Mac OS X: Single-User Mode Operations and Security Vulnerabilities
Update:
After "1. Check the disk", a note has been added on how to tell whether the disk is healthy or has errors, and how to deal with errors.
Introduction:
This document describes how to enter and use single-user mode, the basic commands and their usage, and common tools. It also briefly describes the NetInfo and dslocal multi-user management architectures, the differences in user management between OS X 10.4 Tiger and 10.5 Leopard, how to manage multi-user-mode accounts from single-user mode, the difference between the two root accounts, and the differences in system service management between 10.4 and 10.5. Finally, it discusses the software and hardware security of the Mac system.
This article is intended as a reference for advanced users, system administrators, and security specialists who deploy and design specialized environments.
Why do we need to enter the single-user mode?
Single-user mode is abbreviated as SUM in many articles. It is a system startup mode supported by many *nix systems, mainly used by administrators for system maintenance.
SUM is not needed often. Some system problems or maintenance tasks do require entering single-user mode, such as:
Repairing system disk errors. If Repair Disk in Disk Utility cannot fix the problem, single-user mode is worth trying.
Forgetting the administrator password with no boot disk at hand. You can change the root user password from single-user mode.
System problems that may be caused by database corruption.
If you are an administrator, you should use SUM to set up and manage the system, or even prohibit ordinary users from entering SUM, to improve system security.
How to enter single-user mode
Simply put, when you start the computer and hear the startup sound, press and hold the Command and S keys together until text appears on the screen, then release them. This normally puts you in single-user mode.
If a firmware password is set on your computer, turn it off first. For more information, see Apple's official documentation: Setting up firmware password protection in Mac OS X (Article HT1352, http://support.apple.com/kb/HT1352).
If you still do not succeed after several attempts, your hardware may not support it, you may need to upgrade the firmware, or the system administrator may have configured the system to deny access. For details, see the security section below.
Procedure:
What should I do after entering single-user mode? You will not see the familiar GUI but a text-mode shell environment (CLI). The following describes common commands and steps.
1. Check the disk: type the following command and press Enter:
/sbin/fsck -fy
In fact, the system quickly runs this disk check every time it starts, to verify the integrity of the file system.
If fsck finds no disk errors, it displays "The volume (name_of_volume) appears to be OK" at the end. Otherwise, if an error was fixed or a warning was reported, it displays "File System was modified". In that case, you must repeat the above command until OK is displayed. If the problem persists after multiple attempts, your hard disk hardware may be faulty, and you should keep an eye on it or replace it with a new hard disk.
This official article explains the errors that fsck reports: Mac OS X: fsck reports benign errors when journaling is turned on (http://support.apple.com/kb/TS2028?viewlocale=en_US). Note: Only journaling-enabled volumes are supported. This is why Journaled is selected when installing the system.
2. Mount the disk volume: the commands that follow can be used only after the disk volume has been mounted:
mount -uw /
3. Change the root password:
chroot /
passwd
3. Exit/restart:
reboot
or
exit
The steps above changed the password of the root user. Before proceeding to the next step, let's look at the user management architecture of OS X in multi-user mode. Note: In a network environment, the Mac system uses LDAP to manage users.
In OS X 10.4 Tiger, multi-user management relies on NetInfo. NetInfo is a special database whose data is stored in /private/var/db/netinfo/local.nidb/, which only the root user can access. Users generally operate on it through the NetInfo Manager tool, the niutil command-line tool, or a programming interface. NetInfo also manages many other system resources, such as printers, network resources, and protocols. For a detailed introduction, see the Wikipedia article on NetInfo: http://en.wikipedia.org/wiki/NetInfo
Since the release of 10.5 Leopard, the OS X user management mechanism has changed significantly to XML-based file management. (Note: so far, no location has been found where the account password file is stored. If this file were found, it would be easier to crack the account password.) It is a directory service of Open Directory, and it also provides a set of management commands different from the previous ones, such as dscl. The XML files for managing users are stored in /private/var/db/dslocal.
Careful users will notice that even if the root user's password has been changed in the GUI environment, the system in single-user mode still runs as the root user, and changing the root password as shown above does not require the original password. This is because the corresponding service is not started in single-user mode, so root uses the original *nix file-based mechanism (stored in /etc/passwd or /etc/shadow). The two management systems are different.
In the GUI, a root user enabled with NetInfo/Directory Utility is the root user of the OS X multi-user management service. When su root is entered in Terminal, the password the system asks for is the OS X root password. If root has not been enabled, the su root command will fail.
In a normal Terminal session, the passwd command can also be used to modify the *nix file-based root password. Without the option, the default OS X user service is used. Look at the command:
sudo passwd -i file root
The system will directly ask you to enter a new root password and then confirm it.
Compare this with the command for changing the password under normal circumstances:
sudo passwd root
Even if the *nix file-based root password is set here, the machine will not ask for the root password when entering single-user mode. This issue is discussed in the security section below.
4. Change other user passwords
To operate on the user database, you must first start the system services. This also differs between 10.4 and 10.5: 10.5 greatly changed how system services are started, and all system service management is handed over to launchd, which searches /System/Library/LaunchDaemons/ and /System/Library/LaunchAgents/ for the .plist definition files of all system services. In 10.4, system startup management is relatively scattered. As shown here and later, these differences lead to some differences in system management.
The two systems are therefore described separately below.
First, start the corresponding system services:
For the 10.4 Tiger system:
sh /etc/rc.local
For the 10.5 Leopard system:
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServicesLocal.plist
Use the following command to change the password of the root user in multi-user mode, replacing rootpassword with your own root password:
dscl . -passwd /Users/root "rootpassword"
To change the root user password interactively from the CLI:
For the 10.5 Leopard system:
% dscl
Entering interactive mode... (type "help" for commands)
> -passwd Local/Default/Users/root my_password
(Ctrl-D)
5. Add a user
Next, operate on users.
You can create an administrator user for logging in to multi-user mode:
dscl . -create /Users/MyAdmin
dscl . -create /Users/MyAdmin UserShell /bin/bash
dscl . -create /Users/MyAdmin RealName "myadministrator"
dscl . -create /Users/MyAdmin UniqueID "ID"
dscl . -create /Users/MyAdmin PrimaryGroupID "20"
dscl . -create /Users/MyAdmin NFSHomeDirectory /Users/MyAdmin
dscl . -passwd /Users/MyAdmin "password"
dscl . -append /Groups/admin GroupMembership MyAdmin
For the preceding commands to succeed, the user name must be unique and the user ID must be unique. Use the following command to obtain the user list:
dscl . -list /Users
To obtain a unique user ID, you can use dscl . -list /Users uid to list the IDs of all users. You can also use the following command to automatically obtain the next unused ID (the largest existing ID plus one):
echo $(( $(dscl . -list /Users uid | awk '{print $2}' | sort -n | tail -n1) + 1 ))
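Added example (not part of the original article): the one-liner above returns the largest ID plus one and does not check the name, so the shell functions below check both name and ID against the two-column output of dscl . -list /Users uid and also find the lowest unused ID. The SAMPLE_USERS listing is constructed, the function names are hypothetical, and 501 as the first ID for ordinary accounts is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article.
# Checks a candidate name and UID against `dscl . -list /Users uid` output
# before running the `dscl . -create` commands. A reused UID would give the
# new account ownership of the other account's files.

# Constructed sample listing; on a real Mac use: "$(dscl . -list /Users uid)"
SAMPLE_USERS='_www 70
daemon 1
nobody -2
root 0
alice 501
bob 503'

# name_taken LIST NAME: succeeds if NAME is already a user record.
name_taken() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { f = 1 } END { exit !f }'
}

# uid_taken LIST UID: succeeds if UID is already assigned.
uid_taken() {
    printf '%s\n' "$1" | awk -v u="$2" '$2 == u { f = 1 } END { exit !f }'
}

# max_plus_one LIST: the value the article's one-liner prints.
max_plus_one() {
    printf '%s\n' "$1" | awk '{print $2}' | sort -n | tail -n1 |
        awk '{ print $1 + 1 }'
}

# next_free_uid LIST [MIN]: lowest unused UID >= MIN.
# MIN defaults to 501 (assumed start of ordinary accounts).
next_free_uid() {
    printf '%s\n' "$1" | awk -v min="${2:-501}" '
        { used[$2] = 1 }
        END { u = min + 0; while (u in used) u++; print u }'
}

candidate=MyAdmin
if name_taken "$SAMPLE_USERS" "$candidate"; then
    echo "name $candidate already exists"
else
    echo "name $candidate is free"
    echo "max+1 UID:   $(max_plus_one "$SAMPLE_USERS")"
    echo "lowest free: $(next_free_uid "$SAMPLE_USERS")"
fi
```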
6. Delete the user database
The user database may be damaged because of hard disk problems. In this case, we need to delete the multi-user-mode user database so that OS X recreates a default initial database and initializes the system.
Again, the operations differ between the two versions, and in 10.5 a marker file confirming successful installation is also deleted.
For the 10.4 Tiger system:
rm -rf /var/db/netinfo
For the 10.5 Leopard system:
rm -rf /var/db/dslocal
rm /var/db/.AppleSetupDone
7. Run the AppleJack tool:
AppleJack is open-source software that provides menu-driven management of some aspects of the OS X system from the terminal. See the description on the official AppleJack website: http://applejack.sourceforge.net
Security considerations:
From the description above, we can see that a system deployed without good security measures carries obvious security risks. Whether your Mac is physically accessible to outsiders or your laptop is lost, others can easily break into your computer. After obtaining administrator privileges, they can control your computer, access any of your everyday unencrypted data, and easily plant malicious programs such as Trojans.
Working on such an insecure computer, one cannot help worrying about security vulnerabilities. Of course, an absolutely secure system is unrealistic, but a system can be made as secure as possible, or secure to a certain extent. Fortunately, current Mac systems include both hardware and software security measures.
1. Hardware measures:
A firmware password can now be set on every Mac system, including desktops and laptops. For whether your hardware supports it and how to configure it, see the official Apple documentation: Setting up firmware password protection in Mac OS X (http://support.apple.com/kb/HT1352).
This password is generally not set. It might seem that once the password is lost no one can get past it, but that is not the case: for example, you can change the hardware configuration (such as the memory) and reset the NVRAM/PRAM (see Apple's official documentation, Resetting your Mac's PRAM and NVRAM: http://support.apple.com/kb/HT1379).
Those who had high hopes for hardware security measures may be disappointed after reading this. Getting past it is still that simple.
Since the hardware cannot prevent others from entering single-user mode, can software? Yes, there are some good methods available. Let's take a look at the software measures.
2. Software measures:
First, locate the root user's home directory, which is /var/root/. Create a file named .profile there:
touch /var/root/.profile
Then, depending on the OS X version, edit the .profile file as follows:
For 10.4:
if [ "$VerboseFlag" = "-v" ];
then
  /sbin/reboot;
  #/usr/bin/lock -p -t 86343727;
fi
For 10.5:
if [ "$TERM" = "vt100" ];
then
  /sbin/reboot;
  #/usr/bin/lock -p -t 86343727;
fi
The code above checks whether the system is in single-user mode. If it is, the system restarts automatically, preventing use of single-user mode. If you want ordinary users to be able to use single-user mode, replace the reboot line with the commented-out line below it, and the system will ask the user for the root password.
Postscript:
Security has always been a question mark in the minds of IT people: how to provide a sufficiently secure system is a perennial question. Here we have described only some aspects of Mac system security, from the perspective of Mac OS X single-user mode. Of course, there are many other aspects of Mac system security that deserve attention. As far as I understand and know, FileVault on the Mac is the only and most ideal security measure for user data.