How to disable single-user boot (command S)

mac security boot

By default, Macs are extremely insecure if somebody can get physical access, as they can simply shut it down, press the power button, hold command-S, and there, they get root access in 5 seconds.

Is there a way to disable the single-user boot mode, or at least password-protect it?


Solution 1:

The best you can do is set a firmware password in hopes that someone won't change the boot options stored in NVRAM or let the keyboard select an alternate software to boot and bypass your administrative passwords.

Older macs use Open Firmware to enforce this password, newer ones use EFI Password to prevent booting into single user mode.

Physical access means with tools, your mac is vulnerable to physically reset the firmware password or remove the drive. To protect there, consider FileVault which encrypts the contents of your disk and requires the correct password regardless of physical access to the mac.

Solution 2:

With complete physical access, all bets are off regarding security of booting. Make sure that the data or user accounts that you care about are encrypted (filevault, et.al.) so that the bits on the disk are more likely useless without a password.

Related

Is there an iMessage client for OS X?
Is there any way to have a badge appear on the Terminal icon in the Dock when a command completes?
Control arrow key to jump to the next word
Can't stream audio from OSX Mavericks to Apple TV
How to transfer purchases from iPhone into iTunes library
What is the effect of the choice to "set up as new iPad"?
Strange behavior within MS Word: using Command-Shift-L launches Safari sometimes
Natural Scroll Direction: On with trackpad, Off with mouse
Change 'New folder' default name
permission denied mkdir /Volumes
How does the iPhone know it's not using an Apple cable?
what do App Memory, Wired Memory, and Compressed mean?