http://www.samspublishing.com/library/content.asp?b=MacOS_XUnleashed&seqNum=104&rl=1
Enabling the root Account
As mentioned earlier, the administrator account is a powerful account. But the most powerful account on a Unix machine is the account called root. People also refer to root as the super user, but the account name itself is root. On most Unix systems, the first available account is the root account. In OS X, however, the root account is disabled by default as a security precaution.
At some time, however, you might find it necessary to enable the root account. The root account can modify system settings, modify files it does not own, modify files that are not writable by default, modify a user's password, install software, become another user without having to know the password of that account, and so on. In other words, root can do anything anywhere, making the power of root immense. Because root has so much power, the only users who can become root are users with administrative privileges. Because a user with administrative privileges can become the root user, you should assign these capabilities to only completely trusted individuals.
If you choose to enable the root account, please remember to use it with caution. Although the root account might provide some extra utility, you could accidentally wipe out your system if you do not pay careful attention to what you type. In addition, the root password you choose should be difficult to guess. Finally, become the root user only as long as necessary to complete the task at hand.
With the presence of an administrative user, it might be a long time, if ever, before you discover a need for enabling the root user. There are many approaches that you can take for dealing with the root user, from ways to use root without enabling the root account to actually enabling the root account.
Let's take a look at four different ways to gain root access to your system. Although you can choose whichever method you like, it's useful to understand that even though some of these methods appear to work magic, they all accomplish very much the same thing.
The root user is disabled because it does not have a valid password set. Because there are a number of ways to set a password, there are also several ways to enable root, including one method (the first we'll look at), that was designed specifically for assigning the root account password and only the root password. In addition, you'll see how the sudo command can provide root-level access even when the root password is disabled. We recommend that users access the root account only when absolutely necessary.
Using the NetInfo Manager Utility
There are a couple of graphical ways to enable the root account using the NetInfo Manager utility. Do not worry if you do not understand what the NetInfo Manager utility is at this time. We will take an in-depth look at the NetInfo Manager utility in Chapter 23.
NetInfo Manager: Method One
Click on Applications in the Finder window toolbar. Open the Utilities folder and then open the NetInfo Manager utility.
If nothing appears automatically when you open the NetInfo Manager, under the Domain menu, select Open; then select the default domain, which will be /.
Click on the lock button in the bottom-left side of the window to enable a mode that allows making changes. Enter the name and password of an administrative user; then click OK.
Under the Domain menu, select Security. Then choose Enable Root User from the submenu. Unless you have previously set a root password, a message appears with a NetInfo Error, indicating that the password is blank. Click OK.
Enter the root password you want to use, and then click Set. Remember that the root password should not be easily guessable.
Enter the password again for verification, and then click Verify.
Under the Domain menu, select Save. A request to Confirm Modification appears. Click on Update this copy.
Under the Options menu, select Restart All NetInfo Domains on Local Host. An alert asking whether you really want to restart the machine's NetInfo servers appears. Click Yes.
Click on the lock button again to prevent any further changes. Then close the NetInfo Manager.
You might find it sufficient just to click on the lock button again to save your changes. Figure 11.5 shows an example of what an enabled root account looks like in the NetInfo Manager. Note that the password field no longer has an * in it.
Figure 11.5 The root account has been enabled on this machine. Note the * that was in the password field has been replaced with an encrypted password.
NetInfo Manager: Method Two
You could try this alternative NetInfo Manager utility method if the first one does not work for you. The danger to this method is that it copies the password of another user to the root user.
Click on Applications in the Finder window toolbar. Open the Utilities folder; then open the NetInfo Manager utility. If nothing appears automatically when you first open the NetInfo Manager, from the Domain menu, select Open and then select the default domain, which will be /.
Click on the lock button in the bottom-left side of the window to enable a mode that allows making changes. Enter the name and password of an administrative user. Then click OK.
Click on Users in the second list, and then click on a user you created whose password you know.
Double-click on the value across from passwd in the bottom section of the window and copy it. What you are looking at is an encoded copy of the user's password.
Click on root in the users list. Note that the default value for the password for root is *, which means that no one can log in as root right now. Using * in the passwd field is a way to lock a user from the machine.
Double-click in the field with the *; then paste in the encoded password from the previous user to replace the *. The * should no longer be present when you are done.
Select Save from the Domain menu. A request to Confirm Modification appears. Click Update This Copy.
Select Restart All NetInfo Domains on Local Host under the Options menu. An alert asking whether you really want to restart the machine's NetInfo servers appears. Click Yes.
Click the lock button again to prevent any further changes; then close the NetInfo Manager.
Again, note that you might find it sufficient to just click on the lock button again to save your changes.
Using the OS X Installation CD
Because the OS X installation CD comes with an option to reset a user's password, you could use the installation CD itself to enable the root user.
To enable the root account using the OS X installation CD, do the following:
Insert the OS X CD.
With the CD in the CD-ROM drive, reboot the machine. Hold the C key while the machine reboots.
Wait for the Installer to appear and then select the Reset Password option under the Installer menu.
Select the OS X disk that contains the root account you want to enable. If you notice a spinning CD icon appear after you have chosen the Reset Password option, don't wait for the spinning to end to select your OS X disk. The System Administrator (root) user appears as the default user.
Enter a new password and then re-enter the password for verification. Click Save. Click OK when the Password Saved box appears.
Quit the Password Reset application, quit the Installer, and click Restart.
Using sudo at the Command Line
Although we won't start looking at the command-line utilities in depth until Chapter 15, "Command-Line Applications," we take this opportunity to demonstrate some ways to accomplish tasks that root might do by using the sudo command-line utility. It is all right if you do not feel comfortable with trying anything you see in this section at this time. When you are more familiar with working with the command line, you can return to this section. If you do want to try anything in this section, you can run the commands in a terminal window. Just open the Terminal application in the Utilities folder in the Applications folder.
Using sudo to Run Commands as root
sudo is a command-line utility that allows use of the root account without necessarily enabling root.
For example, in a terminal window, you could use sudo to reboot the machine now:
[localhost:~] joray% sudo shutdown -r now
The most common way to use sudo is to preface each command that you want root to do with the sudo utility. If you are asked for a password, use the password of the user who is executing the sudo command. If the user is not eligible to execute sudo, the command is not executed.
If you need to execute a few commands in a row as root, you could try a couple alternative uses of sudo. When you are done with the tasks for root, type exit at the end of your session.
In this example, your shell is elevated to that of root until you exit the session:
[localhost:~] joray% sudo -s
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
[localhost:~] root#
Notice that the prompt changes to include root#, as a reminder that you now have the power of root.
In this example, sudo is used to run su to become root until you exit the session. When root is enabled, su can be used to switch to the root user. When using su by itself, the password you enter to become root is that of root, rather than yours, as you do with sudo.
[localhost:~] joray% sudo su
Password:
[localhost:/Users/joray] root#
Notice that in this example, the prompt also includes root# as a reminder of your power as root. Remember, to return to the status of a regular user, type exit when you are done with your root session.
Using sudo to Enable the root Account
Recall that the sudo command is used to execute a command that root might execute. A way to enable the root account is to use sudo to execute passwd, which is a command used to change passwords.
Here is an example:
[localhost:~] joray% sudo passwd root
Password:
Changing password for root.
New password:
Retype new password:
[localhost:~] joray%
The password that you initially enter is your password. Then you supply a password for root, and re-enter it for verification. If you mistype the password, you will be prompted again, as shown in this example:
[localhost:~] joray% sudo passwd root
Password:
Changing password for root.
New password:
Retype new password:
Mismatch; try again, EOF to quit.
New password:
Retype new password:
[localhost:~] joray%
