Password Protecting OPENSTEP for Mach in Single User Mode

The ability to boot a UNIX system in single-user mode is a security concern, since single-user mode provides a root shell without requiring a password. This example allows you to force the user of an OPENSTEP for Mach system to supply a password before /bin/sh starts in single-user mode. It does this by running a password-checking program from the shell's startup file for root, /.profile. This document assumes that you are using OPENSTEP for Mach version 4.2.
Disclaimer

This procedure has been tested for security holes, and appears to resist concerted efforts to defeat it. However, Apple disclaims any warranty of any kind, expressed or implied, as to its fitness for any particular use. This procedure has not been tested under any version of MacOS X Server.

This script may not work if the password you use is more than eight characters long. Remember to test the script immediately after installing it to be sure your password is being fetched correctly.

Required Files

The files needed for this example are available in compressed form on Apple's FTP site, at:

ftp://ftp.info.apple.com/Apple_Support_Area/Apple_Software_Updates/MultiCountry/Enterprise/openstep/examples/PW_Protected_SU.compressed

This archive includes:

Using Password Protection

To password protect single-user mode on your system, simply log in to a Unix shell as root, cd to the uncompressed directory containing the Makefile and source code, and type "make". The pwcheck Makefile will automatically install the pw_check program and /.profile, place your local NetInfo domain's root password in your local /etc/passwd file, and protect your /etc/rc.boot file so that the startup sequence cannot be interrupted from the keyboard. Backup copies of your original files are created as /etc/passwd.orig, /etc/rc.boot.orig, and /.profile.orig.

The program prompts the user up to three times to enter a password. The default .profile included with this package prompts for the root password, but you may specify another user's password on the command line. If the correct password is not entered within three attempts, the program halts the processor, shutting down the computer system.
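The behaviour described above, as an added example that is not the pw_check program from Apple's PW_Protected_SU archive: it reimplements the gate so the logic can be exercised offline. The passwd entries, the user names, and the salt$sha256hex hashing scheme are constructed for this example; the real program would compare against the crypt(3) hash field of the user's /etc/passwd entry, and the "halt" decision is returned here rather than actually halting the machine.

```python
"""
pw_check-style gate for a single-user root shell (added example, not Apple's code).

Assumptions not taken from the page: SAMPLE_PASSWD is constructed sample data,
and the "salt$sha256hex" scheme stands in for the DES crypt(3) strings that an
OPENSTEP /etc/passwd would actually hold.
"""
import hashlib
import hmac
from typing import Callable, Optional

MAX_ATTEMPTS = 3  # per the document: three attempts, then the system is halted


def _sample_hash(salt: str, password: str) -> str:
    """Constructed stand-in for crypt(3): salt + '$' + sha256(salt || password)."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed /etc/passwd-style content (sample data, not a real file).
# Field 2 holds the password hash; "*" marks an account that can never log in.
SAMPLE_PASSWD = "\n".join([
    "root:" + _sample_hash("ab", "example-root-pw") + ":0:0:Root:/:/bin/sh",
    "me:" + _sample_hash("cd", "example-user-pw") + ":501:20:Me:/Users/me:/bin/sh",
    "nobody:*:-2:-2:Nobody:/:/bin/sh",
])


def lookup_hash(passwd_text: str, user: str) -> Optional[str]:
    """Return the password field for `user` from passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against the stored field (constructed scheme).

    Uses a constant-time comparison so a wrong guess does not leak how many
    leading characters of the hash matched.
    """
    if "$" not in stored:
        return False  # locked entries such as "*" never match anything
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(_sample_hash(salt, candidate), stored)


def pw_check(passwd_text: str, user: str, prompt: Callable[[str], str],
             max_attempts: int = MAX_ATTEMPTS) -> str:
    """Prompt up to max_attempts times for `user`'s password.

    Returns "shell" when the password matches (so /.profile can continue into
    /bin/sh) or "halt" otherwise (where the real program halts the processor).
    """
    stored = lookup_hash(passwd_text, user)
    for attempt in range(1, max_attempts + 1):
        candidate = prompt(f"Password for {user} (attempt {attempt} of {max_attempts}): ")
        # An unknown user still consumes all attempts instead of revealing
        # that the account does not exist.
        if stored is not None and verify(stored, candidate):
            return "shell"
    return "halt"


def run_attempts(passwd_text: str, user: str, answers: list) -> str:
    """Drive pw_check with a fixed list of answers; empty string once exhausted."""
    it = iter(answers)
    return pw_check(passwd_text, user, lambda _msg: next(it, ""))


if __name__ == "__main__":
    import getpass
    import sys
    # Like the document's .profile: default to root, or name a user on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "root"
    print(pw_check(SAMPLE_PASSWD, target, getpass.getpass))
```

Run as `python3 pw_check_example.py` (or with a user name as the first argument) to see the three-attempt loop interactively; a real /.profile would run `halt` when the result is "halt" and otherwise fall through to /bin/sh.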
Published Date: Feb 18, 2012