Root as Primary Login: Why Not?

A user writes, "I help moderate a forum dealing with Mac OS X, and I'm having an awful time convincing a fair portion of our readers that logging in as root all the time is a Really Bad Idea. Worse, though, are the ones who try to convince others to log in as root all the time, claiming it's 'more Mac-OS-9-like,' or saying 'it's not really more insecure,' or even that 'a firewall should deter hackers pretty well.' I know all the standard arguments, but they're not working out. Does anyone here have some real-world anecdotes that I can point to?"
  • by brunson ( 91995 ) on Monday May 06, 2002 @12:01AM (#3468020) Homepage
    If it needs root access to devices, which it almost certainly does to ifconfig an interface up, it should be installed suid root (if safe). Also, sudo is a great utility for doing things as root; does it come installed by default?
  • by lexarius ( 560925 ) on Monday May 06, 2002 @12:07AM (#3468035)
    Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

    As for the original poster, I don't know what to say. In OS X root still has to give his password for authentication screens. The only convenience I can really see it having is to mess around with system libraries and configuration files unchecked. Oh yeah, that's right. Most unices aren't very vulnerable to virii because the user isn't root, so the virus can't get at the important things. The most a trojan could do is take out your home directory. Your system would still run.

    Of course, logging in as root makes the system slightly more vulnerable to local attacks, but that isn't saying much.

    Cmd-S during boot-up.
    fsck -y
    mount /
    SystemStarter
    passwd root

    System compromised.
    But that's a feature. I think it can be disabled, possibly by supplying an OpenFirmware password... auto-logging in as root sort of ruins that, though.
    If people want security similar to Windows, tell them to run as root. OS9 is somewhat more "secure" than OSX because it was meant to be stupid-proof. Running as root in OSX is like telling the computer you really know what you're doing. If you don't, you shouldn't.
  • by jsimon12 ( 207119 ) on Monday May 06, 2002 @12:10AM (#3468041) Homepage
    My main reason for why you don't use root entirely is that eventually, no matter how careful you are, you WILL make a mistake. Be it rm, chmod, mv, it will happen. If you use another account, try to do as much as you can as a non-root user and only su up, you will be less likely to simply carelessly do something.

    But that is my 2 cents. My advice would be to present your argument; if they don't want to listen and want to put their boxes at risk, let them. When they accidentally make a mistake and bring their system down, they will learn. If they don't learn from that and keep recommending bad admin practices to others, well, they are morons. But that is another issue.
  • by foobar104 ( 206452 ) on Monday May 06, 2002 @12:23AM (#3468075) Journal
    Also, sudo is a great utility for doing things as root, does it come installed by default?

    Yup, sure does. As far as I know, it's been there since forever. At least since 10.0.3, which was the earliest version that I used regularly.
  • Original Thread (Score:2, Informative)

    by owenc ( 255848 ) on Monday May 06, 2002 @12:48AM (#3468137) Journal

    There are a lot of threads at various mac forums with this topic, but a current one is here at MacNN forums [macnn.com].

    MacNN forums seems to have a well deserved reputation for being full of idiots. Especially in the OS X threads.

    Say hello to "Bobby" from Ventura California, who started this thread :)

  • Here's one. (Score:5, Informative)

    by Eagle7 ( 111475 ) on Monday May 06, 2002 @12:48AM (#3468138) Homepage
    Let's say that you want to change the permissions of all the files in your home directory to go-rwx (which makes sense). So, you type:

    chmod go-rwx ~/*

    But by mistake, you hit the space bar, and get:

    chmod go-rwx ~ /*

    By the time you realize the hard disk has churned too long, you've just gone and wiped the permissions on /bin, /sbin, /var, etc. Your system is now screwed up to the point where it's probably faster to reinstall than change all the permissions. If you weren't root, you'd see something like this (from a Linux-PPC box):

    [pts/2@tardis:/home/dmorriso @00:45] chmod go-rwx ~ /*
    chmod: /bin: Operation not permitted
    chmod: /boot: Operation not permitted
    chmod: /dev: Operation not permitted
    chmod: /etc: Operation not permitted
    chmod: /home: Operation not permitted
    chmod: /lib: Operation not permitted
    chmod: /lost+found: Operation not permitted
    chmod: /mnt: Operation not permitted
    chmod: /opt: Operation not permitted
    chmod: /proc: Operation not permitted
    chmod: /root: Operation not permitted
    chmod: /sbin: Operation not permitted
    chmod: /tmp: Operation not permitted
    chmod: /usr: Operation not permitted
    chmod: /var: Operation not permitted
    [pts/2@tardis:/home/dmorriso @00:46]

    And yes, back in the day, I did make this oops and had to reinstall, because I had used su rather than sudo, and had forgotten to un-su. I started using sudo right afterwards. :)
  • by owenc ( 255848 ) on Monday May 06, 2002 @12:56AM (#3468155) Journal
    At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".
    You can enable root through the netinfo config utility. It asks for a new root password.
  • Re:Here's one. (Score:4, Informative)

    by foobar104 ( 206452 ) on Monday May 06, 2002 @12:57AM (#3468157) Journal
    chmod go-rwx ~ /*

    I just want to second this. I did the same thing once, but on an SGI O2 rather than a Mac. My variation: chown -R foo / when I meant to type chown -R foo .. The dot and the slash are just too damn close together for comfort.

    That was when I learned that you can't boot an SGI if files like /bin/sh and /sbin/init aren't owned by root.

    And yeah, it was easier and faster to just reinstall the OS than it was to try to fix the ownerships.
  • by dh003i ( 203189 ) <`dh003i' `at' `gmail.com'> on Monday May 06, 2002 @01:15AM (#3468207) Homepage Journal
    As a command-line user, I understand the value of not logging in as root all the time.

    However, most Mac users couldn't use a command line if their life depended on it and probably don't even know that MacOSX has a command line.

    The MacOSX user who's a classic mac user will probably never use the command line; if they have to rename a thousand files to add an extension or a prefix or whatever, they'll do it by hand, not by using a tcsh script.

    So, the question is, how much damage can one do from the MacOSX GUI at root? I don't know. I have accounts on other ppl's MacOSX computer (namely, at my University) but have never been logged in as root.

    Of course, not logging in as root doesn't only protect you from yourself. It also protects you from "trojan" install programs, which say they'll do one thing, and in fact delete the entire hard drive or something else like that.
  • by Drakino ( 10965 ) on Monday May 06, 2002 @01:33AM (#3468275) Journal
    At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".

    You can enable root through the netinfo config utility. It asks for a new root password.


    Partially correct. root is created on install just like any other Unix, and is the owner of most files on the system initially. Just who knows what the password is. Netinfo lets you set a different password, but all it is is a pretty GUI for "sudo su; passwd root".
  • Re:Here's one. (Score:2, Informative)

    by Permission Denied ( 551645 ) on Monday May 06, 2002 @04:26AM (#3468581) Journal
    rm ugly-pron. *

    Dude, you're using the wrong shell:

    % ls
    good-pr0n1.jpg good-pr0n3.jpg good-pr0n6.jpg good-pr0n9.jpg
    good-pr0n10.jpg good-pr0n4.jpg good-pr0n7.jpg ugly-pr0n1.jpg
    good-pr0n2.jpg good-pr0n5.jpg good-pr0n8.jpg ugly-pr0n2.jpg
    % rm ugly-pr0n *
    zsh: sure you want to delete all the files in /home/pd/.pr0n [yn]? n
    rm: ugly-pr0n: No such file or directory
    % ls
    good-pr0n1.jpg good-pr0n3.jpg good-pr0n6.jpg good-pr0n9.jpg
    good-pr0n10.jpg good-pr0n4.jpg good-pr0n7.jpg ugly-pr0n1.jpg
    good-pr0n2.jpg good-pr0n5.jpg good-pr0n8.jpg ugly-pr0n2.jpg

    NB: this is zsh figuring out my typo, not 'rm' being annoying.

  • Re:Here's one. (Score:3, Informative)

    by tunah ( 530328 ) <sam AT krayup DOT com> on Monday May 06, 2002 @05:29AM (#3468670) Homepage
    Mine was worse.

    I don't have rpm installed, but I found a program that was only available as rpm. So I ran rpm2targz on it and then tar xvzf. It then extracted a whole bunch of files into a new usr folder in my current working directory, as I had forgotten to cd /. I was still root. So now to get rid of the directory I tried to type:

    rm -r usr/

    What I actually typed was this:

    rm -r /usr

    Oops!

  • by Permission Denied ( 551645 ) on Monday May 06, 2002 @08:19AM (#3468848) Journal
    Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

    OS X, like most unices, doesn't honor the set-uid bit for scripts.

    I would just write a trivial C program and make that set-uid:

    #include <unistd.h>

    /* Absolute path of the script to run as root; adjust to where it lives. */
    #define ADSL "/path/to/adsl-connect"

    int main(void)
    {
        /* Replace this process with the script. execl() only returns on
         * failure, so reaching the return means the exec did not happen. */
        execl(ADSL, ADSL, (char *)NULL);
        return 1;
    }

    On OS X, install dev tools, compile as "cc file.c -o my-script" and then "chmod 4755 my-script". You can then run it from a normal user shell and the script is run as root (make sure the file is owned by root).

    NB: I'm not replying directly to you, but rather to the original poster who wanted to know how to do this.
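    The wrapper above hands the caller's entire environment to a process that runs as root and assumes the target file is what it should be. The following is a hardened variant added here as an example; it is not the poster's code. Before the exec it checks that the target is an absolute path to a regular file owned by root and not writable by group or others, it passes a fixed minimal environment with execle() instead of inheriting the caller's PATH, IFS or loader variables, and it makes the real uid match the effective uid so the script does not run as a mixed-privilege process. The ADSL path is the same placeholder as in the post, and the PATH/IFS allow-list is an assumption chosen for a simple connect script; install it exactly as the post describes (owned by root, chmod 4755).

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Placeholder target, as in the post; adjust to where the script really lives. */
#define ADSL "/path/to/adsl-connect"

/* Fixed environment handed to the target. Nothing from the caller's shell
 * (PATH, IFS, LD_* / DYLD_* variables) reaches the root-privileged process.
 * The contents of this allow-list are an assumption for this example. */
static char *const safe_env[] = {
    "PATH=/usr/bin:/bin:/usr/sbin:/sbin",
    "IFS= \t\n",
    NULL
};

/* The target is trusted only if it is an absolute path to a regular file that
 * is owned by root and not writable by group or others. Returns 1 or 0. */
int target_is_trusted(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;                            /* no PATH lookups for root */
    if (stat(path, &st) != 0)
        return 0;                            /* missing or unreadable */
    if (!S_ISREG(st.st_mode))
        return 0;                            /* no directories or devices */
    if (st.st_uid != 0)
        return 0;                            /* must be owned by root */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                            /* nobody else may edit it */
    return 1;
}

/* Allow-list check on an environment block: every entry must start with one
 * of the names we deliberately pass through. Returns 1 if clean, else 0. */
int env_is_allowlisted(char *const env[])
{
    static const char *const allowed[] = { "PATH=", "IFS=", NULL };
    size_t i, j;

    for (i = 0; env[i] != NULL; i++) {
        int ok = 0;
        for (j = 0; allowed[j] != NULL; j++)
            if (strncmp(env[i], allowed[j], strlen(allowed[j])) == 0)
                ok = 1;
        if (!ok)
            return 0;
    }
    return 1;
}

int main(void)
{
    if (!target_is_trusted(ADSL) || !env_is_allowlisted(safe_env)) {
        fprintf(stderr, "refusing to run %s as root: target or environment not trusted\n", ADSL);
        return 1;
    }
    /* Make the real uid match the effective uid, so the script (and any
     * interpreter it starts) runs as a plain root process, not a mixed one. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    /* execle() passes our fixed environment instead of inheriting the caller's. */
    execle(ADSL, ADSL, (char *)NULL, safe_env);
    perror("execle");
    return 1;
}
```

    The ownership and mode check is what turns "make sure the file is owned by root" from advice into something the wrapper enforces every time it runs: if anyone later replaces or loosens the script, the wrapper refuses instead of running it with root privileges.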

  • by Permission Denied ( 551645 ) on Monday May 06, 2002 @08:29AM (#3468873) Journal
    because it doesn't show up

    Nobody has yet replied to this point (subtle, this is easy to miss unless you've worked with people).

    This is because adsl-connect is probably not in your PATH (I'm guessing it's in /sbin or /usr/sbin). You can do a 'man bash', hit the '/' key, type in PATH and keep typing 'n' until you find the entry in the manual page explaining how PATH works.

    Short story: type in the following:

    su -
    which adsl-connect

    Make sure to type in the dash in the 'su' command. The second command should tell you exactly where adsl-connect is, and you can go from there.
  • by foobar104 ( 206452 ) on Monday May 06, 2002 @10:34AM (#3469464) Journal
    You don't see anyone trying to eradicate the usage of "boxen" (even though "boxes" is the proper plural of "box").

    There are two big differences between "boxen" and "virii."

    First of all, "boxen" is almost always tongue-in-cheek. It's an old joke, but it's just a joke.

    Secondly, "boxen" would be correct, if it weren't for the simple fact that it isn't. It's just one of those quirks of the language: one box plus one box is boxes, and one fox plus one fox is foxes, but one ox plus one ox is oxen. Like a friend of mine said, about fifteen years ago, in my high school English class: "Drive, drove, have driven. Dive, dove, have diven?" "Boxen" is funny because its use points out the arbitrary and inconsistent nature of English pluralization.

    As I said, though, "virii" isn't just technically wrong, it's completely wrong. Latin had either no plural at all for "virus," or only a very rarely used and easily confused plural, depending on whose interpretation you accept. "Virii" has zero basis in any kind of fact.

    If the correct Latin plural of "virus" had been "virii," and if the use were intended to be sarcastic or humorous, I wouldn't mind so much. But the fact is, people often use "virii" in utter seriousness, as if it were correct and acceptable.

    It isn't. It's wrong, wrong, wrong.
  • Re:Here's one. (Score:3, Informative)

    by Eimi Metamorphoumai ( 18738 ) on Monday May 06, 2002 @11:02AM (#3469640) Homepage
    Ahhh, yes. Been there, done that. Of course, mine looked so innocent. Messing around in /proc, tried to make everything readable (to see how the proc virtual filesystem interacts with permissions). "chmod -R a+rwx *" Even made sure I was in the right place first. What I quickly (but not nearly quickly enough) learnt was that chmod -R follows symlinks, and that symlink to / made that command much less fun than it should have been. To this day, I loathe commands that follow symlinks recursively (cp -r, chmod -R, I'm sure there are others), but I have gotten much better at "find -print0 | xargs -0".
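    Both accidents in this thread, the "chmod go-rwx ~ /*" typo earlier and the chmod -R that followed a symlink out of /proc, are a recursive permission change that either reaches outside the tree it was meant for or follows a link out of it. As an added example (not code from any poster), here is a C routine that applies a recursive permission change only when the target canonicalises to a path inside a given root (for instance the home directory), and that walks the tree with lstat() so symlinks are neither modified nor followed, the same property the "find -print0 | xargs -0" habit relies on. The scratch directory built in demo_scratch_tree(), with a symlink named "escape" pointing at /, is constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursively clears 'bits' from the mode of every regular file below 'dir'.
 * lstat() reports a symlink as a symlink, so links are neither changed nor
 * descended into. Returns the number of files changed. */
static int clear_bits_tree(const char *dir, mode_t bits)
{
    DIR *d;
    struct dirent *ent;
    struct stat st;
    char path[PATH_MAX];
    int changed = 0;

    if ((d = opendir(dir)) == NULL)
        return 0;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;                 /* would truncate: skip rather than guess */
        if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
            continue;                 /* a symlink to / stops here, unfollowed */
        if (S_ISDIR(st.st_mode))
            changed += clear_bits_tree(path, bits);
        else if (S_ISREG(st.st_mode) && chmod(path, (st.st_mode & 07777) & ~bits) == 0)
            changed++;
    }
    closedir(d);
    return changed;
}

/* Clears 'bits' on every regular file under 'target', but only if 'target'
 * canonicalises to a location inside 'root'. Returns the number of files
 * changed, or -1 if the target is refused. */
int chmod_within(const char *root, const char *target, mode_t bits)
{
    char real_root[PATH_MAX], real_target[PATH_MAX];
    struct stat st;
    size_t n;

    if (realpath(root, real_root) == NULL || realpath(target, real_target) == NULL)
        return -1;
    n = strlen(real_root);
    if (strncmp(real_root, real_target, n) != 0)
        return -1;                    /* e.g. root "/Users/me", target "/" */
    if (n > 1 && real_target[n] != '\0' && real_target[n] != '/')
        return -1;                    /* e.g. root "/Users/me", target "/Users/melon" */
    if (lstat(real_target, &st) != 0)
        return -1;
    if (S_ISDIR(st.st_mode))
        return clear_bits_tree(real_target, bits);
    if (S_ISREG(st.st_mode))
        return chmod(real_target, (st.st_mode & 07777) & ~bits) == 0 ? 1 : 0;
    return 0;
}

/* Constructed scenario: a scratch directory holding one regular file and a
 * symlink "escape" -> "/". Returns 1 when exactly that file is changed, the
 * link is left alone, and the link itself is refused as a target; else 0. */
int demo_scratch_tree(void)
{
    char dir[] = "/tmp/chmod-within-XXXXXX";
    char file[PATH_MAX], link[PATH_MAX];
    struct stat st;
    FILE *f;
    int ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(file, sizeof file, "%s/note.txt", dir);
    snprintf(link, sizeof link, "%s/escape", dir);
    if ((f = fopen(file, "w")) != NULL) {
        fclose(f);
        chmod(file, 0666);            /* start with group/other rw set */
        if (symlink("/", link) == 0) {
            ok = chmod_within(dir, dir, S_IRWXG | S_IRWXO) == 1      /* go-rwx */
              && chmod_within(dir, link, S_IRWXG | S_IRWXO) == -1    /* link -> / */
              && stat(file, &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
            unlink(link);
        }
        unlink(file);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("scratch tree demo: %s\n", demo_scratch_tree() ? "as intended" : "FAILED");
    return 0;
}
```

    The two checks correspond to the two failure modes: the realpath() prefix test rejects a target that has already escaped the intended tree (including the "~ /*" case, where the second argument is /), and lstat() keeps the walk from following a link out of it. Neither replaces running as a normal user, which is what made the Linux-PPC box print "Operation not permitted" instead of rewriting /bin.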
  • In my analysis, there are three reasons.

    1. To make individual administrators accountable for their actions by creating an audit trail. If multiple individuals use the "Administrator" or "root" account, the source of errors is obscured.
    2. To implement the principle of "least privilege". Where possible, system access accounts will be assigned the least amount of privilege possible (e.g. put a name service administrator into the "DNS Admins" group instead of "Enterprise Admins"). This may limit the degree of damage caused when a particular privileged account is compromised, although it introduces communication complexity among system administrators and users.
    3. To limit the impact of accidents. By forcing administrators to use a non-privileged account for regular tasks, the chances of accidentally damaging the network or any shared resources are reduced.
  • by DaDigz ( 533977 ) on Monday May 06, 2002 @05:40PM (#3472946)
    Nope.. You're logging in as an admin user - which is perfectly fine IMHO and much safer than running as root.

    Sudo lets you run commands as root without actually running your shell or whatnot under root - when the program is finished, so is your root access and you can't foof the system by accidentally doing rm -Rf / or something.
  • Why root? (Score:2, Informative)

    by zenasprime ( 207132 ) on Tuesday May 07, 2002 @01:29AM (#3475503) Homepage
    I don't get it. Why do people feel the need to be root anyway? I have been an OS X user since Beta. I host my website on OS X and recently OS X Server. I have configured Apache, BIND, Sendmail (ugh) and Postfix. I compile C++ source from the command line. If for some reason I need to run a command as root (which can be frequent) I use sudo. There is a program called pseudo that will run apps as if they are root by drag/dropping files on top of it. If the user is an admin, they can config the system and install by simply providing their passwd. I have activated root from NetInfo to access certain functions but never once needed to log in as root. What is all the fuss about?

    z(p)
