Single User Mode on Mac OS X 10.6: Choosing between security and usability

On Mac OS X 10.6 Snow Leopard, and probably on 10.5 Leopard (but not yet tested), there’s a security issue Apple seems aware but not willing to adress.

When you boot on Single User Mode (pressing Cmd+S before the chime) a unix-like root console is provided with no security regards. You are not prompted to provide root password like in debian’s maintenance mode, it just grants the person in front of the computer a root console with root permission. You can do everything root can, except one thing: changing root password is not possible, but you can add any user to the computer or change the permissions to the existent user, or, as you have root access and maybe an ethernet connection, install a rootkit, a keyboard spy script or anything you can think of.

Yay, it’s great to have root access if you have any problems with the GUI or you forget your user password, but isn’t it too risky to have an open root console available for whomever gets two minutes alone with an Apple computer? Indeed it is. Is it possible to avoid this unsecure mode?

Prior to 10.6, it was possible to use some Unix hacks in order to be asked for a password.

One of them was taking advantage of the different environment variables of SUM so you could lock the terminal. This worked on Tiger, but the lock command is now obsolete and you cannot use it nowadays.

Another hack was about editing the /etc/ttys file and setting the console as insecure, which means that there is no physical security to the computer, so software security must be implemented. This used to be some elegant and fancy solution to the problem, but not even more works. The actual /etc/ttys file show this comment

# To secure single-user mode, enable Firmware password protection.

So, as Apple says so, the only option nowadays is to use Open Firmware password protection, which is not set by default. But whereas this option makes impossible to log in using SUM, it also disables many interesting boot modes, like verbose mode (V), booting form a dvd using (C), diagnose mode (D). You can only boot the usual way or press option key, inset root password and select the disc to boot (hard disk, optical drive, network disk..). Of course you have that security, and the option to revert it, but it takes two booting sequences to revert it while it should take none.

I tried to discuss this in Apple official forums and the only answer I got form those Apple gurus was that “physical access trumps any security”, “lock the computer and have long wires for keyboard and screen” (yes, I laughed too) or “no, it is not possible to do that”.

So, that’s it. Apple, by default, grants a password free root console and the only way to avoid that risky situation is to prevent any boot mode apart from the usual one. I am not asking for a difficult hack, just a little bit of security, which was available time ago (and still on Linux and BSD systems) without trumping the usability of advanced booting modes. Some good ad campaigns, the new intel microprocessors, games like Warhammer Online or WoW having Mac versions, and many other reasons have made Mac computers become very popular in past years, especially among european students which we can get benefits and discounts or even free iPods like in the US. But there is that backdoor.

PS: I usually post in spanish in this blog, but I recall this problem to be so important that this entry will be in english so it’s available to anyone that googles about the issue.

(Traducción. Suelo postear en castellano, pero me parece un problema de tal calado que prefiero que llegue a la mayor cantidad de gente posible que busque información sobre el tema).

2 Responses to “Single User Mode on Mac OS X 10.6: Choosing between security and usability”

  • Safari 531.22.7 Mac OS X 10.6.2

    I went through every possible option to make this happen in our Mac labs as well .. and the firmware passwords are just a pain in the butt, however I did not want to have to type in the password to use the other modes like Netboot and target mode. This article saved the day for me .. It might for you .. Its easy and only takes a few minutes to complete .. It is also ARD friendly ..


  • Mozilla Firefox 3.6 Windows Vista

    Enabling the firmware password doesn’t disable those modes. If you as the admin still want to access them you hold option on boot, enter the firmware password, select the OS X volume you want to boot off of (CD’s Volumes ,and hit enter, then quickly hold down Command S after you hit enter for single-user mode.

Leave a Reply