Mac OS X Security Tutorials 

Mission Lockdown - Get Smart With Security Tactics for Mac OS X

By Kevin White, Contributing Editor

Good day, special agent. It has come to our attention that the integrity of your OS X Macintosh is in danger. Physical access to your information could be compromised with a few easy hacks. There is an abundance of information on this site and others that discusses file security through permissions and network security using firewall technology. Yet should your Mac fall into the wrong hands (i.e. a teenager), all that you worked for could fall victim to a simple boot CD, or worse yet an errant sudo command. Your mission, should you choose to accept it, is the implementation of strong security measures for your OS X Macintosh.

Admins away!

The first step to a secure OS X Macintosh is to limit who gets in and, more importantly, what they have access to. In OS X there are Admin users and what most people refer to as Normal users. (Is there such a thing as a "normal" user?) Often thought of as a third type of user, the System Administrator (a.k.a. Root or Superuser) isn't really a user at all. Root access is more like a backdoor for emergencies and is not intended as an account to be used on a regular basis, but I digress. As you can imagine, Normal users have limited rights and Administrators can do pretty much anything they want. Now I know you can play with privileges all day long, and that the Admin account has default restrictions on certain system and user files, but before you start flame-mailing me, consider the following.

All Admins are created equal... equally powerful. Any Admin can change or delete any other user account on the system, even other Admin accounts. Also, any Admin can invoke the power of the System Administrator using the Terminal command sudo. (More on sudo later.) If that's not enough, Root access is initially deactivated on OS X, yet any knowledgeable Admin can activate it and set the password for Root authentication. All this boils down to only giving Admin access to those who can be trusted with the responsibility. However, given the amount of trouble Admins can get into, the safest practice is to have only one Admin user.

Authentication Anonymous

The OS X login window is another area of concern for the would-be Macintosh security expert. By default the login window advertises the user accounts on the machine. Now this may seem convenient to the user, but to a hacker it is valuable information that can further his crusade of mischief. There are two steps required to prevent usernames from appearing in the login window. First, open the Login System Preference and choose "Display Login Window as Name and Password entry fields."

The first step will axe the cute user pictures and the list of user names, but there is one more step to user anonymity here. You'll note the login window shows the name of the last user who logged in. This is a neat feature for legitimate Admins, but it still gives clues to hackers. Apple has recognized this problem and issued a software fix, clearly without the help of Apple Marketing. HideOrShowPreviousLogin, as it is so brilliantly named, is available on the Apple Support website.

Even the most diligent user may step away from his machine for the occasional bio-break, leaving his user account logged in and prime for hacking. If you didn't already know it, OS X's built-in screen saver has a password lock feature that works very well. There are a few catches, though. First, adding to the mayhem that is already possible with Admin access, any Admin can bypass the screen saver lock with their own username and password. The system will stop the screen saver and allow the Admin unfettered access to the user's environment. Also remember, if the machine goes to sleep before the screen saver starts, the screen saver will never automatically come on. Prudent use of the Screen Saver System Preference can thwart many an abandoned-machine hack.

The Root of the problem

The all-seeing, all-powerful, and all-potentially-destructive power of Root is so tempting that many users feel the need to activate Root access even though it's best to leave it off. Although Root is an effective tool for doing system work, in actuality it is not a necessity. By using the sudo command you can have all the Root access you need without even having Root activated. More on sudo later, as promised. Apple is wise to leave Root turned off, and you should too if you desire a secure system. However, Apple gets it wrong by leaving Root access wide open without a password on a new system. Thus, the first thing to do on a new system is to enable Root and set its password using NetInfo Manager. (You can find more info on enabling Root in other articles.) Once you have set up Root the first time, you can disable Root access.

With Root disabled, no one can authenticate as Root. (Disabling Root also turns off a notorious command line back door known as su, or "substitute user.") Now if you need to re-enable Root, you have to enter both the Admin and the Root password in NetInfo Manager. By disabling Root, you make it that much harder for a hacker to access system items. You may be thinking, "Disabling Root makes it that much harder for ME to access system items." Not true... read on.

You do that sudo that you do so well

Man, what a great command. Even the name is neat. Sudo, pronounced like pseudo, is short for "substitute user do." Precede any command with sudo and the machine will execute the command with the privileges of another user. Even better, the default action for sudo is to assume the privileges of the System Administrator. By default, all you need to invoke the power of sudo is an admin password. Here is an example where sudo can be a huge time saver. If you want to use the GUI to trash a deleted user's folder, you have to log out of your admin account, log in as Root, find the folder, throw it in the trash, empty the trash, log out of Root, and finally log back in to your admin account. Using Terminal with sudo, the following will delete the user's folder in a one-line command.

If you read the man page for sudo ("man sudo" in the Terminal), you'll find that this command does all kinds of nifty tricks. Check out this trick for becoming Root in the terminal without knowing the Root password. Remember, the only password required by sudo is an admin password.

Another advantage of using sudo instead of Root is that every time someone issues a command with sudo, it is logged for reference. Many UNIX gurus agree that sudo should be used in place of Root whenever possible because of this logging feature. Sudo writes its log entries to the file system.log, located in the directory /private/var/log/. The default location for the log entries, as well as many other defaults, is discussed in the manual for sudo. Upon reading the manual for sudo you will come upon the details of a very important sudo configuration file. The aptly named sudoers file, located in the directory /private/etc/, controls which users are allowed to execute sudo commands. By default, Root and all Admins are allowed to play with sudo. By modifying this file you can make it so only certain users, or nobody at all, can play with sudo.
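The logging feature is only worth something if somebody reads the log. As an added example (not part of this article, and not an Apple tool), here is a small Python script that picks the sudo entries out of system.log, counts successful commands per user, and pulls out the entries a reviewer would want to see first: refused attempts, commands that hand out an interactive Root shell, and edits to the sudoers file. The log lines are constructed for the example, in the syslog format sudo writes; the hostname, users and commands are invented, and the list of shell programs is an assumption you would adjust for your own system.

```python
import re
from collections import Counter

# Constructed sample of system.log (under /private/var/log) with sudo entries in
# sudo's own syslog format. Hostname, users and commands are invented.
SAMPLE_SYSTEM_LOG = """\
Mar  5 10:12:33 powerbook sudo:    kevin : TTY=ttyp1 ; PWD=/Users/kevin ; USER=root ; COMMAND=/bin/rm -rf /Users/olduser
Mar  5 10:14:02 powerbook sudo:    kevin : TTY=ttyp1 ; PWD=/Users/kevin ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Mar  5 10:20:47 powerbook sudo:    mallory : 3 incorrect password attempts ; TTY=ttyp2 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh
Mar  5 10:21:10 powerbook sudo:    mallory : user NOT in sudoers ; TTY=ttyp2 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh
Mar  5 10:25:00 powerbook lookupd[214]: lookupd (version 324) starting - Thu Mar  5 10:25:00 2004
Mar  5 10:31:55 powerbook sudo:    kevin : TTY=ttyp1 ; PWD=/Users/kevin ; USER=root ; COMMAND=/bin/sh
"""

# One sudo entry: timestamp, host, "sudo:", the caller, an optional refusal reason,
# then the TTY / PWD / USER / COMMAND fields sudo always logs.
_SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Programs that give the caller an interactive shell as the target user. Assumed list;
# a "sudo /bin/sh" entry is the Terminal equivalent of switching Root on.
SHELL_PROGRAMS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/zsh", "/usr/bin/su"}


def parse_sudo_log(text):
    """Return one dict per sudo entry found in the log text; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _SUDO_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ok"] = e["reason"] is None        # sudo logs a reason only when it refused
        e["program"] = e["cmd"].split()[0]   # first word of COMMAND is the executable
        entries.append(e)
    return entries


def review(entries):
    """Summarise entries the way a log review would: who ran what, and what to look at."""
    per_user = Counter(e["user"] for e in entries if e["ok"])
    failures = [e for e in entries if not e["ok"]]
    root_shells = [e for e in entries if e["ok"] and e["program"] in SHELL_PROGRAMS]
    sudoers_edits = [e for e in entries if e["ok"] and "/etc/sudoers" in e["cmd"]]
    return {"commands_per_user": dict(per_user), "failures": failures,
            "root_shells": root_shells, "sudoers_edits": sudoers_edits}


if __name__ == "__main__":
    report = review(parse_sudo_log(SAMPLE_SYSTEM_LOG))
    print("successful sudo commands per user:", report["commands_per_user"])
    for key in ("failures", "root_shells", "sudoers_edits"):
        for e in report[key]:
            why = f" ({e['reason']})" if e["reason"] else ""
            print(f"{key}: {e['ts']} {e['user']} -> {e['cmd']}{why}")
```

On the sample, kevin accounts for all three successful commands, mallory produces two refusals, and two of kevin's entries deserve a second look: the Root shell at 10:31 and the hand edit of /etc/sudoers with vi (visudo, which checks the file's syntax before saving, is the safer way to make that edit). To run it against a real machine, read /private/var/log/system.log instead of the constructed string.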

Now, if you have been paying attention, we have almost solved our first issue of having more than one Admin. If we want to have more than one Admin user, but we only want one Admin to have Root capabilities, we now know how to do that. First, follow the last section to set up and disable Root. Now only those who know the password can log in as Root. Second, edit the sudoers file so only Root has sudo privileges. Ultimately, only a user with the Root password will be able to have full system access.
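Before and after editing the sudoers file, it helps to be able to check exactly who it grants sudo to. As an added example (not part of this article), the following Python script parses a sudoers file and reports which principals may run anything, then checks whether Root is the only one left, which is the end state the two steps above aim for. The first sample file is modelled on the stock one early Mac OS X shipped (Root and the admin group both get everything) with an invented User_Alias added to show alias expansion; the second is the same file after the hardening described above. Both files are constructed for the example, and the parser covers only the parts of the sudoers syntax needed for this audit.

```python
import re

# Constructed sample modelled on the stock sudoers of early Mac OS X: root and every
# member of the admin group may run any command as any user. The OPERATORS alias and
# its members are invented to exercise alias expansion and line continuation.
DEFAULT_SUDOERS = """\
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
Defaults    env_reset

# User alias specification
User_Alias  OPERATORS = alice, bob

# User privilege specification
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
OPERATORS   ALL=(root) /usr/bin/top, \\
            /usr/sbin/lsof
"""

# The same file after the edit the article recommends: only root keeps sudo, so only
# someone who holds the root password gets full system access.
HARDENED_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL) ALL
"""

# Shape of a user specification:  who  host = (runas)  command, command, ...
_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def _logical_lines(text):
    """Yield sudoers lines with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line


def parse_sudoers(text):
    """Return (user, host, runas, [commands]) grants, with User_Alias names expanded."""
    aliases = {}
    grants = []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            continue
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        if line.split()[0].endswith("_Alias"):
            continue  # Host_Alias, Cmnd_Alias and Runas_Alias are not needed for this audit
        m = _SPEC.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        runas = m.group("runas") or "root"  # sudo's default target user
        for who in aliases.get(m.group("who"), [m.group("who")]):
            grants.append((who, m.group("host"), runas, cmds))
    return grants


def unrestricted_principals(text):
    """Sorted users and %groups that may run ALL commands through sudo."""
    return sorted({who for who, _host, _runas, cmds in parse_sudoers(text) if "ALL" in cmds})


def only_root_has_sudo(text):
    """True when root is the only principal with any sudo grant at all."""
    return {who for who, *_ in parse_sudoers(text)} == {"root"}


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"{label}: full access for {unrestricted_principals(text)}; "
              f"root only: {only_root_has_sudo(text)}")
```

Point it at /private/etc/sudoers (reading that file itself needs sudo or Root) to confirm the edit took: on the stock file it reports both root and %admin with full access, and on the hardened file root alone. Note that %admin is the group grant the article is talking about: removing that one line is what takes sudo away from the other Admin accounts.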

Hold down any key to compromise startup... Where's the anykey?

You can spend eternity setting up a perfectly secure operating system, but ultimately all a hacker needs to foil your system is to boot up from another system. The antiquated OS 9 doesn't give a hoot about UNIX user accounts or privileges. Even the most novice Mac user knows that by holding the "c" key, one can boot from a CD. Another startup mode is to hold the "option" key, which allows you to choose a boot volume among any connected drives, including FireWire devices. Or how about options for the OS X guru hacker? Holding down "option-s" in OS X boots into "super user mode," where no password is required to muck around with essentially Root access. Or he could boot from an OS X installer CD, which lets you change all the passwords on a machine. But wait, there's more! Start up holding the "t" key and turn your Mac into a FireWire target disk! Simply plug it into another Mac and suck down or destroy the entire contents of an internal drive at lightning speed.

Apple has provided all manner of startup modes to facilitate system management. However, every one of these highly useful tools is a serious security risk. Yet once again Apple returns with an eccentric little app to fix this problem. The Open Firmware Password utility, also available on Apple's support pages, will disable ANY startup mode on new Macs. To "turn on" Open Firmware Password, check the box and enter a new password. Finally, enter your Admin name and password.

Once Open Firmware Password is on, the Mac will always start up with the setting from the Startup Disk System Preference or Control Panel. The only way to bypass startup is to hold the "option" key, which will prompt you for the Open Firmware Password. Enter the correct password and you will be allowed to choose another startup volume.

The Open Firmware Password is almost hack-proof, but there is a back door. If you change the amount of physical RAM and double-zap the P-RAM by holding "command-option-p-r" at startup until you hear three chimes, you can nix the Open Firmware Password. Basically, you are proving to the machine that you have physical access to the system, and therefore you should be allowed in. Let's face it; if someone has enough time to take out some RAM, they might as well just yank the hard drive.

Aside from physically securing your Mac, these steps will ensure a safe OS X system. Remember, there is an old adage in the UNIX world: "The only secure computer is locked in a safe and off the network." Wasn't there a movie about some guy who broke into a computer in a safe? I think Tom Cruise was in it...

Anyhow, should you or any of your operatives fail this mission, all information regarding your actions will be disavowed by our organization. Good luck agent... this webpage will self-destruct in 15 seconds...

If you have any questions or comments about this article, feel free to e-mail me at kevin_white@osxfaq.com

Copyright © 2000-2008 Inside Mac Media, Inc. All rights reserved.