OSx security - from a switcher.

kinesin · Jun 12, 2006

Hi, I've currently got a MacBook on order and currently been shipped to me so tonight leaving work I picked up the office powerBook G4 to take home and have a little bit of play - and to show the parents as they keep wanting a laptop and I'm not really keen on giving them a windows one. Support is difficult enough at the moment, but will be more so once they move to aboard.

Anyway the powerbook was the only mac in our company hasn't been charged/switched on since november 2005 when the previous user left. The Windows IT guys where happy to let me take it home and play, especially as all the users data has already been deleted.

Now unsuprisingly enough upon booting I didn't know either the admin or user password - however as I've been browsing round this site etc I realised that single-user mode existed and booted into that. (I'm a Unix/Linux admin by day and run debian at work).

Now from my background single-user mode seems very insecure! The G4 is running 10.3.9 and a few command I've charged the root password and the users! (Not quite as simple ast 10.2 - 2 extra lines) No login prompt into single user mode, not bios prompt to CD.
Is this still the case with tiger? Does changing the root and users password to admin automagically make that user a admin user?
I know things like filevault and encrypted images exist - but how much is left out of these? Do the global logs etc show sites visited, is the cache and cookies contained within filevault.
From by brief play tonight, if my laptop gets stolen it seems at least some data might accessible, even with filevault.

Oh and is it possible to never display the user login names at the main login prompt?

I'm a bit gutted that there isn't whole disk encryption - is it planned?

crees! · Jun 12, 2006

kinesin said:
Oh and is it possible to never display the user login names at the main login prompt?

Answering this question you can have it so both name and password have to be typed in.

Blackheart · Jun 12, 2006

kinesin said:
From by brief play tonight, if my laptop gets stolen it seems at least some data might accessible, even with filevault.

AFAIK, filevault will secure anything you have within the scope of the encryption. For instance, to test it out, I've:

1) Turned filevault on a home folder
2) Booted the computer from an install CD
3) Changed the password with the CD
4) Booted the computer from the hard drive

I couldn't access the home folder when logging in because the image of it was encrypted.

yellow · Jun 12, 2006

kinesin said:
Now from my background single-user mode seems very insecure! The G4 is running 10.3.9 and a few command I've charged the root password and the users! (Not quite as simple ast 10.2 - 2 extra lines) No login prompt into single user mode, not bios prompt to CD.

Turn on the Open Firmware password
or
Block Single User Mode
or
Password protect Single User Mode

kinesin said:
Is this still the case with tiger? Does changing the root and users password to admin automagically make that user a admin user?

If you've used "passwd" to change the password, then it's likely that you've not actually changed the user's passwords, as OS X uses NetInfo, and not yellowpages. Not sure what you're saying here, changing a user's password to be the same as the root password has NEVER made a user an admin user in ANY UNIX-flavor. Do you mean added the user to the admin group? Then yes, of course that makes a regular user an admin user.

kinesin said:
I know things like filevault and encrypted images exist - but how much is left out of these?

FileVault only applies to the user's home directory.

kinesin said:
Oh and is it possible to never display the user login names at the main login prompt?

Yes, just use autologin from the Accounts prefpane to skip login and automatically logged in as the specified user.

kinesin said:
I'm a bit gutted that there isn't whole disk encryption - is it planned?

Planned? On encrypting the whole disk? Not likely.

balamw · Jun 12, 2006

yellow said:
Planned? On encrypting the whole disk? Not likely.

Why not? Encrypted DMGs are already supported, so what's the diff between a DMG and a partition? No really, just curious...

B

Blackheart · Jun 12, 2006

balamw said:
Why not? Encrypted DMGs are already supported, so what's the diff between a DMG and a partition? No really, just curious...

B

Doesn't a dmg NEED an operating system to "open"?

balamw · Jun 12, 2006

Blackheart said:
Doesn't a dmg NEED an operating system to "open"?

No more than any other file system. This is why you can use "dd" to create a bitwise image of a partition on the disk, call it a DMG and mount it.

B

Mord · Jun 12, 2006

first thing i do with a new mac is password up open firmware and set a password to single user mode.

7on · Jun 12, 2006

yeah, I also hear that Macs can be picked up and stolen!

By default you can get into the machine while sitting at it, but network security is much nicer. And you do have the option of setting up more security as others noted.

kinesin · Jun 12, 2006

yellow said:
Turn on the Open Firmware password
or
Block Single User Mode
or
Password protect Single User Mode

If you've used "passwd" to change the password, then it's likely that you've not actually changed the user's passwords, as OS X uses NetInfo, and not yellowpages. Not sure what you're saying here, changing a user's password to be the same as the root password has NEVER made a user an admin user in ANY UNIX-flavor. Do you mean added the user to the admin group? Then yes, of course that makes a regular user an admin user.

Thanks for links. I'm not very aware of Open Firmware - what happens if you forget that password? Back to apple for a new cmos chip?

I did use 'passwd' to change the user's password, however it was against the netinfo database, just started the netinfo daemon after bootstrapping.
On the user/root password been the same, I was just wondering Mac was doing something 'user friendly' as the user I'm now logged in as is admin user. I guess they always were.

yellow · Jun 12, 2006

balamw said:
Why not? Encrypted DMGs are already supported, so what's the diff between a DMG and a partition? No really, just curious...

What I took the OP's question to mean was that the whole boot partition and all would be encrypted. AFAIK, this would mean that the EFI would have to be modified to have the code to identify and decrypt the whole shebang, and then protect it (the EFI) from hackage. What a massive pain in the ass it would be to try and decrypt/boot/encrypt/shutdown. I just don't see it happening in Leopard.

kinesin said:
On the user/root password been the same, I was just wondering Mac was doing something 'user friendly' as the user I'm now logged in as is admin user. I guess they always were.

The initial set-up user (typically UID 501) is always an admin. Any subsequent users (typically UID 502+) are not admin unless specified as an admin. The UIDs can vary if someone has erased users and removed 'setupdone' files. But anyway..

kinesin · Jun 12, 2006

Blackheart said:
AFAIK, filevault will secure anything you have within the scope of the encryption. For instance, to test it out, I've:

1) Turned filevault on a home folder
2) Booted the computer from an install CD
3) Changed the password with the CD
4) Booted the computer from the hard drive

I couldn't access the home folder when logging in because the image of it was encrypted.

I understand that FV is secure, I thinking more about cached email attachments been left on the unencrypted parts of the drive and such like...

If I've already got a spare image in my home, (as in this case) can I just move it and run filevault on the current home.

yellow · Jun 12, 2006

kinesin said:
I understand that FV is secure, I thinking more about cached email attachments been left on the unencrypted parts of the drive and such like...

AFAIK, nothing like that should be scattered anywhere but in ~/Library/

Check /Library/Caches/ and you should find some very uninteresting things there.

Also note, that /var/vm is unecrypted in 10.3 and IS a security hole. This was fixed in Tiger.

SC68Cal · Jun 12, 2006

While physical theft is a security issue, I use FileVault on my laptop and ensure that all of my important data is encrypted. If I get paranoid enough, I might create a quick little applescript that secure trashes all of my documents if the password isn't entered in correctly with maybe one try before it kicks into gear.

Blackheart · Jun 12, 2006

SC68Cal said:
While physical theft is a security issue, I use FileVault on my laptop and ensure that all of my important data is encrypted. If I get paranoid enough, I might create a quick little applescript that secure trashes all of my documents if the password isn't entered in correctly with maybe one try before it kicks into gear.

That'd be a little scary. I could just imagine a friend trying to log into my computer when I'm not around, and end up deleting all of my files; never to be recovered.

Mord · Jun 13, 2006

by wary of file vault, if your HD fails all your data is lost irreparably, every utility i've tried is unable to recover the sparseimage, if you make merticuleous backups then thats fine, but of cource your backups can be stolen which negates the point.

AppleAce · Jun 13, 2006

kinesin said:
Thanks for links. I'm not very aware of Open Firmware - what happens if you forget that password? Back to apple for a new cmos chip?

If memory serves, changing the amount of RAM in the machine, followed by restarting and zapping the PRAM 3 times in a row will reset the open firmware password.

Search

Search

OSx security - from a switcher.

kinesin

macrumors regular

crees!

Suspended

Blackheart

macrumors 6502a

yellow

Moderator emeritus

balamw

Moderator emeritus

Blackheart

macrumors 6502a

balamw

Moderator emeritus

Mord

macrumors G4

7on

macrumors 601

kinesin

macrumors regular

yellow

Moderator emeritus

kinesin

macrumors regular

yellow

Moderator emeritus

SC68Cal

macrumors 68000

Blackheart

macrumors 6502a

Mord

macrumors G4

AppleAce

macrumors regular

Our Staff