Difference between revisions of "Escalate Privileges on Mac OS X"
(New page: This is a rewrite of the article from Hackszine [http://www.hackszine.com/blog/archive/2009/02/gain_admin_rights_in_os_x_leop.html on 2/13/2009]. == Introduction == Mac OS X has very few ...)
Revision as of 10:22, 13 February 2009
This is a rewrite of the article from Hackszine on 2/13/2009.
Mac OS X has very few core differences in operation from a standard Unix operating system. In many cases, a trick that works on Linux or FreeBSD will work, with little modification, on Mac OS X. We'll apply this to escalation of privileges. We do this the same way a root password is recovered on Linux or BSD systems.
- First, reboot the machine into single-user mode. Do this by holding the Command-S key combination until the machine has booted.
- Once booted, mount the file systems read-write. Most default-installed Mac OS X systems only have one partition:
:/ root# mount /
- Now. we need to launch directory services.
:/ root# launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
- Add the user to the admin group.
To add the group membership to a user, use the following command:
:/ root# dscl . append groups/admin users <username>
- Using one of the two following commands, verify the user has been added to the admin group:
- groups <username> -or-
- dscl . read groups/admin users (there is a space on either side of the period)
Lock it Down
In Mac OS X 10.4 and later, simply setting an Open Firmware, or EFI firmware password will prevent booting into single-user mode without the firmware password. You can view Apple's Knowledge Base articles here: