Locking Single-User Mode

Logging into Single User Mode essentially gives anybody root access to the system at a file level. From a security standpoint, this is a bad thing. The instructions below will tell you how to secure Single User Mode and require a password before any files are editable in Mac OS 10.2-10.5.

It should also be noted that from 10.4 on, Apple recommends using Open Firmware passwords to lock Single User Mode. In 10.5 they went so far as to remove the piece that the 10.4 method below relies on… but there is a way around it. So that being said, proceed at your own risk.

Locking SUM on 10.4 and 10.5
Because Single User Mode runs as the root user, we have to set a password for root. When root is enabled normally, its password is stored in the NetInfo database (in Leopard, in the dscl flat files); however, that database is not loaded in Single User Mode, so the password must be stored in a separate flat file. Open up a Terminal window and type in the following:

sudo passwd -i file root

Then type in the password you want it to be set to. You need to do this even if you’ve already enabled Root and set a password. This password can be the same or different from the actual Root password, if already set. The only time you will use this password is in Single User Mode.

Next type,

sudo pico /var/root/.profile

And enter your local administrator password when prompted. This brings up Pico, a Unix text editor, with the profile file that root loads. This file usually does not exist until you create it with the above command. The contents to type in depend on your OS version and are given below; make sure to get them exact.

This is where it changes for 10.5 vs 10.4. Changes were made in Leopard that break locking SUM using the 10.4 method. Luckily, you can still do it, but it involves downloading a file.
Apple removed the “lock” Unix binary from 10.5, thus breaking a big part of the script below. You can download the compressed binary lock.zip or get it from a 10.4 system. (You have to do this even if you did an upgrade install. It gets deleted! What is interesting, though, is that they only deleted the binary. For example, the man pages for lock are still there…)
Download the zip file, decompress it, and place the binary back in its proper location, /usr/bin/. The permissions on the file don’t matter too much, because the only user we care about running it as is root. (You can get to the correct directory easily by using the Finder’s “Go to Folder” feature. Just type in /usr/bin/)

Next up is the script.

For 10.4

# 10.4: VerboseFlag is only set to -v in a Single User Mode shell
if [ "$VerboseFlag" = "-v" ];
then
    /usr/bin/lock -p -t 86343727;
fi

For 10.5

# 10.5: TERM is only vt100 in a Single User Mode shell
if [ "$TERM" = "vt100" ];
then
    /usr/bin/lock -p -t 86343727;
fi

This does a couple of things. First, it checks whether the VerboseFlag variable is set to -v (10.4) or the TERM variable is set to "vt100" (10.5). These values are only set when logging into Single User Mode, not when logging in as root normally. Then it calls the lock utility with two flags and a time (in minutes). The first flag, -p, asks for the current user’s password, i.e. the one we specified above. The second flag, -t, specifies how long the session remains locked. It is necessary because, for some reason, the -n flag (which would lock the session permanently) does not exist in OS X. The workaround is to tell lock to unlock after a specified amount of time, in this case something very, very long: ~165 years.

Press Control and X; this will exit Pico and prompt you to save your changes.

Reboot the system; Single User Mode should now be locked for all intents and purposes. When you boot into it, you’ll be prompted to enter a “key”. This is the password that you specified earlier. You may have to enter the password twice.
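As an added example (not from the original post), here is a single ~root/.profile body that applies the check described above for both 10.4 (VerboseFlag) and 10.5 (TERM), and that says so loudly if /usr/bin/lock is missing instead of silently dropping to an unlocked root shell. The path and the ~165-year timeout are the post's; the variable names LOCK_BIN and SUM_LOCK_TIMEOUT and the function names are assumptions of this example.

```shell
# Added example, not from the original post. Meant to be sourced by sh as
# ~root/.profile; covers the 10.4 test (VerboseFlag) and the 10.5 test (TERM).
# Assumed names: LOCK_BIN, SUM_LOCK_TIMEOUT and the functions below are ours;
# the lock path and the timeout value come from the post.

LOCK_BIN=/usr/bin/lock
SUM_LOCK_TIMEOUT=86343727    # minutes, as in the post (~165 years)

# in_single_user_mode: succeeds when either signal the post relies on is present.
# Both variables are read quoted, so an unset variable is just an empty string.
in_single_user_mode() {
    [ "$VerboseFlag" = "-v" ] || [ "$TERM" = "vt100" ]
}

# lock_available: succeeds only if the lock binary is present and executable.
# On 10.5 this is what catches a missing or misplaced lock binary.
lock_available() {
    [ -x "$LOCK_BIN" ]
}

# lock_session: runs lock with the two flags discussed in the post.
#   -p  prompt for the root password set with 'passwd -i file root'
#   -t  minutes until the session unlocks on its own (OS X lock has no -n)
lock_session() {
    "$LOCK_BIN" -p -t "$SUM_LOCK_TIMEOUT"
}

# Top level: only act in a Single User Mode shell. If the lock binary is
# missing, warn rather than drop to an unlocked root shell with no hint
# that the lock step was skipped.
if in_single_user_mode; then
    if lock_available; then
        lock_session
    else
        echo "WARNING: $LOCK_BIN not found; Single User Mode is NOT locked" >&2
    fi
fi
```

The warning only helps if someone is watching the console, so treat it as a reminder to verify the lock binary after any upgrade, not as a substitute for the Open Firmware password Apple recommends.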

Locking SUM on 10.2-10.3
Securing Single User Mode in 10.2 and 10.3 is a little different. The steps are outlined below.

Load up the terminal and type in

sudo cp /etc/ttys /etc/ttys.old

This will create a backup of the ttys file if you make a mistake. Edit the file by typing

sudo pico /etc/ttys

Replace occurrences of the word “secure” with the word “insecure” in the configuration lines of the file. Any line that does not begin with a “#” is a configuration line. Exit Pico and save your changes by pressing Control and X.

Edit the master password file; this serves the same purpose as setting the root password in the 10.4 instructions above.

sudo pico /etc/master.passwd

Within the editor, delete the asterisk following the word “root”. Open a new terminal window and issue the following command, replacing <xx> with two random characters and <password> with an appropriate password:

openssl passwd -salt <xx> <password>

A hash of the password will be displayed after executing the command. Type or paste the password hash where the asterisk was deleted in /etc/master.passwd. Exit Pico, saving changes.
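As an added example (not from the original post), the following shell helpers perform the 10.2/10.3 edits above without hand-editing in Pico: harden_ttys changes the word "secure" to "insecure" only on configuration lines of a ttys file, set_root_hash drops a hash into root's password field in master.passwd content, and make_root_hash wraps the openssl call, reading the password from stdin so it does not appear in the process list the way the one-line form does. The function names, the TTYS_FILE and MASTER_PASSWD variables, and the sample lines are assumptions constructed for this example.

```shell
# Added example, not from the original post. Helpers for the 10.2/10.3 steps;
# function and variable names are ours, the paths are the post's.

TTYS_FILE=/etc/ttys
MASTER_PASSWD=/etc/master.passwd

# harden_ttys: stdin -> stdout. On lines not starting with "#", replace any
# whitespace-separated field that is exactly "secure" with "insecure".
# Whole-field matching means a field that is already "insecure" is left
# alone (no "ininsecure"), and comment lines are printed untouched.
# Note: awk rejoins a modified line with single spaces, which is fine for
# ttys since its fields are whitespace-separated.
harden_ttys() {
    awk '!/^#/ { for (i = 1; i <= NF; i++) if ($i == "secure") $i = "insecure" } { print }'
}

# apply_ttys_hardening: back up the file (as the post does) and rewrite it.
# Run via sudo; defaults to /etc/ttys.
apply_ttys_hardening() {
    file=${1:-$TTYS_FILE}
    cp "$file" "$file.old" || return 1
    harden_ttys < "$file.old" > "$file"
}

# set_root_hash HASH: stdin -> stdout. Replace the "*" in the password field
# (field 2) of the line whose first field is exactly "root".
set_root_hash() {
    hash=$1
    awk -F: -v OFS=: -v h="$hash" '$1 == "root" && $2 == "*" { $2 = h } { print }'
}

# make_root_hash SALT: reads the password from stdin and prints the crypt hash.
# The salt must be exactly two characters from the crypt alphabet.
make_root_hash() {
    salt=$1
    case $salt in
        [a-zA-Z0-9./][a-zA-Z0-9./]) ;;
        *) echo "salt must be exactly two characters from [a-zA-Z0-9./]" >&2; return 1 ;;
    esac
    openssl passwd -salt "$salt" -stdin
}

# Typical use (as root):
#   apply_ttys_hardening
#   printf '%s\n' 'the-password' | make_root_hash ab > /tmp/roothash
#   cp "$MASTER_PASSWD" "$MASTER_PASSWD.old"
#   set_root_hash "$(cat /tmp/roothash)" < "$MASTER_PASSWD.old" > "$MASTER_PASSWD"
```

Keep the .old backups until you have verified that a normal boot still works, since a broken ttys line affects every console.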