Can you make yourself root?

Discussion in 'Mac OS X Lion (10.7)' started by Prodo123, Jan 31, 2012.

  1. Prodo123 macrumors 68020

    Prodo123

    Joined:
    Nov 18, 2010
    #1
    I know sudo is the staple command of Terminal for any Unix and Linux OS, but it's sometimes annoying to type out sudo every time I have to use an admin command.
    And it's annoying to have to log in as root for any non-Terminal admin stuff.

    So, can I give my current account superuser status without using sudo?
     
  2. cal6n, Jan 31, 2012
    Last edited: Jan 31, 2012

    cal6n macrumors 68000

    cal6n

    Joined:
    Jul 25, 2004
    Location:
    Gloucester, UK
    #2
    You're the one with the ubuntu logo for an avatar. You tell us!

    :D

    Only kidding!

    Code:
    sudo su
    (Note: tested in Snow Leopard, not Lion!)
     
  3. jasonvp macrumors 6502a

    jasonvp

    Joined:
    Jun 29, 2007
    Location:
    Northern VA
    #3
    Becoming root should be annoying. What you're asking for goes against every UNIX-based security rule known. But: it's your system. Here are three things you can do, 2 of which I think are stupid as hell (and will point them out as such).

    Use sudo for a shell
    Assuming your login has admin rights (which is, FWIW, very stupid), you automatically have an entry in the sudoers file. Open a terminal and enter the following:
    Code:
    sudo <your favorite shell>
    
    Enter your password and you'll have shell access as root.

    Enable root login (Stupid idea #1)
    Follow These instructions to set the root user's password, which will then allow you to log in as root from via the GUI.

    Change UID to 0 (Stupid idea #2)
    Get a root shell somehow (using sudo, assumedly) and type the following:
    Code:
    chsh <your_user_name>
    
    It'll fire up vi where you'll be able to edit the specifics about your user. One of the entries is the UID; set it to 0 and save the file. Make sure to chown all of the stuff in your home directory over to 0 as well, for some sort of consistency. Log out and back in and you'll have all the rights that root does.

    I use the first one from time to time, but the second two are stupid as stupid can be, IMHO. So... while you can do them, I'd recommend against it.

    jas
     
  4. drambuie macrumors 6502a

    Joined:
    Feb 16, 2010
    #4
    jasonvp,

    I have no intention of becoming or enabling root, but am curious about the procedure, so I followed the instructions for OSX 10.6.x in article HT1528, "your stupid idea #1". When I get to the Directory Utility window per step 8, step 9 is not available because there's no Root User listed in the editable services.

    All I have are:
    Active Directory
    BSD Flat File and NIS
    LDAPv3
    Local

    I assume I am Administrator as it says Admin under my name in My Account.

    I would like to know what could be different about my OSX install that causes the Directory Utility to appear differently. I have a late 2010 15" MBP that came with OSX 10.6.4, and it has been incrementally updated to 10.6.8 as the updates were released. Upd 10.6.5 was done when I started using the MBP.
     
  5. jasonvp macrumors 6502a

    jasonvp

    Joined:
    Jun 29, 2007
    Location:
    Northern VA
    #6
    Did you drop the Edit menu down? Do you see the "Enable Root..." choice there? Step 9 says:

    jas
     
  6. drambuie macrumors 6502a

    Joined:
    Feb 16, 2010
    #7
    Thank you jasonvp and Patron22. It was the screen shot in Patron22's link that finally clued me in. I was focused on the small Directory Utility window, looking for the edit menu, and hadn't noticed that the entire screen had changed from System Preferences to Directory Utility. Oh well. Sometimes a picture is worth a thousand words.

    As I said, I don't intend to become the root, but was curious about the procedure, and thought something was amiss with my OSX install.
     
  7. jasonvp macrumors 6502a

    jasonvp

    Joined:
    Jun 29, 2007
    Location:
    Northern VA
    #8
    Accounts, Security, etc

    This may be more apropos to its own thread, but I figured I'd share what I consider "good practices" in this one.

    Admin Account
    One of the first steps you go through when setting up a new Mac with OS X is to create an account. I'm not really happy with Apple's choice to automatically make that account an admin one. I understand why they did it: to make it easier for folks to set their systems up. But I disagree with the execution of it.

    What I do is this: after logging in as my 'jvp' account, the first thing I do is call up the "Users and Groups" in Sys Prefs, and create a new 'admin' user. I give it administration rights, and then remove mine. Doing this requires logging out and back in, so I do so. Now my 'jvp' account is a stupid-user capable of doing, well basically: nothing.

    Any time I have to install something, OS X pops up an authentication dialog box, where I put in the admin's name and password. It's a nice way to force the system to ask me: "Hey, are you sure you want to install this stuff? Are you sure you want to make these system changes? Are you sure you really want to do that?" It may seem annoying to some, but it's a small extra layer of security.

    Root Access and Sudo
    That said, I may actually want to sudo to root for some reason, from time to time. Since my 'jvp' account is no longer an admin account, it won't be in the sudoers file. So I fix that first by becoming the admin user:

    Code:
    su - admin
    And then sudoing to edit the sudoers file:

    Code:
    sudo visudo
    Both steps require the admin user's password, obviously. Once in the sudoers file, I look for the User privilege specifications section.

    Code:
    # User privilege specification
    root    ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    
    I add my 'jvp' account and save it. It looks like so:

    Code:
    # User privilege specification
    root    ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    jvp      ALL=(ALL) ALL
    
    Now when I and if I need to do something as root (which is exceedingly rare), I just open an iTerm or Terminal.app window and do this:

    Code:
    sudo tcsh
    which requires my password.

    Making SSH a Little More Secure
    All of my machines allow incoming ssh connections, but like most UNIXen boxes, ssh is set up a bit loosely for my tastes. None of these steps are required, mind you. But they tighten up the ssh daemon a bit more than it is by default.

    When dealing with ssh, the first thing I do is add my ssh keys to ~/.ssh/authorized_keys. I'm not going to go into the details of what that is, how you do it, etc. It's easy to reference, look up on the web, read man pages, etc. That and I'm lazy and don't feel like writing an ssh tome. :) Anyway, I add the keys that I know I'll use to the authorized_keys file first, because the next change I make is going to suddenly elevate that key file's importance.

    As root (remember the sudo stuff from above?) I edit the /etc/sshd_config file. Care must be taken here, so I'd recommend if you feel uneasy doing this, save a copy elsewhere. Anyway, I look for 2 important lines to change. The first is
    Code:
    #PermitRootLogin yes
    
    It's commented out in the file, but the default is 'yes'. And that's just silly. So we'll set that to no by uncommenting it and editing its value.

    Code:
    PermitRootLogin no
    
    Check and verify that PasswordAuthentication is set to no. It should be by default. If you want to make certain, just uncomment it.

    Code:
    #PasswordAuthentication no
    
    And finally, the variable UsePAM is set to yes by default. This will ultimately allow someone to use password authentication via ssh, even though PasswordAuthentication is set to no. So set UsePAM to no.

    Code:
    UsePam no
    
    Save the file. What you've just done is make it impossible for root to login via ssh. And you've made it impossible for any users to log in via ssh with a password. They have to have a local authorized_keys file in their ~/.ssh directory.

    I'm sure there are other "best practices", but these are the steps I take to try and secure OS X within reason.

    jas
     
  8. KnightWRX macrumors Pentium

    KnightWRX

    Joined:
    Jan 28, 2009
    Location:
    Quebec, Canada
    #9
    You'd be surprised ;)
     
  9. Mal macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #10
    Just so you know, this is completely unnecessary with Mac OS X. Unlike Windows, there are no security risks to running as admin on a regular basis. The same authorization messages will be presented for the same tasks, the only difference being that your username will be filled in automatically so you only have to type in your password. Applications running under that account will not have escalated privileges, and it does not open you up to any malicious software or attack. Most Mac users, including many of us who are very knowledgeable about the system, run as a admin user on a day-to-day basis without any risk or problems, because the system was designed to be used that way. The "Standard" user type is intended for additional users who should not be able to install software or change system settings, not for the primary user of the machine.

    jW
     
  10. jasonvp macrumors 6502a

    jasonvp

    Joined:
    Jun 29, 2007
    Location:
    Northern VA
    #11
    Not actually true. I knew someone was going to point that out to me, but it's not 100% true. It takes some understanding of the UNIX filesystem permissions and groups. Allow me to 'splain.

    Any non-admin-style user you create will be assigned to group staff which is GID 20. Admin users are part of group admin, GID 80. Your /Applications directory is group-writable by GID 80. What this means is that, via CLI (and not GUI), you, or a rogue script or something can write all sorts of crud to /Applications without any checks and balances.

    jas
     
  11. Mal macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #12
    True, but the actual Applications within that folder are not set with those permissions, so while a malicious script could place items in the Applications folder, it couldn't do anything that would actually cause harm, except by simply filling up the drive, which could be done with a standard user by simply filling up the user folder.

    jW
     
  12. jasonvp macrumors 6502a

    jasonvp

    Joined:
    Jun 29, 2007
    Location:
    Northern VA
    #13
    Hm. I'm not sure you're seeing the potential here. Anything installed in /Applications via the operating system will be done by root. Anything you download and install in /Applications afterward will have you as the owner and admin as group. And be group-writable.

    Which means they can be removed.

    Or replaced....

    ..with something malicious. And you wouldn't know it. It'd never require a password entry to do it because the admin GID has full write rights to those user-installed items.

    jas
     
  13. ericrwalker macrumors 68030

    ericrwalker

    Joined:
    Oct 8, 2008
    Location:
    Albany, NY
    #14
    That's a hybrid avatar, got a little bit of everything in it.
     

Share This Page