Isn't OS X's Single-User Mode a bad idea?

Physical access is total access, right? How is this any worse than a boot CD or yanking the hard drive and popping it into another system?

Not that I'm a fan of OSX or this particular feature, but if someone has physical access to a computer with an unencrypted disk, they have access to everything on that disk anyway, so single user mode doesn't make that any worse, either.


If FileVault is enabled, then you would need the FVDE credentials for one of the FVDE users in order to access single-user mode, even if you move the solid-state drive to a new machine.

However, if you are trying to prevent an end user from accessing an Administrator account (and/or the root account), FileVault is not sufficient because of single-user mode. One can enter single-user mode using their FVDE credentials, remount the filesystem as you demonstrate, and then rm /var/db/.AppleSetupDone to re-run the OS X Setup Assistant where a new Administrator account can be added, and which will have FVDE credentials.

In other words, you can protect files if you enable FileVault, but you cannot prevent someone with at least one FVDE credential from accessing everything as root because of single-user mode.


There's a misconception about this. The problem actually isn't single-user mode. For example, consider the following scenario:

Someone gets their hands on your laptop. No hard drive encryption and no BIOS password. Now he has several options. Just to name two of them:

  • Get the hard drive out of the laptop and simply use it from another PC. Getting around any file protection like file owners defined by the system isn't exactly hard, since he can simply use sudo/the admin account/whatever way of getting highest privilege his OS provides and simply alter the ownership the way he likes. On some MacBooks this might get a bit difficult, depending on the way the hard drive is built into the machine.
  • Boot from another OS via a bootable USB and retrieve the files via this OS.

Or the short version:

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

From the 10 Immutable Laws of Computer Security. Single-user mode just provides a simple way to access the files without using any trivial workaround.

So: How do I protect my files?
First of all, and pretty obvious: use disk encryption to prevent anyone from accessing the hard drive without a password. OS X provides FileVault/FileVault2 for this purpose, which encrypts the data using XTS-AES 128. This would prevent anyone who doesn't have a registered account on the machine from booting the machine/accessing the files.

But you can even take this one step further by using a firmware password (sometimes also referred to as an EFI password) to prevent your machine from booting from any other OS than your drive. In addition, access to user-mode, Recovery and a few other features is denied to unauthorized users as well. So activating FileVault and using a firmware password should be enough to prevent anyone except you from accessing your files. The only option that would remain would be to remove the hard drive and break the password. In other words: you can't get much more security on this attack vector.
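
The two controls named in the answers above can be checked from a shell. This is an added example, not part of any answer: it grades a Mac from the text printed by `fdesetup status` and `firmwarepasswd -check`. The function names and grade labels are illustrative, and the matched output strings are assumed to be the usual English output of those tools.

```shell
#!/bin/sh
# Added example: grade a Mac against the physical-access cases in the answers.
# Parses the text printed by `fdesetup status` and `firmwarepasswd -check`.

filevault_state() {   # $1 = output of `fdesetup status`
    case "$1" in
        *"in progress"*)      echo partial ;;  # still encrypting or decrypting
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

firmware_state() {    # $1 = output of `firmwarepasswd -check`
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *"Password Enabled: No"*)  echo off ;;
        *)                         echo unknown ;;  # tool missing or not run as root
    esac
}

posture() {           # $1 = FileVault state, $2 = firmware password state
    case "$1/$2" in
        off/*)     echo "EXPOSED: disk readable from boot media or another machine" ;;
        partial/*) echo "PARTIAL: volume is not fully encrypted yet" ;;
        on/on)     echo "HARDENED: FileVault on and firmware password set" ;;
        on/off)    echo "DATA-ONLY: files encrypted, but an FVDE user can still reach root" ;;
        *)         echo "UNKNOWN: could not determine state, check manually" ;;
    esac
}

audit() {             # $1 = fdesetup text, $2 = firmwarepasswd text
    posture "$(filevault_state "$1")" "$(firmware_state "$2")"
}

if command -v fdesetup >/dev/null 2>&1; then
    # Live check on macOS (run as root so firmwarepasswd can answer)
    audit "$(fdesetup status 2>&1)" "$(firmwarepasswd -check 2>&1)"
else
    # Constructed sample output, so the logic can be read off a Mac
    audit "FileVault is On." "Password Enabled: No"
fi
```
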
