Escalate Privileges on Mac OS X

From Secure Computing Wiki
Revision as of 22:52, 23 November 2010 by Exyhypele (Talk | contribs)

Jump to: navigation, search

Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page


This is a rewrite of the article from Hackszine on 2/13/2009.


Mac OS X has very few core differences in operation from a standard Unix operating system. In many cases, a trick that works on Linux or FreeBSD will work, with little modification, on Mac OS X. We'll apply this to escalation of privileges. We do this the same way a root password is recovered on Linux or BSD systems.

How To

<ol> <li>First, reboot the machine into single-user mode. Do this by holding the Command-S key combination until the machine has booted.</li> <li>Once booted, mount the file systems read-write. Most default-installed Mac OS X systems only have one partition: <pre>:/ root# mount /</pre></li> <li>Now. we need to launch directory services. <pre>:/ root# launchctl load /System/Library/LaunchDaemons/</pre></li> <li>Add the user to the admin group. To add the group membership to a user, use the following command: <pre>:/ root# dscl . append groups/admin users <username></pre></li> <li>Using one of the two following commands, verify the user has been added to the admin group:

  1. groups <username> -or-
  2. dscl . read groups/admin users (there is a space on either side of the period)


Lock it Down

In Mac OS X 10.4 and later, simply setting an Open Firmware, or EFI firmware password will prevent booting into single-user mode without the firmware password. You can view Apple's Knowledge Base articles here: