Bypass via Recovery Mode

Open actualdisaster opened this issue 1 year ago • 2 comments

Unfortunately, the firmware password was removed on Apple Silicon Macs. Any admin user can log into recovery mode and disable Santa from there. Any thoughts on ways to stop this?

actualdisaster avatar Jan 03 '24 09:01 actualdisaster

You’re looking for SetRecoveryLock:

https://developer.apple.com/documentation/devicemanagement/set_recovery_lock_command?language=objc

-- Edward Marczak b: https://www.radiotope.com/blog

marczak avatar Jan 03 '24 13:01 marczak
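An added example, not part of the thread or of Santa's code: a Python sketch that builds the plist body of the `SetRecoveryLock` MDM command referenced above, for an MDM server to queue to an enrolled Mac. The key names (`RequestType`, `NewPassword`, `CurrentPassword`, `CommandUUID`) are written as I understand Apple's device-management documentation and should be checked against the linked page; the function names and password format are hypothetical.

```python
import plistlib
import secrets
import uuid

# Alphabet without look-alike characters (0/O, 1/l/I), since the password
# may have to be typed by hand at the Recovery screen.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"


def generate_recovery_password(groups=5, group_len=5):
    """Return a random per-device password such as 'aB3dE-...' (5x5 groups)."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def build_set_recovery_lock(new_password, current_password=None, command_uuid=None):
    """Serialize a SetRecoveryLock command as an XML plist (bytes).

    current_password is included only when rotating an existing lock;
    command_uuid lets the MDM server match the device's acknowledgement.
    """
    command = {"RequestType": "SetRecoveryLock", "NewPassword": new_password}
    if current_password is not None:
        command["CurrentPassword"] = current_password
    payload = {
        "Command": command,
        "CommandUUID": command_uuid or str(uuid.uuid4()),
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Constructed sample run: first-time set, then a rotation.
    first = generate_recovery_password()
    print(build_set_recovery_lock(first).decode())
    rotated = generate_recovery_password()
    print(build_set_recovery_lock(rotated, current_password=first).decode())
```

Escrow each generated password per device in the MDM server before sending the command, since a rotation needs the current value.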

There is a much simpler method of disabling Santa as an admin user: drag Santa.app from /Applications to the Trash and the OS will offer to remove the system extension with an authentication dialog. If you can't trust your users not to remove the security tools you install, they should not be admins.

russellhancox avatar Jan 03 '24 13:01 russellhancox

I'm going to close this issue. Feel free to open this back up if there's more to discuss.

pmarkowsky avatar Mar 03 '24 02:03 pmarkowsky