Password protect Single User Mode in OS X

There are times when setting a firmware password is less than desirable, but protecting access to single user mode is still required.

The key to this is the “lock” command.  From the man page:

lock - requests a password from the user, reads it again for verification and then will normally not relinquish the terminal until the password is repeated. There are two other conditions under which it will terminate: it will timeout after some interval of time and it may be killed by someone with the appropriate

Apple stopped shipping the command with the OS after 10.4.  Fortunately it is open source, so it can be compiled for newer releases.  You can get the source here or download a precompiled version here.  The lock command should be installed into /usr/bin/.

Once lock has been installed it is important to set the root password. This can be done with the following command.

sudo passwd -i file root

It is important to note that this saves the password hash to the UNIX password file, which can be recovered via target disk mode or by removing the drive and then brute forced, so choose a strong password that is used for nothing else.

The next step is to create a .profile in /var/root/ with the contents “/usr/bin/lock -p -t 38000”.  This can be done with the following command.

echo "/usr/bin/lock -p -t 38000" | sudo tee /var/root/.profile

Now when you try to boot to single user mode you will be prompted for a password.

Note: The -p flag tells lock to use the root password that we set earlier and the -t flag sets the timeout in minutes (the default is 15 min).
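As an added example (not part of the original post), the steps above as a script: it writes root's .profile so the single-user shell runs lock right away, then audits that the lock binary exists, that the profile invokes it with -p, and that the profile is not group- or world-writable. Paths and the timeout are parameters so it can be exercised against a scratch directory; against the real /var/root it has to run as root, since the redirect in "sudo echo ... > file" is performed by the calling user's shell.

```sh
#!/bin/sh
# Added example, not from the original post: write root's .profile so the
# single-user shell runs lock(1) at once, then audit the result. Paths and the
# timeout are parameters so the functions can be pointed at a scratch directory;
# for the real /var/root run it as root: sudo sh lock-profile.sh --apply

LOCK_BIN_DEFAULT=/usr/bin/lock       # where the post installs lock
PROFILE_DEFAULT=/var/root/.profile   # read by root's login shell in single-user mode
TIMEOUT_DEFAULT=38000                # the post's value; lock -t is in minutes

# write_lock_profile PROFILE LOCK_BIN TIMEOUT_MINUTES
# Writes the one-line profile and restricts it to owner read/write.
write_lock_profile() {
    profile=$1; lock_bin=$2; timeout=$3
    printf '%s -p -t %s\n' "$lock_bin" "$timeout" > "$profile" || return 1
    chmod 600 "$profile"
}

# audit_lock_profile PROFILE LOCK_BIN
# Succeeds only if the lock binary is executable, the profile invokes it with
# -p (use root's password), and the profile is not group- or world-writable.
audit_lock_profile() {
    profile=$1; lock_bin=$2
    [ -x "$lock_bin" ] || { echo "missing or not executable: $lock_bin" >&2; return 1; }
    [ -f "$profile" ] || { echo "missing: $profile" >&2; return 1; }
    grep -q -- "^$lock_bin -p " "$profile" \
        || { echo "$profile does not run $lock_bin -p" >&2; return 1; }
    mode=$(ls -ld "$profile" | cut -c1-10)   # e.g. -rw-------; cols 6 and 9 are g/o write
    case "$mode" in
        ?????w*|????????w*) echo "$profile is group/world writable ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# Touch the live system only when explicitly asked.
if [ "${1-}" = "--apply" ]; then
    write_lock_profile "$PROFILE_DEFAULT" "$LOCK_BIN_DEFAULT" "$TIMEOUT_DEFAULT" \
        && audit_lock_profile "$PROFILE_DEFAULT" "$LOCK_BIN_DEFAULT" \
        && echo "single-user mode lock configured"
fi
```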


Workgroup Manager issue in 10.7


There is an issue in Mac OS 10.7 when working with Workgroup Manager (WGM) to administer a Mac OS 10.6.8 or other legacy directory service.  After launching and quitting WGM several times you get an error reporting “The server you are attempting to connect to has the maximum number of connections allowed.”

(Screenshot: Workgroup Manager error message)


The culprit is the “dspluginhelperd” daemon.  You can either quit the process in Activity Monitor or run the following command in Terminal:

sudo killall dspluginhelperd

After this you will be able to launch Workgroup Manager and connect to your directory servers.