Psalm57
Level 1 (0 points)

Q: Root account security

Hello Apple community!

 

I have a question regarding the super user (root) account security.

To use this account one must go to the Directory services and activate the account.

 

But how secure is this when people can "sudo su" and access the account login

prompt nevertheless? I don't see the advantage of having this disabled if this can be done.

 

Can someone enlighten me?

MacBook Pro, OS X Yosemite (10.10.5)

Posted on Sep 25, 2015 12:27 AM

by Mark Jalbert,Solvedanswer
Mark Jalbert Mark Jalbert
Level 5 (4,649 points)
A:

The root account is disabled to discourage users from "running as root" .

 

When knowing a privileged users name only the password would need to be cracked. Thus with root disabled a cracker would have to crack both the username and password.

Posted on Sep 25, 2015 3:15 AM

Close
Psalm57

Q: Root account security

  • All replies
  • Helpful answers

  • by Mark Jalbert,Solvedanswer

    Mark Jalbert Mark Jalbert Sep 25, 2015 3:15 AM in response to Psalm57
    Level 5 (4,649 points)
    Sep 25, 2015 3:15 AM in response to Psalm57

    The root account is disabled to discourage users from "running as root" .

     

    When knowing a privileged users name only the password would need to be cracked. Thus with root disabled a cracker would have to crack both the username and password.

  • by BobHarris,

    BobHarris BobHarris Sep 25, 2015 6:50 AM in response to Psalm57
    Level 6 (19,553 points)
    Mac OS X
    Sep 25, 2015 6:50 AM in response to Psalm57

    As Mark Jalbert says, 'root' is a well known account.  And there are regular probes for open port 22 (ssh) and attempts to login to 'root' using password dictionary lists.

     

    If you were to enable "Remote Login" (ssh), then tell your router to port forward port 22 to your Mac, then come back a few days later, you would find a bunch of failed ssh login attempts for the 'root' account in the Console Logs.

     

    Since your Mac's 'root' account is disabled, none of them can work.  And since the script kiddies do not know your personal admin account name, they are much less likely to guess that, and if they do, then they need to guess your password.  But the ssh login code will not tell the guesser if they got the name right and the password right.  It will give the same error if right name, wrong password, or right password, wrong name.  The combined length of your username and password increase the odds of not being broken into.

     

    Disabling the 'root' password has been a hard lesson to be learned in the computer industry, but repeated security failures because the 'root' account was broken into, have eventually sunk in, and very few Unix systems include a fully enabled 'root' account.  They all depend on the 'sudo' command.

     

    Now if you go around leaving your Mac unattended and do not require a screen saver password, and strangers can walk up and mess with it, then if they can guess your password, they can get to root.  So it is good idea to NOT let you make sit unprotected around strangers, and it is a good idea to use a good password for your admin account

    Then again, if you let your Mac sit around unattended with strangers, they could just remove your hard disk and look at it from another computer, unless you also use FileVault to encrypt the disk.

  • by Psalm57,

    Psalm57 Psalm57 Sep 25, 2015 8:10 AM in response to BobHarris
    Level 1 (0 points)
    Sep 25, 2015 8:10 AM in response to BobHarris

    Thanks guys. Yeah Bob, that was one of the features in Ubuntu that when I first used in 07 I found most said.. weird.

    But honestly, to me was never an issue as I "play" with unixes systems since the 90's. I find sudo to be.. "less powerful" But is only a 4 letter annoyance to me since once you auth the session will be able to rerun sudo without auth for some time. So no biggie.

     

    Thanks again.