.nsa.gov/snac/. Then click on “Operating Systems.” You can download the pdf named “Apple Mac OS X v10.3.x “Panther” Security Configuration Guide” or I can e-mail it to you if you don’t want to connect to the NSA. I just want to make sure the commands on pgs 49-52 are correct as I found an error in the document. If you look at pg 52 it says “Type or paste the password hash where the asterisk was deleted in step 10.” It’s supposed to be step 5. That’s why I’m asking for your help. I’m afraid there might be an error in the commands they list. The idiots don’t even proof their work and I know I could easily trash my system with the wrong commands. I would really appreciate your help. Apparently “you are a god.” I did register with your blog, but I had some trouble posting there for some reason.

Thanks,

Paul

Hi,

Is there a way I can password protect my mail? I don’t want other users to see my mails while they are using my system. I mean when they click on mail icon it should straight away ask for the password before it displays the content of the mail.

I am trying to locate a solution to it really seriously and any help would be greatly appreciated.

Rick

I think it is almost comical how I have been to almost 20 forums with people asking the same question and no one out there has an answer!!!! I'm trying to do the same thing. Come on guys! Try harder.
