Slashdot Mirror


Root as Primary Login: Why Not?

A user writes, "I help moderate a forum dealing with Mac OS X, and I'm having an awful time convincing a fair portion of our readers that logging in as root all the time is a Really Bad Idea. Worse, though, are the ones who try to convince others to log in as root all the time, claiming it's 'more Mac-OS-9-like,' or saying 'it's not really more insecure,' or even that 'a firewall should deter hackers pretty well.' I know all the standard arguments, but they're not working out. Does anyone here have some real-world anecdotes that I can point to?"

12 of 164 comments

  1. Why i have to log in as root. by m_evanchik · · Score: 5, Interesting

    I'm a newbie and I always initially log in as root because that's the only way I can get adsl-connect going. I guess maybe I installed it as root, because it doesn't show up or run when I log in as a regular user. Not a big deal but it is annoying to have to log in as root to get online and then to log out and log back in.

    1. Re:Why i have to log in as root. by lexarius · · Score: 5, Informative

      Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

      As for the original poster, I don't know what to say. In OS X root still has to give his password for authentication screens. The only convenience I can really see it having is to mess around with system libraries and configuration files unchecked. Oh yeah, that's right. Most unices aren't very vulnerable to virii because the user isn't root, so the virus can't get at the important things. The most a trojan could do is take out your home directory. Your system would still run.

      Of course, logging in as root makes the system slightly more vulnerable to local attacks, but that isn't saying much.

      Cmd-S during boot-up.
      fsck -y
      mount /
      SystemStarter
      passwd root

      System compromised.
      But that's a feature. I think it can be disabled, possibly by supplying an OpenFirmware password... auto-logging in as root sort of ruins that, though.
      If people want security similar to Windows, tell them to run as root. OS9 is somewhat more "secure" than OSX because it was meant to be stupid-proof. Running as root in OSX is like telling the computer you really know what you're doing. If you don't, you shouldn't.

    2. Re:Why i have to log in as root. by foobar104 · · Score: 4, Informative

      Also, sudo is a great utility for doing things as root, does it come installed by default?

      Yup, sure does. As far as I know, it's been there since forever. At least since 10.0.3, which was the earliest version that I used regularly.

    3. Re:Why i have to log in as root. by Permission+Denied · · Score: 4, Informative

      Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

      OS X, like most unices, doesn't honor the set-uid bit for scripts.

      I would just write a trivial C program and make that set-uid:

      #include <stdio.h>
      #include <unistd.h>

      #define ADSL "/path/to/adsl-connect"

      int main(void)
      {
          /* Replace this process with the target; when the binary is set-uid root, the target runs as root. */
          execl(ADSL, ADSL, (char *)NULL);
          /* execl only returns if it failed, so report why. */
          perror("execl");
          return 1;
      }

      On OS X, install dev tools, compile as "cc file.c -o my-script" and then "chmod 4755 my-script". You can then run it from a normal user shell and the script is run as root (make sure the file is owned by root).

      NB: I'm not replying directly to you, but rather to the original poster who wanted to know how to do this.

  2. Root is like crack by Anonymous Coward · · Score: 5, Funny

    Don't smoke it. I did once and got hooked. I ran Mac OS Updates as root. Fuck, I even had sex with my girlfriend as root. Man, that caused some permissions problems. When I started the road to recovery (logging in as Zacks) my girlfriend was all like: "Fuck no! You can't get any cause you don't own me an I don't go groups. You don't have the power to read, write OR execute so get out of my FACE" So I was all HELL NO bitch. And she wuz like you do not have root (superuser) privlages so get out of my TruBlueEnvironment! So then I went chown and chmodded her ass to me. Dat be-otch be up in my hizzouse. What what. Holla!

  3. OS 9 like? Nope. by jasonwileymac.com · · Score: 5, Insightful

    "...claiming it's 'more Mac-OS-9-like,' "
    Nope. Not at all. OS 9 has the same level of protection for itself that OS X does, it just works a bit differently. Tell your friends to try this... In OS 9, drag your System Folder to the trash. Go on, do it. Whupps - you can't. Why? Because you don't have 'permission' to. You can only do it if you boot from a different source, like a CD or another volume. Unix does this far better than OS 9 could, but it's basically the same idea. Logging in as ROOT lets you do anything you want. Toss your kernel? SURE!!! No problem! BAD idea. I feel that if someone doesn't know why they shouldn't be root, that alone is reason enough for them NOT to be.

  4. Here's one. by Eagle7 · · Score: 5, Informative

    Let's say that you want to change the permissions of all the files in your home directory to go-rwx (which makes sense). So, you type:

    chmod go-rwx ~/*

    But by mistake, you hit the space bar, and get:

    chmod go-rwx ~ /*

    By the time you realize the hard disk has churned too long, you've just gone and wiped the permissions on /bin, /sbin, /var, etc. Your system is now screwed up to the point where it's probably faster to reinstall than change all the permissions. If you weren't root, you'd see something like this (from a Linux-PPC box):

    [pts/2@tardis:/home/dmorriso @00:45] chmod go-rwx ~ /*
    chmod: /bin: Operation not permitted
    chmod: /boot: Operation not permitted
    chmod: /dev: Operation not permitted
    chmod: /etc: Operation not permitted
    chmod: /home: Operation not permitted
    chmod: /lib: Operation not permitted
    chmod: /lost+found: Operation not permitted
    chmod: /mnt: Operation not permitted
    chmod: /opt: Operation not permitted
    chmod: /proc: Operation not permitted
    chmod: /root: Operation not permitted
    chmod: /sbin: Operation not permitted
    chmod: /tmp: Operation not permitted
    chmod: /usr: Operation not permitted
    chmod: /var: Operation not permitted
    [pts/2@tardis:/home/dmorriso @00:46]

    And yes, back in the day, I did make this oops and had to reinstall, because I had used su rather than sudo, and had forgotten to un-su. I started using sudo right afterwards. :)

    --
    _sig_ is away

    1. Re:Here's one. by foobar104 · · Score: 4, Informative

      chmod go-rwx ~ /*

      I just want to second this. I did the same thing once, but on an SGI O2 rather than a Mac. My variation: chown -R foo / when I meant to type chown -R foo .. The dot and the slash are just too damn close together for comfort.

      That was when I learned that you can't boot an SGI if files like /bin/sh and /sbin/init aren't owned by root.

      And yeah, it was easier and faster to just reinstall the OS than it was to try to fix the ownerships.

  5. You don't log in as root in macosx by Bart+van+der+Ouderaa · · Score: 4, Interesting

    For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

    One is just a user, the other is root. In previous versions (I haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave a lot of headaches).

    Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

    In both cases you use your own username and password (if your user is created at startup). So if somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

    You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

    You can if you want to btw. The password of root is the same as the password of the user.
    It does nail down the importance of good passwords, which is something that a lot of Mac users are new to.

    1. Re:You don't log in as root in macosx by Drakino · · Score: 4, Informative

      At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".

      You can enable root through the netinfo config utility. It asks for a new root password.

      Partially correct. root is created on install just like any other Unix, and is the owner of most files on the system initially. Just who knows what the password is. Netinfo lets you set a different password, but all it is is a pretty GUI for "sudo su; passwd root".

    2. Re:You don't log in as root in macosx by Phroggy · · Score: 4, Insightful

      For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

      Um, no. This may have been true in pre-release versions, but in 10.0 and later, only your regular non-root account shows up in System Preferences. The root account doesn't have your name on it, and the encrypted password is set to "*" meaning logins are disabled altogether.

      One is just a user, the other is root. In previous versions (I haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave a lot of headaches).

      They are not the same account, so changing a user password will not change the root password, and vice-versa.

      Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

      If you're an Administrator, you do have write access to the contents of /Applications and /Library, just not /System. The reason su doesn't work by default is, root doesn't have a password by default. However, any Administrator can run any command as root with sudo - for example, "sudo tcsh" will get you a root prompt.

      In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

      If you're doing something that actually requires root privileges, such as changing system settings or installing software, you must authenticate as an Administrator, even if you're already logged in as an Administrator. If you type "sudo tcsh", sudo will prompt you for your password. It's an excellent system.

      You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

      What?

      You can if you want to btw. The password of root is the same as the password of the user.

      As I said before, this is wrong. As I recall, the Public Beta set the root password to the same as the user password at install time; the final version didn't do this.

      If you do want to enable root logins, there are three ways to do it:

      A) open NetInfo Manager, click the padlock icon, authenticate, then select the Domain/Security/Enable Root User menu item

      B) open NetInfo Manager, click the padlock icon, authenticate, browse to /users/root, and change the value of the passwd item to an encrypted password

      C) open Terminal, type "sudo passwd", authenticate, and set a root password.

      It does nail down the importance of good passwords, which is something that a lot of Mac users are new to.

      I set my system to automatically log me in at boot time, so it doesn't nail down anything.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;

  6. The Mac OS X security story direct from Apple by plsuh · · Score: 5, Interesting

    First, my credentials: I'm a Curriculum Developer with Apple's WorldWide Training and Communications group. I am the author of the Network Security chapter in Apple's Network Administration course. I gave a talk at the last MacWorld on Mac OS X firewalling, and I must have done something right since they asked me to do it again in July in New York. In this post, unlike most of my other postings, I am speaking in my Apple voice.

    That said, Mac OS X has a root user, but root does not have a valid password on installation. The first user that is created via the setup assistant is what is known as an admin user. These are users who are members of the group "admin", a predefined group. Apple provides an API whereby a GUI application can ask for an admin user's password, and thus gain sudo-style privileges for actions such as installing software (which might need to put things in places that can only be touched by root). The /Applications directory is also writable by admin users, so apps where the install is just drag and drop (such as OmniWeb or MSOffice) can also be installed by an admin user and do not require root privileges.

    In addition, admin users have access to the /Library directory, which is where resources specific to a particular machine should be stored. There are four Library locations that Mac OS X searches for resources such as fonts and frameworks:
    • ~/Library - for user-specific items
    • /Network/Library - for resources made available to an entire NetInfo network
    • /Library - for resources specific to a particular machine
    • /System/Library - the base system installation; this area is in general reserved for Apple use, and most people have no need to change anything inside here.

    Note that the /Library tree in general has ownership root:admin with privileges 775. This means that any admin user can add or remove resources from his or her own machine without resorting to using root directly. In fact, if you wanted to add a set of resources that would affect only a particular user (say, give only the graphic artist access to the full set of 300 fonts, and leave everyone else with just the usual system set of fonts), you could install them under the user's ~/Library directory. Because of the default search order, resources in ~/Library and /Library take precedence over those in /System/Library, so you can simply install a framework in /Library and override the OS's default behavior.

    If a user were to log in as root, he or she would immediately gain write access to the /System/Library area, which contains the really sensitive bits of the operating system. As the warning labels say, "No user serviceable parts inside!" Logging in as root is the equivalent of unscrewing the cover of a piece of equipment with that warning label. If you know what you're doing and you're careful, you may be able to do something in there, but if you're not careful or don't know what you're doing, you are likely to get hurt. I know of several users who had the bad habit of looking at a bunch of files in their System Folders and thinking, "I don't know what this does, I can just throw it out to gain more disk space," in older versions of the Mac OS. Turning one of these guys loose as root on Mac OS X is likely to cause major headaches.

    From the command line side of the house, admin users are allowed to do anything via the sudo command, which is preinstalled on Mac OS X. If you need root access, you can use sudo to do just about anything from the command line. If you really, really need a root shell, you can always do "sudo -s" and get one.

    In summary: Mac OS X has the tools that you need to perform system administration tasks from either the GUI side or the command line side without needing to log in as root. Logging in as root is the equivalent of opening up a piece of machinery with the warning label, "No user serviceable parts inside", and you should not be surprised if you get hurt when you do this.

    Paul Suh
    psuh@apple.dontbotherspammingmeigetwaytoomuchalready.com

    Note: on Mac OS X Server, root is enabled by default. This is considered less of an issue since it is expected that servers will be run by people who have a better understanding of the issues involved and are more likely to be doing things that need root access, even from the GUI level.
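To make the ownership argument in plsuh's post concrete, here is an added example (not Apple's code and not from the post) that applies the ordinary POSIX discretionary-access rule to the four Library locations he lists. The table is constructed from the post: /Library as root:admin 775; the modes assumed for the other three directories, the numeric ids (501 for the admin user, 502 for a plain user, 80 for the admin group, 20 for staff, 0 for wheel) and the function names can_write and can_write_library are assumptions for illustration, not values read from a real install.

```c
/* Added example: which users may write the Library directories plsuh lists.
 * Implements the POSIX rule for a single mode word: the owner bits apply if
 * the caller is the owner, otherwise the group bits if any of the caller's
 * groups matches, otherwise the "other" bits; uid 0 bypasses the check.
 * Directory table and numeric ids are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

struct dir_entry {
    const char *path;
    uid_t owner;
    gid_t group;
    mode_t mode;
};

/* Assumed ids: 0 = root, 501 = first admin user, 502 = a plain user,
 * 0 = "wheel" group, 20 = "staff", 80 = "admin". */
#define UID_ROOT  0
#define UID_ADMIN 501
#define UID_PLAIN 502
#define GID_WHEEL 0
#define GID_STAFF 20
#define GID_ADMIN 80

/* Constructed table, in the search order the post gives (~ is uid 501's home).
 * Only the /Library line (root:admin 775) is taken from the post. */
static const struct dir_entry library_dirs[] = {
    { "/Users/admin/Library", UID_ADMIN, GID_STAFF, 0755 },
    { "/Network/Library",     UID_ROOT,  GID_WHEEL, 0755 },
    { "/Library",             UID_ROOT,  GID_ADMIN, 0775 },
    { "/System/Library",      UID_ROOT,  GID_WHEEL, 0755 },
};
#define NDIRS (sizeof library_dirs / sizeof library_dirs[0])

static int in_groups(gid_t g, const gid_t *gids, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (gids[i] == g)
            return 1;
    return 0;
}

/* Returns 1 if a caller with this uid and group list may write an object
 * with the given owner, group and mode. Only one class of bits is consulted,
 * which is why an owner with mode 0477 is denied even though others are not. */
int can_write(uid_t uid, const gid_t *gids, size_t ngids,
              uid_t owner, gid_t group, mode_t mode)
{
    if (uid == UID_ROOT)
        return 1;
    if (uid == owner)
        return (mode & S_IWUSR) != 0;
    if (in_groups(group, gids, ngids))
        return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Looks up a path in the table and applies can_write; -1 for an unknown path. */
int can_write_library(const char *path, uid_t uid, const gid_t *gids, size_t ngids)
{
    for (size_t i = 0; i < NDIRS; i++)
        if (strcmp(library_dirs[i].path, path) == 0)
            return can_write(uid, gids, ngids, library_dirs[i].owner,
                             library_dirs[i].group, library_dirs[i].mode);
    return -1;
}

int main(void)
{
    const gid_t admin_groups[] = { GID_STAFF, GID_ADMIN };
    const gid_t plain_groups[] = { GID_STAFF };

    printf("%-22s %-6s %-6s %-6s\n", "directory", "admin", "plain", "root");
    for (size_t i = 0; i < NDIRS; i++)
        printf("%-22s %-6d %-6d %-6d\n", library_dirs[i].path,
               can_write_library(library_dirs[i].path, UID_ADMIN, admin_groups, 2),
               can_write_library(library_dirs[i].path, UID_PLAIN, plain_groups, 1),
               can_write_library(library_dirs[i].path, UID_ROOT, NULL, 0));
    return 0;
}
```

The table printed by main shows the split the post describes: the admin user can write /Library (through the group bits) and his own ~/Library (through the owner bits) but not /System/Library, the plain user can write neither system location, and only root reaches /System/Library, which is exactly the write access that logging in as root hands out unconditionally.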