How can I protect Single User Mode to require a password?

I once read that you can modify a file on the computer to make Single User Mode behave differently, called "boot.rc" or something similar. Is it possible to modify the behavior of SUM? Since physical access would compromise all security (except FileVault), is it possible to prevent SUM from running bash and immediately boot into the GUI (or at least into something which requests a password) so potential hackers would have no way to gain root access without a password?


Solution 1:

You can add a firmware password, which will need to be entered before the Mac can be booted into Single User Mode (or from external media). Boot with ⌘R to enter Recovery, then select Firmware Password Utility from the Utilities menu to set it up.

Solution 2:

Another option is to enable FileVault 2. It makes entering single user mode require the login password of an account that is allowed to unlock the disk.
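
A way to confirm that the settings from Solution 1 and Solution 2 are actually in effect, as an added example that is not part of either answer. It parses the output of the macOS command-line tools `firmwarepasswd -check` (Intel Macs, run as root) and `fdesetup status`; the function names are hypothetical and the fallback sample output is constructed.

```shell
#!/bin/sh
# Added example: report whether Single User Mode is password-gated.
# The parsers take command output as text so they can be checked offline.

# firmwarepasswd -check prints "Password Enabled: Yes" or "Password Enabled: No".
firmware_pw_enabled() {
    printf '%s\n' "$1" | grep -qi '^Password Enabled:[[:space:]]*Yes'
}

# fdesetup status prints "FileVault is On." or "FileVault is Off."
# "On" with encryption still in progress is reported as pending,
# because the volume is not fully encrypted yet.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)
            case "$1" in
                *"Encryption in progress"*) echo pending ;;
                *) echo on ;;
            esac ;;
        *"FileVault is Off"*) echo off ;;
        *) echo unknown ;;
    esac
}

# Either measure alone puts a password in front of Single User Mode,
# so the verdict is PROTECTED when at least one is fully active.
sum_protection_report() {
    fw_out=$1; fv_out=$2
    if firmware_pw_enabled "$fw_out"; then fw=set; else fw=unset; fi
    fv=$(filevault_state "$fv_out")
    if [ "$fw" = set ] || [ "$fv" = on ]; then verdict=PROTECTED
    else verdict=EXPOSED; fi
    echo "firmware_password=$fw filevault=$fv single_user_mode=$verdict"
}

# On a Mac (as root) query the live state; elsewhere use constructed samples.
if command -v firmwarepasswd >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    sum_protection_report "$(firmwarepasswd -check 2>&1)" "$(fdesetup status 2>&1)"
else
    sum_protection_report "Password Enabled: No" "FileVault is On."
fi
```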