The ability to boot a UNIX system in single-user mode is a security concern, since single-user mode provides a root shell without requiring a password. This example lets you force the user to supply a password before /bin/sh starts in single-user mode. It does this by running a password-checking program from root's shell startup file, /.profile.
This system has been tested for security holes, and appears to resist concerted efforts to defeat it. However, Apple disclaims any warranty of any kind, expressed or implied, as to its fitness for any particular use.
This script may not work if the password you use is more than eight characters long. Remember to test the script immediately after installing it to be sure your password is being fetched correctly.
To password-protect single-user mode on your system, log in to a UNIX shell as root, cd to the uncompressed directory containing the Makefile and source code, and type "make". The pwcheck Makefile will automatically install the pw_check program and /.profile, place your local NetInfo domain's root password in your local /etc/passwd file, and protect your /etc/rc.boot file so that the startup sequence cannot be interrupted from the keyboard. Backup copies of your original files are created as /etc/passwd.orig, /etc/rc.boot.orig, and /.profile.orig.
The program prompts the user up to three times to enter a password. The default .profile included with this package will prompt for the root password, but you may specify another user's password on the command line. If the correct password is not entered in three attempts, the program halts the processor, shutting down the computer system.
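One way to run the post-install test recommended above, as an added example that is not part of the pwcheck package: it confirms that a root password hash actually landed in /etc/passwd and that /.profile invokes pw_check. Treating an empty or "*" password field as "not fetched" and the optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-install check for the pw_check setup described above.
# Usage (as root):  check_single_user_protection          # live system
#                   check_single_user_protection /mnt/copy # a mounted copy

# Print the password field (2nd colon-separated field) of root's entry.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# Return 0 when every check passes; print one line per finding.
check_single_user_protection() {
    root_dir=${1:-}
    passwd="$root_dir/etc/passwd"
    profile="$root_dir/.profile"
    failures=0

    if [ ! -r "$passwd" ]; then
        echo "FAIL: cannot read $passwd"; failures=$((failures + 1))
    else
        pw_field=$(root_hash "$passwd")
        # Assumption: an empty field or "*" means no usable hash was fetched.
        case $pw_field in
            ''|'*') echo "FAIL: no root password hash in $passwd"
                    failures=$((failures + 1)) ;;
        esac
    fi

    # /.profile must call pw_check on a line that is not a comment.
    if ! grep -v '^[[:space:]]*#' "$profile" 2>/dev/null | grep -q 'pw_check'; then
        echo "FAIL: $profile does not run pw_check"; failures=$((failures + 1))
    fi

    # The Makefile is documented to leave these backups behind.
    for f in etc/passwd.orig etc/rc.boot.orig .profile.orig; do
        [ -e "$root_dir/$f" ] || echo "NOTE: backup $root_dir/$f not found"
    done

    [ "$failures" -eq 0 ]
}
```

A passing result only shows the files are in place; booting into single-user mode and entering the password remains the real test.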