Creating New Users @ Command line Single-User Mode

yancyg
New Contributor

I have a unique issue - students @ our local JDC have been creating users in 10.6.8 with Single User Mode - I have brought the machine in to reimage. I believe they are using the info below to create the accounts. I am upgrading to 10.9.x, but wondering if there is a way to stop them from creating admin users via package, MCX or config profile?

  1. Boot into Single-User Mode

Turn on the computer. Upon hearing the startup chime, hold the key combination CMD+S. This boots the computer into single-user mode, which in turn gives you access via the root user. It is important to note, however, that this can be blocked by a firmware password. If that’s the case, head on over to one of our other guides on getting into single-user mode while locked.

  2. Mount the Hard Drive

Once single-user mode boots (it should look like a black screen with white text), we need to mount the hard drive. At the prompt type in:
/sbin/mount -uw /

  3. Remove the “Setup Has Been Completed” File

Now that the drive is mounted, we can edit the file system. We’re going to delete a file that tells your computer that you have completed the initial setup. Type in:
rm /var/db/.applesetupdone
This command deletes the file “.applesetupdone” in the /var/db/ directory, which the computer checks for on startup to ensure that the computer has already been set up.

  4. Reboot

Pretty self explanatory. We need the system to reboot so it can check for the file and then notice it’s missing. Type in:
reboot


b3nn
New Contributor II

Full out guessing, but can you set the autorun data to always add the .applesetupdone on boot?
or a script to 'touch' /var/db/.applesetupdone on boot

mm2270
Legendary Contributor III

As you already mentioned, setting up a Firmware Password that they don't know will stop them from booting into Single User mode, and thus stop them from creating new accounts.
The old trick of removing and replacing RAM sticks to reset the Firmware password doesn't work on most recent models within the last couple of years, so as long as your Macs fit that criteria, that would be the best way to stop them. The line stating "head on over to one of our other guides on getting into single-user mode while locked" may be referring to that old trick, but again, that doesn't work anymore on models from sometime in 2010 and up. The only way to get around a Firmware password is to know (or guess) the password and then unset it within Recovery HD, for example.

Banks
Contributor

single user mode = all bets off.
Use policy to reprimand offenders, I'd say. You could lock the firmware, at your support peril. Confucius say Do not bring knife to gunfight.
Allister

Chris
Valued Contributor

It's a losing battle.
Even with FileVault2 + Firmware password enabled,
if it's the "owner" of the computer who's tinkering with it,
they'd still have ways to accomplish this (depending on the kind of Mac they have), given a certain amount of "criminal" energy.
You can however set up some reporting on "non-standard" admin accounts, see
https://jamfnation.jamfsoftware.com/discussion.html?id=3541 and
https://jamfnation.jamfsoftware.com/discussion.html?id=7209 for example.
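Added example for the reporting Chris suggests (this is not code from the thread or from the two linked discussions): a shell script that reads the local admin group with `dscl` and prints every member that is not on an allowlist, so an account created from single-user mode shows up in the next inventory run or nightly report. The allowlist names (`root`, `localadmin`) and the sample `dscl` output are assumptions constructed for the example; the parsing is kept in its own function, separate from the live `dscl` call, so it can be exercised on any system.

```shell
#!/bin/sh
# Added example, not from the thread: report local admin accounts that are not
# on an allowlist. Detects (does not prevent) admin accounts created out of band.

# Accounts that are allowed to be in the admin group. Assumed values; adjust.
ALLOWED_ADMINS="root localadmin"

# Constructed sample of what `dscl . -read /Groups/admin GroupMembership`
# prints on a machine where someone has added "luser" to the admin group.
SAMPLE_MEMBERSHIP="GroupMembership: root localadmin luser"

# find_unexpected_admins MEMBERSHIP_OUTPUT ALLOWLIST
# MEMBERSHIP_OUTPUT is the raw dscl output: either one line
# ("GroupMembership: root localadmin luser") or, when dscl wraps the list,
# the label on its own line followed by one indented member per line.
# Prints one unexpected member per line; prints nothing when the group is clean.
# (macOS short names cannot contain spaces, so splitting on whitespace is safe.)
find_unexpected_admins() {
    membership="$1"
    allowlist="$2"
    # Drop the attribute label; what remains is whitespace-separated short names.
    names=$(printf '%s\n' "$membership" | sed 's/^GroupMembership://')
    for member in $names; do
        allowed=0
        for a in $allowlist; do
            if [ "$member" = "$a" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$member"
        fi
    done
    return 0
}

# Live check. Only does real work on macOS, where dscl exists; elsewhere it
# says so and returns 0. Output is a single line suitable for a Jamf extension
# attribute or a nightly report.
report_unexpected_admins() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; not a macOS system" >&2
        return 0
    fi
    live=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null) || {
        echo "could not read the admin group" >&2
        return 1
    }
    unexpected=$(find_unexpected_admins "$live" "$ALLOWED_ADMINS")
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED ADMINS: %s\n' "$(printf '%s' "$unexpected" | tr '\n' ' ')"
    else
        echo "admin group OK"
    fi
    return 0
}

report_unexpected_admins
```

Run it from a policy on whatever schedule your inventory uses and alert on any line starting with `UNEXPECTED ADMINS`. Two caveats: `GroupMembership` lists direct members only, so for an authoritative per-user answer use `dseditgroup -o checkmember -m <user> admin`; and a student who has root in single-user mode could edit the allowlist on the machine, so keep the allowlist in the management system, not only on the client. This complements a firmware password rather than replacing it.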

mm2270
Legendary Contributor III

Losing battle? Well, no technology is perfect and everything can be circumvented with enough time, energy and research, but I'd argue that setting the Firmware password would do two things:
1 - It will stop 95 - 99% of the offenders from using the above simple 2 minute procedure to create an admin account
2 - For anyone that DOES go through the amount of trouble necessary to circumvent the EFI lock, you can effectively throw the book at them because it will be a known that they really went out of their way to get around it.

Right now, if I were one of those students confronted with doing this, I'd just reply that it was so easy to do, so why shouldn't I? Just because you can't make it 100% impossible for them to do doesn't mean you shouldn't make it very hard to do. Right now it's trivial, and I honestly don't blame them for doing it.

I'd also implement the reporting as suggested above, so you can keep tabs on those illicit accounts.

yancyg
New Contributor

Thank you all for the advice. We have a variety of machines in the environment, from 2009 MacBooks to 2012 MacBook Pros. EFI or Firmware lock and FileVault look like the best solution for the time being to redeploy. With FileVault I will at least be able to protect the current admin password and username from being changed, then force a policy to users.

rmanly
Contributor III

Just as an FYI, they have simply found the easiest, fastest way to mess around with users. A Google search can turn up much better ways.

http://lifehacker.com/5681710/how-to-break-into-a-mac-and-prevent-it-from-happening-to-you

https://discussions.apple.com/thread/2448115

Here is a note I keep in nvALT:

To *change a user's password* while in single user mode in OS X…

# /sbin/fsck -fy
# /sbin/mount -uw /
# launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
# dscl . -passwd /Users/whitsongordon lifehacker

---

To *create a new user* from the command line.

# dscl . -create /Users/luser
# dscl . -create /Users/luser UserShell /bin/bash
# dscl . -create /Users/luser RealName "Lucius Q. User"
# dscl . -create /Users/luser UniqueID "1010"
# dscl . -create /Users/luser PrimaryGroupID 80
# dscl . -create /Users/luser NFSHomeDirectory /Users/luser

You can then use passwd to change the user's password, or use:

# dscl . -passwd /Users/luser password

Create /Users/luser for the user's home directory and change ownership so the user can access it, and be sure that the UniqueID is in fact unique.

# mkdir /Users/luser
# cp -r "/System/Library/User Template/English.lproj/" /Users/luser
# chown -R luser:staff /Users/luser

This line will add the user to the administrator's group:

# dscl . -append /Groups/admin GroupMembership luser

In the regular BSDs and Linux there are ways to secure single user mode. Unfortunately as you have found above we really only have firmware passwords and FV2 to deal with that... *shrug*

jacob_salmela
Contributor II

I take a slightly different approach since we do not currently use EFI passwords. Since I could not prevent them from booting to this mode, I decided to try the next best thing: get alerted when they do it. I came up with the script below.

Paired with Geektool running on my server, as soon as someone boots to this mode, I know about it.

#!/bin/bash
#----------AUTHOR------------
    # Jacob Salmela
    # 21 June 2013

#----------RESOURCES---------

#---------DESCRIPTION--------
    # This runs in Single-User Mode automatically
    #
    # Uncomment the echos for easier troubleshooting and to see the script in action
    #
    # Use Geektool on a server that constantly pings the IP address you set
    # If it successfully pings, you know someone booted into Single User Mode
    # You can also set it up to send you a notification

#-----------USAGE------------
    # To run:
    #
    #   Just save the file as /var/root/.profile
    #
    # It will run automatically any time Single-User Mode is launched
    # It can be cancelled by an admin using Ctrl C

#----------VARIABLES---------
    # Variables are hard-coded for now as a proof-of-concept
    # Change these according to your environment:

    # Ethernet device ID
    # This might be different depending on the hardware model, so adjust accordingly
    ethernetID="en0"

    # Put static IPv4 with subnet mask here, as two words (address, then mask);
    # they are passed to ipconfig as two separate arguments
    staticIP="10.10.110.200 255.255.0.0"

#----------FUNCTIONS---------

#########################
function mountAndLoad()
#########################
{
    # Skips fsck (the file system check) so the script finishes faster and finds the culprit sooner
    # Mounts the root volume read-write
    #echo "Mounting root partition..."

    /sbin/mount -uw /

    #echo "Root partition mounted."

    # Loads configd, which is responsible for network functions
    # This is necessary to get an IP.  It also allows the MAC address to be found in an ARP table...
    #echo "Loading configd..."

    launchctl load /System/Library/LaunchDaemons/com.apple.configd.plist

    #echo "configd loaded."

    return 0
}

#########################
function getIP()
#########################
{
    # Set a static IP that only appears when someone is booting to Single User Mode
    # Use a server running Geektool to alert an admin that someone booted into it
    # Head down to the computer and catch them in the act
    #echo "Setting static IP..."

    # $staticIP is deliberately left unquoted so it expands to "<address> <mask>"
    ipconfig set "$ethernetID" INFORM $staticIP

    #echo "Static IP set."

    return 0
}

#---------------------------------#
#----------script starts----------#
#---------------------------------#

# Single-User Mode runs the root shell with TERM=vt100. Quoting $TERM keeps the
# test from erroring out if TERM is unset (e.g. if this .profile is read elsewhere)
if [ "$TERM" = "vt100" ]; then
    mountAndLoad
    sleep 5
    getIP
fi