The traditional Unix approach to system administration makes heavy use of one highly privileged account: root. Every Unix system has exactly one root account.
The root account is not limited by the permissions or ownership settings of any file on the system, so root can edit, delete, rename, move, and otherwise mess with every file on the system. Most basic system processes run as the root user so that they can access any part of the disk and so that other users cannot interfere with them.
Protection of the root password is critical to system security. The root account is all-powerful. There is no way to stop the root account from altering anything on the system.
To maintain the highest level of system security, access to root must be limited to the smallest possible number of people, and the power of root should be used only when strictly necessary.
The root account is often referred to as the superuser, and Unix veterans have been known to refer to all non-root accounts as "mere mortals." Determining whether the seemingly all-powerful root is God or the Devil, and how they differ, is left as a theological exercise for the reader.
Because many directories and files that contain system software and configuration settings can be changed only by the root user, most system-administration tasks must be performed by the root account.
On most Unix systems, an administrator uses the root account in one of two ways:
By logging in as the root user. This method is often disabled, however, in which case the next method is required.
By logging in as a "regular" user and then switching to the root account with the su command. (su stands for substitute user identity and is described later in this chapter.)
Many systems do not allow the root account to log in directly; those systems require that an administrator use the second method. That way only someone who knows the password to a regular account as well as the root password is able to run commands as root.
Mac OS X is designed to reduce to an absolute minimum the situations in which users execute commands as root, while still giving users full control over their machines and allowing them to perform any needed system-administration tasks.
As long as you stick to the Aqua GUI, you never come across "root." Instead, a part of the operating system called the Authentication Manager occasionally prompts you to enter the name and password of an admin user before completing a task that requires root access, such as installing software.
But if you use the command line, the situation is different. Unlike the Aqua side of Mac OS X, command-line programs that require root privileges almost never prompt you for a password; they simply fail if they are not executed by root. So at the command line you must know in advance that what you are about to do requires root, and take some action to "become root" before executing certain commands, such as changing a user's password or installing software.
Mac OS X ships with the root account disabled, and unless you enable it (see "To run any command line as root," below), you can neither log in as root nor use the su command to assume the root identity. Instead, Mac OS X uses the sudo command (think of "substitute user do...") to provide root access at the command line.
Every time someone uses sudo, a record of what that user did is added to the system log file, /var/log/system.log.
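Because every use of sudo leaves a record in the system log, the log is the place to look when you want to know who has been running what as root. The following Python script is an added example (not from the book): it parses the record format sudo writes to syslog (user, TTY, PWD, target USER, COMMAND, with a reason such as "3 incorrect password attempts" inserted when the request was refused) and summarizes it. The log lines, host name, user names and process IDs are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of the records sudo writes to the system log
# (on Mac OS X 10.4, /var/log/system.log). Host, user names and PIDs are made up;
# the field layout (user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=) is sudo's own.
SAMPLE_LOG = """\
Mar  3 09:12:41 powerbook sudo[4121]:  vanilla : TTY=ttys000 ; PWD=/Users/vanilla ; USER=root ; COMMAND=/usr/bin/du -sk /Users/*
Mar  3 09:15:02 powerbook sudo[4130]:  vanilla : TTY=ttys000 ; PWD=/Users/vanilla ; USER=root ; COMMAND=/bin/sh
Mar  3 09:15:03 powerbook kernel[0]: unrelated message that must be ignored
Mar  3 09:20:17 powerbook sudo[4142]: puffball : user NOT in sudoers ; TTY=ttys001 ; PWD=/Users/puffball ; USER=root ; COMMAND=/usr/bin/passwd vanilla
Mar  3 09:21:05 powerbook sudo[4143]: puffball : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/puffball ; USER=root ; COMMAND=/bin/sh
Mar  3 09:30:55 powerbook sudo[4150]:  vanilla : TTY=ttys000 ; PWD=/Users/vanilla ; USER=root ; COMMAND=/usr/bin/du -sk /Users/*
"""

LINE_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S*) ; PWD=(?P<pwd>[^;]*?) ; USER=(?P<target>\S*) ; COMMAND=(?P<command>.*)$"
)

SHELLS = {"sh", "bash", "tcsh", "csh", "zsh"}


def parse_sudo_log(text):
    """Return one dict per sudo record; lines from other programs are skipped.
    A record that carries a 'reason' (wrong password, not in sudoers) is a refused attempt."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entry = m.groupdict()
        entry["ok"] = entry["reason"] is None
        entries.append(entry)
    return entries


def summarize(entries):
    """Per-user count of commands actually run as root, the refused attempts,
    and the successful records that started a root shell (sudo -s or sudo sh),
    which deserve a closer look than a single du or passwd command."""
    per_user = Counter(e["user"] for e in entries if e["ok"])
    refused = [(e["user"], e["reason"], e["command"]) for e in entries if not e["ok"]]
    root_shells = [
        e for e in entries
        if e["ok"] and e["command"].split()[0].rsplit("/", 1)[-1] in SHELLS
    ]
    return per_user, refused, root_shells


if __name__ == "__main__":
    users, refused, shells = summarize(parse_sudo_log(SAMPLE_LOG))
    for user, n in users.items():
        print(f"{user}: {n} command(s) run as root")
    for user, reason, cmd in refused:
        print(f"REFUSED {user}: {reason} ({cmd})")
    for e in shells:
        print(f"ROOT SHELL {e['user']} at {e['when']} on {e['tty']}")
```

Run against the real file (sudo grep sudo /var/log/system.log piped into the script's input) the same parser works unchanged; the refused attempts are the lines worth reading first, since a user who is not in sudoers has no business asking.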
The sudo command itself is not unique to Mac OS X; it is used on many Unix systems. But in Mac OS X, it is normally the only way to use root from the command line. In this system, no one has the root password, but instead anyone who is an admin user is a member of the "admin" group, and anyone in group admin is explicitly allowed to use sudo to execute any command as root. (Review Chapter 8, "Working with Permissions and Ownership," to learn about groups.)
The sudo command allows specific users or groups of users to execute specific commands with the power of root. The sudo command has a configuration file (see man sudoers) that lists who can perform which commands as root.
The idea behind sudo is that a trusted user or group of users can be given the ability to run specific commands, such as restarting a Web server if it crashes.
In Mac OS X, sudo is configured so that any user in group admin can execute any command with the power of root. The first account you created (perhaps it is the only account you created) on your Mac OS X system is always in group admin. If you are using a Mac OS X system set up by someone else, then your account may not be in group admin. In order to perform the tasks in this chapter, you need to ask whoever administers your system (that would be the system administrator!) to allow you to be an admin user. Only admin users are supposed to perform system-administration tasks on Mac OS X.
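To make concrete what "specific users, specific commands" means in the sudoers file, here is an added Python example (not from the book, and not sudo's own policy engine) that parses a small subset of sudoers syntax and decides whether a request would be allowed and whether a password would be asked for. The first rule is the one Mac OS X ships with for group admin; the webops and vanilla rules are hypothetical least-privilege rules of the "restart the Web server" kind. Aliases, Defaults lines, host lists and wildcards are deliberately left out.

```python
import re

# Constructed sudoers fragments. The first is the rule Mac OS X ships with
# (any member of group admin may run anything as anyone); the others are
# hypothetical least-privilege rules of the kind the text describes.
MAC_DEFAULT = "%admin ALL=(ALL) ALL"

LEAST_PRIVILEGE = """\
# group webops may restart the Web server, and nothing else, without a password
%webops ALL=(root) NOPASSWD: /usr/sbin/apachectl restart, /usr/sbin/apachectl graceful
# user vanilla may run du with any arguments (no arguments in the spec means any)
vanilla ALL=(root) /usr/bin/du
"""

# who  host=(runas) [NOPASSWD:|PASSWD:] cmd[, cmd...]   (the subset handled here)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse the rule lines of a sudoers fragment; comments and blank lines are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported sudoers line: " + line)
        rules.append({
            "who": m["who"],
            "host": m["host"],
            "runas": m["runas"],
            "nopasswd": m["tag"] == "NOPASSWD",
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def command_matches(spec, command):
    """'ALL' matches anything; a bare path matches that program with any
    arguments; a path followed by arguments matches only those exact arguments."""
    if spec == "ALL":
        return True
    spec_parts, cmd_parts = spec.split(), command.split()
    if not cmd_parts or spec_parts[0] != cmd_parts[0]:
        return False
    return len(spec_parts) == 1 or spec_parts[1:] == cmd_parts[1:]


def may_run(rules, user, groups, command, runas="root"):
    """Return (allowed, password_required) for user (a member of groups) asking
    to run command as runas. As in sudo, the last matching rule decides."""
    allowed, password_required = False, True
    for r in rules:
        who_ok = r["who"] == user or (r["who"].startswith("%") and r["who"][1:] in groups)
        runas_ok = r["runas"] == "ALL" or runas in [x.strip() for x in r["runas"].split(",")]
        if who_ok and r["host"] == "ALL" and runas_ok and \
                any(command_matches(c, command) for c in r["cmds"]):
            allowed, password_required = True, not r["nopasswd"]
    return allowed, password_required


if __name__ == "__main__":
    mac = parse_sudoers(MAC_DEFAULT)
    print("admin user, passwd:", may_run(mac, "vanilla", ["admin"], "/usr/bin/passwd puffball"))
    lp = parse_sudoers(LEAST_PRIVILEGE)
    print("webops, restart:  ", may_run(lp, "webby", ["webops"], "/usr/sbin/apachectl restart"))
    print("webops, shell:    ", may_run(lp, "webby", ["webops"], "/bin/sh"))
```

The contrast the text draws is visible in the results: under the Mac OS X default an admin user can run anything, while under the webops rule a user can restart the server without a password but cannot get a root shell or even stop the server.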
The most common way you use the sudo command is to run a command line as root.
Problems with the Mac OS X Approach to root
The way Mac OS X allows root access is fine if your Mac OS X machine is being used only by you and perhaps a couple of trusted family members and friends, and if it's not on a publicly accessible network.
On the other hand, if your machine is used by many people, especially by people you don't know, or if it's connected to the Internet on a full-time basis, then Apple's approach to root access could be considered problematic.
On most modern Unix systems, in order for users to operate as root, they have to have two passwords: their own (that is, the one they log in with) and the root password (the one they can use only after having logged in as themselves).
The Mac OS X approach requires only that a user be in group "admin" and know his or her own password to gain root privileges. As long as that user is an admin user, his or her account can perform any command as root without the user's having to know any other password.
Compounding the problem (needing only one password instead of two) was the fact that prior to Mac OS X 10.3, the default configuration of Mac OS X left weakly encrypted passwords available to non-root users, so the nidump command could be used by any user to reveal the encrypted passwords of all users. The encryption used was fairly weak, and poor passwords (those based on words or that use simple patterns) can be cracked in a matter of days or hours on modern machines. Starting with Mac OS X 10.3, the default changed so that the encrypted passwords are not available to non-root users, but accounts created before 10.3 and not changed since then will still have their encrypted passwords available to non-root users.
The Mac OS X approach is easier on the user: there's only one password to remember, and for people using their Mac OS X machine as an isolated desktop machine, this is probably fine. However, if the computer is a true multiuser machine in a networked environment, used the way Unix was intended, the wisdom of this approach is debatable.
One measure you should take is to ensure that the password for any admin user is a good one (see the sidebar "Choosing a Safer Password").
Perhaps in future versions of Mac OS X, admin users will be divided into groups with different levels of access to root, but at present (version 10.4), any admin user is essentially equivalent to root.
To run any command line as root:
Type sudo commandline, where commandline can be any command line. For example,
sudo du -sk /Users/*
runs the du command (for disk usage) and shows a summary (-s) of how much disk space is being used (in kilobytes, because of the k option) by each directory in the /Users directory, effectively showing every user's disk usage. You could not do this without being root, because many of the files in each user's directory are not readable by other regular users. When the command is run by the root user, it can read the size of every file and produce a complete report (Figure 11.1).
Figure 11.1. Using the sudo command to execute a command line as root.
As you can see, the first time you use sudo, unusual messages appear. You receive a little lecture on the use of root, and then sudo prompts you for your password.
Enter your password.
If this is the first time you have used sudo, then sudo creates a directory named after your user name in /var/run/sudo/ (for example, /var/run/sudo/vanilla).
Each time you use sudo , it checks the modification time on that directory. If the modification time is more than five minutes old, you are prompted for your password again to make sure that you haven't walked away from your keyboard, allowing someone else to try to use sudo .
Your password is not displayed as you type it. Once sudo accepts your password, it executes the command line you gave it and updates the modification time on your directory in /var/run/sudo .
You can force sudo to ask for a password (overriding the 5-minute time period) with sudo -k.
The 5-minute grace period can be modified with the visudo command. See Table 11.1 for a summary of the options for sudo.
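The time-stamp directory check described in the steps above is simple enough to model end to end. The Python below is an added example (not from the book, and a model of sudo's behaviour rather than sudo's own code): it uses a temporary directory in place of /var/run/sudo/vanilla, a fixed clock instead of the real one, and reproduces the first-use prompt, the five-minute grace period, the re-prompt after you have walked away, and what -k and -K do to the time stamp. The directory name and the clock values are constructed.

```python
import os
import shutil
import tempfile
import time

GRACE_SECONDS = 5 * 60   # sudo's default; the value is set in sudoers, edited with visudo


def password_required(ts_dir, now=None, grace=GRACE_SECONDS):
    """True when sudo must prompt: no time-stamp directory yet (first use), or
    its modification time is more than the grace period old. A time stamp from
    the future (clock set back) is treated as stale rather than trusted."""
    now = time.time() if now is None else now
    try:
        age = now - os.stat(ts_dir).st_mtime
    except FileNotFoundError:
        return True
    return age < 0 or age > grace


def record_success(ts_dir, now=None):
    """What happens after a correct password: create the directory on first use,
    then set its modification time to now."""
    os.makedirs(ts_dir, exist_ok=True)
    now = time.time() if now is None else now
    os.utime(ts_dir, (now, now))


def kill_timestamp(ts_dir):
    """sudo -k: keep the directory but date it back to the epoch, so the very
    next use asks for the password again."""
    if os.path.isdir(ts_dir):
        os.utime(ts_dir, (0, 0))


def remove_timestamp(ts_dir):
    """sudo -K: remove the directory, so the next use prompts and gives the lecture again."""
    if os.path.isdir(ts_dir):
        os.rmdir(ts_dir)


def demo():
    """Walk through first use, a quick second use, a ten-minute absence, -k and -K.
    Returns the list of decisions so the behaviour can be checked."""
    base = tempfile.mkdtemp()
    ts = os.path.join(base, "vanilla")       # stands in for /var/run/sudo/vanilla
    t0 = 1_000_000.0                         # a fixed clock keeps the run repeatable
    decisions = []
    try:
        decisions.append(password_required(ts, now=t0))          # first use: prompt
        record_success(ts, now=t0)
        decisions.append(password_required(ts, now=t0 + 120))    # 2 minutes later: no prompt
        decisions.append(password_required(ts, now=t0 + 600))    # 10 minutes later: prompt
        record_success(ts, now=t0 + 600)
        kill_timestamp(ts)
        decisions.append(password_required(ts, now=t0 + 601))    # after -k: prompt
        remove_timestamp(ts)
        decisions.append(os.path.exists(ts))                      # after -K: directory gone
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return decisions


if __name__ == "__main__":
    print(demo())   # [True, False, True, True, False]
```

The point of the future-time-stamp check is the same as the point of the grace period: the time stamp is only evidence that you typed your password recently, and anything that makes it unreliable should cost you a prompt, not grant you root.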
sudo will not work on command lines that use shell built-in commands, such as the cd command. That's because shell built-in commands are not separate programs. See man builtin for a list of shell built-in commands.
The sudo command has an entire Web site devoted to it: Sudo Main Page (www.sudo.ws). There you can learn the whole story of how it can be used, find security alerts, peruse a troubleshooting FAQ list, and more. For much more on sudo than we can discuss in this book, check out Mac OS X Server 10.4 Tiger: Visual QuickPro Guide, by Schoun Regan and Kevin White (Peachpit Press; www.peachpit.com), which also covers configuring sudo.
Table 11.1 Options for sudo. Remember to see the man page for the complete list.

OPTION    MEANING/USE
-l        Lists the allowed and forbidden commands for the current user. This is a good way of seeing what you can (and can't) do with sudo.
-k        Kills the 5-minute grace period. sudo requires a password on the next use, no matter how soon it is.
-K        Removes the time-stamp directory entirely. Next time you use sudo, you get the lecture again.
-u user   Runs the command line as user instead of as root.
-s        Gives you a root shell. Very dangerous. Every command you enter until you exit the new shell is run as root. Uses the shell in the SHELL environment variable if it is set; otherwise, uses the user's default shell.
-H        Sets the HOME environment variable to the home directory of the user whose identity sudo takes on (default is root). Normally sudo does not change the HOME variable.
To start an entire shell as root:
Although using sudo will probably handle all the things you need to do as root from the command line, this wouldn't be Unix if there weren't other ways to do it. Besides, you may come across a situation in which using sudo doesn't achieve what you need. So here are a couple more ways to become root. We're not including these so much for you to use them as for you to know what is possible.
The default configuration for Mac OS X has the root account disabled: you cannot use the su command to assume the root account's identity, nor can you log in to Aqua as root, nor can you log in to the machine over the Internet as root (using ssh, for example; see Chapter 10, "Connecting over the Internet"). Once you enable the root account, you can do all of these.
Experienced Unix users may mistakenly think they must enable the root account, but it is very unlikely that you will need to log in as root using the Aqua interface, and you should not allow people to log in as root over a network. In fact, we don't even recommend enabling it! Still, if you must know, refer to man dsenableroot for more on enabling the root account.
Compare with Aqua: Becoming root
In its graphical interface, Mac OS X uses an approach very much like the one used with sudo . Whenever you use Aqua to attempt a change that requires root access (for example, installing system software using the Software Update command), the GUI prompts you for an administrator name and password.
There is a big difference between the GUI and the command line in this case, however: The GUI "knows" when something must be done by root and prompts you, and it does not provide a way to run arbitrary programs as root. The command line, on the other hand, leaves it all up to you: if you try to perform an action with insufficient privileges, you get an error, and by using sudo you can run any command as root. This is very much in the Unix spirit of not trying (or bothering) to protect you from yourself. Unix expects you to avoid doing foolish things because you know you haven't learned how yet, not because it prevents you from trying.
How sudo Makes Command Names Case Insensitive
When you execute a command using sudo , the command name is not case sensitive. So,
do the same thing. This has to do with a combination of how sudo looks up command names and the peculiarities of the Mac file system.
As we discussed in Chapter 5, "Using Files and Directories," the standard Mac file system is a "case-preserving, case-insensitive" file system. In some cases in Mac OS X, then, you can ignore case when specifying file and command names. But do not rely upon it. The default shell bash (and the Bourne shell on which it is based) does not care about case in the way it looks up commands and filenames, while the tcsh shell uses a case-sensitive method. The sudo command itself uses a case-insensitive lookup. An example of how this can get tricky is that if you are using tcsh, a command line that spells the command name in capitals (DATE) works, because it is the sudo command that is looking up DATE, but one that spells sudo itself in capitals (SUDO) does not, because the tcsh shell won't find the SUDO command.