
simX

macrumors 6502a
Original poster
May 28, 2002
765
4
Bay Area, CA
Before anyone says anything, yes, I am entirely aware of the risks of enabling the root user, and that's why I intended to disable it after I was finished working with it. (Unfortunately, the only easy way to set the keyboard layout of the login window is to enable root user, change the keyboard layout of the root user, and then log out and disable the root user. Using the Setup Assistant again isn't an option because it requires you to go through all the other options as well.)

Normally I enable the root user through the NetInfo Manager utility, log in as root, do what I need to do, and then log out and disable the root user through the NetInfo Manager again. Unfortunately, on one of my iMacs (bondi blue, 233 MHz Rev. A), the NetInfo Manager didn't do anything when I selected the "Enable Root User" menu item. It would prompt me for my administrator password, but then would never actually enable the root user. Finally I got fed up, and just went to the terminal and used the "sudo passwd root" command to enable it manually.

Bad idea. Now the root user is stuck on. The NetInfo Manager application still simply has an "Enable Root User" menu item, and it still doesn't do anything when I try to select it -- it authenticates me, then does nothing. (If the root user is already enabled, the "Enable Root User" menu item changes to "Disable Root User".)

So now my root user is stuck enabled. It's not a big security risk since it's behind a firewall anyway, but I'd rest easier if it were disabled. Does anybody know why this problem with the NetInfo Manager is happening and how to fix it? Alternatively, does someone know how to disable the root user from the command line? Any help would be much appreciated.

(Also, of note, is the fact that my 800 MHz 17" G4 iMac does not have this problem -- the NetInfo Manager application enables and disables the root user fine. My bondi blue iMac has all the latest updates and is running Mac OS X Panther version 10.3.4.)
 

MacFan26

macrumors 65816
Jan 8, 2003
1,219
1
San Francisco, California
Try doing this in the terminal:

niutil -createprop . /users/root passwd '*'

This will set the password back to the original setting. Then it should display disabled in NetInfo. Hope that works :)
 

simX

macrumors 6502a
Original poster
May 28, 2002
765
4
Bay Area, CA
MacFan26 said:
Try doing this in the terminal:

niutil -createprop . /users/root passwd '*'

This will set the password back to the original setting. Then it should display disabled in NetInfo. Hope that works :)

I got this same advice from some other Mac forums, and unfortunately, it didn't help. Here's what happened:

I did as you described. In NetInfo Manager, the "Enable Root User" menu item now works, and NetInfo Manager told me that my root user had a blank password. Additionally, the menu item now changes to "Disable Root User". But my actions in NetInfo Manager still have no effect on the root user. After selecting "Disable Root User" from the menu, it changes to "Enable Root User" as if it's really been disabled, but I can still log in as the root user. Additionally, if I simply change the root user password to "*" in NetInfo Manager (i.e.: a blank password), I still have to put in the original password I set for the root user to log in (the one when I used the "sudo passwd root" command)... i.e.: it's not blank, as NetInfo Manager tells me. So changing the password in NetInfo Manager has no effect on the actual root password.

Could this be because I used the Terminal command, and NetInfo Manager doesn't know how to disable the root user after enabling it that way? In effect, it seems like the NetInfo database is disconnected from the NetInfo Manager application, which could be the root of the problem. I don't know how to correct it, though.
 

MacFan26

macrumors 65816
Jan 8, 2003
1,219
1
San Francisco, California
Hm, I don't really know what's up with NetInfo. I have root set up as another user, so I can log in that way. I can also log in to root from the terminal. This is all with root disabled in NetInfo. So...now I'm confused :confused:
Anyone else know?
 

publicat

macrumors newbie
Jun 21, 2004
1
0
Other Option does not appear when NetInfo is turned off in Directory Access

I experienced the same issue running v.10.3.2. I installed, and activated the root. I logged off as the admin user and successfully logged on as root. I logged off as root and the "Other" option at login disappeared. I then went to NetInfo to reactivate the root. When I did so, it would ask for an admin password for confirmation, but then still appear in the pull-down menu as deactivated. I found the following link in Apple's support pages and it solved the problem. In summary, the article says...The "Other" option does not appear when NetInfo is turned off in Directory Access utility.

Mac OS X 10.3: No "Other" option at login Article ID # 25686

It does solve the problem. I'm not sure if it presents others.
 

simX

macrumors 6502a
Original poster
May 28, 2002
765
4
Bay Area, CA
Figured it out!

OK, I figured out the problem! It turns out that if you have an "authentication_authority" property for the root user in the NetInfo database (use NetInfo Manager to easily check), then the root user will not be disabled. Deleting this property (and then checking the NetInfo Manager utility to make sure the Security menu says root is disabled) will properly disable the root user.

I tested out doing the "sudo passwd root" command in the Terminal, and guess what? It enters an "authentication_authority" property for the root user when changing the root user's password. So this explains the whole problem. (It's likely that changing the root user's password via System Preferences when actually logged in as root will also do the same thing.) Note that these methods also introduce a "generateduid" property in the root user -- for good measure, you should make sure your root user doesn't have that property either.

Moral of the story: either 1) use a utility like Pseudo to change the root user's System Preference settings, or 2) always use the NetInfo Manager utility to enable or disable the root user.
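
The check described in the post above, as an added example that is not part of the original thread: a shell function that audits a root record in the "key: value" form printed by `niutil -read . /users/root` and reports whether root is really disabled. The function and sample names are hypothetical, and the record contents (including the `;ShadowHash;` value and the all-zero UUID) are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit a root user record in the
# "key: value" form printed by `niutil -read . /users/root`.
# Command-line equivalent of the deletion described in the post:
#   sudo niutil -destroyprop . /users/root authentication_authority
#   sudo niutil -destroyprop . /users/root generateduid

audit_root_record() {
    # Reads the record on stdin and prints one verdict line.
    awk '
        /^passwd:/                   { pw = $2 }
        /^authentication_authority:/ { aa = 1 }
        /^generateduid:/             { gu = 1 }
        END {
            if (aa)             v = "ENABLED: authentication_authority present"
            else if (pw != "*") v = "ENABLED: passwd is not *"
            else                v = "DISABLED"
            if (gu) v = v "; stray generateduid"
            print v
        }'
}

# Constructed sample: root record after `sudo passwd root`.
sample_after_passwd() {
    cat <<'EOF'
name: root
passwd: ********
uid: 0
gid: 0
home: /var/root
shell: /bin/sh
authentication_authority: ;ShadowHash;
generateduid: 00000000-0000-0000-0000-000000000000
EOF
}

# Constructed sample: passwd reset to '*' only (the niutil -createprop advice).
sample_after_createprop() { sample_after_passwd | sed 's/^passwd: .*/passwd: */'; }

# Constructed sample: both extra properties deleted as well.
sample_clean() { sample_after_createprop | grep -v -e '^authentication_authority:' -e '^generateduid:'; }

if command -v niutil >/dev/null 2>&1; then
    niutil -read . /users/root | audit_root_record   # live record on a NetInfo system
else
    for s in sample_after_passwd sample_after_createprop sample_clean; do
        printf '%s -> %s\n' "$s" "$("$s" | audit_root_record)"
    done
fi
```

The second sample shows why resetting `passwd` to `*` alone was not enough in this thread: the record still carries `authentication_authority`, so the audit keeps reporting root as enabled.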
 

MacFan26

macrumors 65816
Jan 8, 2003
1,219
1
San Francisco, California
simX said:
OK, I figured out the problem! It turns out that if you have an "authentication_authority" property for the root user in the NetInfo database (use NetInfo Manager to easily check), then the root user will not be disabled. Deleting this property (and then checking the NetInfo Manager utility to make sure the Security menu says root is disabled) will properly disable the root user.

Moral of the story: either 1) use a utility like Pseudo to change the root user's System Preference settings, or 2) always use the NetInfo Manager utility to enable or disable the root user.

Ah ha! Yep, I had the authentication_authority on my root user also. I'm glad you figured it out! Pseudo is a cool utility, I added it to mine :)
 