6.3. Nonhuman Users

Even if you are the only human user of the system, there are well over a dozen accounts on the system. Most of these user accounts are not intended for use by you or any user on the system but are set up for use by various services and programs on the system. These nonhuman accounts let applications, such as the Apache web server and the Postfix mail server, run in a controlled environment so if they are breached by a hacker, the potential damage is limited. Table 6-1 lists some of the nonhuman users that are defined on the system.

Many of the nonhuman users, such as cyrusimap and qtss, aren't used on the average person's system but instead are defined for use on Mac OS X Server. Others, such as postfix and www, are used only when you run the Postfix mail server or the Apache web server. Under most conditions, you'll notice only processes owned by either your own ID or by the root user when viewing processes in the Activity Monitor or with the ps command.

6.3.1. The Root User

As in all Unix systems, Mac OS X has a special user, named root, that is not subject to the control of the permissions structure. The root user, sometimes called the superuser, can modify any part of the filesystem as well as execute any program. It can also stop the execution of any running program on the system. The root user is a dangerous one. Some commands executed as root, such as rm -rf /, can immediately disable a system; you really have to think about what you are doing with every command you issue using root.

To help prevent mishaps, Mac OS X is configured by default to allow access to the root user only through the sudo (superuser do) program. To use this program, you must be an administrative user, and simply preface the command you want to enter with sudo. Example 6-3 shows how to use sudo to print out some of the contents of secure.log, a file that is visible only to the root user and that contains the records of the various actions of Mac OS X's security systems.

Example 6-3. Using sudo

    $ sudo tail /var/log/secure.log
    Password: ********
    Jun 11 14:04:42 ronin SecurityAgent[447]: Showing Login Window
    Jun 11 14:04:46 ronin SecurityAgent[447]: User Authenticated: continue login process
    Jun 11 14:04:46 ronin com.apple.SecurityServer: authinternal authenticated user jldera (uid 501).

Because sudo keeps an internal timer, you can execute multiple commands without typing your password each time. It also logs each use in /var/log/system.log, so you can go back and see a list of commands that were executed (a procedure covered in Chapter 12). This is handy when you have multiple users with administrative privileges on a system.

If you prefer to live a bit more dangerously, you can get a shell as the root user by issuing the following command:

    $ sudo -s
    Password: ********
    #

The prompt changes to # indicating that every command typed will be run as the root user.

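The sudo entries in the system log mentioned above can be reviewed with a short parser. This is an added example, not code from the book: it assumes sudo's standard syslog line format (user : TTY=... ; PWD=... ; USER=... ; COMMAND=...), the sample lines are constructed, and the function names are hypothetical. It also separates denied attempts and root shells started with sudo -s, where sudo records only the shell launch.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's syslog format; host, users and commands are made up.
SAMPLE_LOG = """\
Jun 11 14:04:42 ronin SecurityAgent[447]: Showing Login Window
Jun 11 14:05:02 ronin sudo:   jldera : TTY=ttyp1 ; PWD=/Users/jldera ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure.log
Jun 11 14:06:10 ronin sudo:   jldera : TTY=ttyp1 ; PWD=/Users/jldera ; USER=root ; COMMAND=/bin/bash
Jun 11 14:09:31 ronin sudo:    guest : user NOT in sudoers ; TTY=ttyp2 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/cat /var/log/secure.log
Jun 11 14:12:55 ronin sudo[512]:   jldera : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/Users/jldera ; USER=root ; COMMAND=/usr/sbin/visudo
"""

SUDO_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")
SHELLS = {"sh", "bash", "zsh", "csh", "tcsh", "ksh"}

def parse_sudo_events(text):
    """Return one dict per sudo entry: ts, user, kind, run_as, reason, command."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m or "COMMAND=" not in m["body"]:
            continue  # other daemons, or sudo lines that carry no command
        # COMMAND is always the last field, so cut it off before splitting the rest.
        head, _, command = m["body"].partition("COMMAND=")
        fields, failure = {}, None
        for part in filter(None, (p.strip() for p in head.split(" ; "))):
            if "=" in part:
                key, value = part.split("=", 1)
                fields[key] = value
            else:
                failure = part  # e.g. "user NOT in sudoers"
        argv = command.split()
        if failure:
            kind = "denied"
        elif len(argv) == 1 and argv[0].rsplit("/", 1)[-1] in SHELLS:
            kind = "root-shell"  # sudo -s: commands typed inside are not logged by sudo
        else:
            kind = "command"
        events.append({"ts": m["ts"], "user": m["user"], "kind": kind,
                       "run_as": fields.get("USER"), "reason": failure, "command": command})
    return events

def summarize(text):
    """Group logged commands by invoking user and event kind."""
    report = defaultdict(lambda: defaultdict(list))
    for e in parse_sudo_events(text):
        report[e["user"]][e["kind"]].append(e["command"])
    return {user: dict(kinds) for user, kinds in report.items()}

if __name__ == "__main__":
    for e in parse_sudo_events(SAMPLE_LOG):
        print(e["ts"], e["user"], e["kind"].upper(), e["command"], e["reason"] or "")
```
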

6.3.1.1. Enabling the root user

Some people really want to be able to log into their system as root. For some reason having administrative privileges and the ability to execute any command using sudo isn't enough. If you are one of these people, you can enable the root user so that you can log in either to the GUI or the command line and have unfettered and unmonitored access to your system. I don't recommend that you do this, but if you insist, here's how: