Escalate Privileges on Mac OS X

From Secure Computing Wiki
Jump to: navigation, search

This is a rewrite of the article from Hackszine on 2/13/2009.


Mac OS X has very few core differences in operation from a standard Unix operating system. In many cases, a trick that works on Linux or FreeBSD will work, with little modification, on Mac OS X. We'll apply this to escalation of privileges. We do this the same way a root password is recovered on Linux or BSD systems.

How To

  1. First, reboot the machine into single-user mode. Do this by holding the Command-S key combination until the machine has booted.
  2. Once booted, mount the file systems read-write. Most default-installed Mac OS X systems only have one partition:
    :/ root# mount /
  3. Now. we need to launch directory services.
    :/ root# launchctl load /System/Library/LaunchDaemons/
  4. Add the user to the admin group. To add the group membership to a user, use the following command:
    :/ root# dscl . append groups/admin users <username>
  5. Using one of the two following commands, verify the user has been added to the admin group:
    1. groups <username> -or-
    2. dscl . read groups/admin users (there is a space on either side of the period)

Lock it Down

In Mac OS X 10.4 and later, simply setting an Open Firmware, or EFI firmware password will prevent booting into single-user mode without the firmware password. You can view Apple's Knowledge Base articles here: