S 6.147 Restoring system parameters when using Mac OS X

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User, Administrator

If a Mac OS X system fails to boot or if data can no longer be read different courses of action are available. Users and administrators must be informed of the measures for restoration of system parameters when using Mac OS X. To restore a data backup generated using Time Machine, the recommendations in S 6.146 Data backup and restoration of Mac OS X clients must be taken into account. To find errors in the use of a client under Mac OS X which prevent the operating system from booting normally, different boot modes are available for selection. Since these boot modes are sometimes only available if no EFI firmware password has been set, it is necessary to temporarily remove the password beforehand. On the installation DVD of Mac OS X, an application with the name "Open Firmware Password Utility" can be found, by means of which the firmware password can be reset.

Single user mode

If a client is booted under Mac OS X, the keyboard shortcut "cmd + S" must be pressed and held to enter the single user mode. The single user mode boots a rudimentary operating system without a graphic interface. This mode is very robust and usually still available, even if the system fails to boot due to a failed installation or a file system error. Although the root account is used for working in single user mode, the user has read-only access to the boot drive at the beginning.

To check the file system, the command "/sbin/fsck -fy" can be entered. Note, though, that the American keyboard layout is used in single user mode and that it may be necessary to the adjust keyboard input.

If the file system has been checked and possibly repaired, the command "/ sbin mount -uw /" can be used to enable write access to the boot drive. Additional options are now available to remove the error. For example, defective programs which are started automatically with the system can be removed.

Verbose mode

To enter this mode, the EFI password needs to be removed temporarily. The "Verbose mode" offers additional options to gain further insight into the system. To enter this mode, the keyboard shortcut "cmd + V" must be pressed and held during system start. The system is then booted normally, but the screen output is no longer covered by the Apple logo. Instead, the system displays information on, for example, the service which is currently launched. This allows to further localise potential sources of error.

Safe boot mode

If the "Shift" button is pressed and held during the startup procedure, Kernel extensions and startup items by third-party manufacturers will not be loaded. This helps to already eliminate a high number of sources of error during startup. If it is established that one of the startup items prevents the operating system from booting regularly, the relevant startup item can be disabled in the "System settings" under "User accounts". The startup items which cannot be reached via the graphic interface are located in the directory /Library/StartupItems/.

Adjusting startup items

If it is established in safe boot mode that a startup item causes problems and the graphic user interface cannot be used to remove the object, the startup item must be accessed manually. The startup items of the "LaunchDaemon" which are executed with root privileges are located either in the directories "/System/Library/LaunchDaemons" or "/Library/LaunchDaemons". Startup items executed with user privileges can be found in the directories "/System/Library/LaunchAgents" or "/Library/LaunchAgents". To remove a startup item, it is enough to change the file extension.

Restoring file access rights

If it was established that file access rights were accidentally changed, they should be restored by all means. In the worst case, every user could otherwise change system files.

The "Hard drive service program" in the directory "Service programs" can be used to reset the file access rights to their default values. Here, select the partition to be repaired and click the "Repair disk permissions" button. Alternatively, this procedure can be realised by means of a command line command:

diskutil repairPermissions /disk/boot drive

This, however, resets the file access rights to the default value defined by the manufacturer. If the file access rights have been manually adjusted to the local conditions, they will be lost after a repair and must be configured again according to the security policies.

Repairing the key chain

The key chain may be damaged, for example, due to a hard disk error or applications with malfunctions. To restore the information in the key chain, the "Key chain management" application can be launched in the service programs. After that, open the menu item "Key chain management | Key chain ¿ First aid". After entering the user name and the associated password the correctness of the key chain can be verified. If errors are found, the key chain must be repaired before reuse.

Deleting the parameter storage

System information such as the repetition rate, resolution, and colour depth, but also information on the boot drive are stored in the Permanent Random Access Memory (PRAM). To delete the parameter storage, the EFI password must be temporarily deactivated first. Then the buttons Apple (Command, "cmd"), Option (Alt), "p" and "r" must be simultaneously held down when starting the computer until the startup sound was heard several times.

Resetting the power management unit

If the system still fails to boot after a PRAM reset, the power management unit should be reset. Since the procedure varies greatly from product to product, the user should consult the Apple knowledge database in the internet.

Review questions:

© Federal Office for Information Security. All rights reserved.