7 Replies Latest reply: May 2, 2013 6:16 PM by Strontium90
gianic Level 1 (5 points)

When I enter the command in Terminal.app as shown in the article, replacing italicized text with my specific info, I get:

 

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:

 

This worries me.  I have never used Terminal.app and am new to running my own server.  I have a Mac Mini Server, running a netboot for 24 student computers.  My server alerts tell me the certificate has expired and is expiring.  I have also been having problems with students not being able to access a shared folder that I put resources in for their projects.  I don't know if the two are related, but wanted to give as much info as possible.


Mac mini, OS X Server, Mac OS X 10.7.5
  • 1. Re: What am I doing wrong?
    Strontium90 Level 4 (3,140 points)

    The alert is baked in.  It is designed to make you think before committing commands as sudo.  This is effectively executing actions as root.  If you know what you are doing, then enter the command with confidence.  Screwing up as root could take down the whole server.  Classic case... sudo rm -R * in the wrong place can make for a really, really bad day.

     

    Regarding your certificates, open Server.app and take a look at what you have.  If you are using the self-signed, you may not even be using it for any services.  If this is the case, then let it expire.  If you are using a purchased cert, and it is active on services, then renew it.

     

    And for students not accessing the shared folder, what is the behavior that the student sees?  Permissions denied?  No connectivity?

  • 2. Re: What am I doing wrong?
    gianic Level 1 (5 points)

    Thank you.  I looked and saw that I was using self-signed, and then looked at what services were using it... just Mail, which I don't have set up. So, I set the certificate to "none".  As for resources, I realized I made a change and forgot to update the group preferences.  Oops.

  • 3. Re: What am I doing wrong?
    gianic Level 1 (5 points)

    Just thought of another problem I am having that might be related... I can't "Connect to Server..." from another computer on the network if I enter username: root and appropriate password.  I have been able to do so in the past, but the last few months have been hit and miss.  Every once in a while it will let me, otherwise the sign-in dialog just gives a shake like it is a wrong password. Any ideas?  I had another question out there, but no fixes yet... https://discussions.apple.com/message/20522288#20522288

  • 4. Re: What am I doing wrong?
    Strontium90 Level 4 (3,140 points)

    Using user root?  That actually worked? 

     

    Logic says that access via root from remote systems should not have worked to begin with.  And, there is strong evidence that the actual use of root is not required (using sudo instead when needed). 

     

    While not a conclusive test, I just hit three different OS X Servers (10.8.3) and none allowed access via the root account.  This is the behavior I expected.  Did you explicitly enable the root account in Directory Utility?  If so, you can likely disable it.  I've found no reason to actually have a root account active.

  • 5. Re: What am I doing wrong?
    gianic Level 1 (5 points)

    Yes, I have OS X Server (10.7.5); it has worked and then doesn't.  I did explicitly enable the root user in Directory Utility.  I have it enabled so I can have access to user accounts.  My setup is a classroom with 24 student stations and 192 student user accounts.  I need to be able to access files students have saved. Is there another way to have that access without using the root user?

  • 6. Re: What am I doing wrong?
    Simon Slavin Level 4 (1,395 points)

    I'm not sure why you feel you should be able to routinely see everyone's files.  Everyone has their own accounts.  A student gets to keep their own files in their own account and you don't get to look at them.

     

    If you want your students to 'hand in' their work, have them put their file into your own home folder's dropbox.  You might want to put an alias to it where students can easily find it, and create a convention where the filename of the work contains the student's name.  Something like the homework for coursework 4 should be named

     

    cw4 pat boone.txt

     

    or whatever.

  • 7. Re: What am I doing wrong?
    Strontium90 Level 4 (3,140 points)

    You can promote the admin account to root via the sudo command.  Use sudo -s to enter a root session.  You will remain "root" until you exit the shell.  This does not require the root account to be enabled.  Any user who is a member of the sudousers list (by default the initial admin account is added), can promote themselves to root.

     

    OS X has been shipping rootless for years now.  I can not recall needing the root account since maybe 10.3.  You should never log in as the root user via the login window, and enabling the root account is just another possible exploit vector. 

     

    An admin can prefix any command with sudo (ex: sudo vi /etc/crontab, sudo changeip -checkhostname, etc) or simply assume the role of root with sudo -s.  This allows you to use the Terminal application to traverse the file system if you need access to other files and folders.

     

    Now, I might also point out that ACLs can probably resolve this issue for you far greater than root access.  If you are defining network homes, simply create an administrative group that has access to the student homes.  If this group only contains the admin account, then no one else has access.

     

    I assume this is for a forensics purpose.  Meaning you are making sure they are not doing anything against code of conduct and fair use policy.
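
The ACL approach suggested in reply 7, as an added example that is not part of the original thread: a script that grants one administrative group read-only access to every student home with macOS `chmod +a`, so the root account can stay disabled. The group name `studentadmins` and the demo directory tree are assumptions constructed for illustration; by default the script only prints the calls it would make.

```shell
#!/bin/sh
# Added example: read-only ACL for one admin group over student homes (macOS chmod +a).
# Assumptions: group "studentadmins" and the directory tree below are constructed.

# Print the access control entry (ACE) for group $1; $2 is "dir" or "file".
acl_entry() {
    case "$2" in
        dir)  printf 'group:%s allow list,search,readattr,readextattr,file_inherit,directory_inherit' "$1" ;;
        file) printf 'group:%s allow read,readattr,readextattr' "$1" ;;
        *)    return 1 ;;
    esac
}

# Walk the tree under $2 and grant group $1 read access, with no write or delete rights.
# DRY_RUN=1 (default) only prints the chmod calls; DRY_RUN=0 runs them (macOS only).
grant_read() {
    [ -d "$2" ] || { echo "not a directory: $2" >&2; return 1; }
    for kind in dir file; do
        case "$kind" in dir) t=d ;; file) t=f ;; esac
        ace=$(acl_entry "$1" "$kind")
        if [ "${DRY_RUN:-1}" = 1 ]; then
            find "$2" -type "$t" -exec printf 'chmod +a "%s" "%s"\n' "$ace" {} \;
        else
            find "$2" -type "$t" -exec chmod +a "$ace" {} +
        fi
    done
}

# Constructed demo tree standing in for the network homes folder.
demo=$(mktemp -d)
mkdir -p "$demo/student01/Documents"
: > "$demo/student01/Documents/cw4 pat boone.txt"
grant_read studentadmins "$demo"
rm -rf "$demo"
```

With DRY_RUN=0 the calls need sudo on the server itself; `ls -le` then lists the entries on each item. The inherit flags on directories make files created later pick up the same entry.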