How can I stop someone from changing the admin password on my mac by using fsck?

658 Views 17 Replies Latest reply: Aug 21, 2012 5:35 PM by Kurt Lang
jonathan.enriquez
Aug 21, 2012 5:41 AM

I recently ran into a forum about changing any user's password on any machine (MBP, Mini, etc.) on Lion and below; I have not tested it on Mountain Lion. It's basically using fsck > making all files rewritable > then changing the password.

 

I know it must have been designed for someone to recover a lost password, but how can a business use Macs when a standard user can rewrite themselves as an admin. Hopefully someone out there has an answer.

Mac mini, Mac OS X (10.7.4)
  • Kurt Lang Level 7 (31,510 points)

    There isn't an OS in the world that can be locked down against a knowledgeable person with direct access to a computer. Even a firmware password can be worked around. If necessary, lock your computer away in a separate room, safe, or if it's a Mac tower, even consider removing the hard drive at the end of the day. But basically, you need to find out who has access to your Mac, keeps changing it and fire them (or have them fired), or kicked out if they're a roommate.

  • Kurt Lang Level 7 (31,510 points)

    Yup, but the reality is you can't fully lock down any computer against a person sitting in front of one. At least not a person who knows how to get around your attempts to block them.

  • Limnos Level 8 (36,585 points)

    It isn't fsck that re-sets the password, by the way. It is Single User Mode where you enter the commands, and that's easy to enter.

     

    An open firmware password makes it a lot more difficult for somebody to re-set the password. I'm not sure how things are with new computers, but with older Macs you would have to remove memory chips to re-set it. I guess you have to figure out if in your business you anticipate people bringing a screwdriver to work and disassembling their computer.

  • Kurt Lang Level 7 (31,510 points)

    To expand a bit on Limnos' comment. If you do set a firmware password, then IT would have to be the ones at the start of each day (or any restart) to enter the password and allow the Mac to finish booting while standing there and waiting until it was at the desktop. If you were to give the firmware password to each employee, you'd gain nothing. All they'd have to do is enter the password and then go right into Single User Mode.

     

    Setting up a firmware password is explained here. Also note it tells you three ways to remove the password.

  • Kurt Lang Level 7 (31,510 points)

    Not sure if that would help. They note it works with build 4K78, which is 12 years back to OS X 10.0, which would be the era of PowerPC Macs and Open Firmware, which doesn't exist on Intel-based Macs. OS X has also changed drastically since then.

  • Limnos Level 8 (36,585 points)

    Kurt Lang: I don't have firsthand experience with firmware passwords but my understanding (and supported by comments in the document you linked) is that it would not prevent normal booting of the machine for a regular user.  It does, however, prohibit the actions (see list in the link) that would enable a person to override regular login.  You could not, for example, start up in Single User Mode to reset the admin password, or use a separate startup volume to get access to the system files from the "outside". You would not have to have an IT person sitting there at startup every day ready to login at the base level before the user could then get into their account.

  • Limnos Level 8 (36,585 points)

    Guys, let me know what you think. Thanks.

    It looks like the links to that item are all dead.

  • Kurt Lang Level 7 (31,510 points)

    It does, however, prohibit the actions (see list in the link) that would enable a person to override regular login.

    As Limnos noted, those links appear to be long dead. They were also created for the very first version of OS X. I think it would be pretty much a guarantee they wouldn't work on any newer Mac, even if you could download them.

    You would not have to have an IT person sitting there at startup every day ready to login at the base level before the user could then get into their account.

    Yes, you are correct. My mistake above. However, it would be imperative that the user not know the Admin account name and password for that Mac so they couldn't disable the firmware password.

  • Limnos Level 8 (36,585 points)

    I believe the only direct way to remove the firmware password would be for a person to do it in the firmware password setup, and for that you need to know the firmware password.  Even if you know the admin. password that will not bypass firmware password level restrictions.  The firmware password operates at a much lower level than any of the OSX features.  You wouldn't even need to have OSX installed and the firmware password features would still be active if you set them up.  That's why you really have to start taking apart the computer in order to reset them, and I am not sure if even that will work with all Mac models and you may have to take it into an Apple Store.

     

    If you set a firmware password, do not forget it or you are really in a mess.

  • Kurt Lang Level 7 (31,510 points)

    According to Apple's article, the Admin user can remove or change a firmware password:

     

    Warning: The Open Firmware Password can be reset and changed by any one of the following (except MacBook Air):

    1. By any administrator user, as designated in the Accounts preferences (or in Server Admin).

    So if you knew the Admin name and password, you could login to the Admin account and change or remove the password in the Account settings of the System Preferences. While a firmware password blocks a variety of ways to startup your Mac, or boot to another drive, it doesn't appear to block logging out of an account and switching over to the Admin account.

     

    Really bad if you have a disgruntled employee who then changes the firmware password so only they know it.

  • Limnos Level 8 (36,585 points)

    Interesting, thanks. Still, if a person does not trust an employee sufficiently to provide them with administrator access in the first place, and there is a firmware password set so they cannot hack admin. access, they will not be able to get into the administrator features. If you trust them enough to provide them with admin. access then they already have open access to the computer and it doesn't matter if you set a firmware password they can remove. So the firmware password does provide a reasonable level of security against unauthorized admin. status unless you're worried about somebody walking off with the computer, but that's a whole different level of security concern.

  • Kurt Lang Level 7 (31,510 points)

    Haha! Yes, it's kind of a Catch-22. Somebody has to be able to reset the firmware password, or the Mac would be locked in its current state essentially forever since no one would be able to install a new OS (on a bootable disk or flash drive). So the Admin is the only account which can do that.

     

    But there are still other ways around it. The second way Apple's article notes is:

     

    Via physical access to the inside of the computer.

     

    It doesn't elaborate what you would do (good thing!). Apple was smart enough there not to be too verbose.
