sprocket i/o

thomas stromberg on technology, nature, and motorcycles


Mac OS X 10.5: Hacking Root

December 4th, 2007

We are experimenting with upgrading our laptops at work to Mac OS X 10.5, so I volunteered to be an early guinea pig. Mac OS X 10.5 adds a feature that enterprise laptop users have been desperate to have for years: cached credentials. You can now log in with Kerberos/LDAP and have it create a local ‘mobile user’ that syncs credentials with the server when you log in.

Unfortunately, at least with our configuration, this can cause problems. Sometimes it won’t take your password when you are off the network, and sometimes authentication is just dreadfully slow. Off the network, it was taking me 1-3 minutes to unlock my screensaver, which feels like an eternity. Sometimes I was unable to unlock the screensaver at all, but a reboot would let me log in just fine. This evening, however, it would not let me log in at all.

Boot CD

If you have a boot CD, you don’t need to read the rest of this article. You should be able to reset it from there. This is boring.

Single User Mode

In order to bypass the standard authentication to repair a UNIX machine, you boot into its rescue instance, called “single user mode”. To access it, press Cmd-S while booting. This puts you into a console interface, and reminds you what you need to do before you edit files:

% fsck -fy
% mount -uw /

The fsck is only actually required if the root filesystem was unmounted ungracefully. If you aren’t sure, the risk of data corruption makes it worth the 60 seconds it will take to run.

Introducing DirectoryService

In Mac OS X 10.4, local user information was stored in NetInfo, which was an abomination at best, and a holdover from the old NeXTstep days. In Mac OS X 10.5, this has been replaced with the Directory Service component of Open Directory. Instead of NetInfo’s binary blobs, the DirectoryService(8) daemon serves data out of XML files held in /private/var/db/dslocal.

While XML files are easy to edit with any text editor, we will use dscl(1) in these examples because it’s hard to come up with a hashed password in its format otherwise. First we need to start up the directory service using launchctl(1):

% launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
% launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServicesLocal.plist

Making the Change

Now you are ready to launch dscl, the directory service controller. You can use it to explore and manage your directory service, by passing it appropriate arguments on the command line, or using its interactive mode. For whatever reason, the interactive mode worked for me whereas the command-mode did not, so I recommend using the interactive mode instead:

% dscl
Entering interactive mode... (type "help" for commands)
> -passwd Local/Default/Users/root MY_PASSWORD
(Ctrl-D)

If you get errors about not being able to access the directory service, make sure you executed both launchctl lines above. It will only ask you to load the Local one, which is an error.

Once the password has been set, hit Ctrl-D to save & exit in dscl, and type ‘exit’ in the shell to leave the console mode. Unlike previous Mac OS X versions, you will exit to the graphical login screen. You should now be able to log in as root with MY_PASSWORD. If not, you may need to use dsenableroot to enable root logins, but it was already enabled on my host.

Voila.
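To check afterwards what state the root record is in, the XML user record under /private/var/db/dslocal can be parsed directly. This is an added example, not code from the original post. The record layout (every attribute is an array of strings), the key names, and the reading of "*" as "no password login" are assumptions, and the sample record is constructed.

```python
import plistlib

# Constructed sample of a dslocal user record (assumed layout: each
# attribute is an array of strings). Not copied from a real machine.
SAMPLE_ROOT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>authentication_authority</key>
    <array><string>;ShadowHash;</string></array>
    <key>name</key>
    <array><string>root</string></array>
    <key>passwd</key>
    <array><string>********</string></array>
    <key>uid</key>
    <array><string>0</string></array>
</dict>
</plist>
"""

def first(record, key, default=None):
    """Return the first value of a multi-valued attribute, or a default."""
    values = record.get(key) or []
    return values[0] if values else default

def audit_user_record(xml_bytes):
    """Summarise one user record and flag a uid 0 account that accepts a password."""
    record = plistlib.loads(xml_bytes)
    uid = first(record, "uid")
    # Assumption: "*" (or no passwd attribute) means password login is disabled.
    marker = first(record, "passwd", "*")
    password_login = marker != "*"
    flagged = uid == "0" and password_login
    return {
        "name": first(record, "name"),
        "uid": int(uid) if uid is not None and uid.lstrip("-").isdigit() else None,
        "password_login": password_login,
        "authorities": list(record.get("authentication_authority", [])),
        "finding": "uid 0 account accepts a password" if flagged else None,
    }

if __name__ == "__main__":
    print(audit_user_record(SAMPLE_ROOT_PLIST))
```
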
