open firmware

Apr 27 2009

Full Security

Brought to you by: James with special thanks to simX and Michel Evrard.

All right you security freaks. It’s time to make your computer a fortress. I’m sure that most of you have at least a password set on your user and the password prompt activated at startup, otherwise you wouldn’t be here. But did you know that anyone with access to your computer can boot from the install CD and reset your password? Well, they can, and if they want to, they will.

Call me paranoid, but I like plenty of security, especially on my iBook.

As I’m sure you all know, the ROM (open firmware) is the first part of your computer to activate. It then tells everything else what to do. What we’re going to do today is put a password on that guy, thus disallowing anything else to activate (including the CD Drive and the Hard Drive) without the proper password. Here’s what you do:

Boot up, holding command-option-o-f

You’ll now see a white screen with a few basic instructions. At this screen, enter setenv security-mode full

You’ll be asked to enter a password, do so, confirm, and now you’re ready.

Enter mac-boot

You’ll be asked for your password. Enter it. Now you’re on your way to a normal restart.

Incase you ever want to disable this feature, just enter setenv security-mode none

To re-enable it, just enter setenv security-mode full again.

Note: This security mode disables everything but booting straight to the Hard Drive. If you want to boot to the Command Line or a CD, you’ll have to disable the security.

Thanks to simX, we now know how to override this feature. “First, you need to open up the computer and add or remove a memory module (this is essential). Then, turn on the computer and immediately zap the PRAM, by holding down the keys Command-Option-P-R. Keep holding them down until you hear 3 additional startup chimes (that’s in addition to the first one you hear when powering on) — this will make sure you zap the PRAM. You’ll now be able to start up the computer without needing to enter the open firmware password. You may return the removed memory module at any time after this point.”

simX would also like to point out that there are some faults to this feature. “One of these is an alternate keyboard layout: when booting into open firmware, your keyboard layout will always be the default QWERTY layout (unless there’s some way to set this of which I don’t know — I’d be interested). So you could accidentally enter a password in your default keyboard layout, but the password will actually be entered in the QWERTY layout. Next time you try to enter your password when you restart, it won’t work.”

Michel Evrard has a way to change the keyboard’s layout as it is perceived by Open Firmware. “The default layout used before login is actually the root user default layout, and is certainly QWERTY when you install your machine with such a keyboard. Activate the root user from an Admin account (sudo passwd root, etc…), login as root, go into System Preferences to change your keyboard layout to fit what you need, and logoff from root. Et voilà! This default keyboard layout is also probably in a plist file belonging to root and can then be edited without activating the root user which is I admit a better solution. But I haven’t had the time to do the search yet. If you find it, I will be interested !!”

Well, I hope you enjoyed my security tutorial. Have fun!

* MacMerc.com is not responsible for lost or damaged computers.

By admin • Articles, Power User Monday Tip of the Week • Comments Off • Tags: anyone with access, command option, computer, everything, evrard, Full, full security, layout, Login, mac boot, memory module, open firmware, password, proper password, root, security mode, simX, time