# root user for Mac OS X

Discussion in 'OS X and OS X Apps' started by viral_variance, Apr 10, 2008.

1. ### viral_variance Member

Joined:
Mar 16, 2008
Messages:
512
0
Gender:
Male
Hi,

I was playing around with the terminal utility of my Mac and suddenly remembered that since the back-end uses Unix, then it has a root user

so i immediately typed su root and i got prompted with a password, and was amazed, where in the box can I find the password for the root???

since my user is an admin account, i can easily do a sudo su - and login using my account password and voila! i'm root.

but i believe this is a potential security flaw if i do not know what is the password of the one, the most powerful root

3. ### bacchus_3 PhilMUG Addict Member

Joined:
Apr 29, 2007
Messages:
4,804
310
Gender:
Male
sudo is actually a layer to protect the root account - and is not a security flaw the way I see it. Just make sure you keep your admin account separate for maintenance from your usual account that you use everyday. This way, treat your admin account as root.

4. ### viral_variance Member

cool! it's nice to hear that the root is disabled by default. i'll have it activated tonight.

security flaw <- im referring to myself because i don't know the root password

5. ### bacchus_3 PhilMUG Addict Member

haha. why would you consider it a security flaw if you don't know the password? You're not running a server and sudo would be sufficient. In fact, since the Mac OS X is pretty much a well thought-of *Nix system you can depend on SUDO.

You may have a different need though, but even to the extreme of using server applications in a non-Mac OS X Server Mac, I don't actually intend on running processes in root.

6. ### viral_variance Member

my impression is that i may have missed the process of setting up the root password or there is a default password for root, ala PIN code or PUK for cellphones hehehe

now i really believe that Mac OS X is secure!

yap sudo will do for me, but it won't hurt securing the root as well hehehe

7. ### kaotep Active Member

Joined:
Apr 22, 2005
Messages:
343
35
Location:
Lapu-Lapu City
i'm not sure if what i'm saying is entirely correct but os x allows you to set the root password the first time without asking for any password. once it's set and you change the password again, it'll ask for the password that you previously set.

the only way to prevent others from doing this is to set it yourself.

8. ### alistair Member

Joined:
Feb 11, 2005
Messages:
931
0
Location:
Makati
Just don't, ever, ever, do:
```
sudo rm -rf /
```

9. ### kaotep Active Member

@alistair - hahaha i did an "\rm -rf ." once. i forgot i was at the '/' directory LOL!

10. ### lamski PhilMUG Addict Member

Joined:
May 8, 2005
Messages:
2,828
432
Location:
Makati, Philippines
Running OS X as root is dangerous. You can accidentally erase system files without prompts and wonder why your mac won't boot on your next startup...

11. ### viral_variance Member

nope i won't run on OS X as a root user. this is mainly for administration. i've been handling unix and linux servers for quite a long time now and quite knowledgeable on what it can do.

12. ### viral_variance Member

yahoo!!! finally enabled my root. now it's time to keep my password list safe hehe

13. ### alistair Member

Honest question: Why'd you feel the need to enable root?

I've been doing tons of software development and power user stuff (modding stock apps, for instance) on OS X for years now and I've never once, ever, had to "su root".

14. ### bacchus_3 PhilMUG Addict Member

Even in Linux or *Nix flavors, it always is best practice to avoid using root when running processes/apps. SUDO is preferable, really.

15. ### viral_variance Member

Hi,

If you were to look at it at a different perspective, i actually “disabled” root by giving it a different credential aside from its default, which is disabled. Imagine someone using your computer and got to enable the root password without your knowledge, he/she could instantly gain access to your mac if you are on a network by using any exploit.

It gives me security that I know that no one will be able to change the root account itself because I’ve already given it a non-default credential.

You could liken this to software updates of your OS. You could stay with the default package and wait to be attacked by hackers. Or you could update your software to the nondefault, and be safe.

In our company, not even our System Administrator is knowledgeable of the root password, they have sudo roots, but not the root. The root password is kept safely in a vault. We consider this as a best practice in alignment with ISO standards. Now setting the scale down to my macbook, I kept the root hidden somewhere and will just use my access for normal day to day stuff.

This is more of a security issue for me. My macbook is connected more than 8 hours per day on the internet and I’m not that confident on its firewall yet, as I haven’t mastered it. Some of the important security measures I made were disabling sharing for non-essential services, password authentication, and installation of virus scanner (clamxav)

16. ### viral_variance Member

i just asked our Security Administrator, and as advised, default is not the best practice. the root should be enabled and given a different credential/password.

17. ### kaotep Active Member

the only use for root ive ever had for mac os x is for deleting pesky files that refuse to be deleted from finder. other than that, no other purpose really.

18. ### acid Member

Joined:
Mar 4, 2008
Messages:
478
2
Gender:
Female
Location:
Quezon City
I agree with Lamski. I suggest that you have to use only the root user for specific purposes like troubleshooting or installing certain applications that will ask for the root user to be activated.

19. ### viral_variance Member

mmm just to clarify, i'm quite bothered by the way people are replying here when my only objective is to enable root so i can change the password to avoid a potential security issue

20. ### alistair Member

See, from what I understand - root is disabled by default. So, it doesn't really have a 'default' password - it has no password which is more secure because that totally prevents login as root.

At least, this is how I understand disabled accounts in *nix to work. A blank password ("") is not the same as an empty password hash value (in /etc/shadow). The former will let anyone who knows the default, empty password in. The latter will totally prevent login.

(It does not, however, prevent "sudo su" - but having a password for root won't prevent that either.)

Last edited: Apr 17, 2008
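
Added example (not part of any post in this thread): a small shell audit over `/etc/shadow`-style lines, the file mentioned in the post above. It follows shadow(5) on Linux, where an empty password field means no password is required and a field starting with `!` or `*` cannot match any password. The function names and sample lines are constructed, and since OS X keeps account records in its directory service rather than in `/etc/shadow`, this illustrates the Linux file format only.

```shell
#!/bin/sh
# Classify the password field (field 2) of a shadow(5)-style entry:
#   empty             -> no password is required to authenticate
#   starts with ! / * -> no password can match: password login is locked
#   anything else     -> a password hash is set
classify_field() {
    case "$1" in
        "")        echo "empty" ;;
        '!'*|'*'*) echo "locked" ;;
        *)         echo "set" ;;
    esac
}

# Read shadow-style lines on stdin and print "user state" for each account.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        # Skip blank lines and comments.
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Constructed sample input, not taken from a real system; the hash is a placeholder.
SAMPLE='root:*:19000:0:99999:7:::
daemon:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::'

printf '%s\n' "$SAMPLE" | audit_shadow
```

Accounts reported as `empty` are the ones to fix first; `locked` accounts can still be reached through `sudo` by users who are allowed to use it.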