Root as Primary Login: Why Not?

A user writes, "I help moderate a forum dealing with Mac OS X, and I'm having an awful time convincing a fair portion of our readers that logging in as root all the time is a Really Bad Idea. Worse, though, are the ones who try to convince others to log in as root all the time, claiming it's 'more Mac-OS-9-like,' or saying 'it's not really more insecure,' or even that 'a firewall should deter hackers pretty well.' I know all the standard arguments, but they're not working out. Does anyone here have some real-world anecdotes that I can point to?"

Why i have to log in as root.

[m_evanchik]

I'm a newbie and I always initially log in as root because that's the only way I can get adsl-connect going. I guess maybe I installed it as root, because it doesn't show up or run when I log-in as a regular user. Not a big deal but it is annoying to have to log in as root to get online and then to log out and log back in.

Re:Why i have to log in as root.

[brunson]

If it needs root access to devices, which it almost certainly does to ifconfig an interface up, it should be installed suid root (if safe). Also, sudo is a great utility for doing things as root, does it come installed by default?

Re:Why i have to log in as root.

[lexarius]

Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

As for the original poster, I don't know what to say. In OS X root still has to give his password for authentication screens. The only convenience I can really see it having is to mess around with system libraries and configuration files unchecked. Oh yeah, thats right. Most unices aren't very vulnerable to virii because the user isn't root, so the virus can't get at the important things. The most a trojan could do is take out your home directory. Your system would still run.

Of course, logging in as root makes the system slightly more vulnerable to local attacks, but that isn't saying much.

Cmd-S during boot-up.
fsck -y
mount /
SystemStarter
passwd root

System compromised.
But thats a feature. I think it can be disabled, possibly by supplying an OpenFirmware password... auto-logging in as root sort of ruins that, though.
If people want security similar to Windows, tell them to run as root. OS9 is somewhat more "secure" than OSX because it was meant to be stupid-proof. Running as root in OSX is like telling the computer you really know what you're doing. If you don't, you shouldn't.

Re:Why i have to log in as root.

[foobar104]

Also, sudo is a great utility for doing things as root, does it come installed by default?

Yup, sure does. As far as I know, it's been there since forever. At least since 10.0.3, which was the earliest version that I used regularly.

Re:Why i have to log in as root.

[Permission+Denied]

Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

OS X, like most unices, doesn't honor the set-uid bit for scripts.

I would just write a trivial C program and make that set-uid:

#include <unistd.h>

#define ADSL "/path/to/adsl-connect"

int main()
{
execl(ADSL, ADSL, NULL);
return 1;
}

On OS X, install dev tools, compile as "cc file.c -o my-script" and then "chmod 4755 my-script". You can then run it from a normal user shell and the script is run as root (make sure the file is owned by root).

NB: I'm not replying directly to you, but rather to the original poster who wanted to know how to do this.

Re:Why i have to log in as root.

[foobar104]

You don't see anyone trying to eradicate the usage of "boxen" (even though "boxes" is the proper plural of "box").

There are two big differences between "boxen" and "virii."

First of all, "boxen" is almost always tongue-in-cheek. It's an old joke, but it's just a joke.

Secondly, "boxen" would be correct, if it weren't for the simple fact that it isn't. It's just one of those quirks of the language: one box plus one box is boxes, and one fox plus one fox is foxes, but one ox plus one ox is oxen. Like a friend of mine said, about fifteen years ago, in my high school English class. "Drive, drove, have driven. Dive, dove, have diven?" "Boxen" is funny because its use points out the arbitrary and inconsistent nature of English pluralization.

As I said, though, "virii" isn't just technically wrong, it's completely wrong. Latin had either no plural at all for "virus," or only a very rarely used and easily confused plural, depending on whose interpretation you accept. "Virii" has zero basis in any kind of fact.

If the correct Latin plural of "virus" had been "virii," and if the use were intended to be sarcastic or humorous, I wouldn't mind so much. But the fact is, people often use "virii" in utter seriousness, as if it were correct and acceptable.

It isn't. It's wrong, wrong, wrong.

Not yet…

[DarkVein]

Does anyone here have some real-world anecdotes that I can point to?

But I can make some what did you say their addresses were?

Root is like crack

Don't smoke it. I did once and got hooked. I ran Mac OS Updates as root. Fuck, I even had sex with my girlfriend as root. Man, that caused some permissions problems. When I started the road to recovery (logging in as Zacks) my girlfriend was all like: "Fuck no! You can't get any cause you don't own me an I don't go groups. You don't have the power to read, write OR execute so get out of my FACE" So I was all HELL NO bitch. And she wuz like you do not have root (superuser) privlages so get out of my TruBlueEnvironment! So then I went chown and chmodded her ass to me. Dat be-otch be up in my hizzouse. What what. Holla!

OS 9 like? Nope.

[jasonwileymac.com]

"...claiming it's 'more Mac-OS-9-like,' "
Nope. Not at all. OS 9 has the same level of protection for itself that OS X does, it just works a bit differently. Tell your friends to try this... In OS 9, drag your System Folder to the trash. Go on, do it. Whupps - you can't. Why? Because you don't have 'permission' to. You can only do it if you boot from a different source, like a CD or another volume. Unix does this far better than OS 9 could, but it's basically the same idea. Logging in as ROOT lets you do anything you want. Toss your kernel? SURE!!! No problem! BAD idea. I feel that if someone doesn't know why they shouldn't be root, that alone is reason enough for them NOT to be.

Here's one.

[Eagle7]

Let's say that you want to change the permissions of all the files in your home directory to go-rwx (which make sense). So, you type:

chmod go-rwx ~/*

But by mistake, you hit the space bar, and get:

chmod go-rwx ~ /*

By the time you realize the hard disk has churned too long, you'd just gone and wiped the permissions on /bin, /sbin, /var, etc. You're system is now screwed up to the point where it's probably faster to reinstall than change all the permissions. If you weren't root, you'd see something like this (from a Linux-PPC box):

[pts/2@tardis:/home/dmorriso @00:45] chmod go-rwx ~ /*
chmod: /bin: Operation not permitted
chmod: /boot: Operation not permitted
chmod: /dev: Operation not permitted
chmod: /etc: Operation not permitted
chmod: /home: Operation not permitted
chmod: /lib: Operation not permitted
chmod: /lost+found: Operation not permitted
chmod: /mnt: Operation not permitted
chmod: /opt: Operation not permitted
chmod: /proc: Operation not permitted
chmod: /root: Operation not permitted
chmod: /sbin: Operation not permitted
chmod: /tmp: Operation not permitted
chmod: /usr: Operation not permitted
chmod: /var: Operation not permitted
[pts/2@tardis:/home/dmorriso @00:46]

And yes, back in the day, I did make this oops and had to reinstall, because I had used su rather than sudo, and had forgotten to un-su. I started using sudo right afterwards. :)

Re:Here's one.

[foobar104]

chmod go-rwx ~ /*

I just want to second this. I did the same thing once, but on an SGI O2 rather than a Mac. My variation: chown -R foo / when I meant to type chown -R foo .. The dot and the slash are just too damn close together for comfort.

That was when I learned that you can't boot an SGI if files like /bin/sh and /sbin/init aren't owned by root.

And yeah, it was easier and faster to just reinstall the OS than it was to try to fix the ownerships.

Re:Here's one.

[tunah]

Mine was worse.

I don't have rpm installed, but I found a program that was only available as rpm. So I ran rpm2targz on it and then tar xvzf. It then extracted a whole bunch of files into a new usr folder in my current working directory, as I had forgotten to cd /. I was still root. So now to get rid of the directory I tried to type:

rm -r usr/

What I actually typed was this:

rm -r /usr

Oops!

Re:Here's one.

[Eagle7]

NB: this is zsh figuring out my typo, not 'rm' being annoying.

You mean, that's zsh being annoying. :)

Re:Here's one.

[Eimi+Metamorphoumai]

Ahhh, yes. Been there, done that. Of course, mine looked so innocent. Messing around in /proc, tried to make everything readable (to see how the proc virtual filesystem interacts with permissions). "chmod -R a+rwx *" Even made sure I was in the right place first. What I quickly (but not nearly quickly enough) learnt was that chmod -R follows symlinks, and that symlink to / made that command much less fun than it should have been. To this day, I loath commands that follow symlinks recursively (cp -r, chmod -R, I'm sure there are others), but I have gotten much better at "find -print0 | xargs -0".

You don't log in as root in macosx

[Bart+van+der+Ouderaa]

For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

One is just a user, the other is root. In previous versions ( i haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave alot of headaches).

Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

You can if you want to btw. The password of root is the same as the password of the user.
It does nail down the importance of good passwords which is something that alot of macusers are new to.

Re:You don't log in as root in macosx

[Drakino]

At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".

You can enable root through the netinfo config utility. It asks for a new root password.

Partially correct. root is created on install just like any other Unix, and is the owner of most files on the system initially. Just who knows what the password is. Netinfo lets you set a different password, but all it is is a pretty GUI for "sudo su; passwd root".

Re:You don't log in as root in macosx

[Phroggy]

For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

Um, no. This may have been true in pre-release versions, but in 10.0 and later, only your regular non-root account shows up in System Preferences. The root account doesn't have your name on it, and the encrypted password is set to "*" meaning logins are disabled altogether.

One is just a user, the other is root. In previous versions ( i haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave alot of headaches).

They are not the same account, so changing a user password will not change the root password, and vice-versa.

Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

If you're an Administrator, you do have write access to the contents of /Applications and /Library, just not /System. The reason su doesn't work by default is, root doesn't have a password by default. However, any Administrator can run any command as root with sudo - for example, "sudo tcsh" will get you a root prompt.

In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

If you're doing something that actually requires root privaleges, such as changing system settings or installing software, you must authenticate as an Administrator, even if you're already logged in as an Administrator. If you type "sudo tcsh", sudo will prompt you for your password. It's an excellent system.

You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

What?

You can if you want to btw. The password of root is the same as the password of the user.

As I said before, this is wrong. As I recall, the Public Beta set the root password to the same as the user password at install time; the final version didn't do this.

If you do want to enable root logins, there are three ways to do it:

A) open NetInfo Manager, click the padlock icon, authenticate, then go to select the Domain/Security/Enable Root User menu item

B) open NetInfo Manager, click the padlock icon, authenticate, browse to /users/root, and change the value of the passwd item to an encrypted password

C) open Terminal, type "sudo passwd", authenticate, and set a root password.

It does nail down the importance of good passwords which is something that alot of macusers are new to.

I set my system to automatically log me in at boot time, so it doesn't nail down anything.

Re:Real world example.......

[irony+nazi]

You miss a very important point.

People who don't understand why you would/wouldn't log in as root are *extremely* unlikely to be playing around with 'rm', 'chmod', and 'mv'.

You would have a better argument saying something to the effect of "dragging an important system file into the trash" or moving/renaming an important file/folder.

I find it amazing how many people don't want to *login* to their computers.

They tell me, "I know that it's safer to log into my computer, but it's such a pain." --to which my usual reply is "You don't know that it's safer to log in."

Necessary for GUI users?

[dh003i]

As a command-line user, I understand the value of not logging in as root all the time.

However, most Mac users couldn't use a command line if their life depended on it and probably don't even know that MacOSX has a command line.

The MacOSX user who's a classic mac user will probably never use the command line; if they have to rename a thousand files to add an extension or a prefix or whatever, they'll do it by hand, not by using a tcsh script.

So, the question is, how much damage can one do from the MacOSX GUI at root? I don't know. I have accounts on other ppl's MacOSX computer (namely, at my University) but have never been logged in as root.

Of course, not logging in as root doesn't only protect you from yourself. It also protects you from "trogan" install programs, which say they'll do one thing, and in fact delete the entire hard drive or something else like that.

The Mac OS X security story direct from Apple

[plsuh]

First, my credentials: I'm a Curriculum Developer with Apple's WorldWide Training and Communications group. I am the author of the Network Security chapter in Apple's Network Administration course. I gave a talk at the last MacWorld on Mac OS X firewalling, and I must have done something right since they asked me to do it again in July in New York. In this post, unlike most of my other postings, I am speaking in my Apple voice.

That said, Mac OS X has a root user, but root does not have a valid password on installation. The first user that is created via the setup assistant is what is known as an admin user. These are users who are members of the group "admin", a predefined group. Apple provides an API whereby a GUI application can ask for an admin user's password, and thus gain sudo-style privileges for actions such as installing software (which might need to put things in places that can only be touched by root). Also, the /Applications directory also is writable by admin users, so apps where the install is just drag and drop (such as OmniWeb or MSOffice) can also be installed by an admin user and do not require root privileges.

In addition, admin users have access to the /Library directory, which is where resources specific to a particular machine should be stored. There are four Library locations that Mac OS X searches for resources such as fonts and frameworks:

• ~/Library - for user-specific items
• /Network/Library - for resources made available to an entire NetInfo network
• /Library - for resources specific to a particular machine
• /System/Library - the base system installation; this area is in general reserved for Apple use, and most people have no need to change anything inside here.

Note that the /Library tree in general has ownership root:admin with privileges 775. This means that any admin user can add or remove resources from his or her own machine without resorting to using root directly. In fact, if you wanted to add a set of resources that would affect only a particular user (say, give only the graphic artist access to the full set of 300 fonts, and leave everyone else with just the usual system set of fonts), you could install them under the user's ~/Library directory. Because of the default search order, resources in ~/Library and /Library take precedence over those in /System/Library, so you can simply install a framework in /Library and override the OS's default behavior.

If a user were to log in as root, he or she would immediately gain write access to the /System/Library area, which contains the really sensitive bits of the operating system. As it were on the warning labels, "No user serviceable parts inside!" Logging in as root is the equivalent of unscrewing the cover of a piece of equipment with that warning label. If you know what you're doing and you're careful, you may be able to do something in there, but if you're not careful or don't know what you're doing, you are likely to get hurt. I know of several users who had the bad habit of looking at a bunch of files in their System Folders and thinking, "I don't know what this does, I can just throw it out to gain more disk space," in older versions of the Mac OS. Turning one of these guys loose as root on Mac OS X is likely to cause major headaches.

From the command line side of the house, admin users are allowed to do anything via the sudo command, which is preinstalled on Mac OS X. If you need root access, you can use sudo to do just about anything from the command line. If you really, really need a root shell, you can always do "sudo -s" and get one.

In summary: Mac OS X has the tools that you need to perform system administration tasks form either the GUI side or the command line side without needing to log in as root. Logging in as root is the equivalent of opening up a piece of machinery with the warning label, "No user serviceable parts inside", and you should not be surprised if you get hurt when you do this.

Paul Suh
psuh@apple.dontbotherspammingmeigetwaytoomuch alrea dy.com

Note: on Mac OS X Server, root is enabled by default. This is considered less of an issue since it is expected that servers will be run by people who have a better understanding of the issues involved and are more likely to be doing things that need root access, even from the GUI level.

Not a new problem

[Permission+Denied]

I knew this physics guy that bought a Linux box so he could do his Fortran numerical analysis on his own, without relying on the insanely big, fast and reliable physics servers (go figure). Smart physics guy, complete unix newbie.

I'll only tell you the anectdote salient to this article. He would, of course, only log in as root as the KDE rpm front-end wouldn't work when you're logged in as a regular user and he didn't want to figure out how to use the the command-line rpm (I don't know if currently KDE does a sudo/su-type thing using the GUI, but it didn't back then - if you ran kfm as non-root, you couldn't use the RPM front-end).

At one point he could no longer log in. Problem? / was full. He was downloading all his stuff into /root (a one gig partition) and /home (20 gig partition) was completely empty. You could log in from console, but not from XDM since XDM creates files in /tmp upon login. He had no idea how to get from XDM to another virtual console, so he was effectively locked out of his machine.

My point? Give up. Don't worry about it. They will not learn why logging in as root is bad until they get burned. Especially since you're just a forum moderator - if you were getting paid to do this and your job depended on these machines staying up, you would have every responsibility to ensure people were properly following your policies; but, as a mere guru to these people, allow them to learn in the most effective fashion: trial by error.

Re:OS 9 like? Nope.

[WalterSobchak]

OS 9 like, sounds like "More Mac like", and logging in as root is not.
My first Macintosh manual (for the Macintosh 512k) had the following to say about installing the "Programmer's Switch": "The Programmer's Switch is used to create an Interrupt or a Reset. If you do not know what an Interrupt or a Reset is, you do not need this switch". While people may criticize this, it has always been Apple's strategy to protect users from their own stupidity.
So really to emphasize the parent post, "If you do not know why to log in as root, don't do it." Period. Nuff said

Alex -- (And I don't even normally log into my BSD box as root)

Two good reasons together make .....

[Dimes]

....an even more significant reason:

1)As root you have the ability to not only do damage to your own user files...but you have the ability to damage/destroy the whole system. Being a user on a UnixOS is one of its beauties. No matter how bad you screw up as a user, its only your files...the system will still be there.

2)OSX runs a number of Microsoft Applications....i.e. the Office Suite, and Outlook...which are notoriously prone to security problems.(albeit, quite a bit less on Mac)

Mix those two reasons and you get something like Windows, where one script sent by email, clicked on by an /uneducated/ user(and sometimes not even clicked on...just received by something like Outlook) while logged in as root....and poof there goes the whole machine....lucky, at least for the rest of us cause at least that users box is gone.....or really unlucky for the net community at large if the virus/worm/et.al. keeps the machine and starts doing nasty self propagation.

So, just dont do it. There is so little a regular user needs root for...and for that Apple has provided sudo....built in from the start.

Dimes