Setup guide
3.8.3 Securing Single-User Boot
On Apple systems running Mac OS X, Open Firmware is the firmware executed
immediately after the computer is powered on; it is analogous to the BIOS on an
x86-based PC. Anyone who can boot the machine into single-user mode or from an
alternate disk obtains root access without a password, so the Open Firmware
settings should be altered to require a password for anything other than a normal
boot. For desktop systems, the Open Firmware security mode should be set to
command. To configure the Open Firmware settings:
1. Boot the machine while holding Command-Option-O-F (all four keys at the
same time) to enter the Open Firmware command prompt.
2. At the prompt, enter the command:
password
3. Enter and verify the password to be used as the Open Firmware password.
This password is limited to eight characters. A strong password should be
chosen; in this instance, a machine-generated random password is a good
choice. Write the password down and secure it in the same location as the
FileVault master password. It will not be needed except in situations where
the system must be booted from an alternate disk, such as when the boot disk
fails or its filesystem is in need of repair.
4. At the next prompt, enter:
setenv security-mode command
(Entering printenv security-mode at the prompt confirms the new value before
rebooting.)
5. To restart the computer and enable the settings, enter the command:
reset-all
6. The system should reboot into the Login Window.
In command mode, the system boots without prompting only from the device named
in its boot-device variable; startup key combinations, boot arguments and booting
from any other device require the Open Firmware password. The setting lives in
NVRAM, so it is only as strong as the physical security of the machine.
To test that the system has been put into command mode as recommended:
1. Close all applications and choose Restart from the Apple menu.
2. A confirmation window will pop up. Continue restarting the machine by
selecting the Restart button.
3. Hold down the key combination Command-S while the machine boots.
4. If command mode has been set correctly, the machine will continue
booting into the Mac OS X Login Window. Normally, holding down the
Command-S key combination during a reboot would cause the machine to boot
into single-user mode.
5. If the system did reboot into single-user mode, restart the system by
issuing the command reboot. Then repeat the previous steps for putting
the system into command mode.
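The reboot test above proves the setting from outside the operating system. As an added check (example script, not part of this guide), the same variable can be audited from a running Mac OS X session with the nvram(8) tool, which prints each Open Firmware variable as a name, a tab and its value. The two nvram dumps embedded below are constructed samples so the logic runs anywhere; on a PowerPC Mac the last stanza feeds the live `nvram -p` output through the same audit. Function names are the example's own.

```shell
#!/bin/sh
# Added example: audit the Open Firmware security mode from a running
# Mac OS X session. nvram -p prints "name<TAB>value" per firmware variable.

# Constructed sample of `nvram -p` output from a machine that has NOT been
# secured: security-mode is still "none".
SAMPLE_NVRAM_UNSECURED=$(printf 'boot-args\t\nsecurity-mode\tnone\nboot-device\thd:,\\\\:tbxi\n')

# Constructed sample from a machine configured per this section.
SAMPLE_NVRAM_SECURED=$(printf 'boot-args\t\nsecurity-mode\tcommand\nboot-device\thd:,\\\\:tbxi\n')

# security_mode_from_dump: read an nvram -p style dump on stdin and print the
# value of security-mode, or "unset" when the variable is absent.
security_mode_from_dump() {
    awk -F '\t' '
        $1 == "security-mode" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# single_user_boot_blocked: succeed (exit 0) when the given mode makes Open
# Firmware demand a password for Command-S and other boot keys, i.e. when the
# mode is "command" or "full"; fail for "none", "unset" or anything else.
single_user_boot_blocked() {
    case "$1" in
        command|full) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_open_firmware: read a dump on stdin, print PASS/FAIL with the mode
# found, and return 0 on PASS, 1 on FAIL.
audit_open_firmware() {
    mode=$(security_mode_from_dump)
    if single_user_boot_blocked "$mode"; then
        echo "PASS: security-mode=$mode (boot arguments disallowed)"
        return 0
    fi
    echo "FAIL: security-mode=$mode; set a password and 'setenv security-mode command' in Open Firmware"
    return 1
}

# Stand-alone run: audit both constructed samples, then the live firmware
# variables when the nvram tool exists (i.e. when actually run on a Mac).
printf '%s\n' "$SAMPLE_NVRAM_UNSECURED" | audit_open_firmware || :
printf '%s\n' "$SAMPLE_NVRAM_SECURED" | audit_open_firmware || :
if command -v nvram >/dev/null 2>&1; then
    nvram -p | audit_open_firmware || :
fi
```

Reading NVRAM does not require root, so the audit can run from an ordinary account. The script deliberately does not try to set the password: that step requires physical presence at the Open Firmware prompt (or Apple's Open Firmware Password utility), which is exactly the property the control relies on.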
UNCLASSIFIED