50

Recently, I had a Mac which fried its video logic board. Luckily, Apple had concluded that this was a design flaw and was fixing the affected models for free (see more here). However, I did not find this page for a while, and during that time had to think about recovering my data. So, I looked around the interwebs and found single-user mode.

When the computer is off, press the Power On button while holding down the command and s keys. Keep holding these down, and instead of booting to the Apple loading screen, it boots to the underlying Unix terminal. Once there, you can enter the following commands:

mount -uw /
cd /Users/
ls

And all of the users' home folders are displayed. Continuing to cd into these folders and ls to view contents, you can browse all of the users' files, without needing a password.

I then found that you are also able to plug in a USB stick and copy files to it (or from it), or perform actions on the files such as move and delete.


While this was helpful for me recovering data from my fried Mac, how is this a good idea? If I ever got hold of the MacBook of a friend and it was locked, I could just shut it down, boot into single-user mode and mess with their files - or even make a copy of them to a USB stick for later use. Macs are used by many people, a lot of whom have very important files that they need to protect.

This obviously isn't a bug, as Apple has a support article on how to enter single-user mode. I also know that one of the original purposes of single-user mode is to reset your password if you lost it, but giving access to the entire computer through the command line does not seem like a good way to go about it.

So, is this a problem? Is single-user mode bad? As far as I see it, it is a security hole, but I could be missing something.

Toastrackenigma
  • 88
    No matter what platform, login screens don't really protect any data from a physical attack. The only true mitigation is full disk encryption. – multithr3at3d May 18 '16 at 22:52
  • 2
    @korockinout13 Only Android does (with a locked bootloader, and maybe iOS too) since it does not allow booting from other devices and flashing ROMs without an unlocked bootloader – Suici Doga May 19 '16 at 06:54
  • 10
    @SuiciDoga Naw, you can attach a NAND reader to the board and dump all the data in a few minutes. Bypassing a locked bootloader is *much* easier than [bypassing full disk encryption](https://xkcd.com/538). – Navin May 19 '16 at 07:51
  • 1
    Locks, and login screens, only keep honest people honest. – Autar May 19 '16 at 08:26
  • 3
    It's a good thing. It forces you to realize a flaw that was always there, you just never saw it. Just like Chrome writing passwords in plain text. False sense of security is the biggest security hole - and it had been removed. – Agent_L May 19 '16 at 09:05
  • 8
    It's worth noting, but doesn't answer your question per se, that the single user mode traces its lineage very far back in UNIX history, quite likely to the very beginnings (and OS X is a UNIX descendant, so shares this history). On many systems, entering single user mode requires the root password (because unprotected single user mode is indeed a security risk), and on all systems, it is meant for low-level system maintenance that cannot be performed when the system is up and running. – user May 19 '16 at 09:39
  • 1
    Related on [unix.se]: [When was the UNIX single-user vs multi-user modes distinction first introduced?](http://unix.stackexchange.com/q/284119/2465) – user May 19 '16 at 09:49
  • @Navin Some Android devices have disk encryption. If you have an unlocked bootloader they can use the freezer attack (put phone in freezer and boot malicious recovery to copy the key). The NAND reader method could give them access to the data if it is unencrypted. The FBI hacked an iPhone which was encrypted earlier this year using NAND mirroring (Google it) – Suici Doga May 19 '16 at 10:44
  • 1
    Doesn't this mode require physical access? If the attacker has physical access to the machine, all bets are off anyway, so I don't see a serious issue here. – bwDraco May 19 '16 at 19:19
  • 10
    OSX isn't a "UNIX descendant," it's UNIX. http://unix.stackexchange.com/questions/1489/is-mac-os-x-unix – Dan Pritts May 19 '16 at 20:09
  • 1
    @DanPritts [It would be more proper to use "unix" or "Unix", not "UNIX"](http://www.greens.org/about/unix.html) UNIX usually refers to the OS developed and trademarked by Bell Labs (or sometimes, other vendors' proprietary OSes based on it), whereas "unix" refers to any UNIX-like, POSIX-compliant OS. – HopelessN00b May 21 '16 at 19:07
  • 7
    OS X is a BSD descendant/derivative. BSD is a unix-like operating system that descended from the original Unix. The Unix trademark is owned by "The Open Group" and a few years ago, Apple started paying them for certification as a "Unix" variant. tldr; depending on what your definition of Unix is, it's either a descendent, variant or "third cousin twice removed" who married back into the family or something like that. – Jonathan Vanasco May 22 '16 at 06:09
  • This is a comment on answers as well. I don't know about Macs, but if you are worried about physical security, many/most desktop/tower cases can be physically locked. So it is cheap and easy to make it quite hard (need bolt cutters and leave clear signs of breach, and make it very easy to involve police) to get the hard disk, simply by selecting lockable case, making sure HDs are installed inside, and buying a good lock. – hyde May 22 '16 at 19:57
  • @HopelessN00b, as Jonathan Vanasco says, OS X is in fact officially certified. And the officially certified trademark is "UNIX." – Dan Pritts May 24 '16 at 02:34

4 Answers

97

Physical access is total access, right? How is this any worse than a boot CD or yanking the hard drive and popping it into another system?

Not that I'm a fan of OSX or this particular feature, but if someone has physical access to a computer with an unencrypted disk, they have access to everything on that disk anyway, so single user mode doesn't make that any worse, either.

HopelessN00b
  • 12
    Sure it does, it makes it easier to access the data. Physically removing part of the computer, versus rebooting and holding down a key? – user253751 May 19 '16 at 07:34
  • 23
    @immibis there is also booting from USB, or even target disk mode: https://support.apple.com/en-us/HT201462 – Peter May 19 '16 at 07:52
  • 7
    So what about if the Mac is in a school environment or an office or a library? Someone could use this to install some malicious software or a keylogger or something else nefarious. They don't have to be an intruder, just a student or someone that normally has access rights to the computer. The "physical access is total access" thing is BS when you actually put it in context. Of course a student isn't going to be able to take the HDD out of the computer, but it's a lot easier to do something malicious at a software level. – JamEngulfer May 19 '16 at 17:02
  • @Peter : while Target disk mode is available during an active FileVault configuration, booting from USB is not. One has to open the Macbook and pull the SSD out of the M2 connector – atdre May 19 '16 at 17:07
  • 20
    @JamEngulfer 1) A student most definitely *could* pop out the hard drive of a computer. I did that very thing myself on the computers in my school's library, back when I was in 8th grade, IIRC. 2) A boot disk, which is another example I provided, provides an even greater level of access than OSX's single-user mode. 3) Physical access *is* total access, yes, with very few caveats. (Cold boot attacks against encrypted disks being a great example of how that is so.) Your personal feelings and unfounded assertions to the contrary don't change that. – HopelessN00b May 19 '16 at 17:08
  • Just wondering, was it something like an iMac, or more like a normally built computer in a case? I could take the HDD out of my home computer in a few seconds, but I'd have a lot more trouble taking one out of an iMac – JamEngulfer May 19 '16 at 17:14
  • 3
    @JamEngulfer iMacs didn't exist when I was that age, so in that particular instance, it was more like a normal desktop PC. That doesn't really change anything, though. With a couple simple tools, anyone can open an iMac or a MacBook and get the harddrive out inside a minute. It's a mistake to think that kids can't or won't do that because [it requires a spudger and a screwdriver](https://www.ifixit.com/Teardown/MacBook+Pro+13-Inch+Retina+Display+Late+2013+Teardown/18695). – HopelessN00b May 19 '16 at 17:32
  • 1
    @JamEngulfer If you're talking about education, "physical access is total access" expands to "wanting access is full access". Things are so insecure that I could probably, from home, hack into my school district's server, change everyone's grades, and install malware onto all computers across the school district in a few hours. – bjb568 May 20 '16 at 02:25
  • @immibis, when you talk about security, you talk about security from bad guys. Bad guys often do inconvenient things, if necessary. – Paul Draper May 21 '16 at 18:54
  • 1
    MacBooks are pretty easy, but I believe the latest iMacs are pretty well glued together. You might be hard pressed to open it in a minute, without leaving any obvious trace anyway. – Alexander O'Mara May 22 '16 at 07:33
  • 1
    @PaulDraper And the more inconvenient physical-access things a bad guy has to do the more likely they are to get caught doing it. – user253751 May 22 '16 at 09:23
30

If FileVault is enabled, then you would need the FVDE credentials for one of the FVDE users in order to access single-user mode, even if you move the solid-state drive to a new machine.

However, if you are trying to prevent an end user from accessing an Administrator account (and/or the root account), FileVault is not sufficient because of single-user mode. One can enter single-user mode using their FVDE credentials, remount the filesystem as you demonstrate, and then rm /var/db/.AppleSetupDone to re-run the OS X Setup Assistant where a new Administrator account can be added, and which will have FVDE credentials.

In other words, you can protect files if you enable FileVault, but you cannot prevent someone with at least one FVDE credential from accessing everything as root because of single-user mode.

atdre
  • 2
    Setting a firmware password (in addition to turning on FileVault FVDE) mitigates this somewhat. (I say "somewhat" because it doesn't protect against someone physically removing the drive, then using their regular FVDE password to unlock it on another computer.) – Gordon Davisson Jan 20 '17 at 22:01
  • Gordon, yes, and a firmware password may also help prevent a warm-boot or cold-boot attack as most Apple workstations have their RAM soldered to the board. Also -- always be sure you are updated -- http://www.theregister.co.uk/2016/12/16/apple_left_filevault_open/ – atdre Jan 21 '17 at 17:28
  • 1
    https://www.cnet.com/news/efi-firmware-protection-locks-down-newer-macs/ – atdre Jan 23 '17 at 21:31
  • https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/ – atdre Jun 14 '17 at 02:31
28

There's a misconception about this. The problem actually isn't the single-user mode. For example consider the following scenario:

Someone gets hands on your laptop. No harddrive-encryption and no BIOS-password. Now he has several options. Just to name two of them:

  • Get the harddrive out of the laptop and simply use it from another PC. Getting around any file-protection like file-owners defined by the system isn't exactly hard, since he can simply use sudo/the admin-account/whatever way of getting highest privilege his OS provides and simply alter the ownership the way he likes. On some macbooks this might get a bit difficult, depending on the way the harddrive is built into the machine.
  • Boot from another OS via a Bootable USB and retrieve the files via this OS.

Or the short version:

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

From the 10 immutable Laws of Computer Security. The singleuser-mode just provides a simple way to access the files without using any trivial workaround.

So: How do I protect my files?
First of all and pretty obvious: use disk-encryption, to prevent anyone from accessing the harddrive without password. OS X provides FileVault/FileVault2 for this purpose, which encrypts the data using XTS-AES 128. This would prevent anyone who doesn't have a registered account on the machine from booting the machine/accessing the files. But you can even take this one step further, by using a firmware-password (sometimes also referred to as EFI-password), to prevent your machine from booting from any other OS than your drive. In addition, access to user-mode, Recovery and a few other features is denied to unauthorized users as well. So activating FileVault and using a firmware-password should be enough to prevent anyone except you from accessing your files. The only option that would remain would be to remove the harddrive and break the password. In other words: you can't get much more security on this attack-vector.

Paul
  • 7
    "since the harddrive can't be removed in a simple way on most macbooks." I have removed the hard drive from my 2012 Macbook Pro no fewer than five times this month for various reasons. It takes me four minutes, they're not exactly hard to get to. – Undo May 19 '16 at 15:57
  • 1
    @Undo I should've been more clear on this point. I meant on most **new** macbooks. Laptops and especially Apple's products tend to be more and more difficult to disassemble. Most new laptops don't even allow to remove the battery without opening the casing. – Paul May 19 '16 at 16:29
  • 2
    The Retina MacBook's drive is just another chip surface mounted to the motherboard — it would definitely take more than four minutes to transfer that to another machine. Conversely, the drive in my MacBook Air is just a daughterboard. No problem. – Tommy May 20 '16 at 19:06
10

In addition to protecting the drive with FileVault 2's full-disk-encryption, you can disable single user mode by setting a firmware password. This will prevent other users who can decrypt the drive, such as a multi-user machine, from accessing the single user mode, among other things.

From Use a firmware password on your Mac:

To protect the data on your Mac, you can set a user account password to prevent unauthorized users from logging in. You can also encrypt your startup disk using FileVault so that unauthorized users can't read the data stored on your Mac without the right password.

For additional protection, you can also set a firmware password on your Mac. A firmware password prevents your Mac from starting up from any device other than your designated startup disk.

Though not specifically mentioned in the excerpt above, it disables single user mode (and the recovery partition) without first entering the firmware password, as it will only boot the default startup disk/partition without the password.

Of course, the firmware password does not protect against physically removing the drive and reading it from another machine, but used in tandem with FileVault 2 it can safeguard against other users with access to the machine.

Alexander O'Mara
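
Added example (not part of any answer above, and not Apple's code): a shell check that maps the output of `fdesetup status` and `firmwarepasswd -check` to the exposure levels the answers describe. It assumes an Intel Mac where `firmwarepasswd` is available; the function names and finding strings are illustrative.

```shell
#!/bin/sh
# Added example: classify a Mac's exposure to single-user-mode file access
# from the output of two stock macOS tools. Function names are hypothetical.

# state TEXT ON_REGEX OFF_REGEX -> prints 1 (on), 0 (off) or ? (unparseable)
state() {
    if printf '%s\n' "$1" | grep -q "$2"; then
        echo 1
    elif printf '%s\n' "$1" | grep -q "$3"; then
        echo 0
    else
        echo '?'   # tool missing, not root, or unexpected output
    fi
}

# assess FDESETUP_OUTPUT FIRMWAREPASSWD_OUTPUT -> prints one finding line
assess() {
    fv=$(state "$1" '^FileVault is On' '^FileVault is Off')
    fw=$(state "$2" '^Password Enabled: Yes' '^Password Enabled: No')
    case "$fv$fw" in
        00) echo "EXPOSED: single-user mode, external boot or a removed drive read user files without a password" ;;
        10) echo "PARTIAL: files are encrypted at rest, but any FileVault user can still reach root via single-user mode" ;;
        01) echo "PARTIAL: single-user mode and external boot need the firmware password, but a removed drive is readable" ;;
        11) echo "HARDENED: FileVault and firmware password are both set" ;;
        *)  echo "UNKNOWN: could not parse tool output; do not assume protection is on" ;;
    esac
}

# Query the live system only on macOS as root (firmwarepasswd requires root).
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    assess "$(fdesetup status 2>&1)" "$(firmwarepasswd -check 2>&1)"
fi
```

Anything other than a recognised on/off line is reported as UNKNOWN rather than treated as "off" or "on", so a failed command never produces a false HARDENED result.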