oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button

Securing Your TiBook (or Any Other Mac OS X Machine)
Pages: 1, 2

Of course, this is a Macintosh and you're not supposed to have to use the command line for anything. If you'd prefer a Mac GUI program that will keep it simple, but only let you set a password and set the security-mode described above to "command" (or back to "none"), you can get one from Apple. But since you're here, why not read the rest of this article?

Note also that with full security turned on you can no longer:

  • boot a CD-ROM just by holding "c" when rebooting; you must get into OFW and type the somewhat cryptic boot cd:,\\:tbxi and give the correct password.
  • Use the graphical boot device chooser by holding the Option key when rebooting; you must give a boot command at the OFW prompt and give the correct password. (You can use the graphical boot chooser if you have security-mode set to "command"; the Mac will prompt you for the password in a tiny little text field.)
  • "Zap the PRAM" by holding down CTRL/Option/P/R while rebooting; you must give the set-defaults command and enter the correct password, then reset-all to save the new values.

A minor historical artifact: there are a few differences between Sun's implementation and Apple's. Sun's doesn't allow setting your own variables, but Apple's does. The only real result is that Apple requires more care in typing. For example, if you meant to say setenv boot-file hd:,ofwboot but you actually type setenv boot-fiel hd:,ofwboot Apple's implementation will silently create a new variable boot-fiel, and since you haven't actually set the boot-file to anything, it will still have the default value. That is, Apple's OFW implementation will silently ignore a lot of errors. Strangely, Apple's implementation also does not implement the unsetenv command, so there is no defined way of deleting these extraneous variables. Perhaps Apple just doesn't intend people to use OFW interactively; indeed, the all-important, user-friendly command-line help command does not work. Sun's at least gives you a list of commands by category.

Do NOT try to set the password using the nvram command or using setenv in OFW. Doing so will create a "word" called password which will "hide" the password command so you will no longer be able to invoke the password command in OFW (you can then only change the OFW password using Apple's GUI program described in the text).

And what happens if you forget the password? You can turn your doorstop back into a Mac, of course, but it may cost you. First, if you can still boot (i.e., you didn't set security-mode full), and you have the password to an "administrator" account, you can reset the password using the Apple-provided GUI program mentioned earlier (but not using the nvram command -- see sidebar). Otherwise, you have to open the case and add or remove any amount of system memory. Apple figured this would happen AND figured that if you have physical access to open it, you "own" the machine. So if the amount of memory changes, the password is removed. Yet another reason for not leaving your TiBook lying around unattended! If that doesn't work or you just don't want to open the case, take it back to your Apple service center.

Dual Booting

Although most readers won't need to set up a machine for "dual boot", that is, being able to boot into one of two different operating systems, you only need one extra OFW command to enable it. You probably don't need a "boot manager" as you would on a PC. For example, because of my security work, my TiBook often runs OpenBSD, but can easily be booted into Jaguar, depending on my mood when I boot it up. Other choices for dual-booting, if you need the capabilities of the other system, are NetBSD and Linux/PPC. As per the install instructions for OpenBSD, I set the boot-device to be "hd:,ofwboot" after installing the file ofwboot in the root of the HFS+ partition.

setenv boot-device hd:,ofwboot

Now when I boot, I can just type "boot" at the OK prompt (with security-mode full, or just restart the machine with security-mode command) to boot into OpenBSD. Or, I can type the cryptic

boot hd:,\\tbxi

(note that with command mode, I have to enter OFW, then type any command that requires a password, then type the boot command above. I guess a boot manager might be good after all. And don't ask me what tbxi stands for, but I simply observed that it's the factory default in printenv's listing. And it gets me into Mac OS X. Alternately, I could have left this setting alone and used "boot" to get Mac OS and "boot hd:,ofwboot" to boot OpenBSD (right now you cannot use the graphical boot chooser to boot into OpenBSD from the hard drive).

Again, for normal Mac OS X-only use, you only need to set a password and security-mode; it will prompt you for the password as appropriate.

Other Local Openings

So you've set a boot password and enabled full security. Now the bad guy can't just turn your machine on and walk all through your secret data, right? Wrong. Because, out of the box, OS X doesn't even require login passwords. First thing to do is change this. Go to System Preferences -> System -> Accounts -> Users -> Set Auto Login... and ensure that the "Log in automatically" checkbox is not checked for any user. You now have to type a password to login to the computer. As an aside, your login password should not be the same as the "BIOS password" set earlier.

Now the Screen Saver. Screen savers should always have a password, so nobody can use your machine if they walk up to it while you've stepped out for a coffee. Go to System Preferences -> Personal -> Screen Effects -> Activation, and ensure that "Use my user account password" is selected. While you're there, "Hot Corners" provides a convenient way to start the screen saver--which should now be a screen lock--just by dragging the mouse off a given corner of the screen. I use this feature.

What about your OS 9 disk? If you have an OS 9 disk attached to your machine, or an OS 9 partition, with some Mac hardware you can sometimes get the Mac to boot into OS 9 by interrupting the boot on the OS X partition. Either don't keep OS 9 disks online or ensure you have selected passwords under the Multiple Users control panel.

Mac OS X Hacks

Related Reading

Mac OS X Hacks
100 Industrial-Strength Tips & Tricks
By Rael Dornfest, Kevin Hemenway

Network Security Openings

If you use rsh, telnet or SSH, you might want to enable remote access to your computer. Mac OS X comes with OpenSSH, the free, open-source implementation of SSH, the Secure Shell protocol. The client is part of Mac OS X--to ssh out to another host, just say "ssh" and you've got an SSH connection, assuming the host runs an SSH server. To enable the SSH server, look in System Preferences -> Sharing and check the box for Remote Login.

While you're there, if your machine is on the Internet or any other network, you should probably start the "Personal Firewall" under the Firewall tab. The "Personal Firewall"--like pf or ipf on BSD UNIXes--provides a simple but effective packet filter which prevents all incoming network traffic other than what you allow. When you turn on a service like SSH, it is automatically allowed by the firewall. Note that if you don't enable the firewall, there is a greater chance of crackers accessing system services or files remotely. There is more detail on the Personal Firewall in Chris Cochella's macdevcenter article.

There is no rsh or telnet server--and I'm glad they don't ship r*d or telnetd. Actually these do ship with OS X, but there is no way to enable these services from the System Preferences, which is a step in the right direction. These puppies are dangerous--read: "totally insecure"--and should not be used. Your Mac OS X comes with ssh; use it instead.

Most of these servers, as well as the OS kernel, are part of the "open source" Darwin project, which means two things: bugs are likely to get found and likely to get fixed. The system crackers have the source code to this stuff and are reading it while you're reading this article, so do be sure and apply all updates that Apple makes available.

Finally, the fewer "sharing options" you enable, the less likely you are to suffer a hull breach when the crackers attack from deep in cyberspace.


OFW is designed to help in debugging operating systems; as such, it gives you much more control over the machine than is good for you. Do not experiment with OFW commands not discussed here; you can render your machine unbootable or lose data from your disk.

Here's a handy table that shows you four useful keyboard combinations related to restarting and powering down.

Control SequenceWhen validMeaning
Command-Option-O-F During restart Enter Open FirmWare
Control-Option-P-R When restarting "Zap the PRAM", disabled by security-mode
Control-Option-POWER Almost anytime Emergency Power Off
Command-shift-option-delete During Restart Boot from CD

Ian F. Darwin has worked in the computer industry for three decades: with Unix since 1980, Java since 1995, and OpenBSD since 1998. He is the author of two O'Reilly books, Checking C Programs with lint and Java Cookbook, and co-author of Tomcat: The Definitive Guide with Jason Brittain.

Return to the Mac DevCenter.