sorry....pt II
"Administrative users can boot from alternate locations by selecting an alternate System folder in the Startup Disk preference pane in System Preferences, by holding down the option key during startup, or by holding down the c key to boot from an installation CD. If the system is booted into Mac OS 9.x, filesystem permissions on HFS+ volumes can be circumvented, allowing the equivalent of root-level access to those volumes. Booting from alternate Mac OS X installation locations circumvents filesystem permissions for both HFS+ and UFS volumes. If an attacker has installed X on an external drive and can boot from it, he can authenticate against his own root or administrative user password hash on the external drive instead of the hashes stored in the default boot device. Installing X on a UFS volume obviously imparts no resistance to this method of attack.
Apple has also provided a method by which a user may reset any user password on a Mac OS X system. This is accomplished by booting from a Mac OS X CD and selecting "Reset Password" from the Installer menu. Apple considers this a feature. It will certainly be useful in a home setting where an administrative user may not understand the importance of remembering passwords, but it presents a risk of which any administrator should be aware.
"Target Disk Mode" also enables booting from an alternate volume. Mac OS X systems that have built-in FireWire ports can be started up in Target Disk Mode by holding down the t key upon startup. Connecting another Macintosh via FireWire cable to the system booted in Target Disk Mode will allow the mounting of its volumes. If the host computer is running Mac OS 9.x, it will be able to mount HFS+ volumes on the target computer. If the host computer is running Mac OS X, it will be able to mount UFS and HFS+ volumes. Either way, the host computer will potentially gain root-level access to any volumes it can mount.
Another method of booting a Mac OS X system is single user mode. One may enter single user mode by simply holding down the command-s key sequence during system startup. The risk here is that single user mode requires no authentication by default and imparts root-level access to the system.
The most apparent method to eliminate these risks associated with physical access to a Mac OS X system is to change the "security-mode" variable in the system's Open Firmware. This setting is supported by Apple Open Firmware 4.1.7 and later. Supported values for this setting are "none" (the default), "command," or "full." The effects of these values of the "security-mode" variable, at the Open Firmware prompt, are described clearly by CodeSamurai in a SecureMac.com article:
The "command" mode just restricts the commands that may be executed to "go" and "boot." Additionally, under the "command" mode, the "boot" command may not have any arguments; that is, it will only boot the device specified in the boot device [sic] variable; no other command may be entered or any settings changed unless the password is supplied. Moreover, this password protection feature also applies to booting up with the option key held down (which allows you to choose from available bootable volumes...). Finally, in "full" mode, the machine is completely prohibited from booting until the password is entered (21).
Apple provides a GUI utility called, appropriately enough, "Open Firmware Password" to set the Open Firmware security-mode variable to "command" and create an Open Firmware password. Once these settings are enabled and a password is set, (in addition to the Open Firmware command restrictions outlined above) keys that affect normal startup are disabled. An Apple Knowledge Base document provides details:
When turned off, Open Firmware Password Protection:
blocks the ability to use the "C" key to start up from a CD-ROM disc.
blocks the ability to use the "N" key to start up from a NetBoot server.
blocks the ability to use the "T" key to start up in Target Disk Mode (on computers that offer this feature).
blocks the ability to start up in Verbose mode by pressing the Command-V key combination during startup.
block [sic] the ability to start up a system in Single-user mode by depressing the Command-S key combination during startup.
blocks a reset of Parameter RAM (PRAM) by pressing the Command-Option-P-R key combination during startup.
requires the password to use the Startup Manager, accessed by pressing the Option key during startup.
requires the password to enter commands after starting up in Open Firmware, which is done by depressing the Command-Option-O-F key combination during startup. (11)
To enable these keys again the Open Firmware Password application must be used to reset the security-mode variable to "none." The password can be reset and changed 1) by any user of the admin group, 2) by starting up the computer from a Mac OS 9.x System Folder, or 3) if one has access to the internal hardware of the Macintosh. If the first method poses a risk, then administrators should verify that all users belonging to the admin group require such privilege and should consider using the sudo utility to allow finer-grained control of administrative privileges than the admin group scheme allows (see Authorized Root Privilege Mechanisms, below). The Open Firmware password itself will prevent all but one method (the Startup Disk preference pane) of booting Mac OS 9.x, so method two should pose no risk. If there is a threat associated with the vulnerability of physical access to the internal hardware, an administrator should lock the case of the Macintosh.
It is important to note that Apple neither supports nor endorses the use of these Open Firmware security measures on versions of Mac OS X earlier than 10.1 or when used with third-party software utilities. Improperly changing Open Firmware settings may cause damage that only Apple can repair and these repairs may not be covered by Apple's warranty. Good examples of potential harm are reports of permanent Open Firmware corruption if the Open Firmware password is not disabled before performing a firmware update.
The msec group has released a utility called FWsucker that will extract and decrypt the Open Firmware password. It is available at http://www.msec.net/software/FWSucker.sit. This program comes with little documentation and I have found that it worked only if my Macintosh was booted into Mac OS 9.2.2. It would not work while Mac OS X was booted. This program should pose little risk because unprivileged users will not be able to boot into Mac OS 9.x if Open Firmware is password-protected. If the Open Firmware password is set, the only way to boot into Mac OS 9.x without knowing the firmware password is to select a Mac OS 9.x system folder in the Startup Disk preference pane. This action can only be performed by users of the admin group. Note that it is a trivial procedure, then, for any administrative user to gain the Open Firmware password.
Leaving a system unattended while logged in as a user with administrator privileges or with an open shell that has administrator or root privileges is against recommended practices on any flavor of UNIX. All users should password-protect their screen saver and activate it when they step away from a Mac OS X system. This will prevent passersby from tampering with the system. One may enable this effect by clicking the "Use my account password" in the "Activation" tab of the Screen Saver panel in System Preferences. One should also select an appropriately short delay for screen saver activation using the slider here and create a hot-corner for immediate activation of the screen saver in the "Hot Corners" tab.
An out-of-the-box Mac OS X install, once activated by the creation of the first administrative user, may be set up to automatically log in that user upon system startup. This behavior should be disabled by unchecking the "Automatically log in" box in the "Login Window" tab of the Login preference pane in System Preferences. A final precaution that should be taken is to prevent Mac OS X from revealing valid usernames in the login window. One may do this by clicking the "Name and password entry fields" radio button, under the "Display Login Window as:" heading on the same tab.
To lessen the risk associated with physical access to a Mac OS X computer, administrators should make several changes to a default installation. They should create an Open Firmware password. This measure disables most methods of booting from alternate boot devices. They should carefully limit the privilege of belonging to the admin group to restrict the use of the Startup Disk preferences pane to boot from alternate locations. Administrators should disable automatic login and disable the display of usernames in the login window. They should physically lock the cases of Macintoshes. Additionally, all users should use a password-protected screen saver. The sum of these measures is a more physically secure Macintosh.
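The settings summarized above can be verified from a shell rather than by clicking through System Preferences. The following audit script is an added example written for this post; it is not from the paper or from Apple. It assumes a PowerPC-era Mac OS X on which `nvram security-mode` prints the Open Firmware variable, and it assumes that the Login preference pane stores its "Automatically log in" and "Display Login Window as:" choices in /Library/Preferences/com.apple.loginwindow under the keys autoLoginUser and SHOWFULLNAME. Each check takes the raw command output as an argument, so the PASS/FAIL logic can be exercised with constructed input on any system; the `--live` switch runs it against the real machine.

```shell
#!/bin/sh
# Audit of the physical-access hardening settings discussed in the text.
# Added example, not part of the original paper. Assumed commands and keys:
#   nvram security-mode                         (Open Firmware variable)
#   defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser
#   defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
# The two loginwindow key names are an assumption of this example.

# check_security_mode "<output of: nvram security-mode>"
# nvram prints "security-mode<TAB>value"; only command or full passes.
check_security_mode() {
    mode=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$mode" in
        command|full)
            printf 'PASS security-mode=%s\n' "$mode"
            return 0 ;;
        *)
            # Empty output (variable unset or firmware too old) is reported as none.
            printf 'FAIL security-mode=%s (set it with the Open Firmware Password utility)\n' "${mode:-none}"
            return 1 ;;
    esac
}

# check_autologin "<output of: defaults read ... autoLoginUser>"
# An empty value means no user is logged in automatically at startup.
check_autologin() {
    if [ -z "$1" ]; then
        printf 'PASS no automatic login user\n'
        return 0
    fi
    printf 'FAIL automatic login enabled for "%s"\n' "$1"
    return 1
}

# check_showfullname "<output of: defaults read ... SHOWFULLNAME>"
# true/1 = "Name and password entry fields" (passes);
# false/0 or unset = list of usernames shown in the login window (fails).
check_showfullname() {
    case "$1" in
        1|true|TRUE|YES|yes)
            printf 'PASS login window does not list usernames\n'
            return 0 ;;
        *)
            printf 'FAIL login window lists valid usernames (SHOWFULLNAME=%s)\n' "${1:-unset}"
            return 1 ;;
    esac
}

# audit_live runs the three checks against the running system and returns
# the number of failed checks, so the exit status doubles as a summary.
audit_live() {
    fails=0
    lw=/Library/Preferences/com.apple.loginwindow
    check_security_mode "$(nvram security-mode 2>/dev/null)" || fails=$((fails + 1))
    check_autologin "$(defaults read "$lw" autoLoginUser 2>/dev/null)" || fails=$((fails + 1))
    check_showfullname "$(defaults read "$lw" SHOWFULLNAME 2>/dev/null)" || fails=$((fails + 1))
    return "$fails"
}

# Usage: sh audit.sh --live   (one PASS/FAIL line per check; exit code = failures)
if [ "${1:-}" = "--live" ]; then
    audit_live
    exit $?
fi
```

The screen saver and case-lock measures from the summary are deliberately not covered: the screen saver password is a per-user setting that an administrator should check in each account, and the lock is a physical control no script can observe.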