I'm unsure whether this was possible in OS X Yosemite; however, OS X Mavericks has a security flaw: should an individual have physical access to a computer, he need only boot into Single User Mode, mount the hard drive and remove the file ".AppleSetupDone" in the directory "/var/db/". Doing so tricks the computer into thinking it is its first ever launch and allows the individual to set up a new Admin account.
OS X El Capitan apparently has a new security feature known as System Integrity Protection, which limits root access to an array of directories including: /system, /bin, /sbin, /usr, /etc, /tmp and /var.
My question is:
Will System Integrity Protection protect the executable .AppleSetupDone from deletion, and the subsequent exploit?
Best Answer
No. .AppleSetupDone isn't an executable, it's just an empty file. SIP does not include /tmp or /var. These are directories that need to remain writable during normal use.