OSx security - from a switcher.

Discussion in 'macOS' started by kinesin, Jun 12, 2006.

  1. kinesin macrumors regular

    Joined:
    Jun 10, 2006
    #1
    Hi, I've currently got a MacBook on order and currently been shipped to me so tonight leaving work I picked up the office powerBook G4 to take home and have a little bit of play - and to show the parents as they keep wanting a laptop and I'm not really keen on giving them a windows one. Support is difficult enough at the moment, but will be more so once they move to aboard.

    Anyway the powerbook was the only mac in our company hasn't been charged/switched on since november 2005 when the previous user left. The Windows IT guys where happy to let me take it home and play, especially as all the users data has already been deleted.

    Now unsuprisingly enough upon booting I didn't know either the admin or user password - however as I've been browsing round this site etc I realised that single-user mode existed and booted into that. (I'm a Unix/Linux admin by day and run debian at work).

    Now from my background single-user mode seems very insecure! The G4 is running 10.3.9 and a few command I've charged the root password and the users! (Not quite as simple ast 10.2 - 2 extra lines) No login prompt into single user mode, not bios prompt to CD.
    Is this still the case with tiger? Does changing the root and users password to admin automagically make that user a admin user?
    I know things like filevault and encrypted images exist - but how much is left out of these? Do the global logs etc show sites visited, is the cache and cookies contained within filevault.
    From by brief play tonight, if my laptop gets stolen it seems at least some data might accessible, even with filevault.

    Oh and is it possible to never display the user login names at the main login prompt?

    I'm a bit gutted that there isn't whole disk encryption - is it planned?
     
  2. crees! macrumors 68000

    crees!

    Joined:
    Jun 14, 2003
    Location:
    MD/VA/DC
    #2
    Answering this question you can have it so both name and password have to be typed in.
     
  3. Blackheart macrumors 6502a

    Blackheart

    Joined:
    Mar 13, 2004
    Location:
    Seattle
    #3
    AFAIK, filevault will secure anything you have within the scope of the encryption. For instance, to test it out, I've:

    1) Turned filevault on a home folder
    2) Booted the computer from an install CD
    3) Changed the password with the CD
    4) Booted the computer from the hard drive

    I couldn't access the home folder when logging in because the image of it was encrypted.
     
  4. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #4
    Turn on the Open Firmware password
    or
    Block Single User Mode
    or
    Password protect Single User Mode

    If you've used "passwd" to change the password, then it's likely that you've not actually changed the user's passwords, as OS X uses NetInfo, and not yellowpages. Not sure what you're saying here, changing a user's password to be the same as the root password has NEVER made a user an admin user in ANY UNIX-flavor. Do you mean added the user to the admin group? Then yes, of course that makes a regular user an admin user.

    FileVault only applies to the user's home directory.

    Yes, just use autologin from the Accounts prefpane to skip login and automatically logged in as the specified user.

    Planned? On encrypting the whole disk? Not likely.
     
  5. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #5
    Why not? Encrypted DMGs are already supported, so what's the diff between a DMG and a partition? No really, just curious...

    B
     
  6. Blackheart macrumors 6502a

    Blackheart

    Joined:
    Mar 13, 2004
    Location:
    Seattle
    #6
    Doesn't a dmg NEED an operating system to "open"?
     
  7. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #7
    No more than any other file system. This is why you can use "dd" to create a bitwise image of a partition on the disk, call it a DMG and mount it.

    B
     
  8. Mord macrumors G4

    Mord

    Joined:
    Aug 24, 2003
    Location:
    UK
    #8
    first thing i do with a new mac is password up open firmware and set a password to single user mode.
     
  9. 7on macrumors 601

    7on

    Joined:
    Nov 9, 2003
    Location:
    Dress Rosa
    #9
    yeah, I also hear that Macs can be picked up and stolen!

    By default you can get into the machine while sitting at it, but network security is much nicer. And you do have the option of setting up more security as others noted.
     
  10. kinesin thread starter macrumors regular

    Joined:
    Jun 10, 2006
    #10
    Thanks for links. I'm not very aware of Open Firmware - what happens if you forget that password? Back to apple for a new cmos chip?

    I did use 'passwd' to change the user's password, however it was against the netinfo database, just started the netinfo daemon after bootstrapping.
    On the user/root password been the same, I was just wondering Mac was doing something 'user friendly' as the user I'm now logged in as is admin user. I guess they always were.
     
  11. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #11
    What I took the OP's question to mean was that the whole boot partition and all would be encrypted. AFAIK, this would mean that the EFI would have to be modified to have the code to identify and decrypt the whole shebang, and then protect it (the EFI) from hackage. What a massive pain in the ass it would be to try and decrypt/boot/encrypt/shutdown. I just don't see it happening in Leopard.

    The initial set-up user (typically UID 501) is always an admin. Any subsequent users (typically UID 502+) are not admin unless specified as an admin. The UIDs can vary if someone has erased users and removed 'setupdone' files. But anyway..
     
  12. kinesin thread starter macrumors regular

    Joined:
    Jun 10, 2006
    #12
    I understand that FV is secure, I thinking more about cached email attachments been left on the unencrypted parts of the drive and such like...

    If I've already got a spare image in my home, (as in this case) can I just move it and run filevault on the current home.
     
  13. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #13
    AFAIK, nothing like that should be scattered anywhere but in ~/Library/

    Check /Library/Caches/ and you should find some very uninteresting things there.

    Also note, that /var/vm is unecrypted in 10.3 and IS a security hole. This was fixed in Tiger.
     
  14. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #14
    While physical theft is a security issue, I use FileVault on my laptop and ensure that all of my important data is encrypted. If I get paranoid enough, I might create a quick little applescript that secure trashes all of my documents if the password isn't entered in correctly with maybe one try before it kicks into gear.
     
  15. Blackheart macrumors 6502a

    Blackheart

    Joined:
    Mar 13, 2004
    Location:
    Seattle
    #15
    That'd be a little scary. I could just imagine a friend trying to log into my computer when I'm not around, and end up deleting all of my files; never to be recovered.
     
  16. Mord macrumors G4

    Mord

    Joined:
    Aug 24, 2003
    Location:
    UK
    #16
    by wary of file vault, if your HD fails all your data is lost irreparably, every utility i've tried is unable to recover the sparseimage, if you make merticuleous backups then thats fine, but of cource your backups can be stolen which negates the point.
     
  17. AppleAce macrumors regular

    Joined:
    Mar 7, 2005
    Location:
    USA
    #17
    If memory serves, changing the amount of RAM in the machine, followed by restarting and zapping the PRAM 3 times in a row will reset the open firmware password.
     

Share This Page