I really, really wish that before people freaked out about a "major security flaw", they'd learn how the thing they're flipping out about works. The latest round in OMGWTFKHAAAAAAAN!!!111 bingo is HackMac.org's article about Single User Mode and the .AppleSetupDone file. In a nutshell, they discovered that booting single-user and deleting the .AppleSetupDone file will cause the Mac OS X Setup Assistant (the one you see on a brand new Mac or a fresh OS install) to run, allowing you to create a new user "without knowing the current administrator password". According to HackMac, this is a "major security flaw":
Here's how to create an admin account without knowing the current administrator password.
This is a major security flaw, but it is used nowadays by tech support if something happened and your computer crashed, or something got messed up with your password.
First of all, no, it's not a major security flaw. It's how the OS has always determined whether it needs to run the initial Setup Assistant or not. A quick Google search for .AppleSetupDone pulls up references to doing this from 2001. MacOSXHints.com has a post from Sunday, April 22, 2001 about it, because it's part of recovering from a hosed NetInfo database. This is not new. At all. Nor does Apple hide this information. A quick search for that file name on Apple's support site yields four quick hits in three documents on this:
- Mac OS X, Mac OS X Server: How to Replace the NetInfo Database, which talks about this procedure in some detail
- Mac OS X Server 10.1.5 for Xserve: How to Reset the Administrator Password, which, like #1, dates back to 2002, and is specifically targeted at the very thing that HackMac decries as a "major security hole".
- Setting up Mac OS X Server for Xserve has this info too.
If this is some kind of "major security hole", it's the worst-hidden one in history. But then, it's not a hole. First of all, to do this at all, you have to have physical access to the machine in question to start Single-User Mode, or SUM. If I have that kind of unfettered, unmonitored access to a system, I can do far worse things than add a new administrator account via the Setup Assistant. That's actually the lame way to do it, because it's loud and slow. It's far more effective to partially bring the system up, then just do it via the proper command line tools, which would also let me better hide the damned thing. Or just enable root on the box. For that matter, I can just boot off an OS install disk and change the administrator password that way.
The point is, once you have unfettered physical access to the box, all bets are off. Your only hope is encryption, and that still relies on the quality of the password/passphrase.
As far as SUM letting me do this, well, that's what SUM's for. If you don't like people getting access to SUM, then set up an Open Firmware or EFI password, and lock access to the innards of your desktops. But once someone has SUM access and time, well, it's just their skills between you and an owned box.
But no, this is not a major security flaw, no matter what HackMac says. That article has some issues anyway. This part:
Step 6: Set up the computer. Select "DO NOT TRANSFER MY DATA". Don't worry, all your old stuff will still be there. Choose your internet connection and network; here is where you need your WEP or security password if you have one.

No, actually, you don't need this at all. That part is bypassable.
For a site about "hacking", HackMac needs to spend a little more time on why, so they understand what's going on before they start chicken littling things.