Login Window security settings #188

Removes user list, power off, and reboot buttons from login window.

@jonschwenn jonschwenn Login window security settings
Removes user list, power off, and reboot buttons from login window.
4c2dad9

@mathiasbynens mathiasbynens commented on the diff Mar 10, 2013

@@ -81,6 +81,12 @@ defaults write com.apple.helpviewer DevMode -bool true
# in the login window
sudo defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName
+# Disable username list on login window
+sudo defaults write /library/preferences/com.apple.loginwindow SHOWFULLNAME -bool true
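Review bot: the comment on the added SHOWFULLNAME line says "Disable username list" while the command sets the key to true, so the two read as contradicting each other; reword the comment to say that true is the value that hides the list, and name the System Preferences option it corresponds to. The added command also writes to /library/preferences/ in lowercase where the context line directly above uses /Library/Preferences/; match the existing casing so the write does not depend on the boot volume being case-insensitive.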
@mathiasbynens

mathiasbynens Mar 10, 2013

Owner

Did you mean false?

@jonschwenn

jonschwenn Mar 10, 2013

False is the default behavior. This controls a setting found in System Preferences -> Users & Groups -> Login Options which is called "Display login window as". The default behavior is "List of users".

@mathiasbynens mathiasbynens commented on the diff Mar 10, 2013

@@ -81,6 +81,12 @@ defaults write com.apple.helpviewer DevMode -bool true
# in the login window
sudo defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName
+# Disable username list on login window
+sudo defaults write /library/preferences/com.apple.loginwindow SHOWFULLNAME -bool true
+
+# Remove power off and restart buttons on login window
+sudo defaults write /library/preferences/com.apple.loginwindow PowerOffDisabled -bool true
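Review bot: the comment above the PowerOffDisabled line says what disappears from the login window but not why, and this is a change every user of the machine will notice; put the rationale in the comment, for example that it keeps someone who is not logged in from shutting down or restarting the machine from the login window. This line has the same lowercase /library/preferences/ path as the SHOWFULLNAME line, unlike the /Library/Preferences/ used in the context line, and should be brought in line with it.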
@mathiasbynens

mathiasbynens Mar 10, 2013

Owner

Why would you want to do this?

@jonschwenn

jonschwenn Mar 10, 2013

In terms of security, it doesn't prevent someone with physical access to a Mac from booting into single user mode or using a password reset application on the boot volume to get in.

What it does do is prevent casual 'attacks'. It will make the login window act like "OS X Server". It will not list out all the user accounts on the system. It will also not let a random person reboot or shut down the machine without being logged in. Attached are the two login screens.

default-login
modified-login
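A way to confirm that the two keys discussed in this thread are actually in effect on a machine, as an added example that is not part of the pull request or the dotfiles project. `DEFAULTS_BIN` is a hypothetical override introduced here so the check can be exercised off a Mac; the key names and plist path are the ones in the diff.

```shell
# Added example: audit the two login window keys this pull request sets.
# Assumption: DEFAULTS_BIN is a made-up override for testing; when it is
# not set, the real macOS `defaults` tool is used.
# Usage: source this file, then run `audit_loginwindow`.
PLIST=/Library/Preferences/com.apple.loginwindow

# Print a key's value normalised to 1 or 0, or "unset" when the key is
# absent (an absent key means the login window uses its default behaviour).
read_bool() {
  local raw
  raw=$("${DEFAULTS_BIN:-defaults}" read "$PLIST" "$1" 2>/dev/null) || {
    echo unset
    return 0
  }
  case "$raw" in
    1|true|TRUE|YES) echo 1 ;;
    0|false|FALSE|NO) echo 0 ;;
    *) echo "unexpected:$raw" ;;
  esac
}

# Compare each key with the value the pull request writes.
# Returns non-zero if any key is missing or differs.
audit_loginwindow() {
  local rc=0 pair key want got
  for pair in SHOWFULLNAME=1 PowerOffDisabled=1; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(read_bool "$key")
    if [ "$got" = "$want" ]; then
      echo "ok    $key=$got"
    else
      echo "drift $key=$got (expected $want)"
      rc=1
    fi
  done
  return "$rc"
}
```

Reading these keys does not need `sudo`; only the `defaults write` commands in the diff do.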

@hkdobrev

hkdobrev Sep 16, 2013

Contributor

@jonschwenn I think your concern is valid only when the attacker does not have physical access to your Mac. These dotfiles should not be used for production servers IMHO.
