zizdodrian
04-21-2005, 12:32 AM
The capacity to do a single user boot without a password or identification would be a huge security risk on some computers. Is there a way of protecting access - I mean you are logged in as root as a single user, right???
Thanks in advance,
Christopher
styrafome
04-21-2005, 12:38 AM
Try enabling the Open Firmware Password (http://docs.info.apple.com/article.html?artnum=120095). It requires a password for alternate boot scenarios like starting up off a CD or Target Disk Mode. I have never tried it with Single User Mode, though I guess it ought to require a password for that too.
saint.duo
04-21-2005, 12:46 AM
That said, if someone has the physical capability to sit at and get to the computer you are trying to protect, and they want whatever is on that machine, they will get it if determined enough.
Open firmware passwords can be disabled. If all else fails, someone could take the hard drive, or if small enough, the computer itself.
zizdodrian
04-21-2005, 12:55 AM
Leading on from open firmware:
I don't have it.
Is there an update or something? Other people with beige G3s seem to.
I know that people can be determined, but every little psychological barrier in their way can make it just that little bit harder to crack.
acme.mail.order
04-21-2005, 05:39 AM
You have Open Firmware. All recent Macs do. Hold down Command-Option-O-F at boot, but read a LOT of documentation first. This is the computer's lower brain stem, it's written in Forth (non-intuitive stack-oriented reverse-polish obscure language) and is extremely unforgiving of mistakes.
zizdodrian
04-21-2005, 06:26 AM
You have Open Firmware. All Macs do. Hold down Command-Option-O-F at boot, but read a LOT of documentation first. This is the computer's lower brain stem, it's written in Forth (non-intuitive stack-oriented reverse-polish obscure language) and is extremely unforgiving of mistakes.
I have already tried that. When I hold down Command-Option-O-F at boot, nothing happens! I have just assumed that Old World Macs don't have Open Firmware.
Is it possible to update my firmware?
voldenuit
04-21-2005, 07:20 AM
Old World Macs cannot be updated to New World/OF.
Read TN 1167 if the gory details interest you:
http://developer.apple.com/technotes/tn/tn1167
And only a select few Old World machines can boot older versions of OS X anyway.
And physical access to a computer is in general equivalent to compromise.
You can mitigate the risk by:
- physically securing the hardware from tampering
- setting the OF Password
- keeping critically important data in an encrypted disk-image and the key off-site
voldenuit
04-21-2005, 07:36 AM
Versions of OF below 3 don't use the console, but the serial port for output.
However, they also lack password support if I remember correctly.
Each hardware platform has its own OF version, so you won't be able to update unless there's an Apple update available for your machine.
You have a beige G3, Machine ID 510?
Nothing keeps you from setting a root password in single-user mode, it's just plain Unix after all. Be sure to remember it, though ;) .
But booting off FireWire, CD and, for OS 9, also USB cannot be prevented that way.
Craig R. Arko
04-21-2005, 10:32 AM
The capacity to do a single user boot without a password or identification would be a huge security risk on some computers. Is there a way of protecting access - I mean you are logged in as root as a single user, right???
Thanks in advance,
Christopher
Keep the machine behind a locked door.
voldenuit
04-21-2005, 10:44 AM
Keep the machine behind a locked door.
...and give out the "S"-key of the keyboard only to trustworthy people :D
Hal Itosis
04-21-2005, 02:54 PM
A few pieces of scrap metal and an arc welder might do the trick:
Seal off the FireWire ports, the CD slot, and any access points to
the RAM modules...
;)
styrafome
04-21-2005, 03:50 PM
You have Open Firmware. All recent Macs do. Hold down Command-Option-O-F at boot, but read a LOT of documentation first. This is the computer's lower brain stem, it's written in Forth (non-intuitive stack-oriented reverse-polish obscure language) and is extremely unforgiving of mistakes.
Yeah, but if all you want to do is change that open firmware password, you use the one-click GUI utility provided by Apple at the link above, and suddenly, what was brain surgery becomes a no-brainer. :D
yellow
04-21-2005, 05:32 PM
...and give out the "S"-key of the keyboard only to trustworthy people :D
Nice idea! :)
styrafome
04-21-2005, 06:19 PM
Sounds like you guys should implement the NSA Security Guide for Mac OS X (http://www.nsa.gov/snac/os/applemac/osx_client_final_v_1_1.pdf) (PDF). That's the National Security Agency of the USA. They are utterly hardcore about securing a machine. Give it a read. (Then roll your eyes.)
zizdodrian
04-21-2005, 07:29 PM
OK... well... I just discovered that I do actually have open firmware. Which raises another question - why wasn't it working before?
Anyway...
[This page intentionally left Blank]
10 hours later...
*Eyes rolling out of head*
Well... that could have been cut down to about 30 pages. Then again, I suppose they just love printing off reams and reams of paper...
zizdodrian
04-21-2005, 08:09 PM
Oh... and I just found www.securemac.com. I'll have a look there.
hayne
04-21-2005, 09:21 PM
and give out the "S"-key of the keyboard only to trustworthy people
I cut mine in half and gave each half to different people. Much safer.
zizdodrian
04-24-2005, 03:58 AM
Just keep the whole keyboard in a secure place! I have plenty of 'S' keys at home... ;)